Training node, query handler and methods for fine-tuning, selecting, and deploying machine learning models in a communication system

The training node and query handler system addresses vulnerabilities in language models by fine-tuning models with tailored robustness levels and using uncertainty scores to enhance security and adaptability in communication systems.

WO2026142479A1PCT designated stage Publication Date: 2026-07-02TELEFONAKTIEBOLAGET LM ERICSSON (PUBL)

Patent Information

Authority / Receiving Office
WO · WO
Patent Type
Applications
Current Assignee / Owner
TELEFONAKTIEBOLAGET LM ERICSSON (PUBL)
Filing Date
2024-12-23
Publication Date
2026-07-02

Smart Images

  • Figure SE2024051147_02072026_PF_FP_ABST
    Figure SE2024051147_02072026_PF_FP_ABST
Patent Text Reader

Abstract

Embodiments herein relate to methods and systems for fine-tuning, selecting, and deploying machine learning models in communication systems (100) to enhance security and robustness in interactions with communication devices (120) exhibiting varying levels of adversarial behavior. According to some embodiments, a method performed by a training node (111) is provided. Based on auditing a plurality of data segments, the training node (111) develops (503) a training plan for fine-tuning a first set of candidate models comprising a set of robust models, a set of default models, and a set of incomplete models. Based on the training plan, the training node (111) fine-tunes (504) a second set of candidate models comprising at least one robust model and at least one default model. The training node (111) deploys (505) the fine-tuned second set of candidate models in an execution environment (112).
Need to check novelty before this filing date? Find Prior Art

Description

[0001] TRAINING NODE, QUERY HANDLER AND METHODS FOR FINE-TUNING, SELECTING, AND DEPLOYING MACHINE LEARNING MODELS IN A COMMUNICATION SYSTEM

[0002] TECHNICAL FIELD

[0003] Embodiments herein relate to methods and systems relating to a training node and a query handler. In some aspects, embodiments herein relate to determining a training plan for fine-tuning models in a communication system and / or handling queries from a communication device in a communication system.

[0004] BACKGROUND

[0005] In a typical wireless communication network, wireless devices, also known as wireless communication devices, mobile stations, stations (STA) and / or Communication Device (UD), communicate via a Wide Area Network or a Local Area Network such as a Wi-Fi network or a cellular network comprising a Radio Access Network (RAN) part and a Core Network (CN) part. The RAN covers a geographical area which is divided into service areas or cell areas, which may also be referred to as a beam or a beam group, with each service area or cell area being served by a radio network node such as a radio access node e.g., a Wi-Fi access point, a Base Station (BS) or a radio base station (RBS), which in some networks may also be denoted, for example, a Base Station (BS), a NodeB, eNodeB (eNB), orgNodeB (gNB) as denoted in Fifth Generation (5G) telecommunications. A service area or cell area is a geographical area where radio coverage is provided by the radio network node. The radio network node communicates over an air interface operating on a radio frequency with the wireless devices within the range of the radio network node.

[0006] 3rd Generation Partnership Project (3GPP) is the standardization body for specifying the standards for the cellular system evolution, e.g., including 3G, 4G, 5G and the future evolutions. Specifications for Evolved Universal Terrestrial Radio Access (E-UTRA) and Evolved Packet System (EPS) have been completed within the 3GPP. In 4G also called a Fourth Generation (4G) network, EPS is core network and E-UTRA is radio access network. In 5G, 5G Core (5GC) is core network, NR is radio access network. As a continued network evolution, the new release of 3GPP specifies a 5G network also referred to as 5G New Radio (NR) and 5GC.Language models, particularly those based on deep learning architectures or better known these days as LLMs (Large-Language Models), are trained on vast datasets.

[0007] Language model training could take a forward training step, which is called fine-tuning, see. Figure 1 illustrates a base model trained on public data and is subsequently finetuned with non-public data to create the final language model. Note that a fine-tuning step could be performed multiple times.

[0008] Due to expertise and cost reasons, a language model that is deployed in production is most likely fine-tuned on a base model that is pre-trained, rather than being trained from scratch. In other words, an owner of a fine-tuned language model often operates their model with limited knowledge about the base model they are utilizing, which could cause potential future security issues.

