Data processing method and apparatus, and storage medium

By introducing network function entities with network authorization and data protection capabilities into the 6G distributed network, the problem of high configuration complexity of NRF network elements is solved, and more secure and reliable data exchange is achieved.

CN122372984APending Publication Date: 2026-07-10DATANG MOBILE COMM EQUIP CO LTD

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Applications(China)
Current Assignee / Owner
DATANG MOBILE COMM EQUIP CO LTD
Filing Date
2025-01-08
Publication Date
2026-07-10

AI Technical Summary

Technical Problem

In 6G distributed network architecture, the configuration and maintenance of NRF network elements are highly complex during data exchange between networks, which can easily lead to misconfiguration and data leakage risks. In particular, it is difficult to meet security and resilience requirements in data exchange between independent non-public networks and distributed networks.

Method used

A dedicated network function entity for data protection is introduced, which is a first network function with network authorization capabilities and data protection processing capabilities. This function enables authorized access to the second network and data protection processing, reducing dependence on NRF network elements and simplifying configuration and maintenance processes.

Benefits of technology

It reduces the probability of misconfiguration during data exchange, improves the security and reliability of data exchange, and meets the data security requirements of 6G networks.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN122372984A_ABST
    Figure CN122372984A_ABST
Patent Text Reader

Abstract

This application provides a data processing method, apparatus, and storage medium, relating to the field of communication technology. The method is applied to a first network function in a first network, which is a network function with network authorization capabilities and data protection processing capabilities. The method includes: receiving first data sent by a first data analysis function network element in the first network, wherein the first data is data requested by a second data analysis function network element in a second network, and the second network is a network authorized for access by the first network function; performing data protection processing on the first data to obtain second data; and sending the second data to the second network function in the second network. The solution of this application reduces the probability of misconfiguration and the risk of network authorization during data exchange, thereby improving the security and reliability of the data exchange process.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This application relates to the field of communication technology, and in particular to a data processing method, apparatus and storage medium. Background Technology

[0002] In the distributed network architecture of 6G, there is a need for data exchange between different networks, that is, one network needs to access data in another network.

[0003] In related technologies, if network A needs to access data in network B, it needs to authorize network A to access the data through the Network Repository Function (NRF) element in network B. After network B authorizes network A to access the data, network A has the permission to request data access from network B. However, the configuration and maintenance of NRF elements are relatively complex and prone to misconfiguration. Summary of the Invention

[0004] This application provides a data processing method, apparatus, and storage medium, which solves the technical problem that current data exchange processes are prone to leading to a lack of configuration.

[0005] In a first aspect, this application provides a data processing method applied to a first network function in a first network, wherein the first network function is a network function with network authorization capability and data protection processing capability, and the method includes:

[0006] Receive first data sent by the first data analysis function network element in the first network, the first data being data requested by the second data analysis function network element in the second network, the second network being the network authorized for access by the first network function;

[0007] The first data is processed for data protection to obtain the second data;

[0008] Send second data to the second network function in the second network.

[0009] In some embodiments, data protection processing is privacy processing.

[0010] In some embodiments, the method further includes:

[0011] Receive token request messages sent by the second network function;

[0012] The token information is sent to the second network function according to the token request message. The token information is used to instruct the second network function to authorize access to the network for the first network function.

[0013] In some embodiments, the token request message includes at least one of the following:

[0014] The first data analysis function provides information on the type of network elements;

[0015] The type information of the second data analysis function network element; the second data analysis function network element is the network element in the second network that requests data.

[0016] The service name requested by the network element for the second data analysis function;

[0017] The second data analysis function requests data type information from network elements;

[0018] The indication information is used to indicate whether the data requested by the second data analysis function network element belongs to the data related to the terminal.

[0019] In some embodiments, sending token information to a second network function according to a token request message includes:

[0020] Verify the token request message and obtain the first verification result;

[0021] If the first verification result is successful, a token message is sent to the second network function.

[0022] In some embodiments, the token information includes data type indication information, wherein:

[0023] The data type indication information is used to indicate the data type that the first network authorizes to access the second network.

[0024] In some embodiments, the first network is a non-public network or a distributed subnet;

[0025] The second network falls into one of the following categories: public network, non-public network, or distributed subnet.

[0026] Secondly, this application provides a data processing method applied to a second network function in a second network, the method comprising:

[0027] The system receives a first data request message sent by a second data analysis function network element in the second network. The first data request message is used to request first data. The second network is a network authorized to access by a first network function in the first network. The first network function is a network function with network authorization capability and data protection processing capability.

[0028] Based on the first data request message, a second data request message is sent to the first data analysis function network element in the first network;

[0029] Receive second data sent by the first network function, wherein the second data is data obtained by performing data protection processing on the first data;

[0030] Send the second data to the second data analysis function network element.

[0031] In some embodiments, data protection processing is privacy processing.

[0032] In some embodiments, the second data request message includes at least one of the following:

[0033] Token information, used to instruct the second network to authorize access to the functions of the first network;

[0034] The identifier of the first data;

[0035] The identifier of the second network.

[0036] In some embodiments, the first data request message includes an identifier of the first data and / or an identifier of the second network.

[0037] In some embodiments, the method further includes:

[0038] Send a token request message to the first network function;

[0039] Receive token information sent by the first network function, the token information being used to instruct the second network to authorize access to the network by the first network function.

[0040] In some embodiments, the token request message includes at least one of the following:

[0041] The first data analysis function provides information on the type of network elements;

[0042] The type information of the second data analysis function network element; the second data analysis function network element is the network element in the second network that requests data.

[0043] The service name requested by the network element for the second data analysis function;

[0044] The second data analysis function requests data type information from network elements;

[0045] The indication information is used to indicate whether the data requested by the second data analysis function network element belongs to the data related to the terminal.

[0046] In some embodiments, the token information includes data type indication information, wherein:

[0047] The data type indication information is used to indicate the data type that the first network authorizes to access the second network.

[0048] In some embodiments, the first network is a non-public network or a distributed subnet;

[0049] The second network falls into one of the following categories: public network, non-public network, or distributed subnet.

[0050] Thirdly, this application provides a data processing method applied to a first data analysis function network element in a first network, the method comprising:

[0051] Receives a second data request message sent by a second network function in a second network; the second network is a network authorized for access by a first network function in a first network, and the first network function is a network function with network authorization capability and data protection processing capability;

[0052] Obtain the first data according to the second data request message;

[0053] Send the first data to the first network function in the first network.

[0054] In some embodiments, the second data request message includes at least one of the following:

[0055] Token information, used to instruct the second network to authorize access to the functions of the first network;

[0056] The identifier of the first data;

[0057] The identifier of the second network.

[0058] In some embodiments, the token information includes data type indication information, wherein:

[0059] The data type indication information is used to indicate the data type that the first network authorizes to access the second network.

[0060] In some embodiments, obtaining first data according to a second data request message includes:

[0061] The second data request message is verified to obtain the second verification result.

[0062] If the second verification result is successful, obtain the first data.

[0063] In some embodiments, the first network is a non-public network or a distributed subnet;

[0064] The second network falls into one of the following categories: public network, non-public network, or distributed subnet.

[0065] Fourthly, this application provides a data processing apparatus applied to a first network function in a first network. The first network function is a network function with network authorization capabilities and data protection processing capabilities. The apparatus includes:

[0066] The first receiving module is used to receive first data sent by the first data analysis function network element in the first network. The first data is data requested by the second data analysis function network element in the second network. The second network is a network authorized for access by the first network function.

[0067] The processing module is used to perform data protection processing on the first data to obtain the second data;

[0068] The first sending module is used to send second data to the second network function in the second network.

[0069] Fifthly, this application provides a data processing apparatus for use in a second network function within a second network, the apparatus comprising:

[0070] The second receiving module is used to receive a first data request message sent by the second data analysis function network element in the second network. The first data request message is used to request first data. The second network is a network authorized to access by the first network function in the first network. The first network function is a network function with network authorization capability and data protection processing capability.

[0071] The second sending module is used to send a second data request message to the first data analysis function network element in the first network according to the first data request message;

[0072] The third receiving module is used to receive the second data sent by the first network function. The second data is data obtained by performing data protection processing on the first data.

[0073] The third sending module is used to send the second data to the second data analysis function network element.

[0074] Sixthly, this application provides a data processing apparatus applied to a first data analysis function network element in a first network, the apparatus comprising:

[0075] The fourth receiving module is used to receive a second data request message sent by the second network function in the second network; the second network is a network authorized to be accessed by the first network function in the first network, and the first network function is a network function with network authorization capability and data protection processing capability;

[0076] The acquisition module is used to obtain the first data based on the second data request message;

[0077] The fourth sending module is used to send the first data to the first network function in the first network.

[0078] In a seventh aspect, this application provides a data processing apparatus, including a memory, a transceiver, and a processor:

[0079] Memory is used to store computer programs; transceiver is used to send and receive data under the control of the processor; the processor is used to read the computer program from memory and perform the following operations:

[0080] Receive first data sent by the first data analysis function network element in the first network. The first data is data requested by the second data analysis function network element in the second network. The second network is a network authorized to access by the first network function in the first network. The first network function is a network function with network authorization capability and data protection processing capability.

[0081] The first data is processed for data protection to obtain the second data;

[0082] Send second data to the second network function in the second network.

[0083] In some embodiments, data protection processing is privacy processing.

[0084] In some embodiments, the processor is also configured to perform the following operations:

[0085] Receive token request messages sent by the second network function;

[0086] The token information is sent to the second network function according to the token request message. The token information is used to instruct the second network function to authorize access to the network for the first network function.

