Access control for client application
The NEF analyzes vulnerabilities and monitors application traffic to prevent unauthorized access and threats, enhancing 5G network security by closing access when risks are detected, thus reducing network risks and ensuring compliance.
Patent Information
- Authority / Receiving Office: WO
- Patent Type: Applications
- Current Assignee / Owner: TELEFONAKTIEBOLAGET LM ERICSSON (PUBL)
- Filing Date: 2024-12-23
- Publication Date: 2026-07-02
AI Technical Summary
Current security mechanisms in 5G networks are inadequate to protect against various security threats, including Man-in-the-Middle attacks, session hijacking, brute force attacks, exploiting vulnerabilities in REST APIs, denial-of-service attacks, social engineering, application layer attacks, and data tampering, which can compromise the integrity and security of the network.
A method and function node, such as the Network Exposure Function (NEF), analyze the Security Test Report (STR) from external AF nodes, evaluate vulnerabilities against a database, and monitor application traffic for any security threats, closing network access when risks are detected, using TLS and network firewall for enhanced security.
This approach reduces risks to the 5G network by identifying and preventing unauthorized access, detecting anomalies in real-time, ensuring compliance with data protection regulations, and providing comprehensive logging and reporting, thereby preventing costly downtime and revenue loss.
Figure IN2024052421_02072026_PF_FP_ABST
Description
[0001] ACCESS CONTROL FOR CLIENT APPLICATION
TECHNICAL FIELD
[0002] Embodiments herein relate to a method performed by a function node for maintaining security in a wireless communications network, wherein the maintaining of security is related to an application in an external Application Function, AF, node.
[0003] Embodiments herein also relate to a function node adapted to maintain security in a wireless communications network, wherein the maintaining of security is related to an application in an external AF node.
[0004] BACKGROUND
[0005] In a typical wireless communication network, wireless devices, also known as wireless communication devices, mobile stations, stations (STA) and / or User Equipment (UE), communicate via a Wide Area Network or a Local Area Network such as a Wi-Fi network or a cellular network comprising a Radio Access Network (RAN) part and a Core Network (CN) part. The RAN covers a geographical area which is divided into service areas or cell areas, which may also be referred to as a beam or a beam group, with each service area or cell area being served by a radio network node such as a radio access node e.g., a Wi-Fi access point, a Base Station (BS) or a radio base station (RBS), which in some networks may also be denoted, for example, a Base Station (BS), a NodeB, eNodeB (eNB), or gNodeB (gNB) as denoted in Fifth Generation (5G) telecommunications. A service area or cell area is a geographical area where radio coverage is provided by the radio network node. The radio network node communicates over an air interface operating on a radio frequency with the wireless devices within the range of the radio network node.
[0006] The 3rd Generation Partnership Project (3GPP) is the standardization body for specifying the standards for cellular system evolution, including 3G, 4G, 5G and future evolutions. Specifications for Evolved Universal Terrestrial Radio Access (E-UTRA) and the Evolved Packet System (EPS) have been completed within 3GPP. In 4G, also called a Fourth Generation (4G) network, EPS is the core network and E-UTRA is the radio access network. In 5G, the 5G Core (5GC) is the core network and NR is the radio access network. As a continued network evolution, the new release of 3GPP specifies a 5G network also referred to as 5G New Radio (NR) and 5GC. Frequency bands for 5G NR are separated into two different frequency ranges, Frequency Range 1 (FR1) and Frequency Range 2 (FR2). FR1 comprises sub-6 GHz frequency bands. Some of these bands are bands traditionally used by legacy standards but have been extended to cover potential new spectrum offerings from 410 MHz to 7125 MHz. FR2 comprises frequency bands from 24.25 GHz to 52.6 GHz. Bands in this millimeter wave range have shorter range but higher available bandwidth than bands in FR1.
[0007] Multi-antenna techniques may significantly increase the data rates and reliability of a wireless communication system. For a wireless connection between a single user, such as a UE, and a base station (BS), the performance is in particular improved if both the transmitter and the receiver are equipped with multiple antennas, which results in a Multiple-Input Multiple-Output (MIMO) communication channel. This may be referred to as Single-User (SU)-MIMO. In the scenario where MIMO techniques are used for the wireless connection between multiple users and the base station, MIMO enables the users to communicate with the base station simultaneously using the same time-frequency resources by spatially separating the users, which further increases the cell capacity. This may be referred to as Multi-User (MU)-MIMO. Note that MU-MIMO may be beneficial even when each UE has only one antenna. The cell capacity can be increased linearly with respect to the number of antennas at the BS side. Because of this, more and more antennas are employed in BSs. Such systems and/or related techniques are commonly referred to as massive MIMO.
[0008] A secure, robust, developer-friendly access to exposed network services and 5G network capabilities is facilitated by a 5G Network Exposure Function (NEF), where a rich set of Application Programming Interfaces (APIs) allow third-party authorized applications to monitor and configure the network’s behaviour for a number of different subscribers, i.e. connected devices with different applications.
[0009] This access is provided by a set of northbound RESTful, or web-style, APIs from the network domain to both internal, i.e., within the network operator’s trust domain, and external applications. The NEF has appeared in the 5G standards as an intelligent, service-aware “border gateway” that will enable the external application function (AF) to communicate with the 5G Network Functions (NFs).
[0010] The NEF provides both a northbound API, 3GPP TS 29.522, and a southbound API, 3GPP TS 29.591. The NEF northbound interface exists between the NEF and the AF, whereas the southbound interface exists between the NEF and the 5G NFs. The NEF northbound interface is used to expose certain functionalities that will be consumed by external AFs. The NEF southbound interface consumes the 5G service-based interfaces of the different 5G NFs. The security for this interface is based on Transport Layer Security (TLS) encrypted communication, with Open Authorization (OAuth) based authentication and authorization built on top.
[0011] Following are examples of services exposed by NEF:
[0012] North Bound Services
[0013] Nnef_EventExposure service, Nnef_APISupportCapability service and Nnef_Trigger service
[0014] Nnef_BDTPNegotiation service
[0015] Nnef_ParameterProvision service
[0016] Nnef_PFDManagement service
[0017] Nnef_TrafficInfluence service
[0018] Nnef_ChargeableParty service
[0019] Nnef_AFsessionWithQoS service
[0020] Nnef_MSISDN-less_MO_SMS service
[0021] Nnef_NIDDConfiguration and Nnef_NIDD services
[0022] Nnef_AnalyticsExposure service
[0023] Nnef_ApplyPolicy service
[0024] Nnef_ECRestriction service
[0025] Nnef_IPTVConfiguration service
[0026] Nnef_ServiceParameter service
[0027] Nnef_UCMFProvisioning service
[0028] Nnef_Location service
[0029] Nnef_AKMA service
[0030] Nnef_AMInfluence service
[0031] Nnef_AMPolicyAuthorization service
[0032] Nnef_TimeSynchronization service
[0033] South Bound NEF services
[0034] Nnef_EventExposure
[0035] Nnef_PFDManagement
[0036] Nnef_SMContext
[0037] The 5G NEF is part of the 3GPP 5G architecture. This function provides a means to securely expose the services and capabilities provided by 3GPP network functions, including for example third-party, internal exposure/re-exposure. In 5G networks, it is crucial to ensure secure communication between the NEF and Third-Party Providers (3PP) to protect sensitive information and maintain the integrity of the network. Secure communication between the NEF and a 3PP is maintained by an external firewall, which can establish a secure network connection between the two.
[0038] The current security mechanism between the NEF and 3PP Application Providers, who consume the APIs exposed by NEF, leverages OAUTH based authentication and Authorization. TLS based communication is put on top to ensure encryption and better secure communication between Application Provider’s AF and NEF.
[0039] Virtual Private Network (VPN) capabilities can also be added to NEF to authorize the network. The VPN connection is first established between Application provider’s and Content Security Policy (CSP’s) network and then the standard TLS / OAUTH based secure connection may be created on top of that resulting in a more secure communication establishment.
[0040] In an era of too many vulnerabilities and multiple security threat postures, the currently available security architecture is not enough to protect the network. There are still many security risks associated with Representational State Transfer (REST) web-based API access, as noted in the OWASP Top 10 security risks. The situation could be more severe if someone takes control of the application and can impact the telecom operator network even if TLS and other protocols are in place.
[0041] After the TLS handshake between the telecom operator network and partner network, where encryption and authentication are established between the client and server, a hacker can still impact the network and potentially compromise the security of a REST API in several ways:
[0042] • Man-in-the-Middle (MitM) Attacks: Despite the TLS handshake, a hacker can still attempt to intercept and manipulate the encrypted traffic between the client and server. While they cannot decrypt the traffic without the private key, they can act as a proxy, intercepting requests and responses, and potentially altering or injecting malicious content into the communication stream.
[0043] • Session Hijacking: If a hacker successfully compromises the session of an authenticated user, they can impersonate the user and perform actions on their behalf. While TLS protects the initial authentication process, session tokens or cookies exchanged between the client and server may be vulnerable to theft or session fixation attacks, allowing the hacker to take over an authenticated session.
• Brute Force and Password Attacks: Hackers may attempt to brute force passwords or authentication tokens transmitted over TLS-protected connections. While TLS encryption prevents eavesdropping on communication, it does not protect against weak or easily guessable credentials. An attacker could launch a brute force attack against the authentication mechanism to gain unauthorized access to the REST API.
[0044] • Exploiting Vulnerable Endpoints: If the REST API endpoints have vulnerabilities, such as injection flaws, broken authentication mechanisms, or insecure direct object references (IDOR), a hacker can exploit these weaknesses to gain unauthorized access to sensitive data or execute malicious actions. While TLS secures the communication channel, it does not protect against application-layer vulnerabilities.
[0045] • Denial-of-Service (DoS) Attacks: Although DoS attacks typically involve flooding a network or server with excessive traffic to disrupt its availability, a hacker may still attempt to launch DoS attacks against TLS-protected REST APIs. While they may not be able to intercept or manipulate encrypted traffic, they can overload the server with TLS-encrypted requests, exhausting its resources and causing service degradation or disruption.
[0046] • Social Engineering and Phishing: Even with TLS encryption in place, hackers may resort to social engineering tactics, such as phishing emails or fraudulent websites, to trick users into revealing sensitive information or credentials. Once obtained, these credentials can be used to access the REST API, bypassing TLS protections.
[0047] • Application Layer Attacks: Attackers can exploit vulnerabilities within the application itself. This includes injection attacks, such as SQL injection or NoSQL injection, cross-site scripting (XSS), cross-site request forgery (CSRF), and other application-level vulnerabilities. These attacks can manipulate or compromise the integrity of data within the application, bypassing the encryption provided by TLS.
[0048] • Authorization Bypass: Attackers may attempt to exploit flaws in the application's authorization mechanism to gain access to unauthorized resources or perform privileged actions. This could involve manipulating parameters or exploiting logic flaws to bypass access controls and escalate privileges within the application.
[0049] • Data Tampering: Although TLS encrypts data in transit, it does not protect against data tampering once it reaches the application. Attackers may intercept and modify encrypted data or tamper with requests and responses to manipulate the behavior of the application. This could lead to data corruption, injection of malicious content, or unauthorized modifications to sensitive information.
[0050] • Business Logic Flaws: Attackers may exploit weaknesses in the application's business logic to abuse functionality or perform unauthorized actions. This could involve manipulating input parameters, exploiting race conditions, or abusing functionality intended for legitimate use. Business logic flaws can result in unauthorized access, data leakage, or financial losses for the organization.
[0051] Today's 3GPP specifications do not fully specify any out-of-the-box functionality for securing the network against malicious actors acting through a partner's application. Such malicious actors, once introduced into the 5G network through the partner's application, may damage the network with the network-related security threats mentioned above.
[0052] One key aspect here is that API Client applications vulnerabilities can put the 5G network at risk since a hacked application will look like a legitimate application to the network exposure system.
[0053] SUMMARY
[0054] The embodiments proposed herein analyze the application service provider and their application's vulnerabilities to decide on the risks associated with API exposure to such applications. They also enable the NEF, in combination with the telecom operator's network firewall and TLS for security, to analyze the traffic of the application for any abnormal pattern, especially if the application has too many network-related vulnerabilities.
[0055] An object of embodiments herein is to stop the access of the network for the application when any unwanted activity is caused by the application.
[0056] According to an aspect of embodiments herein, the object is achieved by a method performed by a function node for maintaining security in a wireless communications network, wherein the maintaining of security is related to an application in an external AF node.
[0057] It is disclosed that the method comprises that the function node performs the actions of:
[0058] - obtaining a Security Test Report, STR, from the external AF node;
[0059] - evaluating the STR towards a vulnerability database;
[0060] - obtaining a result of the evaluation;
[0061] and when the result is associated with a risk:
[0062] - monitoring the application for any activities causing a security threat; and
- closing a network access of the application when any activity causing a security threat is detected.
[0063] When the result of the evaluation is not associated with a risk, it is disclosed that the function node refrains from monitoring the application for activities causing a security threat as defined by the STR.
[0064] It is disclosed that the method may comprise that the function node performs the actions of:
[0065] - receiving, from the external AF node, a request for application registration of the application via the use of application programming interfaces, APIs, of the function node, the request including the application ID;
[0066] - requesting, from the external AF node, the STR for the application according to the application ID;
[0067] - obtaining, from the external AF node, the STR as requested, and an application identity, ID, associated with the application;
[0068] - evaluating, the STR towards the vulnerability database, where the vulnerability database comprises information about vulnerabilities that impacts the security of the wireless communications network;
[0069] - obtaining the result of the evaluation from the vulnerability database, which result comprises information whether a running of the application is associated with any vulnerability that impacts the security of the wireless communications network;
- monitoring, by a traffic analyser system belonging to the function node, the traffic of the application when the result is associated with a risk;
[0070] - alerting the function node when any activities are found causing a security threat;
- closing the network access of the application when alerted by the traffic analyser system; and
[0071] - informing the external AF node about closing the network access for the application.
[0072] It is disclosed that if or when the function node receives an updated STR from the external AF node, then the method may be repeated using the updated STR.
[0073] According to another aspect of embodiments herein, the object is achieved by a function node adapted to maintain security in a wireless communications network, wherein the maintaining of security is related to an application in an external AF node.
[0074] It is disclosed that the function node is adapted to:
[0075] - obtain from the external AF node, an STR;
[0076] - evaluate the STR towards a vulnerability database;
- obtain a result of the evaluation;
[0077] and that, when the result is associated with a risk, the function node is adapted to:
[0078] - monitor the application for any activities causing a security threat;
[0079] - close a network access of the application when any activity causing a security threat is detected, and
[0080] - inform the external AF node about closing the network access.
[0081] It is further disclosed that, when the result is not associated with a risk, the function node is adapted to refrain from monitoring the application for activities causing a security threat as defined by the STR.
[0082] It is disclosed that the function node may be adapted to:
[0083] - receive, from the external AF node, a request for application registration of the application via the use of application programming interfaces, APIs, of the function node, the request including the application ID;
[0084] - request, from the external AF node, the STR for the application according to the application ID;
[0085] - obtain, from the external AF node, the STR as requested, and an application identity, ID, associated with the application;
[0086] - evaluate, the STR towards the vulnerability database, where the vulnerability database comprises information about vulnerabilities that impacts the security of the wireless communications network;
[0087] - obtain the result of the evaluation from the vulnerability database, which result comprises information whether a running of the application is associated with any vulnerability that impacts the security of the wireless communications network;
- monitor, by a traffic analyser system belonging to the function node, the traffic of the application when the result is associated with a risk;
[0088] - alert the function node when any activities are found causing a security threat;
- close the network access of the application when alerted by the traffic analyser system; and
[0089] - inform the external AF node about closing the network access for the application.
According to one disclosed embodiment, the function node may be adapted to receive an updated STR from the external AF node, and to repeat the disclosed actions 4 and onwards using the updated STR.
[0090] Thanks to that, any unwanted activity caused by an application can be identified, and the access of the network can be stopped for that application.
[0091] Embodiments herein may provide one or more of the following advantages:
Risks for the 5G network are reduced since applications with vulnerabilities are put under stricter security control.
[0092] The disclosed embodiments can detect unusual or suspicious activity in real-time, enabling rapid response to potential threats.
[0093] By monitoring baseline network behavior, an analyzer can detect anomalies that may indicate security incidents, such as data exfiltration or distributed denial-of-service (DDoS) attacks.
[0094] The disclosed Comprehensive Network Monitoring provides a detailed view of all network traffic, including internal and external communications. This visibility is crucial for understanding normal network behavior and identifying deviations.
[0095] The disclosed embodiments can identify all devices and applications on the network, providing insights into their activity and potential vulnerabilities.
[0096] By identifying and alerting on potential threats before they become significant issues, disclosed embodiments provide an early warning system that helps in proactive threat management.
[0097] The disclosed embodiments analyze the behavior of network entities to predict and prevent malicious activities based on patterns and trends.
[0098] The disclosed network traffic analyzer helps ensure compliance with data protection regulations, e.g. the General Data Protection Regulation (GDPR) and the Health Insurance Portability and Accountability Act (HIPAA), by monitoring the application's traffic flows and reporting potential abnormal activities in real time, ensuring that sensitive data is handled properly and thus providing data protection and privacy.
[0099] The disclosed idea provides comprehensive logging and reporting capabilities, providing audit trails that are essential for regulatory audits and demonstrating compliance with security standards.
[0100] In the event of a security incident, network traffic analyzer provides detailed traffic analysis with records of network activity, which are essential for forensic analysis and understanding the scope and impact of the breach.
[0101] By identifying threats quickly, the disclosed embodiments help prevent costly network downtime and the associated loss of productivity and revenue.
[0102] BRIEF DESCRIPTION OF THE DRAWINGS
[0103] Examples of embodiments herein are described in more detail with reference to the attached drawings, in which:
Figure 1 is a schematic block diagram illustrating embodiments of a communications network.
[0104] Figure 2 is a flowchart depicting an embodiment of a method in a function node.
Figure 3 is a schematic block diagram illustrating embodiments of a function node.
Figure 4 is a generalized block diagram of embodiments of a function node.
[0105] Figure 5 is a generalized block diagram of embodiments of a network node.
[0106] Figure 6 is a generalized block diagram of embodiments of a host.
[0107] Figure 7 is a generalized block diagram of embodiments of a virtualization environment.
[0108] DETAILED DESCRIPTION
[0109] Disclosed embodiments analyze the application service provider and their application's vulnerabilities to decide on the risks associated with API exposure to such applications. They also enable a function node, i.e. a Network Exposure Function, NEF, in combination with the telecommunication network's firewall and TLS for security, to analyze the traffic of the application for any abnormal pattern, especially if the application has too many network-related vulnerabilities.
[0110] The idea is to analyze the application and, if any unwanted activity is identified in the 5G network, the NEF will stop the network access for that application, which is very beneficial since it lowers the API exposure security risks for the CSP.
[0111] Figure 1 is a schematic overview depicting a wireless communications network 100 wherein embodiments herein may be implemented. The wireless communications network 100 comprises one or more RANs, and one or more CNs. The communications network 100 may use 5G NR but may further use a number of other different technologies, such as, 6G, Wi-Fi, Long Term Evolution (LTE), LTE-Advanced, Wideband Code Division Multiple Access (WCDMA), Global System for Mobile communications / enhanced Data rate for GSM Evolution (GSM / EDGE), Worldwide Interoperability for Microwave Access (WiMax), or Ultra Mobile Broadband (UMB), just to mention a few possible implementations.
[0112] Base stations, such as a first base station 111 and a second base station 112, operate in the RAN of the communications network 100. The base stations 111, 112 may each be a transmission and reception point, e.g. a radio access network node such as a base station, e.g. a radio base station such as a NodeB, an evolved Node B (eNB, eNode B), an NR Node B (gNB), a base transceiver station, a radio remote unit, an Access Point Base Station, a base station router, a transmission arrangement of a radio base station, a stand-alone access point, a Wireless Local Area Network (WLAN) access point or an Access Point Station (AP STA), an access controller, or any other network unit capable of communicating with UEs, such as a UE 121, within a cell served by the respective base station 111, 112. The respective base station 111, 112 may be referred to as a serving radio network node and may communicate with the UE 121 with Downlink (DL) transmissions to the UE 121 and Uplink (UL) transmissions from the UE 121.
[0113] Methods according to embodiments herein are performed by the function node 130, i.e. the NEF. This node may be implemented as distributed nodes (DNs) and functionality, e.g. comprised in a cloud 101 as shown in Figure 1.
[0114] Generally, a Network Firewall is placed to secure a telecom operator’s network for any exposures to partner or external applications. In 5G, due to so many use cases around huge number of external AF, i.e. partner applications, it becomes important to have visibility of the client applications consuming the network APIs and, based on their vulnerabilities, to control their access within the system, e.g., limiting some critical API access.
[0115] The disclosed embodiments enable flexibility for the CSP to switch on additional security analysis for vulnerable applications and to disallow any sensitive data or operations if an abnormal API traffic pattern is detected. This results in lowering the API exposure security risks for the CSP.
[0116] A number of embodiments will now be described, some of which may be seen as alternatives, while some may be used in combination.
[0117] Figure 2 shows exemplary embodiments of a method performed by the function node 130. The method is for maintaining security in a wireless communications network 100, wherein the maintaining of security is related to an application 141 in an external Application Function, AF, node 140.
[0118] The method comprises the function node 130 performing the following actions, which actions may be taken in any suitable order.
[0119] Action 3: obtaining 203 from the external AF node 140, a Security Test Report, STR;
[0120] Action 4: evaluating 204 the STR towards a vulnerability database 212;
[0121] Action 5: obtaining 205 a result of the evaluation;
[0122] It is disclosed that when the result is associated with a risk, the method comprises the function node 130 performing the following actions:
[0123] Action 6: monitoring 206 the application 141 for any activities causing a security threat; and
Action 8: closing 208 a network access of the application 141 when any activity causing a security threat is detected;
[0124] It is also disclosed that when the result is not associated with a risk the method comprises the function node 130 performing the following action:
[0125] Action 10: refraining 210 from monitoring the application 141 for activities causing a security threat as defined by the STR.
[0126] Embodiments herein discloses that the different actions as described may be further specified, so that the method may comprise the function node 130 performing:
[0127] Action 1: receiving 201, from the external AF node 140, a request for application registration of the application 141 via the use of application programming interfaces, APIs, of the function node, the request including the application ID;
[0128] Action 2: requesting 202, from the external AF node 140, the STR for the application according to the application ID;
[0129] Action 3: obtaining 203, from the external AF node 140, the STR as requested, and an application identity, ID, associated with the application 141;
[0130] Action 4: evaluating 204, the STR towards the vulnerability database 212, where the vulnerability database comprises information about vulnerabilities that impacts the security of the wireless communications network 100;
[0131] Action 5: obtaining 205 the result of the evaluation from the vulnerability database 212, which result comprises information whether a running of the application is associated with any vulnerability that impacts the security of the wireless communications network 100;
[0132] Action 6: monitoring 206, by a traffic analyser system 213 belonging to the function node 130, the traffic of the application 141 when the result is associated with a risk;
[0133] Action 7: alerting 207, by a traffic analyser system 213, the function node 130 when any activities are found causing a security threat;
[0134] Action 8: closing 208 the network access of the application 141 when alerted by the traffic analyser system 213; and
[0135] Action 9: informing 209 the external AF node 140 about closing the network access for the application 141.
[0136] It is further disclosed that the method may comprise the function node receiving an updated STR from the external AF node 140, and repeating the previously disclosed action 4 (204) and onward using the updated STR.
In this way, by using the methods above, the function node 130 can identify any unwanted activity caused by the application 141 in the communications network 100, and the network access can be closed for that application 141, thus protecting the CSP's network from unwanted abnormal activities.
[0137] Embodiments herein such as the embodiments mentioned above will now be further described and exemplified. The text below is applicable to and may be combined with any suitable embodiment described above.
[0138] The following sections will explain the details of disclosed solutions with reference to flow diagram in the Figure 2. The function node 130 is exemplified by a NEF 214 in the Figure.
[0139] Introduction of new North Bound NEF interface Nnef-VulnerabilityDataBase
The external AF 140 sends a request 201 to the NEF 214 to get registered to use the NEF APIs. This request 201 contains the application ID of the application 141.
[0140] Upon receiving the request from the AF, the NEF asks 202 the AF 140 for the security test report, STR, for the application {application ID}. The AF provides 203 the STR, which may contain all the information about architecture flaws, the vulnerabilities present in the system in terms of vulnerability identifier, CVE-IDs, severity etc., and other security threats.
[0141] It should be understood that what is here mentioned as a STR can be anything which contains detailed information about the potential vulnerabilities / threats available in the system / application.
[0142] The external AF 140 may provide 203 the STR to the NEF 214 for the application 141 together with the {application ID}.
[0143] The NEF 214 may call the vulnerability database 212 using the north bound interface Nnef-VulnerabilityDataBase. This vulnerability database 212 can be any genuine source of vulnerability information, such as a national vulnerability database (NVD).
[0144] This vulnerability database 212 may contain the information in the templates below:
[0145]-[0146] (Vulnerability database template tables not reproduced in the extracted text.)
[0147] Introduction of new North Bound NEF interface Nnef-TrafficAnalyzer
[0148] If the Nnef-VulnerabilityDataBase mentioned in step-1 responds “Yes”, this means that the vulnerability posture shared by the AF in the STR includes vulnerabilities that can impact the network.
[0149] Upon receiving the “Yes” response, the NEF sends a request to the traffic analyzer system using the north bound interface Nnef-TrafficAnalyzer. The request parameter to this interface is the application ID, whose traffic has to be analyzed.
[0150] The NEF 214 is equipped with rules 215 for traffic analysis and a traffic analyzer system 213, which continuously monitors the application 141 for any network related security threats and which, once it finds any activity mentioned in the rules, generates an alert 207 to the NEF 214.
[0151] Below is an exemplary template of how the rules 215 may be defined:
[0152]-[0162] (Rule template table not reproduced in the extracted text; only the logical connectives “&&” and “&” between its conditions survived.)
[0163] Upon receiving the alert 207 from the traffic analyzer system 213, the NEF 214 closes 208 the network access of the application 141. The NEF 214 informs 209 the external AF 140 about blocking 208 the network access of the application 141.
[0164] Complete end-to-end flow with diagram.
[0165] Figure 3 shows the sequence of actions that accomplish the complete solution. Each action is described below.
[0166] Action 1: The external AF sends 201 a request to the NEF 214 to get registered to use the NEF 214 APIs. This request contains the application ID of the application.
Action 2: Upon receiving the request from the AF, the NEF 214 requests 202 the STR for the application 141 {application ID} from the AF.
[0167] Action 3: The external AF 140 provides 203 the STR to the NEF 214 for the application 141 with {application ID}.
[0168] Action 4: NEF 214 calls 204 the vulnerability database 212 using the north bound interface Nnef-VulnerabilityDataBase.
[0169] This vulnerability database 212 may contain the information in the templates below:
[0170] (Vulnerability database template table not reproduced in the extracted text.)
[0171] Action 5: A response 205 “Yes” from the Nnef-VulnerabilityDataBase means that the vulnerability posture shared by the AF in the STR includes vulnerabilities that can impact the network. This decision is taken based on the data analysis mentioned in Action 4.
[0172] Action 6: Upon receiving the “Yes” response in Action 5, the NEF 214 sends a request 206 to the traffic analyzer system 213 using the north bound interface Nnef-TrafficAnalyzer. The request parameter to this interface may be the application ID pertaining to the application 141 whose traffic has to be analyzed.
[0173] Action 7: The NEF 214 is equipped with rules 215 for traffic analysis, and when the traffic analyzer system, which continuously monitors the application for any network related security threats, finds any activity mentioned in the rules, an alert is generated to the NEF 214. Below is an example of how a template of the rules may be defined, with Rule ID / Alert ID in the second column:
[0174]-[0184] (Rule template table not reproduced in the extracted text; only the logical connectives “&&” and “&” between its conditions survived.)
[0185] Action 8: Upon receiving the alert from the traffic analyzer system 213, the NEF 214 closes the network access of the application 141.
Action 9: The NEF 214 informs 209 the AF 140 about blocking the network access for the application 141.
[0186] Action 10: When the vulnerability is fixed, the external AF 140 may submit 210 a new STR, whereafter the procedure may be repeated; if no vulnerabilities are found, monitoring is stopped.
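The ten actions above form one procedure, so the following added example models the whole Figure 3 sequence in one place: STR evaluation against a vulnerability database (Actions 4 and 5), conditional traffic monitoring against AND-combined rules (Actions 6 and 7), closing access and informing the AF on an alert (Actions 8 and 9), and re-evaluation on an updated STR (Action 10). This is illustrative code written for this page, not code from the patent or from Ericsson. The vulnerability database entries, the CVE-style identifiers (placeholders, not real CVE numbers), the rule thresholds, the traffic samples and the reading of the template's “&&” as logical AND are all constructed assumptions.

```python
"""Model of the NEF access-control flow (Actions 1 to 10) described above.

Added illustration, not code from the patent or from Ericsson. Every value
below is constructed for the example; the CVE-style identifiers are
placeholders, not real CVE numbers, and the rule conditions are assumed.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Constructed stand-in for the vulnerability database 212 (an NVD-like source).
# Only the 'network_impact' flag feeds the Yes/No decision of Action 5.
VULN_DB: Dict[str, dict] = {
    "CVE-0000-PLACEHOLDER-A": {"severity": "HIGH", "network_impact": True},
    "CVE-0000-PLACEHOLDER-B": {"severity": "LOW", "network_impact": False},
}


@dataclass
class SecurityTestReport:
    """STR as provided by the AF node (Action 3): application ID plus findings."""
    app_id: str
    vulnerability_ids: List[str]


@dataclass
class TrafficRule:
    """One row of the rules 215: rule ID, alert ID and AND-combined conditions
    (the '&&' in the page's template is read as logical AND; an assumption)."""
    rule_id: str
    alert_id: str
    conditions: List[Callable[[dict], bool]]


def evaluate_str(report: SecurityTestReport, db: Dict[str, dict] = VULN_DB) -> bool:
    """Actions 4 and 5: 'Yes' (True) when any reported finding impacts the network.
    Identifiers unknown to the database are treated as having no known impact."""
    return any(db.get(vid, {}).get("network_impact", False) for vid in report.vulnerability_ids)


class NEF:
    """Function node 130, exemplified by the NEF 214, with its traffic analyser 213."""

    def __init__(self, rules: List[TrafficRule]):
        self.rules = rules
        self.apps: Dict[str, dict] = {}          # app_id -> {"access": bool, "monitored": bool}
        self.af_notifications: List[tuple] = []  # messages sent to the AF (Action 9)

    def register(self, report: SecurityTestReport) -> bool:
        """Actions 1 to 6 (and 10 on an updated STR): register the application,
        evaluate its STR and decide whether to monitor it. Assumption: a
        resubmitted STR re-runs the procedure and re-opens access."""
        risky = evaluate_str(report)
        self.apps[report.app_id] = {"access": True, "monitored": risky}
        return risky

    def analyse_traffic(self, app_id: str, flow: dict) -> Optional[str]:
        """Actions 7 to 9: match one traffic sample against the rules; on a hit,
        close network access and inform the AF. Returns the alert ID, or None."""
        state = self.apps[app_id]
        if not state["monitored"] or not state["access"]:
            return None
        for rule in self.rules:
            if all(cond(flow) for cond in rule.conditions):  # every condition must hold
                state["access"] = False                                 # Action 8
                self.af_notifications.append((app_id, rule.alert_id))  # Action 9
                return rule.alert_id
        return None


# Constructed rules 215: a request-rate rule and a fan-out rule (assumed thresholds).
RULES = [
    TrafficRule("R1", "ALERT-RATE", [lambda f: f["requests_per_min"] > 1000]),
    TrafficRule("R2", "ALERT-FANOUT", [lambda f: f["distinct_targets"] > 50,
                                       lambda f: f["error_ratio"] > 0.5]),
]


def run_scenario() -> dict:
    """End-to-end walk through the Figure 3 sequence with constructed inputs."""
    nef = NEF(RULES)
    first_str = SecurityTestReport("app-141", ["CVE-0000-PLACEHOLDER-A"])
    monitored = nef.register(first_str)                   # Action 5 answers "Yes"
    benign = {"requests_per_min": 20, "distinct_targets": 3, "error_ratio": 0.0}
    abusive = {"requests_per_min": 30, "distinct_targets": 120, "error_ratio": 0.9}
    first = nef.analyse_traffic("app-141", benign)        # no rule matches
    second = nef.analyse_traffic("app-141", abusive)      # R2 fires, access closed
    access_after = nef.apps["app-141"]["access"]
    # Action 10: the AF fixes the finding and submits an updated STR.
    fixed_str = SecurityTestReport("app-141", ["CVE-0000-PLACEHOLDER-B"])
    monitored_after_fix = nef.register(fixed_str)
    return {"monitored": monitored, "first": first, "second": second,
            "access_after_alert": access_after, "monitored_after_fix": monitored_after_fix,
            "notifications": list(nef.af_notifications)}


if __name__ == "__main__":
    print(run_scenario())
```

Two design points worth noting: the application is only monitored while the STR evaluation answered “Yes”, which keeps the traffic analyser's work proportional to the declared risk, and once access is closed no further rule evaluation happens until a fresh STR is submitted, so a single alert is enough to fence the application off.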
[0187] To perform the method actions above it is disclosed that the function node 130 is adapted to maintain security in a wireless communications network 100, wherein the maintaining of security is related to an application 141 in an external Application Function, AF, node 140.
[0188] It is disclosed that the function node 130 is adapted to perform:
[0189] Action 3: obtain 203, from the external AF node 140, a Security Test Report, STR,
Action 4: evaluate 204 the STR towards a vulnerability database 212,
[0190] Action 5: obtain 205 a result of the evaluation.
[0191] It is disclosed that when the result is associated with a risk, the function node 130 is adapted to:
[0192] Action 6: monitor 206 the application 141 for any activities causing a security threat,
[0193] Action 8: close 208 a network access of the application 141 when any activity causing a security threat is detected, and
[0194] Action 9: inform 209 the external AF node 140 about closing the network access.
It is further disclosed that when the result is not associated with a risk, the function node 130 is adapted to:
[0195] Action 10: refrain 210 from monitoring the application 141 for activities causing a security threat as defined by the STR.
[0196] Embodiments herein disclose that the function node 130 may be further adapted to:
[0197] Action 1: receive 201, from the external AF node 140, a request for application registration of the application 141 via the use of application programming interfaces, APIs, of the function node, the request including the application ID;
[0198] Action 2: request 202, from the external AF node 140, the STR for the application according to the application ID;
[0199] Action 3: obtain 203, from the external AF node 140, the STR as requested, and an application identity, ID, associated with the application 141;
Action 4: evaluate 204 the STR towards the vulnerability database 212, where the vulnerability database comprises information about vulnerabilities that impact the security of the wireless communications network 100;
[0200] Action 5: obtain 205 the result of the evaluation from the vulnerability database 212, which result comprises information whether a running of the application is associated with any vulnerability that impacts the security of the wireless communications network 100;
[0201] Action 6: monitor 206, by a traffic analyser system 213 belonging to the function node 130, the traffic of the application 141 when the result is associated with a risk;
[0202] Action 7: alert 207 the function node 130 when any activities are found causing a security threat;
[0203] Action 8: close 208 the network access of the application 141 when alerted by the traffic analyser system 213; and
[0204] Action 9: inform 209 the external AF node 140 about closing the network access for the application 141.
[0205] Disclosed embodiments show that the function node 130 may be adapted to receive an updated STR from the external AF node 140, and to repeat the previously disclosed action 4 204 and onwards using the updated STR.
[0206] Embodiments herein may be implemented through a processor or one or more processors, such as the processor 310 of a processing circuitry in the function node 130 depicted in Figure 3, together with computer program code for performing the functions and actions of the embodiments herein. The program code mentioned above may also be provided as a computer program product, for instance in the form of a data carrier carrying computer program code for performing the embodiments herein when being loaded into the function node 130. One such carrier may be in the form of a CD ROM disc. It is however feasible with other data carriers such as a memory stick. The computer program code may furthermore be provided as pure program code on a server and downloaded to the function node 130.
[0207] The function node 130 may further comprise a memory 320 comprising one or more memory units. The memory 320 comprises instructions executable by the processor in the function node 130. The memory 320 is arranged to be used to store e.g., media functions, indications, tags, information, data, configurations, communication data, and applications to perform the methods herein when being executed in the function node 130. The function node 130 may further comprise an input / output interface 300 for communication.
[0208] In some embodiments, a computer program 330 comprises instructions, which when executed by the at least one processor 310, cause the at least one processor of the function node 130 to perform the actions above.
[0209] In some embodiments, a carrier 340 comprises the computer program 330, wherein the carrier 340 is one of an electronic signal, an optical signal, an electromagnetic signal, a magnetic signal, an electric signal, a radio signal, a microwave signal, or a computer-readable storage medium.
[0210] Those skilled in the art will appreciate that units in the function node 130 described above may refer to a combination of analog and digital circuits, and / or one or more processors configured with software and / or firmware, e.g. stored in the function node 130, that when executed by the one or more processors such as the processors described above. One or more of these processors, as well as the other digital hardware, may be included in a single Application-Specific Integrated Circuit (ASIC), or several processors and various digital hardware may be distributed among several separate components, whether individually packaged or assembled into a System-on-a-Chip (SoC).
[0211] ADDITIONAL EXPLANATION
[0212] Some of the embodiments contemplated herein will now be described more fully with reference to the accompanying drawings. Embodiments are provided by way of example to convey the scope of the subject matter to those skilled in the art.
[0213] Figure 4 shows an example of a communication system QQ100 in accordance with some embodiments.
[0214] In the example, the communication system QQ100 includes a telecommunication network QQ102 that includes an access network QQ104, such as a radio access network (RAN), and a core network QQ106, which includes one or more core network nodes QQ108. The access network QQ104 includes one or more access network nodes, such as network nodes QQ110a and QQ110b (one or more of which may be generally referred to as network nodes QQ110), or any other similar 3rd Generation Partnership Project (3GPP) access nodes or non-3GPP access points. Moreover, as will be appreciated by those of skill in the art, a network node is not necessarily limited to an implementation in which a radio portion and a baseband portion are supplied and integrated by a single vendor. Thus, it will be understood that network nodes include disaggregated implementations or portions thereof. For example, in some embodiments, the telecommunication network QQ102 includes one or more Open-RAN (ORAN) network nodes. An ORAN network node is a node in the telecommunication network QQ102 that supports an ORAN specification (e.g., a specification published by the O-RAN Alliance, or any similar organization) and may operate alone or together with other nodes to implement one or more functionalities of any node in the telecommunication network QQ102, including one or more network nodes QQ110 and / or core network nodes QQ108.
[0215] Examples of an ORAN network node include an open radio unit (O-RU), an open distributed unit (O-DU), an open central unit (O-CU), including an O-CU control plane (O-CU-CP) or an O-CU user plane (O-CU-UP), a RAN intelligent controller (near-real time or non-real time) hosting software or software plug-ins, such as a near-real time control application (e.g., xApp) or a non-real time control application (e.g., rApp), or any combination thereof (the adjective “open” designating support of an ORAN specification). The network node may support a specification by, for example, supporting an interface defined by the ORAN specification, such as an A1, F1, W1, E1, E2, X2, Xn interface, an open fronthaul user plane interface, or an open fronthaul management plane interface. Moreover, an ORAN access node may be a logical node in a physical node. Furthermore, an ORAN network node may be implemented in a virtualization environment (described further below) in which one or more network functions are virtualized. For example, the virtualization environment may include an O-Cloud computing platform orchestrated by a Service Management and Orchestration Framework via an O2 interface defined by the O-RAN Alliance or comparable technologies. The network nodes QQ110 facilitate direct or indirect connection of user equipment (UE), such as by connecting UEs QQ112a, QQ112b, QQ112c, and QQ112d (one or more of which may be generally referred to as UEs QQ112) to the core network QQ106 over one or more wireless connections.
[0216] Example wireless communications over a wireless connection include transmitting and / or receiving wireless signals using electromagnetic waves, radio waves, infrared waves, and / or other types of signals suitable for conveying information without the use of wires, cables, or other material conductors. Moreover, in different embodiments, the communication system QQ100 may include any number of wired or wireless networks, network nodes, UEs, and / or any other components or systems that may facilitate or participate in the communication of data and / or signals whether via wired or wireless connections. The communication system QQ100 may include and / or interface with any type of communication, telecommunication, data, cellular, radio network, and / or other similar type of system.
[0217] The UEs QQ112 may be any of a wide variety of communication devices, including wireless devices arranged, configured, and / or operable to communicate wirelessly with the network nodes QQ110 and other communication devices. Similarly, the network nodes QQ110 are arranged, capable, configured, and / or operable to communicate directly or indirectly with the UEs QQ112 and / or with other network nodes or equipment in the telecommunication network QQ102 to enable and / or provide network access, such as wireless network access, and / or to perform other functions, such as administration in the telecommunication network QQ102.
[0218] In the depicted example, the core network QQ106 connects the network nodes QQ110 to one or more host computing systems, such as host QQ116. These connections may be direct or indirect via one or more intermediary networks or devices. In other examples, network nodes may be directly coupled to hosts. The core network QQ106 includes one or more core network nodes (e.g., core network node QQ108) that are structured with hardware and software components. Features of these components may be substantially similar to those described with respect to the UEs, network nodes, and / or hosts, such that the descriptions thereof are generally applicable to the corresponding components of the core network node QQ108. Example core network nodes include functions of one or more of a Mobile Switching Center (MSC), Mobility Management Entity (MME), Home Subscriber Server (HSS), Access and Mobility Management Function (AMF), Session Management Function (SMF), Authentication Server Function (AUSF), Subscription Identifier De-concealing function (SIDF), Unified Data Management (UDM), Security Edge Protection Proxy (SEPP), Network Exposure Function (NEF), and / or a User Plane Function (UPF).
[0219] The host QQ116 may be under the ownership or control of a service provider other than an operator or provider of the access network QQ104 and / or the telecommunication network QQ102. The host QQ116 may host a variety of applications to provide one or more services. Examples of such applications include live and pre-recorded audio / video content, data collection services such as retrieving and compiling data on various ambient conditions detected by a plurality of UEs, analytics functionality, social media, functions for controlling or otherwise interacting with remote devices, functions for an alarm and surveillance center, or any other such function performed by a server.
[0220] As a whole, the communication system QQ100 of Figure 4 enables connectivity between the UEs, network nodes, and hosts. In that sense, the communication system may be configured to operate according to predefined rules or procedures, such as specific standards that include, but are not limited to: Global System for Mobile Communications (GSM); Universal Mobile Telecommunications System (UMTS); Long Term Evolution (LTE), and / or other suitable 2G, 3G, 4G, 5G standards, or any applicable future generation standard (e.g., 6G); wireless local area network (WLAN) standards, such as the Institute of Electrical and Electronics Engineers (IEEE) 802.11 standards (WiFi); and / or any other appropriate wireless communication standard, such as the Worldwide Interoperability for Microwave Access (WiMax), Bluetooth, Z-Wave, Near Field Communication (NFC), ZigBee, LiFi, and / or any low-power wide-area network (LPWAN) standards such as LoRa and Sigfox.
[0221] In some examples, the telecommunication network QQ102 is a cellular network that implements 3GPP standardized features. Accordingly, the telecommunications network QQ102 may support network slicing to provide different logical networks to different devices that are connected to the telecommunication network QQ102. For example, the telecommunications network QQ102 may provide Ultra Reliable Low Latency Communication (URLLC) services to some UEs, while providing Enhanced Mobile Broadband (eMBB) services to other UEs, and / or Massive Machine Type Communication (mMTC) / Massive IoT services to yet further UEs.
[0222] In some examples, the UEs QQ112 are configured to transmit and / or receive information without direct human interaction. For instance, a UE may be designed to transmit information to the access network QQ104 on a predetermined schedule, when triggered by an internal or external event, or in response to requests from the access network QQ104. Additionally, a UE may be configured for operating in single- or multi-RAT or multi-standard mode. For example, a UE may operate with any one or combination of Wi-Fi, NR (New Radio) and LTE, i.e. being configured for multi-radio dual connectivity (MR-DC), such as E-UTRAN (Evolved-UMTS Terrestrial Radio Access Network) New Radio - Dual Connectivity (EN-DC).
[0223] In the example, the hub QQ114 communicates with the access network QQ104 to facilitate indirect communication between one or more UEs (e.g., UE QQ112c and / or QQ112d) and network nodes (e.g., network node QQ110b). In some examples, the hub QQ114 may be a controller, router, content source and analytics, or any of the other communication devices described herein regarding UEs. For example, the hub QQ114 may be a broadband router enabling access to the core network QQ106 for the UEs. As another example, the hub QQ114 may be a controller that sends commands or instructions to one or more actuators in the UEs. Commands or instructions may be received from the UEs, network nodes QQ110, or by executable code, script, process, or other instructions in the hub QQ114. As another example, the hub QQ114 may be a data collector that acts as temporary storage for UE data and, in some embodiments, may perform analysis or other processing of the data. As another example, the hub QQ114 may be a content source. For example, for a UE that is a VR device, display, loudspeaker, or other media delivery device, the hub QQ114 may retrieve VR assets, video, audio, or other media or data related to sensory information via a network node, which the hub QQ114 then provides to the UE either directly, after performing local processing, and / or after adding additional local content. In still another example, the hub QQ114 acts as a proxy server or orchestrator for the UEs, in particular if one or more of the UEs are low energy IoT devices.
[0224] The hub QQ114 may have a constant / persistent or intermittent connection to the network node QQ110b. The hub QQ114 may also allow for a different communication scheme and / or schedule between the hub QQ114 and UEs (e.g., UE QQ112c and / or QQ112d), and between the hub QQ114 and the core network QQ106. In other examples, the hub QQ114 is connected to the core network QQ106 and / or one or more UEs via a wired connection. Moreover, the hub QQ114 may be configured to connect to an M2M service provider over the access network QQ104 and / or to another UE over a direct connection. In some scenarios, UEs may establish a wireless connection with the network nodes QQ110 while still connected via the hub QQ114 via a wired or wireless connection. In some embodiments, the hub QQ114 may be a dedicated hub - that is, a hub whose primary function is to route communications to / from the UEs from / to the network node QQ110b. In other embodiments, the hub QQ114 may be a non-dedicated hub - that is, a device which is capable of operating to route communications between the UEs and network node QQ110b, but which is additionally capable of operating as a communication start and / or end point for certain data channels.
[0225] Figure 5 shows a UE QQ200 in accordance with some embodiments. The UE QQ200 presents additional details of some embodiments of the UE QQ112 of Figure 1. As used herein, a UE refers to a device capable, configured, arranged and / or operable to communicate wirelessly with network nodes and / or other UEs. Examples of a UE include, but are not limited to, a smart phone, mobile phone, cell phone, voice over IP (VoIP) phone, wireless local loop phone, desktop computer, personal digital assistant (PDA), wireless cameras, gaming console or device, music storage / playback device, wearable terminal device, wireless endpoint, mobile station, tablet, laptop, laptop-embedded equipment (LEE), laptop-mounted equipment (LME), an Augmented Reality (AR) or Virtual Reality (VR) device, wireless customer-premise equipment (CPE), vehicle, vehicle-mounted or vehicle embedded / integrated wireless device, etc. Other examples include any UE identified by the 3rd Generation Partnership Project (3GPP), including a narrowband internet of things (NB-IoT) UE, a machine type communication (MTC) UE, and / or an enhanced MTC (eMTC) UE.
[0226] A UE may support device-to-device (D2D) communication, for example by implementing a 3GPP standard for sidelink communication, Dedicated Short-Range Communication (DSRC), vehicle-to-vehicle (V2V), vehicle-to-infrastructure (V2I), or vehicle-to-everything (V2X). In other examples, a UE may not necessarily have a user in the sense of a human user who owns and / or operates the relevant device. Instead, a UE may represent a device that is intended for sale to, or operation by, a human user but which may not, or which may not initially, be associated with a specific human user (e.g., a smart sprinkler controller). Alternatively, a UE may represent a device that is not intended for sale to, or operation by, an end user but which may be associated with or operated for the benefit of a user (e.g., a smart power meter).
[0227] The UE QQ200 includes processing circuitry QQ202 that is operatively coupled via a bus QQ204 to an input / output interface QQ206, a power source QQ208, a memory QQ210, a communication interface QQ212, and / or any other component, or any combination thereof. Certain UEs may utilize all or a subset of the components shown in Figure 5. The level of integration between the components may vary from one UE to another UE. Further, certain UEs may contain multiple instances of a component, such as multiple processors, memories, transceivers, transmitters, receivers, etc.
[0228] The processing circuitry QQ202 is configured to process instructions and data and may be configured to implement any sequential state machine operative to execute instructions stored as machine-readable computer programs in the memory QQ210. The processing circuitry QQ202 may be implemented as one or more hardware-implemented state machines (e.g., in discrete logic, field-programmable gate arrays (FPGAs), application specific integrated circuits (ASICs), etc.); programmable logic together with appropriate firmware; one or more stored computer programs, general-purpose processors, such as a microprocessor or digital signal processor (DSP), together with appropriate software; or any combination of the above. For example, the processing circuitry QQ202 may include multiple central processing units (CPUs).
[0229] In the example, the input / output interface QQ206 may be configured to provide an interface or interfaces to an input device, output device, or one or more input and / or output devices. Examples of an output device include a speaker, a sound card, a video card, a display, a monitor, a printer, an actuator, an emitter, a smartcard, another output device, or any combination thereof. An input device may allow a user to capture information into the UE QQ200. Examples of an input device include a touch-sensitive or presence-sensitive display, a camera (e.g., a digital camera, a digital video camera, a web camera, etc.), a microphone, a sensor, a mouse, a trackball, a directional pad, a trackpad, a scroll wheel, a smartcard, and the like. The presence-sensitive display may include a capacitive or resistive touch sensor to sense input from a user. A sensor may be, for instance, an accelerometer, a gyroscope, a tilt sensor, a force sensor, a magnetometer, an optical sensor, a proximity sensor, a biometric sensor, etc., or any combination thereof. An output device may use the same type of interface port as an input device. For example, a Universal Serial Bus (USB) port may be used to provide an input device and an output device.
[0230] In some embodiments, the power source QQ208 is structured as a battery or battery pack. Other types of power sources, such as an external power source (e.g., an electricity outlet), photovoltaic device, or power cell, may be used. The power source QQ208 may further include power circuitry for delivering power from the power source QQ208 itself, and / or an external power source, to the various parts of the UE QQ200 via input circuitry or an interface such as an electrical power cable. Delivering power may be, for example, for charging of the power source QQ208. Power circuitry may perform any formatting, converting, or other modification to the power from the power source QQ208 to make the power suitable for the respective components of the UE QQ200 to which power is supplied.
[0231] The memory QQ210 may be or be configured to include memory such as random access memory (RAM), read-only memory (ROM), programmable read-only memory (PROM), erasable programmable read-only memory (EPROM), electrically erasable programmable read-only memory (EEPROM), magnetic disks, optical disks, hard disks, removable cartridges, flash drives, and so forth. In one example, the memory QQ210 includes one or more application programs QQ214, such as an operating system, web browser application, a widget, gadget engine, or other application, and corresponding data QQ216. The memory QQ210 may store, for use by the UE QQ200, any of a variety of various operating systems or combinations of operating systems.
[0232] The memory QQ210 may be configured to include a number of physical drive units, such as redundant array of independent disks (RAID), flash memory, USB flash drive, external hard disk drive, thumb drive, pen drive, key drive, high-density digital versatile disc (HD-DVD) optical disc drive, internal hard disk drive, Blu-Ray optical disc drive, holographic digital data storage (HDDS) optical disc drive, external mini-dual in-line memory module (DIMM), synchronous dynamic random access memory (SDRAM), external micro-DIMM SDRAM, smartcard memory such as a tamper resistant module in the form of a universal integrated circuit card (UICC) including one or more subscriber identity modules (SIMs), such as a USIM and / or ISIM, other memory, or any combination thereof. The UICC may for example be an embedded UICC (eUICC), integrated UICC (iUICC) or a removable UICC commonly known as a ‘SIM card.’ The memory QQ210 may allow the UE QQ200 to access instructions, application programs and the like, stored on transitory or non-transitory memory media, to off-load data, or to upload data. An article of manufacture, such as one utilizing a communication system, may be tangibly embodied as or in the memory QQ210, which may be or comprise a device-readable storage medium.
[0233] The processing circuitry QQ202 may be configured to communicate with an access network or other network using the communication interface QQ212. The communication interface QQ212 may comprise one or more communication subsystems and may include or be communicatively coupled to an antenna QQ222. The communication interface QQ212 may include one or more transceivers used to communicate, such as by communicating with one or more remote transceivers of another device capable of wireless communication (e.g., another UE or a network node in an access network). Each transceiver may include a transmitter QQ218 and / or a receiver QQ220 appropriate to provide network communications (e.g., optical, electrical, frequency allocations, and so forth). Moreover, the transmitter QQ218 and receiver QQ220 may be coupled to one or more antennas (e.g., antenna QQ222) and may share circuit components, software or firmware, or alternatively be implemented separately.
[0234] In the illustrated embodiment, communication functions of the communication interface QQ212 may include cellular communication, Wi-Fi communication, LPWAN communication, data communication, voice communication, multimedia communication, short-range communications such as Bluetooth, near-field communication, location-based communication such as the use of the global positioning system (GPS) to determine a location, another like communication function, or any combination thereof.
[0235] Communications may be implemented according to one or more communication protocols and / or standards, such as IEEE 802.11, Code Division Multiple Access (CDMA), Wideband Code Division Multiple Access (WCDMA), GSM, LTE, New Radio (NR), UMTS, WiMax, Ethernet, transmission control protocol / internet protocol (TCP / IP), synchronous optical networking (SONET), Asynchronous Transfer Mode (ATM), QUIC, Hypertext Transfer Protocol (HTTP), and so forth.
[0236] Regardless of the type of sensor, a UE may provide an output of data captured by its sensors, through its communication interface QQ212, via a wireless connection to a network node. Data captured by sensors of a UE can be communicated through a wireless connection to a network node via another UE. The output may be periodic (e.g., once every 15 minutes if it reports the sensed temperature), random (e.g., to even out the load from reporting from several sensors), in response to a triggering event (e.g., when moisture is detected an alert is sent), in response to a request (e.g., a user initiated request), or a continuous stream (e.g., a live video feed of a patient).
[0237] As another example, a UE comprises an actuator, a motor, or a switch, related to a communication interface configured to receive wireless input from a network node via a wireless connection. In response to the received wireless input the states of the actuator, the motor, or the switch may change. For example, the UE may comprise a motor that adjusts the control surfaces or rotors of a drone in flight according to the received input or to a robotic arm performing a medical procedure according to the received input.
[0238] A UE, when in the form of an Internet of Things (loT) device, may be a device for use in one or more application domains, these domains comprising, but not limited to, city wearable technology, extended industrial application and healthcare. Non-limiting examples of such an loT device are a device which is or which is embedded in: a connected refrigerator or freezer, a TV, a connected lighting device, an electricity meter, a robot vacuum cleaner, a voice controlled smart speaker, a home security camera, a motion detector, a thermostat, a smoke detector, a door / window sensor, a flood / moisture sensor, an electrical door lock, a connected doorbell, an air conditioning system like a heat pump, an autonomous vehicle, a surveillance system, a weather monitoring device, a vehicle parking monitoring device, an electric vehicle charging station, a smart watch, a fitness tracker, a wearable for tactile augmentation or sensory enhancement, a water sprinkler, an animal- or item-tracking device, a sensor for monitoring a plant or animal, an industrial robot, an Unmanned Aerial Vehicle (UAV), and any kind of medical device, like a heart rate monitor or a remote controlled surgical robot. A UE in the form of an loT device comprises circuitry and / or software in dependence of the intended application of the loT device in addition to other components as described in relation to the UE QQ200 shown in Figure 5.
[0239] As yet another specific example, in an IoT scenario, a UE may represent a machine or other device that performs monitoring and / or measurements, and transmits the results of such monitoring and / or measurements to another UE and / or a network node. The UE may in this case be an M2M device, which may in a 3GPP context be referred to as an MTC device. As one particular example, the UE may implement the 3GPP NB-IoT standard. In other scenarios, a UE may represent a vehicle, such as a car, a bus, a truck, a ship and an airplane, or other equipment that is capable of monitoring and / or reporting on its operational status or other functions associated with its operation.
[0240] In practice, any number of UEs may be used together with respect to a single use case. For example, a first UE might be or be integrated in a drone and provide the drone’s speed information (obtained through a speed sensor) to a second UE that is a remote controller operating the drone. When the user makes changes from the remote controller, the first UE may adjust the throttle on the drone (e.g. by controlling an actuator) to increase or decrease the drone’s speed. The first and / or the second UE can also include more than one of the functionalities described above. For example, a UE might comprise the sensor and the actuator, and handle communication of data for both the speed sensor and the actuators.
[0241] Figure 6 shows a network node QQ300 in accordance with some embodiments. As used herein, network node refers to equipment capable, configured, arranged and / or operable to communicate directly or indirectly with a UE and / or with other network nodes or equipment, in a telecommunication network. Examples of network nodes include, but are not limited to, access points (APs) (e.g., radio access points), base stations (BSs) (e.g., radio base stations, Node Bs, evolved Node Bs (eNBs) and NR NodeBs (gNBs)), O-RAN nodes or components of an O-RAN node (e.g., O-RU, O-DU, O-CU).
[0242] Base stations may be categorized based on the amount of coverage they provide (or, stated differently, their transmit power level) and so, depending on the provided amount of coverage, may be referred to as femto base stations, pico base stations, micro base stations, or macro base stations. A base station may be a relay node or a relay donor node controlling a relay. A network node may also include one or more (or all) parts of a distributed radio base station such as centralized digital units, distributed units (e.g., in an O-RAN access node) and / or remote radio units (RRUs), sometimes referred to as Remote Radio Heads (RRHs). Such remote radio units may or may not be integrated with an antenna as an antenna integrated radio. Parts of a distributed radio base station may also be referred to as nodes in a distributed antenna system (DAS).
[0243] Other examples of network nodes include multiple transmission point (multi-TRP) 5G access nodes, multi-standard radio (MSR) equipment such as MSR BSs, network controllers such as radio network controllers (RNCs) or base station controllers (BSCs), base transceiver stations (BTSs), transmission points, transmission nodes, multi-cell / multicast coordination entities (MCEs), Operation and Maintenance (O&M) nodes, Operations Support System (OSS) nodes, Self-Organizing Network (SON) nodes, positioning nodes (e.g., Evolved Serving Mobile Location Centers (E-SMLCs)), and / or Minimization of Drive Tests (MDTs).
[0244] The network node QQ300 includes a processing circuitry QQ302, a memory QQ304, a communication interface QQ306, and a power source QQ308. The network node QQ300 may be composed of multiple physically separate components (e.g., a NodeB component and a RNC component, or a BTS component and a BSC component, etc.), which may each have their own respective components. In certain scenarios in which the network node QQ300 comprises multiple separate components (e.g., BTS and BSC components), one or more of the separate components may be shared among several network nodes. For example, a single RNC may control multiple NodeBs. In such a scenario, each unique NodeB and RNC pair may in some instances be considered a single separate network node. In some embodiments, the network node QQ300 may be configured to support multiple radio access technologies (RATs). In such embodiments, some components may be duplicated (e.g., separate memory QQ304 for different RATs) and some components may be reused (e.g., a same antenna QQ310 may be shared by different RATs). The network node QQ300 may also include multiple sets of the various illustrated components for different wireless technologies integrated into network node QQ300, for example GSM, WCDMA, LTE, NR, WiFi, Zigbee, Z-wave, LoRaWAN, Radio Frequency Identification (RFID) or Bluetooth wireless technologies. These wireless technologies may be integrated into the same or different chip or set of chips and other components within network node QQ300.
[0245] The processing circuitry QQ302 may comprise a combination of one or more of a microprocessor, controller, microcontroller, central processing unit, digital signal processor, application-specific integrated circuit, field programmable gate array, or any other suitable computing device, resource, or combination of hardware, software and / or encoded logic operable, either alone or in conjunction with other network node QQ300 components, such as the memory QQ304, to provide network node QQ300 functionality.
[0246] In some embodiments, the processing circuitry QQ302 includes a system on a chip (SOC). In some embodiments, the processing circuitry QQ302 includes one or more of radio frequency (RF) transceiver circuitry QQ312 and baseband processing circuitry QQ314. In some embodiments, the radio frequency (RF) transceiver circuitry QQ312 and the baseband processing circuitry QQ314 may be on separate chips (or sets of chips), boards, or units, such as radio units and digital units. In alternative embodiments, part or all of RF transceiver circuitry QQ312 and baseband processing circuitry QQ314 may be on the same chip or set of chips, boards, or units.
[0247] The memory QQ304 may comprise any form of volatile or non-volatile computer-readable memory including, without limitation, persistent storage, solid-state memory, remotely mounted memory, magnetic media, optical media, random access memory (RAM), read-only memory (ROM), mass storage media (for example, a hard disk), removable storage media (for example, a flash drive, a Compact Disk (CD) or a Digital Video Disk (DVD)), and / or any other volatile or non-volatile, non-transitory device-readable and / or computer-executable memory devices that store information, data, and / or instructions that may be used by the processing circuitry QQ302. The memory QQ304 may store any suitable instructions, data, or information, including a computer program, software, an application including one or more of logic, rules, code, tables, and / or other instructions capable of being executed by the processing circuitry QQ302 and utilized by the network node QQ300. The memory QQ304 may be used to store any calculations made by the processing circuitry QQ302 and / or any data received via the communication interface QQ306. In some embodiments, the processing circuitry QQ302 and memory QQ304 are integrated.
[0248] The communication interface QQ306 is used in wired or wireless communication of signaling and / or data between a network node, access network, and / or UE. As illustrated, the communication interface QQ306 comprises port(s) / terminal(s) QQ316 to send and receive data, for example to and from a network over a wired connection. The communication interface QQ306 also includes radio front-end circuitry QQ318 that may be coupled to, or in certain embodiments a part of, the antenna QQ310. Radio front-end circuitry QQ318 comprises filters QQ320 and amplifiers QQ322. The radio front-end circuitry QQ318 may be connected to an antenna QQ310 and processing circuitry QQ302. The radio front-end circuitry may be configured to condition signals communicated between antenna QQ310 and processing circuitry QQ302. The radio front-end circuitry QQ318 may receive digital data that is to be sent out to other network nodes or UEs via a wireless connection. The radio front-end circuitry QQ318 may convert the digital data into a radio signal having the appropriate channel and bandwidth parameters using a combination of filters QQ320 and / or amplifiers QQ322. The radio signal may then be transmitted via the antenna QQ310. Similarly, when receiving data, the antenna QQ310 may collect radio signals which are then converted into digital data by the radio front-end circuitry QQ318. The digital data may be passed to the processing circuitry QQ302. In other embodiments, the communication interface may comprise different components and / or different combinations of components.
[0249] In certain alternative embodiments, the network node QQ300 does not include separate radio front-end circuitry QQ318; instead, the processing circuitry QQ302 includes radio front-end circuitry and is connected to the antenna QQ310. Similarly, in some embodiments, all or some of the RF transceiver circuitry QQ312 is part of the communication interface QQ306. In still other embodiments, the communication interface QQ306 includes one or more ports or terminals QQ316, the radio front-end circuitry QQ318, and the RF transceiver circuitry QQ312, as part of a radio unit (not shown), and the communication interface QQ306 communicates with the baseband processing circuitry QQ314, which is part of a digital unit (not shown).
[0250] The antenna QQ310 may include one or more antennas, or antenna arrays, configured to send and / or receive wireless signals. The antenna QQ310 may be coupled to the radio front-end circuitry QQ318 and may be any type of antenna capable of transmitting and receiving data and / or signals wirelessly. In certain embodiments, the antenna QQ310 is separate from the network node QQ300 and connectable to the network node QQ300 through an interface or port.
[0251] The antenna QQ310, communication interface QQ306, and / or the processing circuitry QQ302 may be configured to perform any receiving operations and / or certain obtaining operations described herein as being performed by the network node. Any information, data and / or signals may be received from a UE, another network node and / or any other network equipment. Similarly, the antenna QQ310, the communication interface QQ306, and / or the processing circuitry QQ302 may be configured to perform any transmitting operations described herein as being performed by the network node. Any information, data and / or signals may be transmitted to a UE, another network node and / or any other network equipment.
[0252] The power source QQ308 provides power to the various components of network node QQ300 in a form suitable for the respective components (e.g., at a voltage and current level needed for each respective component). The power source QQ308 may further comprise, or be coupled to, power management circuitry to supply the components of the network node QQ300 with power for performing the functionality described herein. For example, the network node QQ300 may be connectable to an external power source (e.g., the power grid, an electricity outlet) via an input circuitry or interface such as an electrical cable, whereby the external power source supplies power to power circuitry of the power source QQ308. As a further example, the power source QQ308 may comprise a source of power in the form of a battery or battery pack which is connected to, or integrated in, power circuitry. The battery may provide backup power should the external power source fail.
[0253] Embodiments of the network node QQ300 may include additional components beyond those shown in Figure 6 for providing certain aspects of the network node’s functionality, including any of the functionality described herein and / or any functionality necessary to support the subject matter described herein. For example, the network node QQ300 may include user interface equipment to allow input of information into the network node QQ300 and to allow output of information from the network node QQ300. This may allow a user to perform diagnostic, maintenance, repair, and other administrative functions for the network node QQ300. In some embodiments providing a core network node, such as core network node 108 of FIG. QQ1, some components, such as the radio front-end circuitry QQ318 and the RF transceiver circuitry QQ312 may be omitted.
[0254] Figure 7 is a block diagram illustrating a virtualization environment QQ400 in which functions implemented by some embodiments may be virtualized. In the present context, virtualizing means creating virtual versions of apparatuses or devices which may include virtualizing hardware platforms, storage devices and networking resources. As used herein, virtualization can be applied to any device described herein, or components thereof, and relates to an implementation in which at least a portion of the functionality is implemented as one or more virtual components. Some or all of the functions described herein may be implemented as virtual components executed by one or more virtual machines (VMs) implemented in one or more virtual environments QQ400 hosted by one or more hardware nodes, such as a hardware computing device that operates as a network node, UE, core network node, or host. Further, in embodiments in which the virtual node does not require radio connectivity (e.g., a core network node or host), the node may be entirely virtualized. In some embodiments, the virtualization environment QQ400 includes components defined by the O-RAN Alliance, such as an O-Cloud environment orchestrated by a Service Management and Orchestration Framework via an O2 interface. Virtualization may facilitate distributed implementations of a network node, UE, core network node, or host.
[0255] Applications QQ402 (which may alternatively be called software instances, virtual appliances, network functions, virtual nodes, virtual network functions, etc.) are run in the virtualization environment QQ400 to implement some of the features, functions, and / or benefits of some of the embodiments disclosed herein. Hardware QQ404 includes processing circuitry, memory that stores software and / or instructions executable by hardware processing circuitry, and / or other hardware devices as described herein, such as a network interface, input / output interface, and so forth. Software may be executed by the processing circuitry to instantiate one or more virtualization layers QQ406 (also referred to as hypervisors or virtual machine monitors (VMMs)), provide VMs QQ408a and QQ408b (one or more of which may be generally referred to as VMs QQ408), and / or perform any of the functions, features and / or benefits described in relation with some embodiments described herein. The virtualization layer QQ406 may present a virtual operating platform that appears like networking hardware to the VMs QQ408.
[0256] The VMs QQ408 comprise virtual processing, virtual memory, virtual networking or interface and virtual storage, and may be run by a corresponding virtualization layer QQ406. Different embodiments of the instance of a virtual appliance QQ402 may be implemented on one or more of VMs QQ408, and the implementations may be made in different ways. Virtualization of the hardware is in some contexts referred to as network function virtualization (NFV). NFV may be used to consolidate many network equipment types onto industry standard high volume server hardware, physical switches, and physical storage, which can be located in data centers, and customer premise equipment.
[0257] In the context of NFV, a VM QQ408 may be a software implementation of a physical machine that runs programs as if they were executing on a physical, non-virtualized machine. Each of the VMs QQ408, and that part of hardware QQ404 that executes that VM, be it hardware dedicated to that VM and / or hardware shared by that VM with others of the VMs, forms separate virtual network elements. Still in the context of NFV, a virtual network function is responsible for handling specific network functions that run in one or more VMs QQ408 on top of the hardware QQ404 and corresponds to the application QQ402.
[0258] Hardware QQ404 may be implemented in a standalone network node with generic or specific components. Hardware QQ404 may implement some functions via virtualization. Alternatively, hardware QQ404 may be part of a larger cluster of hardware (e.g. such as in a data center or CPE) where many hardware nodes work together and are managed via management and orchestration QQ410, which, among others, oversees lifecycle management of applications QQ402. In some embodiments, hardware QQ404 is coupled to one or more radio units that each include one or more transmitters and one or more receivers that may be coupled to one or more antennas. Radio units may communicate directly with other hardware nodes via one or more appropriate network interfaces and may be used in combination with the virtual components to provide a virtual node with radio capabilities, such as a radio access node or a base station. In some embodiments, some signaling can be provided with the use of a control system QQ412 which may alternatively be used for communication between hardware nodes and radio units.
[0259] Although the computing devices described herein (e.g., UEs, network nodes) may include the illustrated combination of hardware components, other embodiments may comprise computing devices with different combinations of components. It is to be understood that these computing devices may comprise any suitable combination of hardware and / or software needed to perform the tasks, features, functions and methods disclosed herein. Determining, calculating, obtaining or similar operations described herein may be performed by processing circuitry, which may process information by, for example, converting the obtained information into other information, comparing the obtained information or converted information to information stored in the network node, and / or performing one or more operations based on the obtained information or converted information, and as a result of said processing making a determination. Moreover, while components are depicted as single boxes located within a larger box, or nested within multiple boxes, in practice, computing devices may comprise multiple different physical components that make up a single illustrated component, and functionality may be partitioned between separate components. For example, a communication interface may be configured to include any of the components described herein, and / or the functionality of the components may be partitioned between the processing circuitry and the communication interface. In another example, non-computationally intensive functions of any of such components may be implemented in software or firmware and computationally intensive functions may be implemented in hardware.
[0260] In certain embodiments, some or all of the functionality described herein may be provided by processing circuitry executing instructions stored in memory, which in certain embodiments may be a computer program product in the form of a non-transitory computer-readable storage medium. In alternative embodiments, some or all of the functionality may be provided by the processing circuitry without executing instructions stored on a separate or discrete device-readable storage medium, such as in a hard-wired manner. In any of those particular embodiments, whether executing instructions stored on a non-transitory computer-readable storage medium or not, the processing circuitry can be configured to perform the described functionality. The benefits provided by such functionality are not limited to the processing circuitry alone or to other components of the computing device, but are enjoyed by the computing device as a whole, and / or by end users and a wireless network generally.
[0261] When using the word "comprise" or "comprising" it shall be interpreted as non-limiting, i.e. meaning "consist at least of".
[0262] The embodiments herein are not limited to the preferred embodiments described above. Various alternatives, modifications and equivalents may be used.
[0263] Abbreviations
[0264] 3PP Third-party provider
[0265] 5G NR 5G New Radio
[0266] AF Application Function
[0267] API Application Programming Interface
[0268] EPS Evolved Packet System
[0269] LTE Long Term Evolution
[0270] MitM Man-in-the-Middle
[0271] NEF Network Exposure Function
[0272] NF Network Function
[0273] OAUTH Open AUTHorization
[0274] REST Representational State Transfer
[0275] STR Security Test Report
[0276] TLS Transport Layer Security
[0277] VPN Virtual Private Network
Claims
1. A method performed by a function node (130) for maintaining security in a wireless communications network (100), wherein the maintaining of security is related to an application (141) in an external Application Function, AF, node (140), the method comprising the function node performing:
Action 3: obtaining (203) from the external AF node (140), a Security Test Report, STR;
Action 4: evaluating (204) the STR towards a vulnerability database (212);
Action 5: obtaining (205) a result of the evaluation;
and when the result is associated with a risk:
Action 6: monitoring (206) the application (141) for any activities causing a security threat; and
Action 8: closing (208) a network access of the application (141) when any activity causing a security threat is detected;
and when the result is not associated with a risk:
Action 10: refraining (210) from monitoring the application (141) for activities causing a security threat as defined by the STR.
2. The method according to claim 1, the method comprising the function node (130) performing:
Action 1: receiving (201), from the external AF node (140), a request for application registration of the application (141) via the use of application programming interfaces, APIs, of the function node, the request including the application ID;
Action 2: requesting (202), from the external AF node (140), the STR for the application according to the application ID;
Action 3: obtaining (203), from the external AF node (140), the STR as requested, and an application identity, ID, associated with the application (141);
Action 4: evaluating (204) the STR towards the vulnerability database (212), where the vulnerability database comprises information about vulnerabilities that impact the security of the wireless communications network (100);
Action 5: obtaining (205) the result of the evaluation from the vulnerability database (212), which result comprises information whether a running of the application is associated with any vulnerability that impacts the security of the wireless communications network (100);
Action 6: monitoring (206), by a traffic analyser system (213) belonging to the function node (130), the traffic of the application (141) when the result is associated with a risk;
Action 7: alerting (207) the function node (130) when any activities are found causing a security threat;
Action 8: closing (208) the network access of the application (141) when alerted by the traffic analyser system (213); and
Action 9: informing (209) the external AF node (140) about closing the network access for the application (141).
3. The method according to claim 1 or 2, the method comprising the function node receiving an updated STR from the external AF node (140), and repeating actions 4 and onwards according to claim 1 or 2 using the updated STR.
4. A function node (130) adapted to maintain security in a wireless communications network (100), wherein the maintaining of security is related to an application (141) in an external Application Function, AF, node (140), the function node (130) being adapted to perform:
Action 3: obtain (203) from the external AF node (140), a Security Test Report, STR,
Action 4: evaluate (204) the STR towards a vulnerability database (212),
Action 5: obtain (205) a result of the evaluation,
and wherein the function node is adapted to, when the result is associated with a risk:
Action 6: monitor (206) the application (141) for any activities causing a security threat,
Action 8: close (208) a network access of the application (141) when any activity causing a security threat is detected, and
Action 9: inform (209) the external AF node (140) about closing the network access,
and wherein the function node is adapted to, when the result is not associated with a risk:
Action 10: refrain (210) from monitoring the application (141) for activities causing a security threat as defined by the STR.
5. The function node (130) according to claim 4, the function node being adapted to perform:
Action 1: receive (201), from the external AF node (140), a request for application registration of the application (141) via the use of application programming interfaces, APIs, of the function node, the request including the application ID;
Action 2: request (202), from the external AF node (140), the STR for the application according to the application ID;
Action 3: obtain (203), from the external AF node (140), the STR as requested, and an application identity, ID, associated with the application (141);
Action 4: evaluate (204) the STR towards the vulnerability database (212), where the vulnerability database comprises information about vulnerabilities that impact the security of the wireless communications network (100);
Action 5: obtain (205) the result of the evaluation from the vulnerability database (212), which result comprises information whether a running of the application is associated with any vulnerability that impacts the security of the wireless communications network (100);
Action 6: monitor (206), by a traffic analyser system (213) belonging to the function node (130), the traffic of the application (141) when the result is associated with a risk;
Action 7: alert (207) the function node (130) when any activities are found causing a security threat;
Action 8: close (208) the network access of the application (141) when alerted by the traffic analyser system (213); and
Action 9: inform (209) the external AF node (140) about closing the network access for the application (141).
6. The function node () according to claim 4 or 5, the function node being adapted to receive an updated STR from the external AF node (140), and to repeat actions 4 and onwards of claim 4 or 5 using the updated STR.
7. A computer program (330) comprising instructions, which when executed by a processor (310), causes the processor (310) to perform actions according to any of the claims 1, 2 and 3.
8. A carrier (340) comprising the computer program (330) of claim 7, wherein the carrier (340) is one of an electronic signal, an optical signal, an electromagnetic signal, a magnetic signal, an electric signal, a radio signal, a microwave signal, or a computer readable storage medium.
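The workflow of claims 1 to 6 (registration request, STR evaluation against a vulnerability database, traffic monitoring only when the result carries a risk, closing network access on a detected threat and informing the AF, and re-running Action 4 onwards on an updated STR), modelled as an added Python example. This is illustrative code written for this page, not Ericsson's implementation and not any 3GPP-defined NEF API; the vulnerability database entries, the STR finding category names, the API path in the sample traffic, the consecutive-authentication-failure rule used by the traffic analyser, and the fail-closed handling of finding categories the database does not know are all constructed assumptions.

```python
from dataclasses import dataclass, field
from enum import Enum


class AccessState(Enum):
    REGISTERED = "registered"    # Actions 1-2 done, STR not yet evaluated
    UNMONITORED = "unmonitored"  # Action 10: no risk, traffic not analysed
    MONITORED = "monitored"      # Action 6: risk found, traffic analyser active
    CLOSED = "closed"            # Action 8: network access closed


# Constructed vulnerability database (Action 4). Keys are hypothetical STR
# finding categories; the value states whether the finding impacts the
# security of the network. A category the database does not know is treated
# as risky, so the evaluation fails closed (assumption, not from the page).
VULNERABILITY_DB = {
    "WEAK_TLS_CONFIG": True,
    "MISSING_OAUTH_SCOPE_CHECK": True,
    "VERBOSE_ERROR_PAGES": False,
}

# Constructed traffic-analyser rule (Action 7): this many consecutive
# authentication failures from one application count as a security threat.
AUTH_FAILURE_THRESHOLD = 5


@dataclass
class SecurityTestReport:
    """STR as delivered by the AF (Action 3): the categories whose tests failed."""
    app_id: str
    findings: list


@dataclass
class FunctionNode:
    """Model of the function node (130), e.g. a NEF, holding per-app state."""
    db: dict = field(default_factory=lambda: dict(VULNERABILITY_DB))
    state: dict = field(default_factory=dict)        # app_id -> AccessState
    sent_to_af: list = field(default_factory=list)   # Action 9 notifications

    def register(self, app_id):
        """Actions 1-2: accept the registration request and ask for the STR."""
        self.state[app_id] = AccessState.REGISTERED
        return {"app_id": app_id, "request": "STR"}

    def evaluate_str(self, report):
        """Actions 3-5, then 6 or 10: returns the findings that carry a risk.

        Calling this again with an updated STR repeats Action 4 onwards
        (claims 3 and 6) and overwrites the previous decision.
        """
        risky = [f for f in report.findings if self.db.get(f, True)]
        self.state[report.app_id] = (
            AccessState.MONITORED if risky else AccessState.UNMONITORED
        )
        return risky

    def analyse_traffic(self, app_id, events):
        """Actions 6-9 over (api, http_status) events of one application.

        Returns a description of the first detected threat, or None. Only an
        application whose STR evaluation marked it risky is analysed at all.
        """
        if self.state.get(app_id) is not AccessState.MONITORED:
            return None                                  # Action 10
        failures = 0
        for api, status in events:
            failures = failures + 1 if status == 401 else 0
            if failures >= AUTH_FAILURE_THRESHOLD:       # Action 7
                threat = f"{failures} consecutive auth failures on {api}"
                self.state[app_id] = AccessState.CLOSED  # Action 8
                self.sent_to_af.append((app_id, "access closed: " + threat))  # Action 9
                return threat
        return None


def run_scenario():
    """Constructed end-to-end run with one risky and one clean application."""
    nef = FunctionNode()
    nef.register("app-a")
    nef.register("app-b")
    risky_a = nef.evaluate_str(SecurityTestReport("app-a", ["WEAK_TLS_CONFIG"]))
    risky_b = nef.evaluate_str(SecurityTestReport("app-b", ["VERBOSE_ERROR_PAGES"]))
    # Constructed traffic: both apps send a burst of 401s to a hypothetical API
    burst = [("/example-nef-api/v1/events", 401)] * 6
    threat_a = nef.analyse_traffic("app-a", burst)
    threat_b = nef.analyse_traffic("app-b", burst)   # not monitored, so ignored
    # Updated STR for app-a with every finding fixed (claim 3): re-evaluated
    nef.evaluate_str(SecurityTestReport("app-a", []))
    return {
        "risky_a": risky_a,
        "risky_b": risky_b,
        "threat_a": threat_a,
        "threat_b": threat_b,
        "state_b": nef.state["app-b"],
        "sent_to_af": list(nef.sent_to_af),
        "state_a_after_update": nef.state["app-a"],
    }
```

Two points in the model follow the claims literally and deserve attention in a real deployment: an updated STR without findings returns an application to the unmonitored state even after its access was closed, because claims 3 and 6 repeat Action 4 onwards without an extra condition, and the only evidence that closure is warranted is whatever the traffic analyser's rule captures, so the rule and its threshold, not the STR, decide the false-positive rate once an application is under monitoring.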