[0009] In this context public data refers to datasets that a base model is trained on while non-public data refers to datasets that a fine-tuned model is trained on. Examples of nonpublic data include model owner’s sensitive information, such as the owner's trade secrets, confidential data, and proprietary data, along with others’ sensitive data such as personal identifiable data. Communication devices communicating with LM-based system, i.e., users of the model / system, usually have indirect access to the model via exposed APIs. It should be noted that the terms LM and LLM are used interchangeably herein.

[0010] Figure 2 illustrates an Intent-based Networking which may be considered as one example of a system powered by language models.

[0011] One way to interpret user intents is to leverage language models as a core component of the system. This approach is known as a Language Model-based system (LM-based system). In this context, intents outline what needs to be accomplished, while the language models interpret the user's intentions and determine how to achieve these goals based on their understanding of the user intents and the capabilities of the model's system. An intent does not need to include explicit instructions on how to achieve the goal. Instead, the system relies on the language models to autonomously generate the necessary steps to meet the intents.

[0012] Its applications include an intent-based system and an agent system. An intent refers to an abstract and high-level policy, covering requirements that a system must satisfy. The system receives a set of intents as input and is expected to fulfill the intents. In the present context, an intent refers to both natural human language and non-natural language.One example of such a system may be a software implementation in which the inner working is powered by language models. A system with only one or a few language models, e.g., an agent, is usually not capable of handling all requirements described by the intents, while the agent's APIs are open to both human users and software modules. In other words, a LM-based system can be usually implemented as a multi-agent system, where each agent is specialized in a specific function and operates autonomously, to fulfill all the received intents. It also means no agent has an overall knowledge of the system, which opens a potential vulnerability.

[0013] Intent-based networking and intelligent IT operations are two of the most popular real-world examples. In intent-based networking, the system understands network management commands and translates them into complex configurations across its network nodes. In intelligent IT operations, an agent can automate incident response by understanding reports or commands and resolving potential disruption or alerting the relevant team to take an appropriate action, all without manual intervention.

[0014] Privacy Enhancing Technologies

[0015] Privacy Enhancing Technologies (PETs) are a broad set of tools and methods aimed at providing ways to build products and functionality while protecting sensitive data. One example is anonymization tools.

[0016] One notable example to apply a PET to protect confidential training samples is Differential Privacy (DP). DP works by adding statistical noise to either the raw data before it is trained, by adding noise to the iterations of the ML algorithms, by adding noises to the loss function, or by adding noise to the output of the query. A critical aspect of utilizing PETs like DP is their parameters, which determines the level of privacy protection. In case of DP, its main parameters include the privacy budget (epsilon) and the probability that the DP may fail to protect the privacy (delta).

[0017] Within LM-based systems, PETs are critical for ensuring that an agent only retains the necessary information to perform its function, preventing unauthorized access to personal / sensitive data by adversaries. However, one potential issue with these techniques is that they often lead to performance degradation. Finding the right trade-off between performance and privacy protection is a difficult problem, thus the extent of the privacy protection parameters must be carefully balanced with the level of threat.Prior efforts within the present technical fields include the disclose US 2024 / 0054233 A1 which describes a protection unit for protecting machine learning engines, artificial intelligence engines, large language models, and deep learning engines. The engine consists of two parts. A so-called offline protection unit analyses the engines to be protected for vulnerabilities and changes operational parameters and properties to mitigate attacks. A so-called online protection unit analysis inputs to the protected and output of the protected engine. Based on the analysis operational parameters and properties are changed to mitigate attacks. Additionally, US 2019 / 0050564 A1 describes the detection of model retrieval attacks using run-time analysis. Preventive action is performed upon the detection of an attack.

[0018] SUMMARY

[0019] As part of developing embodiments herein, the inventors identified some problems that first will be described.

[0020] An asset that is needed to be protected may include any data samples that were used to fine-tune language models deployed into an LM-based system. These samples are considered as the model owner’s secret information, which could be confidential and proprietary. The data could also contain other sensitive information, such as customer’s personal identifiable information. Figure 3 illustrates data asset as one of the assets that need to be protected. Additional assets illustrate include the Service Level Agreement (SLA) and Intellectual Property Rights (I PR).