[0087] In some embodiments, the token request message includes at least one of the following:

[0088] The first data analysis function provides information on the type of network elements;

[0089] The type information of the second data analysis function network element; the second data analysis function network element is the network element in the second network that requests data.

[0090] The service name requested by the network element for the second data analysis function;

[0091] The second data analysis function requests data type information from network elements;

[0092] The indication information is used to indicate whether the data requested by the second data analysis function network element belongs to the data related to the terminal.

[0093] In some embodiments, sending token information to a second network function according to a token request message includes:

[0094] Verify the token request message and obtain the first verification result;

[0095] If the first verification result is successful, a token message is sent to the second network function.

[0096] In some embodiments, the token information includes data type indication information, wherein:

[0097] The data type indication information is used to indicate the data type that the first network authorizes to access the second network.

[0098] In some embodiments, the first network is a non-public network or a distributed subnet;

[0099] The second network falls into one of the following categories: public network, non-public network, or distributed subnet.

[0100] Eighthly, this application provides a data processing apparatus, including a memory, a transceiver, and a processor:

[0101] Memory is used to store computer programs; transceiver is used to send and receive data under the control of the processor; the processor is used to read the computer program from memory and perform the following operations:

[0102] The system receives a first data request message sent by a second data analysis function network element in the second network. The first data request message is used to request first data. The second network is a network authorized to access by a first network function in the first network. The first network function is a network function with network authorization capability and data protection processing capability.

[0103] Based on the first data request message, a second data request message is sent to the first data analysis function network element in the first network;

[0104] Receive second data sent by the first network function, wherein the second data is data obtained by performing data protection processing on the first data;

[0105] Send the second data to the second data analysis function network element.

[0106] In some embodiments, data protection processing is privacy processing.

[0107] In some embodiments, the second data request message includes at least one of the following:

[0108] Token information, used to instruct the second network to authorize access to the functions of the first network;

[0109] The identifier of the first data;

[0110] The identifier of the second network.

[0111] In some embodiments, the first data request message includes an identifier of the first data and / or an identifier of the second network.

[0112] In some embodiments, the processor is also configured to perform the following operations:

[0113] Send a token request message to the first network function;

[0114] Receive token information sent by the first network function, the token information being used to instruct the second network to authorize access to the network by the first network function.

[0115] In some embodiments, the token request message includes at least one of the following:

[0116] The first data analysis function provides information on the type of network elements;

[0117] The type information of the second data analysis function network element; the second data analysis function network element is the network element in the second network that requests data.

[0118] The service name requested by the network element for the second data analysis function;

[0119] The second data analysis function requests data type information from network elements;

[0120] The indication information is used to indicate whether the data requested by the second data analysis function network element belongs to the data related to the terminal.

[0121] In some embodiments, the token information includes data type indication information, wherein:

[0122] The data type indication information is used to indicate the data type that the first network authorizes to access the second network.

[0123] In some embodiments, the first network is a non-public network or a distributed subnet;

[0124] The second network falls into one of the following categories: public network, non-public network, or distributed subnet.

[0125] Ninthly, this application provides a data processing apparatus, including a memory, a transceiver, and a processor:

[0126] Memory is used to store computer programs; transceiver is used to send and receive data under the control of the processor; the processor is used to read the computer program from memory and perform the following operations:

[0127] Receives a second data request message sent by a second network function in a second network; the second network is a network authorized for access by a first network function in a first network, and the first network function is a network function with network authorization capability and data protection processing capability;

[0128] Obtain the first data according to the second data request message;

[0129] Send the first data to the first network function in the first network.

[0130] In some embodiments, the second data request message includes at least one of the following:

[0131] Token information, used to instruct the second network to authorize access to the functions of the first network;

[0132] The identifier of the first data;

[0133] The identifier of the second network.

[0134] In some embodiments, the token information includes data type indication information, wherein:

[0135] The data type indication information is used to indicate the data type that the first network authorizes to access the second network.

[0136] In some embodiments, obtaining first data according to a second data request message includes:

[0137] The second data request message is verified to obtain the second verification result.

[0138] If the second verification result is successful, obtain the first data.

[0139] In some embodiments, the first network is a non-public network or a distributed subnet;

[0140] The second network falls into one of the following categories: public network, non-public network, or distributed subnet.

[0141] In a tenth aspect, this application provides a non-transitory readable storage medium storing a computer program for causing a processor to perform the method described in any one of the first to third aspects.

[0142] The data processing method, apparatus, and storage medium provided in this application propose a dedicated network function entity for data protection, namely a first network function. When a second data analysis function network element in a second network needs to request data from the first network, the first network function in the first network authorizes access to the second network. Upon obtaining authorized access from the first network function, the first data analysis function network element in the first network acquires first data and sends it to the first network function. The first network function then performs data protection processing on the first data to obtain second data, which is then sent to the second network function. Since both authorized access to the second network and data protection processing are completed through the first network function, compared to NRF network elements, the first network function is a dedicated network function entity for data protection. Its configuration and maintenance complexity are lower, reducing the probability of misconfiguration and network authorization risks during data exchange, and improving the security and reliability of the data exchange process.

[0143] It should be understood that the description in the foregoing summary section is not intended to limit the key or essential features of the embodiments of the present invention, nor is it intended to restrict the scope of the invention. Other features of the invention will become readily apparent from the following description. Attached Figure Description

[0144] To more clearly illustrate the technical solutions in this application or the prior art, the drawings used in the description of the embodiments or the prior art will be briefly introduced below. Obviously, the drawings described below are some embodiments of the present invention. For those skilled in the art, other drawings can be obtained based on these drawings without creative effort.

[0145] Figure 1 A schematic diagram illustrating integrity and confidentiality verification provided for embodiments of this application;

[0146] Figure 2 A signaling diagram for data exchange provided in an embodiment of this application;

[0147] Figure 3 Signaling for the data processing method provided in the embodiments of this application Figure 1 ;

[0148] Figure 4 Signaling for the data processing method provided in the embodiments of this application Figure 2 ;

[0149] Figure 5 Signaling for the data processing method provided in the embodiments of this application Figure 3 ;

[0150] Figure 6 Signaling for the data processing method provided in the embodiments of this application Figure 4 ;

[0151] Figure 7 Schematic diagram of the data processing apparatus provided in the embodiments of this application Figure 1 ;

[0152] Figure 8 Schematic diagram of the data processing apparatus provided in the embodiments of this application Figure 2 ;

[0153] Figure 9 Schematic diagram of the data processing apparatus provided in the embodiments of this application Figure 3 ;

[0154] Figure 10 Schematic diagram of the data processing apparatus provided in the embodiments of this application Figure 4 ;

[0155] Figure 11 Schematic diagram of the data processing apparatus provided in the embodiments of this application Figure 5 ;

[0156] Figure 12 Schematic diagram of the data processing apparatus provided in the embodiments of this application Figure 6. Detailed Implementation

[0157] In the embodiments of this application, the term "and / or" describes the relationship between associated objects, indicating that three relationships can exist. For example, A and / or B can represent three cases: A alone, A and B simultaneously, and B alone. The character " / " generally indicates that the preceding and following associated objects have an "or" relationship.

[0158] In the embodiments of this application, the term "at least one" refers to one or more, "multiple" refers to two or more, and other quantifiers are similar.

[0159] The terms "first," "second," etc., used in the embodiments of this application are for illustrative purposes and to distinguish the objects being described. They do not indicate any order and do not imply any special limitation on the number of objects in the embodiments of this application. They do not constitute any limitation on the embodiments of this application.

[0160] The technical solutions of the embodiments of this application will be clearly and completely described below with reference to the accompanying drawings. Obviously, the described embodiments are only a part of the embodiments of this application, and not all of the embodiments. Based on the embodiments of this application, all other embodiments obtained by those of ordinary skill in the art without creative effort are within the scope of protection of this application.

[0161] This application provides a data processing method, apparatus, and storage medium to solve the technical problem that misconfiguration can easily occur during data exchange.

[0162] The method and apparatus are based on the same concept of the application. Since the methods and apparatus solve problems in similar ways, the implementation of the apparatus and methods can refer to each other, and the repeated parts will not be described again.

[0163] The technical solutions provided in this application can be applied to a variety of systems. For example, applicable systems may include Long Term Evolution (LTE) systems, LTE Frequency Division Duplex (FDD) systems, LTE Time Division Duplex (TDD) systems, Long Term Evolution Advanced (LTE-A) systems, Universal Mobile Telecommunications System (UMTS), Worldwide Interoperability for Microwave Access (WiMAX) systems, 5G New Radio (NR) systems and their evolved communication systems, and 6G (sixth generation mobile communication technology) systems. These systems may include terminal equipment and network equipment. The systems may also include a core network component, such as the Evolved Packet Core (EPC) and the 5G Core Network (5GC).

[0164] The terminal devices involved in the embodiments of this application can be devices that provide voice and / or data connectivity to users, handheld devices with wireless connectivity, or other processing devices connected to a wireless modem. The names of the terminal devices may differ in different systems; for example, in 5G or 6G systems, the terminal device may be called User Equipment (UE). Wireless terminal devices can be USB storage devices, other personal computer memory devices, and dongles. They can also communicate with one or more core networks (CNs) via a Radio Access Network (RAN). Wireless terminal devices can be mobile terminal devices, such as mobile phones (or "cellular" phones) and computers with mobile terminal devices. For example, they can be portable, pocket-sized, handheld, computer-embedded, or vehicle-mounted mobile devices that exchange voice and / or data with the radio access network. Examples of such devices include Personal Communication Service (PCS) phones, cordless phones, Session Initiated Protocol (SIP) phones, Wireless Local Loop (WLL) stations, Personal Digital Assistants (PDAs), personal computers, tablets, and Machine-type Communication (MTC) terminal devices. Wireless terminal devices can also be referred to as systems, subscriber units, subscriber stations, mobile stations, mobile devices, remote stations, access points, remote terminals, access terminals, user terminals, user agents, user devices, and wireless access devices and routers / modems that meet the limitations of this definition; however, this application does not limit the scope of the embodiments.