[0021] Technical challenges arise due to the fact that language models may not be necessarily securely designed, particularly against attackers performing privacy attacks utilizing Adversarial Machine Learning (AdvML) or Prompt Hacking techniques on a system that the models are deployed.

[0022] This threat is difficult to mitigate because 1) these attackers use the exposed APIs in a similar way as normal users do, i.e., similar way as non-adversary users do, leading to a period of uncertainty regarding whether the system is under attack or not, and 2) additionally, language models that are deployed in production are mostly fine-tuned on public base language models, rather than being trained from scratch. Since these basemodels may not be trainer for communication with adversarial either, weaknesses inherited from the base models could be exploited by adversaries using AdvML techniques to attack the fine-tuned models.

[0023] As one of these unprotected systems tries to satisfy their received intents, the system may eventually disclose sensitive data samples through such attacks. This vulnerability may also result in negative consequences related to personal data protection.

[0024] User within this context refer to any communication device sending queries and receiving their responses through the exposed API. They are semi-trusted because an attacker utilizing AdvML or Prompt Hacking could use the API in a similar way, while the attacker sends artificially crafted queries to replicate sensitive information. The term user and communication device are used interchangeably herein.

[0025] Protecting data assets presents challenges that can be particularly difficult when the LM-based system faces a situation that is potentially harmful, yet uncertain. In this scenario, there are indications or possibilities of threats (thus potentially harmful), but the information available is not conclusive enough to accurately assess the true intent of user or the extent of the threat (thus uncertain). This is due to uncertainty in language model revolves around 1) the model's memorization issues and 2) the model's ability to process ambiguous, incomplete, incorrect, or off-topic intents, which could lead to underreaction or overreaction. This vulnerability could be partly estimated by performing model auditing procedures (thus more expected threat).

[0026] Another challenge relating to the security of LM-based system lies in the difficulty of distinguishing between malicious and benign inputs, particularly in a scenario where the query is artificially crafted. One notable example is Prompt Injection, which is the manipulation of language model's responses by crafting inputs in a way that exploits its predictive mechanisms (e.g., overfitting), aiming to extract sensitive information. Unlike the general issue of uncertain intents, this type of attack could be unknown (thus less expected or unexpected threat) while posing a clear threat to data protection.

[0027] Handling these problems is critical since prematurely blocking a user or halting the service is not advisable because legitimate usages might be mistakenly identified as malicious. This false-positive alert could occur due to language models could haveresponded with information that is memorized from their training datasets. It would lead to negative consequences such as unwanted service disruption.

[0028] Conversely, delaying action until it reaches an absolute certainty about a user’s malicious intent could prove to be too risky thus equally impractical. Therefore, taking appropriate action with respect to the level of threat proportionally in a potentially harmful situation is a complex yet important problem.

[0029] Considering the severity of these attacks, various defense techniques against the threat have been researched. These techniques can be classified into three main solutions: 1) alignment approach, 2) enhancing model or data approach, and 3) detectionbased approach. However, each of these approaches has its own limitations.

[0030] Existing solution 1 and its limitations: Alignment approach is one of the major current defense approaches; however, it has its own limitations. An aligned language model in the system may mitigate some known threats, however, any aligned model could be easily overfitted, that is because the model rarely has full knowledge of the system inner workings, its components, other available language models, and human operators. Even if they do, the information may be soon outdated as time goes by, thus having them always updated to what to do could be quite an inefficient approach to maintain the system. Moreover, language model vulnerabilities are quite different from traditional system vulnerabilities. For example, an adversary may disclose sensitive data from language models by proposing that they will give a tip or by asking questions more politely. Mitigating such attacks in pro-active manner is very challenging from the defender’s perspective because such attacks are often unexpected, while an alignment approach is rather effective towards expected threats.

[0031] Existing solution 2 and its limitations: the “enhancing model or data approach” is another major defense approach, yet the approach has several issues. Determining the appropriate balance between performance and privacy protection is a challenging issue, which privacy parameters, DP’s privacy budget for example, must be carefully weighed against the level of threat, otherwise it could result in sacrificing the model’s accuracy in exchange for its robustness. It is difficult to determine the appropriate balance between performance and privacy protection, because its privacy parameters must be carefully weighed against the level of threat, yet the parameters are also dependent on each user and each product. While it is possible to prepare multiple robust models to explore different trade-off choices between robustness and accuracy, preparing a model for everypossible combination of robustness parameters would be impractical. That is because the size of such a combination is exponential.