[0165] The network device involved in this application embodiment can be a base station, which may include multiple cells providing services to terminals. Depending on the specific application, the base station may also be called an access point, or a device in the access network that communicates with wireless terminal devices through one or more sectors on the air interface, or other names. The network device can be used to exchange received air frames with Internet Protocol (IP) packets, acting as a router between the wireless terminal device and the rest of the access network, where the rest of the access network may include an Internet Protocol (IP) communication network. The network device can also coordinate the attribute management of the air interface. For example, the network device involved in this application embodiment can be an evolved Node B (eNB or e-NodeB) in a long term evolution (LTE) system, a 5G base station (gNB) in a next generation system, or a Home evolved Node B (HeNB), relay node, femto, pico, network testing equipment, etc., and is not limited in this application embodiment. In some network architectures, network devices may include centralized unit (CU) nodes and distributed unit (DU) nodes, which may also be geographically separated.

[0166] A non-public network (NPN) is a network specifically provided for use by an enterprise or organization. There are two types of NPNs: stand-alone non-public networks (SNPNs) and public network integrated NPNs (PNI-NPNs). SNPNs are independent of carriers, while PNI-NPNs are networks built upon carrier networks.

[0167] With the development of communication technology, future 6G will introduce a network architecture of central and distributed networks. Among them, the distributed network in 6G can inherit and evolve from SNPN to realize the deployment of 6G distributed networks.

[0168] Figure 1 A schematic diagram illustrating the integrity and confidentiality verification provided in the embodiments of this application, such as... Figure 1As shown, it includes SNPN1, SNPN2, and a terminal. Among them, SNPN1 and SNPN2 are equivalent SNPNs.

[0169] SNPN1 is the SNPN where the terminal is currently located, and AMF1 is the Access and Mobility Management Function (AMF) network element in SNPN1; SNPN2 is the SNPN that the terminal is requesting to register with, and AMF2 is the AMF network element in SNPN2. The terminal's movement direction is from the coverage area of ​​SNPN1 to the coverage area of ​​SNPN2.

[0170] During the terminal's mobility registration process with SNPN2 or the initial registration process with SNPN2, the terminal performs integrity protection and encryption on the initial Non-Access Stratum (NAS) message based on context information and sends the initial NAS message to the access network equipment in SNPN2. The access network equipment then sends the integrity-protected and confidential initial NAS message to AMF2. AMF2 determines AMF1 based on the terminal's 5G Globally Unique Temporary Identifier (5G-GUTI) and requests the terminal's context information from AMF1. Then, AMF2 performs integrity and confidentiality verification on the initial NAS message based on the context information returned by AMF1. If the verification is successful, the terminal registration process continues; if the verification fails, the terminal undergoes primary authentication.

[0171] Currently, in roaming scenarios, data exchange between different networks is achieved through NRF network elements, as detailed in [link to relevant documentation]. Figure 2 Introduction. Figure 2 A signaling diagram for data exchange provided in an embodiment of this application, in Figure 2 The example includes two Public Land Mobile Networks (PLMNs), namely PLMN1 and PLMN2. PLMN1 includes a first Network Data Analytics Function (NWDAF) network element and a first NRF network element, while PLMN2 includes a second NWDAF network element and a second NRF network element.

[0172] exist Figure 2In the example, the second NWDAF network element needs to be pre-configured with the list of allowed analyses under each PLMN. For any PLMN, the list of allowed analyses under that PLMN includes the Analytics ID of the data that the PLMN is allowed to request from PLMN2. For example... Figure 2 As shown, it includes:

[0173] S201, the first NWDAF network element sends a token acquisition request message to the first NRF network element.

[0174] The first NWDAF network element needs to request data from PLMN2. Before requesting data from PLMN2, PLMN1 needs to obtain authorization from PLMN2. Therefore, the first NWDAF network element sends a token acquisition request message to the first NRF network element. This token acquisition request message is used to request a token. If PLMN1 can obtain the token sent by PLMN2, then PLMN1 has obtained authorization from PLMN2.

[0175] S202, the first NRF network element sends a token acquisition request message to the second NRF network element.

[0176] After receiving the token acquisition request message from the first NWDAF network element, the first NRF network element forwards the token acquisition request message to the second NRF network element. Optionally, the token acquisition request message includes an Analytics ID, which is used to indicate the requested data.

[0177] S203, the second NRF element verifies the token acquisition request message.

[0178] After receiving the token acquisition request message, the second NRF network element verifies the token acquisition request message and determines whether the Analytics ID is in the list of Analytics IDs allowed by PLMN1. If it is, the second NRF network element verifies the token acquisition request message.

[0179] S204, the second NRF network element sends a token acquisition response message to the first NRF network element.

[0180] After the second NRF network element verifies the token acquisition request message, the second NRF network element generates a token, which includes the Analytics ID that PLMN1 is allowed to access. The Analytics ID is used to indicate the data that PLMN1 is allowed to access.

[0181] S205, the first NRF network element sends a token to the first NWDAF network element.

[0182] After receiving the token, the first NRF network element sends the token to the first NWDAF network element. The first NWDAF network element can determine that PLMN1 has been authorized by PLMN2 based on the token.

[0183] The above embodiments describe how PLMN1 obtains authorization from PLMN2. The following describes, in conjunction with S206 to S209, how PLMN1 exchanges data after obtaining authorization from PLMN2.

[0184] S206, the first NWDAF network element sends a data request message to the second NWDAF network element.

[0185] The first NWDAF network element is the network element in PLMN1 that requests data. After PLMN1 obtains authorization from PLMN2, the first NWDAF network element sends a data request message to the second NWDAF network element. This data request message is used to request data from the second NWDAF network element. Correspondingly, the second NWDAF network element receives the data request message sent by the first NWDAF network element.

[0186] Optionally, the data request message includes an Analytics ID, which indicates the data requested by the first NWDAF network element.

[0187] Optionally, the data request message includes a token containing an Analytics ID that PLMN1 is allowed to access, which indicates the data that PLMN1 is allowed to access.

[0188] Optionally, the data request message may include an identifier for PLMN1, which is used to indicate PLMN1.

[0189] S207, the second NWDAF network element verifies the data request message and obtains the verification result.

[0190] Optionally, if the data request message includes a token, the second NWDAF network element verifies the token, such as verifying its validity and legality. If the second NWDAF network element fails to verify the token, the verification result of the data request message can be determined as verification failure.

[0191] Optionally, the data request message includes the identifier of PLMN1. The second NWDAF network element determines whether to open the data requested by the first NWDAF network element to PLMN1 based on the identifier of PLMN1 and the pre-configured local policy.

[0192] S208, the second NWDAF network element performs security protection processing on the data.

[0193] If the second NWDAF network element determines, based on the identifier of PLMN1 and pre-configured local policies, to expose the data requested by the first NWDAF network element to PLMN1, the second NWDAF network element can perform security protection processing on the data, such as anonymization, restriction, and desensitization, to obtain the data after security protection processing. In some embodiments, the second NWDAF network element can perform security protection processing on the data requested by each data consumer (PLMN granularity), determining the specific security protection processing strategy based on operator policies.

[0194] S209, the second NWDAF network element sends the data after security protection processing to the first NWDAF network element.

[0195] After receiving the data with security protection processing, the second NWDAF network element sends the data with security protection processing to the first NWDAF network element.

[0196] Based on the above Figure 2 As the introduction states, currently, data exchange between different PLMNs is authorized through tokens issued by the NRF network elements of each PLMN. Data exchange between PLMNs occurs only after authorization is granted. This entire process is maintained by the main network's NRF network elements. The configuration and maintenance of NRF network elements are complex; misconfiguration could lead to unauthorized authorization to PLMNs, resulting in data leaks and other risks. Furthermore, NRF network elements do not solely handle network security functions. 6G networks place even greater demands on security and resilience. Taking Artificial Intelligence (AI) data as an example, where AI is a core function of 6G networks, cross-domain data security cannot be guaranteed if access is authorized through NRF network elements and the extent of data access is determined by NWDAF network elements. This fails to meet the data security requirements of 6G networks.

[0197] Furthermore, there are currently no data protection methods designed for distributed networks and independent non-public networks independent of operators, and for data exchange between these independent non-public networks. Moreover, in independent non-public network scenarios, accessing terminals may have different security policy requirements, resulting in varying degrees of data openness and making implementation difficult.

[0198] Based on this, this application provides a data processing method that sets up a separate first network function for authorized network access, eliminating the need for authorized network access through NRF network elements. Since the first network function is a dedicated network function entity for data protection, its configuration and maintenance complexity is low, thereby reducing the probability of misconfiguration and the risk of network authorization during data exchange.

[0199] Figure 3Signaling for the data processing method provided in the embodiments of this application Figure 1 This method is applied to the first network function in the first network, such as... Figure 3 As shown, the method includes:

[0200] S31, receive first data sent by the first data analysis function network element in the first network, the first data being data requested by the second data analysis function network element in the second network, the second network being the network authorized for access by the first network function.

[0201] The first network may include multiple network elements, such as the first data analysis function network element, the first network function, and the AMF network element, etc.

[0202] The first data analysis function network element is a network element that possesses data analysis capabilities, data processing capabilities, or AI inference capabilities. In some embodiments, the first data analysis function network element may be, for example, an NWDAF network element.

[0203] The second network may include multiple network elements, such as a second data analysis function network element, a second network function, or an AMF network element, etc.

[0204] The second data analysis function network element is a network element that possesses data analysis capabilities, data processing capabilities, or AI inference capabilities. In some embodiments, the second data analysis function network element may be, for example, an NWDAF network element.

[0205] In this embodiment, before requesting data from the first network, the second data analysis function network element in the second network needs to obtain authorization from the first network function. The first network function is a network element within the first network specifically used for authorization management of data access to the first network and for security protection of the data within the first network. The first network function is a network function with network authorization capabilities and data protection processing capabilities. Network authorization capabilities can be, for example, the ability to act as an interface for data (e.g., AI data) between different networks. The first network function can authorize access to other networks, enabling those networks to request corresponding data from the first network. Data protection capabilities can be, for example, the ability to perform privacy-preserving computations or processing on data with privacy requirements, etc. In some embodiments, data protection capabilities can be the ability to perform privacy-preserving processing on data.

[0206] After the first network function authorizes access to the second network, the second data analysis function network element in the second network can send a first data request message to the second network function to request first data. The second network function receives the first data request message sent by the second data analysis function network element and sends a second data request message to the first data analysis function network element according to the first data request message.

[0207] The first data analysis function network element obtains the first data according to the second data request message and sends the first data to the first network function. Correspondingly, the first network function receives the first data sent by the first data analysis function network element.

[0208] S32, perform data protection processing on the first data to obtain the second data.

[0209] After receiving the first data, the first network function performs data protection processing on the first data. In some embodiments, the data protection processing is privacy processing, which may include anonymizing, restricting, or desensitizing the first data, thereby obtaining the second data.

[0210] S33, send second data to the second network function in the second network.

[0211] After receiving the second data, the first network function sends the second data to the second network function, and the second network function receives the second data sent by the first network function.

[0212] The data processing method provided in this application proposes a network function entity dedicated to data protection, namely a first network function with network authorization and data protection processing capabilities. When a second data analysis function network element in a second network needs to request data from the first network, it authorizes access to the second network through the first network function in the first network. Upon obtaining authorized access from the first network function, the first data analysis function network element in the first network acquires first data and sends it to the first network function. The first network function then performs data protection processing on the first data to obtain second data, which is then sent to the second network function. Since both the authorization access to the second network and the data protection processing are completed through the first network function, compared to NRF network elements, the first network function, being a dedicated data protection network function entity, has lower configuration and maintenance complexity, reducing the probability of misconfiguration and network authorization risks during data exchange, and improving the security and reliability of the data exchange process.

[0213] Figure 4 Signaling for the data processing method provided in the embodiments of this application Figure 2 ,like Figure 4 As shown, it includes:

[0214] S401, the second network function sends a token request message to the first network function.

[0215] In some embodiments, if an analytics consumer in the second network (e.g., an AMF network element in the second network) needs to subscribe to data, the analytics consumer in the second network can send a subscription message to a second data analytics function network element in the second network. Upon receiving the subscription message, the second data analytics function network element determines that it needs to obtain data from the first network.

[0216] When a second network requests data from the first network for the first time, or when the second network does not have authorized access to the functions of the first network, the second network needs to obtain authorized access to the functions of the first network before it can request data from the first network.

[0217] In some embodiments, a second network function in a second network can send a token request message to a first network function in a first network to request token information. Correspondingly, the first network function receives the token request message sent by the second network function and sends token information to the second network function based on the token request message. This token information is used to instruct the second network to authorize network access for the first network function.

[0218] In some embodiments, the token request message includes at least one of the following (a) to (e):

[0219] (a) Type information of the first data analysis function network element.

[0220] Since the second data analysis function network element in the second network requests data, and the first data analysis function network element is used to collect or acquire data, the first data analysis function network element is a data provider. The type information of the first data analysis function network element is used to indicate that the first data analysis function network element is a data provider. In some embodiments, the type information of the first data analysis function network element may also be referred to as the target network element type.

[0221] (b) Type information of the second data analysis function network element.

[0222] The second data analysis function network element is a network element in the second network that requests data. This second data analysis function network element requests data from the first data analysis function network element in the first network; therefore, the second data analysis function network element is a data consumer. The type information of the second data analysis function network element is used to indicate the consumer of the second data analysis function network element's metadata. In some embodiments, the type information of the second data analysis function network element can also be referred to as the consumer network element type.

[0223] (c) The service name requested by the second data analysis function network element.

[0224] In some embodiments, the second data analysis function network element requests data from the first data analysis function network element, and may also request corresponding services. The services requested by the second data analysis function network element can be indicated by service names. The second data analysis function network element uses request token information to access the requested services. In some embodiments, the services requested by the second data analysis function network element may include, for example, services exposed in the Nwdaf_RoamingAnalytics_Subscribe / Request API.

[0225] (d) Data type information requested by the network element for the second data analysis function.

[0226] The data type information requested by the second data analysis function network element is used to indicate the data type requested by the second data analysis function network element. The data type requested by the second data analysis function network element may include, for example, AI data, inference data, analysis result data, business data, etc., and this application embodiment does not limit this.

[0227] (e) Instruction information.

[0228] The token request message may include indication information, which indicates whether the data requested by the second data analysis function network element is terminal-related data.

[0229] In some embodiments, terminal-related data is data that requires corresponding data protection processing. Through this indication information, the first network function can determine whether the data requested by the second data analysis function network element belongs to terminal-related data, thereby determining whether to provide the relevant data to the second data analysis function network element, or to perform corresponding data protection operations on the relevant data.

[0230] In some embodiments, after receiving a token request message sent by a second network function, the first network function may first verify the token request message to determine whether to send token information to the second network function. This process can be referred to in the relevant descriptions of S402-S403.

[0231] S402, the first network function verifies the token request message and obtains the first verification result.

[0232] After receiving the token request message, the first network function verifies the token request message. The process of the first network function verifying the token request message is mainly used to verify whether the token request message is a legitimate token request message.

[0233] The token request message includes at least one of the information in (a) to (e). In some embodiments, the first network function can determine whether the token request message includes the corresponding information to obtain a first verification result.

[0234] For example, the token request message needs to include the type information of the first data analysis function network element, the type information of the second data analysis function network element, the service name requested by the second data analysis function network element, the data type information requested by the second data analysis function network element, and indication information. After receiving the token request message, the first network function can determine whether the token request message includes the above information. If the token request message includes the above information, the first verification result is verification passed; if the token request message does not include the above information, the first verification result is verification passed.

[0235] For example, the token request message needs to include the service name requested by the second data analysis function network element, the data type information requested by the second data analysis function network element, and indication information. After receiving the token request message, the first network function can determine whether the token request message includes the service name requested by the second data analysis function network element, the data type information requested by the second data analysis function network element, and indication information. If the token request message includes the service name requested by the second data analysis function network element, the data type information requested by the second data analysis function network element, and indication information, then the first verification result is verification passed; if the token request message does not include at least one of the service name requested by the second data analysis function network element, the data type information requested by the second data analysis function network element, and indication information, then the first verification result is verification passed.

[0236] S403, if the first verification result is successful, the first network function sends token information to the second network function.

[0237] If the first verification result is successful, it means that the token request message sent by the second network function is a valid token request message. Therefore, the first network function sends token information to the second network function.

[0238] In some embodiments, the token information includes data type indication information, which indicates the data type that the first network authorizes to access the second network.

[0239] Specifically, if the first verification result is successful, the first network function can query the data type that the first network authorized access to the second network, and then include the data type indication information in the token information. Correspondingly, the second network function receives the token information sent by the first network function.

[0240] In some embodiments, the first network function can query the data types that the first network authorizes to access the second network based on local network policies.

[0241] In some embodiments, the token information may also include other information, such as an electronic signature, the validity period of the token information, etc.

[0242] S404, the second data analysis function network element sends a first data request message to the second network function.

[0243] In some embodiments, if an analysis consumer in the second network (e.g., an AMF network element in the second network) needs to subscribe to the first data, the analysis consumer in the second network can send a subscription message to the second data analysis function network element in the second network.

[0244] After receiving the subscription message, the second data analysis function network element determines that it needs to obtain the first data from the first network. Then, the second data analysis function network element can send a first data request message to the second network function. Correspondingly, the second network function receives the first data request message sent by the second data analysis function network element. The first data request message is used to request the first data.

[0245] In some embodiments, the first data request message includes an identifier for first data and / or an identifier for a second network. The identifier for the first data indicates the first data; for example, if the first data is analytics data, the identifier for the first data could be, for example, the Analytics ID of the first data. The identifier for the second network indicates the second network.

[0246] S405, the second network function sends a second data request message to the first data analysis function network element based on the first data request message.

[0247] The second network is the network authorized to access by the first network function in the first network. The first network function authorizes access to the second network through token information. The authorization process can be found in the relevant descriptions in S401-S403, and will not be repeated here.

[0248] Since the second network has obtained authorized access to the functions of the first network, the second network function can request data from the first data analysis network within the first network. Specifically, based on the first data request message, the second network function sends a second data request message to the first data analysis function network element, and correspondingly, the first data analysis function network element receives the second data request message sent by the second network function.

[0249] In some embodiments, the second data request message includes at least one of the following: token information, an identifier of the first data, and an identifier of the second network.