[0032] Existing solution 3 and its limitations: Detection-based approach is one of the effective approaches against the threat, where an algorithm determines whether a user is an adversary or not based on the user’s query-response pairs. One example is perplexitybased, which is defined as the exponentiated average negative log-likelihood of a sequence. A prompt can be considered compromised if its perplexity score exceeds a specified threshold. However, this approach is limited, because it is designed for a normal situation and does not address how to react to an adversary. Relying on this method until achieving absolute certainty about a user’s malicious intent can be too risky thus impractical, particularly in uncertain scenarios.

[0033] An object of embodiments herein is to improve the security relating to LM-based systems.

[0034] Another object of embodiments herein is to improve development and deployment of training plans for fine-tuning models in a communication system.

[0035] Yet another object of embodiments herein is to improve the handling of queries from a communication device in a communication system.

[0036] According to an aspect of embodiments herein, the object is achieved by a method performed by a training node. The method is for determining a training plan for fine-tuning models in a communication system.

[0037] The training node selects models to be fine-tuned and a plurality of data segments on which the fine-tuned models will be trained. For each robustness level out of a number of robustness levels, the training node audits the respective data segments for security threats. Based on the auditing results, the training node develops a training plan for fine-tuning a first set of candidate models comprising a set of robust models, a set of default models, and a set of incomplete models.

[0038] A robust model is adapted for interaction with non-adversary communication devices. A default model is adapted for interaction with adversary communication devices. A incomplete model is adapted for fine-tuning based on a request from a query handler.

[0039] Based on the training plan, the training node fine-tunes a second set of candidate models comprising at least one robust model and at least one default model.The training node deploys the fine-tuned second set of candidate models in an execution environment such that each deployed model out of the second set of candidate models is invokable by the query handler.

[0040] According to an aspect of embodiments herein, the object is achieved by a method performed by a query handler. The method is for handling queries from a communication device in a communication system.

[0041] The training node receives a query from the communication device. The communication device being assigned an adversary uncertainty score. The training node invokes, based on the received query, a first fine-tuned model among a second set of candidate models deployed in an execution environment, and receives a first response. The first fine-tuned model is selected based on the adversary uncertainty score associated with the communication device. The second set of candidate models comprises at least one set of robust models adapted for interaction with non-adversary communication devices and at least one set of default models adapted for interaction with adversary communication devices. The training node updates the adversary uncertainty score based on the received query and the first response. The training node determines whether or not the first fine-tuned model is suitable for the communication device based on the updated adversary uncertainty score.

[0042] When the first model is not suitable, the training node determines whether or not any one model in the second set of candidate models is suitable for the communication device based on the updated adversary uncertainty score.

[0043] When all models in the second set of candidate model are unsuitable, the training node transmits a request to a training node for a specific candidate model based on the updated adversary uncertainty score.

[0044] According to another aspect of embodiments herein, the object is achieved by a training node configured to determine a training plan for fine-tuning models in a communication system. The training node being configured to:

[0045] - select models to be fine-tuned, a plurality of data segments on which the finetuned models will be trained,

[0046] - for each robustness level out of a number of robustness levels, audit the respective data segments for security threats,- based on the auditing results, develop a training plan for fine-tuning a first set of candidate models comprising a set of robust models, a set of default models, and a set of incomplete models,

[0047] - wherein a robust model is adapted for interaction with non-adversary communication devices, a default model is adapted for interaction with adversary communication devices, and an incomplete model is adapted for fine-tuning based on a request from a query handler,

[0048] - based on the training plan, fine-tune a second set of candidate models comprising at least one robust model and at least one default model, and

[0049] - deploy the fine-tuned second set of candidate models in an execution environment such that each deployed model out of the second set of candidate models is invokable by the query handler.