[0250] In some embodiments, the token information is used to indicate to the second network the network that the first network has authorized access to. Optionally, the token information includes data type indication information to indicate the data type that the first network has authorized access to the second network.

[0251] In some embodiments, the first data request message includes an identifier of the first data. After receiving the first data request message, the second network function can obtain the identifier of the first data and carry it in the second data request message.

[0252] In some embodiments, the first data request message includes the identifier of the second network. After receiving the first data request message, the second network function can obtain the identifier of the second network and carry it in the second data request message.

[0253] S406, the first data analysis function network element obtains the first data according to the second data request message.

[0254] Specifically, after receiving the second data request message, the first data analysis function network element verifies the second data request message and obtains the second verification result.

[0255] For example, the second data request message includes token information, and the first data analysis function network element can verify the token information (e.g., verifying the validity and expiration of the token information). If the token information is invalid or has expired, the second verification result is determined to be verification failure.

[0256] For example, the second data request message includes token information and an identifier for the first data. The token information includes data type indication information, which indicates the data type that the first network authorizes to access the second network. The first data analysis function network element can determine whether the data type of the first data belongs to the data type that the first network authorizes to access the second network based on the identifier of the first data and the data type indication information included in the token information. If the data type of the first data does not belong to the data type that the first network authorizes to access the second network, the second verification result is verification failure.

[0257] If the second verification result is successful, the first data analysis function network element acquires the first data. In some embodiments, the first data analysis function network element may subscribe to data collection from relevant network elements to acquire the first data.

[0258] S407, the first data analysis function network element sends the first data to the first network function.

[0259] After the first data analysis function network element obtains the first data, it does not send it directly to the second data analysis function network element, but instead sends it to the first network function. Correspondingly, the first network function receives the first data sent by the first data analysis function network element.

[0260] S408, the first network function performs data protection processing on the first data to obtain the second data.

[0261] In some embodiments, the data protection processing is privacy processing, which may include, for example, anonymization processing, restriction processing, desensitization processing, noise addition processing, differential privacy processing, etc. After receiving the first data, the first network function performs data protection processing on the first data to obtain the second data.

[0262] S409, the first network function sends second data to the second network function.

[0263] After receiving the second data, the first network function sends the second data to the second network function, and the second network function receives the second data sent by the first network function.

[0264] S410, the second network function sends the second data to the second data analysis function network element.

[0265] After receiving the second data, the second network function sends the second data to the second data analysis function network element, and the second data analysis function network element receives the second data sent by the second network function.

[0266] The solution proposed in this application provides a network function entity dedicated to data protection, namely a first network function with network authorization capabilities and data protection processing capabilities. When a second data analysis function network element in a second network needs to request data from the first network, the first network function in the first network performs authorized access and data protection processing on the second network. Compared with NRF network elements, since the first network function is a network function entity dedicated to data protection, the configuration and maintenance complexity is lower, reducing the dependence on centralized management, reducing the probability of misconfiguration and network authorization risks during data exchange, and improving the security and reliability of the data exchange process.

[0267] In some embodiments, the first network is a non-public network or a distributed subnet, and the second network is one of the following: a public network, a non-public network, or a distributed subnet.

[0268] In some embodiments, the non-public network may be, for example, an SNPN, and the public network may be, for example, a PLMN. The distributed subnet is a distributed node in the 6G distributed network architecture, and the distributed subnet may inherit and evolve the deployment of the SNPN.

[0269] The following will use PLMN as an example of a public network and SNPN as a non-public network to illustrate the solution of this application.

[0270] Figure 5 Signaling for the data processing method provided in the embodiments of this application Figure 3 ,like Figure 5 As shown, it includes two networks: SNPN1 and SNPN2.

[0271] exist Figure 5 In the example, we will take the first network as a non-public network, the second network as a non-public network, the non-public network as SNPN, and the data analysis function network element as NWDAF as an example.

[0272] The first network is SNPN2, which includes network function B and NWDAF network element B. Figure 5 In the example, SNPN2 and the first network can be interchanged, network function B and the first network function in the first network can be interchanged, and NWDAF network element B and the first data analysis function network element in the first network can be interchanged.

[0273] The second network is SNPN1, which includes NF network element A, network function A, and NWDAF network element A. Figure 5 In the example, SNPN1 and the second network can be interchanged, network function A and the second network function in the second network can be interchanged, and NWDAF network element A and the second data analysis function network element in the second network can be interchanged.

[0274] like Figure 5 As shown, the method includes:

[0275] S501, NF network element A sends a subscription message to NWDAF network element A.

[0276] In some embodiments, if NF network element A needs to subscribe to first data, then NF network element A can send a subscription message to NWDAF network element A.

[0277] S502, NWDAF network element A determines that it needs to obtain the first data from SNPN2 based on the subscription message.

[0278] S503, NWDAF network element A sends a first data request message to network function A.

[0279] After receiving the subscription message, NWDAF network element A determines that it needs to obtain the first data from SNPN2. Then, NWDAF network element A can send a first data request message to network function A. Correspondingly, network function A receives the first data request message sent by NWDAF network element A. The first data request message is used to request the first data.

[0280] S504, Network Function A sends a token request message to Network Function B.

[0281] When requesting data from SNPN2 for the first time, or when SNPN1 has not obtained authorized access from Network Function B, SNPN1 needs to obtain authorized access from Network Function B before it can request data from SNPN2.

[0282] In some embodiments, network function A can send a token request message to network function B to request token information. Correspondingly, network function B receives the token request message sent by network function A. For a detailed description of the token request message, please refer to the relevant content in S401 of the above embodiments, which will not be repeated here.

[0283] S505, Network Function B verifies the token request message and obtains the first verification result.

[0284] After receiving the token request message, network function B verifies it. The verification process by network function B primarily checks whether the token request message is valid. The verification process can be found in the relevant description of S402 in the above embodiment, and will not be repeated here.

[0285] S506, if the first verification result is successful, network function B sends a token message to network function A.

[0286] If the first verification result is successful, it means that the token request message sent by network function A is a valid token request message. Therefore, network function B sends token information to network function A.

[0287] S507, Network function A sends a second data request message to NWDAF network element B based on the first data request message.

[0288] Through the above steps S501 to S506, SNPN1 has obtained authorized access from network function B, therefore network function A can request data from NWDAF network element B. Specifically, network function A sends a second data request message to NWDAF network element B according to the first data request message, and correspondingly, NWDAF network element B receives the second data request message sent by network function A. A description of the second data request message can be found in the relevant description of S405 in the above embodiments, and will not be repeated here.

[0289] S508, NWDAF network element B obtains the first data according to the second data request message.

[0290] Specifically, after receiving the second data request message, NWDAF network element B verifies the second data request message and obtains a second verification result. The verification process of the second data request message can be found in the relevant description of S406 in the above embodiment, and will not be repeated here.

[0291] S509, NWDAF network element B sends the first data to network function B.

[0292] After NWDAF element B obtains the first data, it does not send it directly to NWDAF element A, but instead sends it to network function B. Correspondingly, network function B receives the first data sent by NWDAF element B.

[0293] S510, Network Function B performs data protection processing on the first data to obtain the second data.

[0294] In some embodiments, the data protection processing is privacy processing, which may include, for example, anonymization, restriction, desensitization, noise addition, differential privacy processing, etc. After receiving the first data, network function B performs data protection processing on the first data to obtain the second data.

[0295] S511, Network function B sends second data to network function A.

[0296] S512, Network function A sends second data to NWDAF network element A.

[0297] The solution in this application embodiment can be applied to scenarios where both the first network and the second network are non-public networks (or distributed subnets). It proposes a network function entity dedicated to data protection, namely the first network function. When the second data analysis function network element in the second network needs to request data from the first network, the first network function in the first network can authorize access to the second network and perform data protection processing, thereby reducing the probability of misconfiguration and the risk of network authorization during data exchange, and improving the security and reliability of the data exchange process.

[0298] Figure 6 Signaling for the data processing method provided in the embodiments of this application Figure 4 ,like Figure 6 As shown, it includes two networks: SNPN1 and SNPN2.

[0299] exist Figure 6 In the example, the first network is a non-public network, the second network is a public network, the non-public network is SNPN, the public network is PLMN, and the data analysis function network element is NWDAF.

[0300] The first network is SNPN1 / SNPN2, where SNPN1 includes network function A and NWDAF network element A. Figure 6 In the example, SNPN1 and the first network can be interchanged, network function A and the first network function in the first network can be interchanged, and NWDAF network element A and the first data analysis function network element in the first network can be interchanged; SNPN2 includes network function B and NWDAF network element B. Figure 6 In the example, SNPN2 and the first network can be interchanged, network function B and the first network function in the first network can be interchanged, and NWDAF network element B and the first data analysis function network element in the first network can be interchanged.

[0301] The second network is a PLMN, which includes network function C and NWDAF network element C. Figure 6 In the example, PLMN and the second network can be interchanged, network function C and the second network function in the second network can be interchanged, and NWDAF network element C and the second data analysis function network element in the second network can be interchanged.

[0302] like Figure 6 As shown, the method includes:

[0303] S601, NWDAF network element C sends a first data request message to network function C.

[0304] S602, Network function C determines, based on the first data request message, that it needs to obtain first data from SNPN1 / SNPN2.

[0305] S603a, Network Function C sends a token request message to Network Function A.

[0306] S603b, Network Function C sends a token request message to Network Function B.

[0307] S604a, Network Function A verifies the token request message and obtains the first verification result.

[0308] S604b, Network Function B verifies the token request message and obtains the first verification result.

[0309] S605a, if the first verification result is successful, network function A sends a token message to network function C.

[0310] S605b, if the first verification result is successful, network function B sends a token message to network function C.

[0311] The implementation process of S603a to S605a (i.e., the process by which network function A in SNPN1 authorizes the PLMN) can be found in the implementation schemes of S504 to S506 in the above embodiments (i.e. Figure 5 The process of network function A in SNPN1 authorizing SNPN2 in the embodiment; the implementation process of S603b to S605b (i.e., the process of network function B in SNPN2 authorizing PLMN) can be found in the implementation schemes of S504 to S506 in the above embodiment (i.e. Figure 5 The process by which network function A in SNPN1 authorizes SNPN2 in the embodiment will not be described here.

[0312] S606a, Network function C sends a second data request message to NWDAF network element A based on the first data request message.

[0313] S606b, network function C sends a second data request message to NWDAF network element B based on the first data request message.

[0314] S607a, NWDAF network element A obtains the first data according to the second data request message.

[0315] S607b, NWDAF network element B obtains the first data according to the second data request message.

[0316] S608a, NWDAF network element A sends the first data to network function A.

[0317] S608b, NWDAF network element B sends the first data to network function B.

[0318] S609a, Network Function A performs data protection processing on the first data to obtain the second data.

[0319] In S609b, network function B performs data protection processing on the first data to obtain the second data.

[0320] S610a, Network function A sends second data to network function C.

[0321] S610b, Network Function B sends second data to Network Function C.

[0322] The implementation process of S606a to S610a (i.e., the process of data exchange between SNPN1 and PLMN) can be found in the implementation scheme of S507 to S511 in the above embodiments (i.e. Figure 5 The process of data exchange between SNPN1 and SNPN2 in the embodiment; the implementation process of S606b to S610b (i.e., the process of data exchange between SNPN2 and PLMN) can be found in the implementation scheme of S504 to S506 in the above embodiment (i.e. Figure 5 The process of data exchange between SNPN1 and SNPN2 in the embodiment will not be described here.

[0323] S611, Network function C sends second data to NWDAF network element C.

[0324] The solution in this application embodiment can be applied to scenarios where the first network is a non-public network (or a distributed subnet) and the second network is a public network. It proposes a network function entity dedicated to data protection, namely the first network function. When the second data analysis function network element in the second network needs to request data from the first network, the first network function in the first network performs authorized access and data protection processing on the second network, reducing the probability of misconfiguration and the risk of network authorization during data exchange, and improving the security and reliability of the data exchange process.

[0325] Figure 7 Schematic diagram of the data processing apparatus provided in the embodiments of this application Figure 1 ,like Figure 7 As shown, the device includes: a memory, a transceiver, and a processor.

[0326] The memory 720 is used to store computer programs; the transceiver 700 is used to send and receive data under the control of the processor 710; the processor 710 is used to read the computer program stored in the memory 720 and perform the following operations:

[0327] Receive first data sent by the first data analysis function network element in the first network. The first data is data requested by the second data analysis function network element in the second network. The second network is a network authorized to access by the first network function in the first network. The first network function is a network function with network authorization capability and data protection processing capability.

[0328] The first data is processed for data protection to obtain the second data;

[0329] Send second data to the second network function in the second network.

[0330] In some embodiments, data protection processing is privacy processing.

[0331] In some embodiments, the processor is also configured to perform the following operations:

[0332] Receive token request messages sent by the second network function;

[0333] The token information is sent to the second network function according to the token request message. The token information is used to instruct the second network function to authorize access to the network for the first network function.

[0334] In some embodiments, the token request message includes at least one of the following:

[0335] The first data analysis function provides information on the type of network elements;

[0336] The type information of the second data analysis function network element; the second data analysis function network element is the network element in the second network that requests data.

[0337] The service name requested by the network element for the second data analysis function;

[0338] The second data analysis function requests data type information from network elements;

[0339] The indication information is used to indicate whether the data requested by the second data analysis function network element belongs to the data related to the terminal.

[0340] In some embodiments, sending token information to a second network function according to a token request message includes:

[0341] Verify the token request message and obtain the first verification result;

[0342] If the first verification result is successful, a token message is sent to the second network function.

[0343] In some embodiments, the token information includes data type indication information, wherein:

[0344] The data type indication information is used to indicate the data type that the first network authorizes to access the second network.

[0345] In some embodiments, the first network is a non-public network or a distributed subnet;

[0346] The second network falls into one of the following categories: public network, non-public network, or distributed subnet.

[0347] Among them, Figure 7In this context, the bus architecture can include any number of interconnected buses and bridges, specifically linking various circuits together, represented by one or more processors (represented by a processor) and memory (represented by memory). The bus architecture can also link together various other circuits such as peripheral devices, voltage regulators, and power management circuits, which are well known in the art and therefore will not be described further herein. The bus interface provides the interface. The transceiver can be multiple components, including transmitters and receivers, providing a unit for communicating with various other devices over transmission media, including wireless channels, wired channels, optical fibers, etc. The processor is responsible for managing the bus architecture and general processing, and the memory can store data used by the processor 710 during operation.

[0348] Optionally, the processor 710 may be a central processing unit (CPU), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA), or a complex programmable logic device (CPLD). The processor 710 may also adopt a multi-core architecture.

[0349] The processor 710 executes any of the methods provided in the embodiments of this application according to the obtained executable instructions by calling the program stored in the memory 720. The processor 710 and the memory 720 may also be physically separated.

[0350] It should be noted that the data processing apparatus provided in this application embodiment can implement all the method steps implemented in the above method embodiment and can achieve the same technical effect. Here, the parts that are the same as those in the method embodiment and the beneficial effects will not be described in detail.

[0351] Figure 8 Schematic diagram of the data processing apparatus provided in the embodiments of this application Figure 2 ,like Figure 8 As shown, the device includes: a memory, a transceiver, and a processor.

[0352] The memory 820 is used to store computer programs; the transceiver 800 is used to send and receive data under the control of the processor 810; the processor 810 is used to read the computer program stored in the memory 820 and perform the following operations:

[0353] The system receives a first data request message sent by a second data analysis function network element in the second network. The first data request message is used to request first data. The second network is a network authorized to access by a first network function in the first network. The first network function is a network function with network authorization capability and data protection processing capability.

[0354] Based on the first data request message, a second data request message is sent to the first data analysis function network element in the first network;

[0355] Receive second data sent by the first network function, wherein the second data is data obtained by performing data protection processing on the first data;

[0356] Send the second data to the second data analysis function network element.

[0357] In some embodiments, data protection processing is privacy processing.

[0358] In some embodiments, the second data request message includes at least one of the following:

[0359] Token information, used to instruct the second network to authorize access to the functions of the first network;

[0360] The identifier of the first data;

[0361] The identifier of the second network.

[0362] In some embodiments, the first data request message includes an identifier of the first data and / or an identifier of the second network.

[0363] In some embodiments, the processor is also configured to perform the following operations:

[0364] Send a token request message to the first network function;

[0365] Receive token information sent by the first network function, the token information being used to instruct the second network to authorize access to the network by the first network function.

[0366] In some embodiments, the token request message includes at least one of the following:

[0367] The first data analysis function provides information on the type of network elements;

[0368] The type information of the second data analysis function network element; the second data analysis function network element is the network element in the second network that requests data.

[0369] The service name requested by the network element for the second data analysis function;

[0370] The second data analysis function requests data type information from network elements;

[0371] The indication information is used to indicate whether the data requested by the second data analysis function network element belongs to the data related to the terminal.

[0372] In some embodiments, the token information includes data type indication information, wherein:

[0373] The data type indication information is used to indicate the data type that the first network authorizes to access the second network.

[0374] In some embodiments, the first network is a non-public network or a distributed subnet;

[0375] The second network falls into one of the following categories: public network, non-public network, or distributed subnet.

[0376] Among them, Figure 8 In this context, the bus architecture can include any number of interconnected buses and bridges, specifically linking various circuits represented by one or more processors (represented by a processor) and memory (represented by memory). The bus architecture can also link various other circuits, such as peripheral devices, voltage regulators, and power management circuits, which are well known in the art and therefore will not be described further herein. The bus interface provides the interface. The transceiver can be multiple components, including transmitters and receivers, providing a unit for communicating with various other devices over transmission media, including wireless channels, wired channels, optical fibers, etc. The processor is responsible for managing the bus architecture and general processing, and the memory can store data used by the processor 810 during operation.

[0377] The processor 810 can be a CPU, ASIC, FPGA or CPLD, and the processor can also adopt a multi-core architecture.

[0378] The processor 810 executes any of the methods provided in the embodiments of this application by calling a computer program stored in memory, according to the obtained executable instructions. The processor 810 and the memory 820 may also be physically separated.

[0379] It should be noted that the data processing apparatus provided in this application embodiment can implement all the method steps implemented in the above method embodiment and can achieve the same technical effect. Here, the parts that are the same as those in the method embodiment and the beneficial effects will not be described in detail.

[0380] Figure 9 Schematic diagram of the data processing apparatus provided in the embodiments of this application Figure 3 ,like Figure 9 As shown, the device includes: a memory, a transceiver, and a processor.

[0381] The memory 920 is used to store computer programs; the transceiver 900 is used to send and receive data under the control of the processor 910; the processor 910 is used to read the computer program stored in the memory 920 and perform the following operations:

[0382] Receives a second data request message sent by a second network function in a second network; the second network is a network authorized for access by a first network function in a first network, and the first network function is a network function with network authorization capability and data protection processing capability;

[0383] Obtain the first data according to the second data request message;

[0384] Send the first data to the first network function in the first network.