[0050] According to another aspect of embodiments herein, the object is achieved by a query handler configured to handle queries from a communication device in a communication system. The query handler further being configured to:

[0051] - receive a query from the communication device, said communication device being adapted to be assigned an adversary uncertainty score,

[0052] - invoke, based on the received query, a first fine-tuned model among a second set of candidate models deployed in an execution environment, and receive a first response, wherein the first fine-tuned model is adapted to be selected based on the adversary uncertainty score associated with the communication device, wherein the second set of candidate models is adapted to comprise at least one set of robust models adapted for interaction with non-adversary communication devices and at least one set of default models adapted for interaction with adversary communication devices,

[0053] - update the adversary uncertainty score based on the received query and the first response,

[0054] - determine whether or not the first fine-tuned model is suitable for the communication device based on the updated adversary uncertainty score,

[0055] - when the first model is not suitable: determine whether or not any one model in the second set of candidate models is suitable for the communication device based on the updated adversary uncertainty score; and- when all models in the second set of candidate model are unsuitable: transmit a request to a training node for a specific candidate model based on the updated adversary uncertainty score.

[0056] Embodiments herein may provide one or more of the following advantages:

[0057] Embodiments herein optimize resource allocation fortraining and deployment. By prioritizing the training of models based on the assessed risk and vulnerability for each training data segments, the system minimizes wasteful expenditure of computational and human resources on less critical data segments. This targeted strategy not only enhances the system’s efficiency but also ensures that resources are concentrated where they are most needed.

[0058] Embodiments herein facilitates continuous operation and reliability. Maintaining an intent-based system with higher level of robustness against privacy attacks that the system remains operational and reliable, even during periods of uncertain user intentions and in the face of unexpected privacy attack challenges. This continuous operation is crucial for maintaining user trust and ensuring that service quality does not degrade.

[0059] BRIEF DESCRIPTION OF THE DRAWINGS

[0060] Examples of embodiments herein are described in more detail with reference to attached drawings in which:

[0061] Figure 1 is a schematic block diagram illustrating prior art.

[0062] Figure 2 is a schematic block diagram illustrating prior art.

[0063] Figure 3 is a schematic block diagram illustrating prior art.

[0064] Figure 4 is a schematic block diagram depicting a communications system wherein embodiments herein may be implemented,

[0065] Figure 5 is a flowchart illustrating an example embodiment of a method herein.

[0066] Figure 6 is a flowchart illustrating an example embodiment of a method herein.

[0067] Figure 7 is a schematic block diagram depicting embodiments herein.

[0068] Figure 8 is a schematic block diagram depicting embodiments herein.

[0069] Figure 9 is a schematic block diagram depicting embodiments herein.

[0070] Figure 10 is a schematic block diagram depicting embodiments herein.

[0071] Figure 11 is a schematic block diagram depicting embodiments herein.

[0072] Figure 12 is a flowchart illustrating an example embodiment of a method herein.Figure 13 is a schematic block diagram illustrating an example embodiment of a method herein

[0073] Figure 14 is a schematic block diagram illustrating an example embodiment of a method herein.

[0074] Figure 15 is a schematic block diagram illustrating an example embodiment of a method herein.

[0075] Figure 16 is a schematic block diagram illustrating an example embodiment of a method herein.

[0076] Figure 17 is a schematic block diagram illustrating an example embodiment of a method herein

[0077] Figure 18 is a schematic block diagram illustrating an example embodiment of a method herein.

[0078] Figure 19 is a schematic block diagram illustrating an example embodiment of a method herein.

[0079] Figure 20 is a schematic block diagram illustrating an example embodiment of a method herein.

[0080] Figure 21 is a schematic block diagram illustrating an example embodiment of a method herein.

[0081] Figure 22 is a schematic block diagram illustrating an example embodiment of a method herein.

[0082] Figure 23 is a generalized block diagram of embodiments of a training node.

[0083] Figure 24 is a generalized block diagram of embodiments of a query handler.

[0084] Figure 25 schematically illustrates embodiments of a communication system.

[0085] Figure 26 is a generalized block diagram of embodiments of a communication diagram of a host.

[0086] Figure 27 is a generalized block diagram of embodiments of a UE.

[0087] Figure 28 is a generalized block diagram of embodiments of a virtualization environment.

[0088] DETAILED DESCRIPTION

[0089] Examples of embodiments herein relate to managing the security of LM-based systems by introducing several robust language models and incomplete models inresponse to varying privacy threats, with a focus on efficient robust model training process and query handling.

[0090] Figure 4 is a schematic overview depicting a communications system 100 wherein embodiments herein may be implemented. The illustrated communications system 100 comprises a training node 111, an execution environment 112, a query handler 113 and communication devices 120.