[0385] In some embodiments, the second data request message includes at least one of the following:

[0386] Token information, used to instruct the second network to authorize access to the functions of the first network;

[0387] The identifier of the first data;

[0388] The identifier of the second network.

[0389] In some embodiments, the token information includes data type indication information, wherein:

[0390] The data type indication information is used to indicate the data type that the first network authorizes to access the second network.

[0391] In some embodiments, obtaining first data according to a second data request message includes:

[0392] The second data request message is verified to obtain the second verification result.

[0393] If the second verification result is successful, obtain the first data.

[0394] In some embodiments, the first network is a non-public network or a distributed subnet;

[0395] The second network falls into one of the following categories: public network, non-public network, or distributed subnet.

[0396] Among them, Figure 9In this context, the bus architecture can include any number of interconnected buses and bridges, specifically linking various circuits together, represented by one or more processors (represented by a processor) and memory (represented by memory). The bus architecture can also link together various other circuits such as peripheral devices, voltage regulators, and power management circuits, which are well known in the art and therefore will not be described further herein. The bus interface provides the interface. The transceiver can be multiple components, including transmitters and receivers, providing units for communicating with various other devices over transmission media, including wireless channels, wired channels, optical fibers, etc. The processor is responsible for managing the bus architecture and general processing, and the memory can store data used by the processor 910 during operation.

[0397] The processor 910 can be a CPU, ASIC, FPGA or CPLD, and the processor can also adopt a multi-core architecture.

[0398] The processor 910 executes any of the methods provided in the embodiments of this application by calling a computer program stored in the memory, according to the obtained executable instructions. The processor 910 and the memory 920 may also be physically separated.

[0399] It should be noted that the data processing apparatus provided in this application embodiment can implement all the method steps implemented in the above method embodiment and can achieve the same technical effect. Here, the parts that are the same as those in the method embodiment and the beneficial effects will not be described in detail.

[0400] Figure 10 Schematic diagram of the data processing apparatus provided in the embodiments of this application Figure 4 .like Figure 10 As shown, the data processing device 1000 includes:

[0401] The first receiving module 1010 is used to receive first data sent by the first data analysis function network element in the first network. The first data is data requested by the second data analysis function network element in the second network. The second network is a network authorized to access by the first network function. The first network function is a network function with network authorization capability and data protection processing capability.

[0402] Processing module 1020 is used to perform data protection processing on the first data to obtain the second data;

[0403] The first transmitting module 1030 is used to transmit second data to the second network function in the second network.

[0404] In some embodiments, data protection processing is privacy processing.

[0405] In some embodiments,

[0406] The first receiving module 1010 is also used to receive a token request message sent by the second network function;

[0407] The first sending module 1030 is also used to send token information to the second network function according to the token request message. The token information is used to instruct the second network to authorize the first network function to access the network.

[0408] In some embodiments, the token request message includes at least one of the following:

[0409] The first data analysis function provides information on the type of network elements;

[0410] The type information of the second data analysis function network element; the second data analysis function network element is the network element in the second network that requests data.

[0411] The service name requested by the network element for the second data analysis function;

[0412] The second data analysis function requests data type information from network elements;

[0413] The indication information is used to indicate whether the data requested by the second data analysis function network element belongs to the data related to the terminal.

[0414] In some embodiments, the first sending module 1030 is further configured to:

[0415] Verify the token request message and obtain the first verification result;

[0416] If the first verification result is successful, a token message is sent to the second network function.

[0417] In some embodiments, the token information includes data type indication information, wherein:

[0418] The data type indication information is used to indicate the data type that the first network authorizes to access the second network.

[0419] In some embodiments, the first network is a non-public network or a distributed subnet;

[0420] The second network falls into one of the following categories: public network, non-public network, or distributed subnet.

[0421] It should be noted that the data processing device 1000 provided in this application can implement all the method steps implemented by the first network function in the above method embodiment and can achieve the same technical effect. Here, the parts and beneficial effects that are the same as those in the method embodiment will not be described in detail.

[0422] Figure 11 Schematic diagram of the data processing apparatus provided in the embodiments of this application Figure 5 .like Figure 11 As shown, the data processing device 1100 includes:

[0423] The second receiving module 1110 is used to receive a first data request message sent by the second data analysis function network element in the second network. The first data request message is used to request first data. The second network is a network authorized to access the first network function in the first network. The first network function is a network function with network authorization capability and data protection processing capability.

[0424] The second sending module 1120 is used to send a second data request message to the first data analysis function network element in the first network according to the first data request message;

[0425] The third receiving module 1130 is used to receive second data sent by the first network function, the second data being data obtained by performing data protection processing on the first data;

[0426] The third sending module 1140 is used to send the second data to the second data analysis function network element.

[0427] In some embodiments, data protection processing is privacy processing.

[0428] In some embodiments, the second data request message includes at least one of the following:

[0429] Token information, used to instruct the second network to authorize access to the functions of the first network;

[0430] The identifier of the first data;

[0431] The identifier of the second network.

[0432] In some embodiments, the first data request message includes an identifier of the first data and / or an identifier of the second network.

[0433] In some embodiments,

[0434] The second sending module 1120 is also used to send a token request message to the first network function;

[0435] The third receiving module 1130 is also used to receive token information sent by the first network function, the token information being used to instruct the second network to authorize the first network function to access the network.

[0436] In some embodiments, the token request message includes at least one of the following:

[0437] The first data analysis function provides information on the type of network elements;

[0438] The type information of the second data analysis function network element; the second data analysis function network element is the network element in the second network that requests data.

[0439] The service name requested by the network element for the second data analysis function;

[0440] The second data analysis function requests data type information from network elements;

[0441] The indication information is used to indicate whether the data requested by the second data analysis function network element belongs to the data related to the terminal.

[0442] In some embodiments, the token information includes data type indication information, wherein:

[0443] The data type indication information is used to indicate the data type that the first network authorizes to access the second network.

[0444] In some embodiments, the first network is a non-public network or a distributed subnet;

[0445] The second network falls into one of the following categories: public network, non-public network, or distributed subnet.

[0446] It should be noted that the data processing device 1100 provided in this application can implement all the method steps implemented by the second network function in the above method embodiment and can achieve the same technical effect. Here, the parts and beneficial effects that are the same as those in the method embodiment will not be described in detail.

[0447] Figure 12 Schematic diagram of the data processing apparatus provided in the embodiments of this application Figure 6 .like Figure 12 As shown, the data processing device 1200 includes:

[0448] The fourth receiving module 1210 is used to receive a second data request message sent by a second network function in the second network; the second network is a network authorized to be accessed by a first network function in the first network, and the first network function is a network function with network authorization capability and data protection processing capability;

[0449] The acquisition module 1220 is used to acquire the first data according to the second data request message;

[0450] The fourth sending module 1230 is used to send first data to the first network function in the first network.

[0451] In some embodiments, the second data request message includes at least one of the following:

[0452] Token information, used to instruct the second network to authorize access to the functions of the first network;

[0453] The identifier of the first data;

[0454] The identifier of the second network.

[0455] In some embodiments, the token information includes data type indication information, wherein:

[0456] The data type indication information is used to indicate the data type that the first network authorizes to access the second network.

[0457] In some embodiments, the acquisition module 1220 is specifically used for:

[0458] The second data request message is verified to obtain the second verification result.

[0459] If the second verification result is successful, obtain the first data.

[0460] In some embodiments, the first network is a non-public network or a distributed subnet;

[0461] The second network falls into one of the following categories: public network, non-public network, or distributed subnet.

[0462] It should be noted that the data processing device 1200 provided in this application can implement all the method steps implemented by the first data analysis function network element in the above method embodiment, and can achieve the same technical effect. Here, the parts that are the same as those in the method embodiment and the beneficial effects will not be described in detail.

[0463] It should be noted that the division of units in the embodiments of this application is illustrative and only represents one logical functional division. In actual implementation, other division methods may be used. Furthermore, the functional units in the various embodiments of this application can be integrated into one processing unit, or each unit can exist physically separately, or two or more units can be integrated into one unit. The integrated units described above can be implemented in hardware or as software functional units.

[0464] If the integrated unit is implemented as a software functional unit and sold or used as an independent product, it can be stored in a processor-readable storage medium. Based on this understanding, the technical solution of this application, in essence, or the part that contributes to the prior art, or all or part of the technical solution, can be embodied in the form of a software product. This computer software product is stored in a storage medium and includes several instructions to cause a computer device (which may be a personal computer, server, or network device, etc.) or processor to execute all or part of the steps of the methods of the various embodiments of this application.

[0465] It should be noted that the apparatus provided in this application embodiment can implement all the method steps implemented in the above method embodiment and can achieve the same technical effect. Here, the parts that are the same as those in the method embodiment and the beneficial effects will not be described in detail.

[0466] This application also provides a processor-readable storage medium storing a computer program for causing the processor to execute all the method steps in the above method embodiments.

[0467] Non-transiently readable storage media can be any available medium or data storage device that the processor can access, including but not limited to magnetic storage (e.g., floppy disks, hard disks, magnetic tapes, magneto-optical disks (MOs), etc.), optical storage (e.g., CDs, DVDs, BDs, HVDs, etc.), and semiconductor storage (e.g., ROMs, EPROMs, EEPROMs, non-volatile memory (NAND flash), solid-state drives (SSDs)).

[0468] This application also provides a computer program product, including a computer program that, when executed by a processor, implements any of the methods described in the above-described method embodiments.

[0469] Processor-readable storage media can be any available medium or data storage device that the processor can access, including but not limited to magnetic storage (e.g., floppy disks, hard disks, magnetic tapes, magneto-optical disks (MOs), etc.), optical storage (e.g., CDs, DVDs, BDs, HVDs, etc.), and semiconductor storage (e.g., ROMs, EPROMs, EEPROMs, non-volatile memory (NAND flash), solid-state drives (SSDs)).

[0470] Those skilled in the art will understand that embodiments of this application can be provided as methods, systems, or computer program products. Therefore, this application can take the form of a completely hardware embodiment, a completely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, this application can take the form of a computer program product implemented on one or more computer-usable storage media (including, but not limited to, disk storage and optical storage) containing computer-usable program code.

[0471] This application is described with reference to flowchart illustrations and / or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of this application. It will be understood that each block of the flowchart illustrations and / or block diagrams, and combinations of blocks in the flowchart illustrations and / or block diagrams, can be implemented by computer-executable instructions. These computer-executable instructions can be provided to a processor of a general-purpose computer, special-purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, generate instructions for implementing the flowchart... Figure 1 One or more processes and / or boxes Figure 1 A device that provides the functions specified in one or more boxes.

[0472] These processor-executable instructions may also be stored in a processor-readable memory that can direct a computer or other programmable data processing device to operate in a particular manner, such that the instructions stored in the processor-readable memory produce an article of manufacture including instruction means, which are implemented in a process Figure 1 One or more processes and / or boxes Figure 1 The function specified in one or more boxes.

[0473] Obviously, those skilled in the art can make various modifications and variations to this application without departing from the spirit and scope of this application. Therefore, if such modifications and variations fall within the scope of the claims of this application and their equivalents, this application also intends to include such modifications and variations.

Claims

1. A data processing method, characterized in that, A first network function applied in a first network, wherein the first network function is a network function with network authorization capability and data protection processing capability, the method includes: Receive first data sent by the first data analysis function network element in the first network, wherein the first data is data requested by the second data analysis function network element in the second network, and the second network is the network authorized to be accessed by the first network function. The first data is subjected to data protection processing to obtain the second data; The second data is sent to the second network function in the second network.

2. The method according to claim 1, characterized in that, The data protection process described herein is a privacy-preserving process.

3. The method according to claim 1 or 2, characterized in that, The method further includes: Receive the token request message sent by the second network function; The token information is sent to the second network function according to the token request message. The token information is used to instruct the second network to authorize the first network function to access the network.

4. The method according to claim 3, characterized in that, The token request message includes at least one of the following: The type information of the first data analysis function network element; The type information of the second data analysis function network element, where the second data analysis function network element is the network element in the second network that requests data; The service name requested by the network element for the second data analysis function; The second data analysis function requests data type information from network elements; The indication information is used to indicate whether the data requested by the second data analysis function network element belongs to the data related to the terminal.

5. The method according to claim 3 or 4, characterized in that, Sending token information to the second network function according to the token request message includes: The token request message is verified to obtain a first verification result; If the first verification result is successful, the token information is sent to the second network function.

6. The method according to any one of claims 3-5, characterized in that, The token information includes data type indication information, wherein: The data type indication information is used to indicate the data type that the first network authorizes to access the second network.

7. The method according to any one of claims 1-6, characterized in that, The first network is a non-public network or a distributed subnet; The second network belongs to one of the following categories: public network, non-public network, distributed subnet.

8. A data processing method, characterized in that, The method, which applies a second network function to a second network, includes: The system receives a first data request message sent by a second data analysis function network element in the second network. The first data request message is used to request first data. The second network is a network authorized to access a first network function in the first network. The first network function is a network function with network authorization capability and data protection processing capability. Based on the first data request message, a second data request message is sent to the first data analysis function network element in the first network; Receive second data sent by the first network function, wherein the second data is data obtained by performing data protection processing on the first data; The second data is sent to the second data analysis function network element.

9. The method according to claim 8, characterized in that, The data protection process described herein is a privacy-preserving process.

10. The method according to claim 8 or 9, characterized in that, The second data request message includes at least one of the following: Token information, used to indicate to the second network that the first network has authorized access to the network's functions; The identifier of the first data; The identifier of the second network.

11. The method according to any one of claims 8-10, characterized in that, The first data request message includes an identifier for the first data and / or an identifier for the second network.

12. The method according to any one of claims 8-11, characterized in that, The method further includes: Send a token request message to the first network function; The system receives a token from the first network function, the token being used to instruct the second network to authorize access to the network by the first network function.

13. The method according to claim 12, characterized in that, The token request message includes at least one of the following: The type information of the first data analysis function network element; The type information of the second data analysis function network element, where the second data analysis function network element is the network element in the second network that requests data; The service name requested by the network element for the second data analysis function; The second data analysis function requests data type information from network elements; The indication information is used to indicate whether the data requested by the second data analysis function network element belongs to the data related to the terminal.

14. The method according to claim 12 or 13, characterized in that, The token information includes data type indication information, wherein: The data type indication information is used to indicate the data type that the first network authorizes to access the second network.

15. The method according to any one of claims 8-14, characterized in that, The first network is a non-public network or a distributed subnet; The second network belongs to one of the following categories: public network, non-public network, distributed subnet.

16. A data processing method, characterized in that, The method, applied to a first data analysis function network element in a first network, includes: Receive a second data request message sent by a second network function in a second network; the second network is a network authorized to be accessed by a first network function in a first network, and the first network function is a network function with network authorization capability and data protection processing capability; Obtain the first data according to the second data request message; Send the first data to the first network function in the first network.

17. The method according to claim 16, characterized in that, The second data request message includes at least one of the following: Token information, used to indicate to the second network that the first network has authorized access to the network's functions; The identifier of the first data; The identifier of the second network.

18. The method according to claim 17, characterized in that, The token information includes data type indication information, wherein: The data type indication information is used to indicate the data type that the first network authorizes to access the second network.

19. The method according to any one of claims 16-18, characterized in that, The step of obtaining the first data according to the second data request message includes: The second data request message is verified to obtain a second verification result; If the second verification result is successful, the first data is obtained.

20. The method according to any one of claims 16-19, characterized in that, The first network is a non-public network or a distributed subnet; The second network belongs to one of the following categories: public network, non-public network, distributed subnet.

21. A data processing apparatus, characterized in that, A first network function applied in a first network, wherein the first network function is a network function with network authorization capability and data protection processing capability, the device comprising: The first receiving module is used to receive first data sent by the first data analysis function network element in the first network, wherein the first data is data requested by the second data analysis function network element in the second network, and the second network is the network authorized for access by the first network function. The processing module is used to perform data protection processing on the first data to obtain the second data; The first sending module is used to send the second data to the second network function in the second network.

22. A data processing apparatus, characterized in that, The apparatus includes a second network function applied in a second network. The second receiving module is used to receive a first data request message sent by the second data analysis function network element in the second network. The first data request message is used to request first data. The second network is a network authorized to access the first network function in the first network. The first network function is a network function with network authorization capability and data protection processing capability. The second sending module is used to send a second data request message to the first data analysis function network element in the first network according to the first data request message; The third receiving module is used to receive the second data sent by the first network function, wherein the second data is data obtained by performing data protection processing on the first data; The third sending module is used to send the second data to the second data analysis function network element.

23. A data processing apparatus, characterized in that, The device, which is applied to a first data analysis function network element in a first network, includes: The fourth receiving module is used to receive a second data request message sent by a second network function in the second network; the second network is a network authorized to be accessed by a first network function in the first network, and the first network function is a network function with network authorization capability and data protection processing capability; The acquisition module is used to acquire the first data based on the second data request message; The fourth sending module is used to send the first data to the first network function in the first network.

24. A data processing apparatus, characterized in that, Includes memory, transceiver, and processor: A memory for storing computer programs; a transceiver for sending and receiving data under the control of the processor; and a processor for reading the computer programs from the memory and performing the following operations: Receive first data sent by a first data analysis function network element in a first network, the first data being data requested by a second data analysis function network element in a second network, the second network being a network authorized to access by a first network function in the first network, the first network function being a network function with network authorization capability and data protection processing capability; The first data is subjected to data protection processing to obtain the second data; The second data is sent to the second network function in the second network.

25. A data processing apparatus, characterized in that, Includes memory, transceiver, and processor: A memory for storing computer programs; a transceiver for sending and receiving data under the control of the processor; and a processor for reading the computer programs from the memory and performing the following operations: The system receives a first data request message sent by a second data analysis function network element in the second network. The first data request message is used to request first data. The second network is a network authorized to access a first network function in the first network. The first network function is a network function with network authorization capability and data protection processing capability. Based on the first data request message, a second data request message is sent to the first data analysis function network element in the first network; Receive second data sent by the first network function, wherein the second data is data obtained by performing data protection processing on the first data; The second data is sent to the second data analysis function network element.

26. A data processing apparatus, characterized in that, Includes memory, transceiver, and processor: A memory for storing computer programs; a transceiver for sending and receiving data under the control of the processor; and a processor for reading the computer programs from the memory and performing the following operations: Receive a second data request message sent by a second network function in a second network; the second network is a network authorized to be accessed by a first network function in a first network, and the first network function is a network function with network authorization capability and data protection processing capability; Obtain the first data according to the second data request message; Send the first data to the first network function in the first network.

27. A non-transiently readable storage medium, characterized in that, The non-transiently readable storage medium stores a computer program that causes a processor to perform the method according to any one of claims 1 to 7, or the computer program causes a processor to perform the method according to any one of claims 8 to 15, or the computer program causes a processor to perform the method according to any one of claims 16 to 20.