[0091] The training node 111 may include a database module 401, a auditing module 402, a planning module 403 and a training module 404

[0092] The database module 401 refers to a repository where data for the training process may be stored. The database module 401 may provide both the non-public data samples for the training process and the base models to be fine-tuned. In other words, the database module 401 may select base models to be fine-tuned and a plurality of data segments on which the fine-tuned models will be trained, as performed in action 501 discussed in relation to Figure 5.

[0093] The database module 401 may also provide additional data, such as monitored query-response pairs, for the auditing. The monitored query-response pairs may be historical data or the system may incorporate dynamic monitoring, which tracks real-time query-response pairs and model interactions. The monitoring advantageously looks for unexpected response and / or interaction patterns that may indicate emerging privacy vulnerabilities, such as attempts to extract personal / sensitive data, e.g., membership inference attacks, and update the auditing module 402 for each data segment about potential privacy issues.

[0094] The auditing module 402 may audit the respective data segments for security threats, as performed in action 502 discussed in relation to Figure 5. E.g., meaning that, the auditing module 402 may perform an examination of 1) fine-tuned models and 2) nonpublic datasets on which the fine-tuned models will be trained. This auditing module 402 may audit both AI / ML models and datasets automatically and assess the assets for potential privacy issues, such as the unintentional leakage of sensitive information. One method for evaluation may be done by performing simulated attacks on the models. Theauditing module 402 may transmit a report summarizing the evaluations to the planning module 403.

[0095] The planning module 403 may create a plan that details which model candidates should be prioritized to be trained. E.g., meaning that, the planning module 403 may, based on the auditing results, develop a training plan for fine-tuning a first set of candidate models comprising a set of robust models, a set of default models, and a set of incomplete models, as performed in action 503 discussed in relation to Figure 5. In other words, the planning module 403 may prioritize training efforts according to the risk associated with each data segment based on the auditing information and live network monitoring information.

[0096] In this context, a robust model refers to a model suitable for interaction with nonadversary communication devices, a default refers to a model suitable for interaction with adversary communication devices, and an incomplete model refers to a model suitable for fine-tuning based on a request from the query handler 113.

[0097] The training module 404 may take the plan developed from the planning module 403 and apply it to train the AI / ML models. Advantageously, the training module 404 finetunes a second set of candidate models comprising at least one robust model and at least one default model based on the training plan, as performed in action 504 discussed in relation to Figure 5.

[0098] In some embodiments, the training module 404 may further fine-tune at least one incomplete model to be subsequently fine-tuned for deployment in response to a request for a specific candidate model to be deployed from the query handler 113.

[0099] The execution environment 112 refers to a location where the trained models are deployed. It may serve as the operational infrastructure that supports the execution of AI / ML models in a live environment. Meaning that, the execution environment 112 may be seen as responsible for deploying the fine-tuned second set of candidate models such that each deployed model out of the second set of candidate models is invokable by the query handler 113, as performed in action 505 discussed in relation to Figure 5.

[0100] The query handler 113 processes queries according to the communication device intent and selects an appropriate AI / ML model(s) to process. It is responsible fortransmitting appropriate responses to the queries it receives. The query handler 113 manages incoming queries to the system and is responsible for ensuring that the response transmitted to the communication device 120 does not leak private information.

[0101] Example embodiments of how the query handler 113 processes queries are elaborated upon in relation to Figure 6.

[0102] The communication devices 120 are sending queries to the query handler. It should be understood by the skilled in the art that “communication device (UD)” is a nonlimiting term which means any terminal, client, mobile client, IMS client, wireless communication terminal, user equipment, Device to Device (D2D) terminal, or node e.g. smart phone, laptop, mobile phone, sensor, relay, mobile tablets or even a car or any small base station communicating within a cell.

[0103] The term “candidate model” refers to a hypothetical language models that have been fine-tuned using a specific set of robustness levels for the plurality of data segment such that respective data segment in respective candidate model is associated with a specific robustness level.

[0104] A number of embodiments will now be described, some of which may be seen as alternatives, while some may be used in combination.

[0105] A method according to embodiments herein will first be described as seen from the view of the training node 111 together with Figure 5, then as seen from the view of the query handler 113 together with Figure 6.

[0106] Figure 5 shows examples of embodiments of a method performed by the training node 111. The method is for determining a training plan for fine-tuning models in the communication system 100.

[0107] The method comprises the following actions, which actions may be taken in any suitable order.

[0108] Action 501The training node 111 selects models to be fine-tuned. To fine-tune may mean to train the base model on an additional data segment. The models to be fine-tuned may be selected by one or more criteria, such as overall performance metrics, domain relevance, or benchmark performance on similar tasks.

[0109] The training node 111 further selects a plurality of data segments on which the finetuned models will be trained. The plurality of data segments may be selected by domain coverage, data diversity, or estimated impact on performance.

[0110] This action may be performed by the database module 401 assigned to the training node 111 as described above.

[0111] Action 502

[0112] For each robustness level out of a number of robustness levels, the training node 111 audits the respective data segments for security threats.

[0113] A robustness level may e.g. mean a defined metric or threshold to measure how effectively a model can handle adversarial inputs. Due to the inherent trade-offs between accuracy and robustness, multiple robustness levels may be used to accommodate varying robustness requirements. For example, a higher robust level may be used when the risk of adversarial machine learning attacks is getting higher, even if that choice potentially reduces overall accuracy. A security threat may e.g. be a possible breach of confidentiality and privacy of a system and its data. Such threats can include membership inference attacks.

[0114] This action may be performed by the auditing module 402 assigned to the training node 111 as described above.

[0115] Action 503

[0116] Based on the auditing results, the training node 111, develops a training plan for fine-tuning a first set of candidate models. The first set of candidate models comprises a set of robust models, a set of default models, and a set of incomplete models.

[0117] This action may be performed by the planning module 403 assigned to the training node 111.

[0118] A robust model is adapted for interaction with non-adversary communication devices, a default model is adapted for interaction with adversary communication devices. An incomplete model is adapted for fine-tuning based on a request from a query handlerAction 504

[0119] Based on the training plan, the training node 111 fine-tunes a second set of candidate models comprising at least one robust model and at least one default model.

[0120] This is performed to enable coverage of different accuracy-robustness trade-offs, ensuring the system can adapt to the various robustness levels while optimising the number of candidate models to remain within available resources and time constraints. This action may be performed by the training module 404 assigned to the training node 111.

[0121] In some embodiments, the training node 111 further fine-tunes at least one incomplete model to be subsequently fine-tuned for deployment in response to a request for a specific candidate model to be deployed from the query handler 113. This may be to reduce on-demand training time and resource usage, allowing incomplete models to be quickly adapted for new risk mitigation requirements.

[0122] Action 505

[0123] The training node 111 deploys the fine-tuned second set of candidate models in an execution environment 112 such that each deployed model out of the second set of candidate models is invokable by the query handler 113.

[0124] This action may be performed by an execution environment 112 assigned to the training node 111.

[0125] Action 506

[0126] In some embodiments, the training node 111 receives a request from the query handler 113. The request requests a specific candidate model to be deployed.

[0127] The wording “request for specific candidate model” in this context may refer to a request for any model fulfilling certain criteria, such as values relating to a certain data leakage vulnerability score, uncertainty score and / or accuracy score. Meaning that the request for a specific candidate module may be formulated such that a plurality of candidate module could be chosen, e.g., the specific candidate module could be any module with an accuracy score above a threshold and a data leakage vulnerability score below another threshold. In other words, the term specific candidate model refers to any model that enables the system to adapt to evolving security requirements.Action 507

[0128] In some embodiments, the training node 111, based on the request, selects an incomplete model for fine-tuning among the set of incomplete models. This may be to effectively adapt an incomplete model, which is partially trained, to meet specific requirements outlined in the request within the query handler 113, reducing the time and computational; resources needed for full model training.

[0129] This action may be performed by a planning module 403 assigned to the training node 111.

[0130] Action 508

[0131] In some embodiments, the training node 111 fine-tunes the selected incomplete model to form a fine-tuned robust model. This is performed to finalize the model training quickly and dynamically when needed. This enhances the model’s adaptability to potential less probable vulnerability, ensuring consistent performance under varying conditions.

[0132] This action may be performed by a training module 404 assigned to the training node 111.

[0133] Action 509.

[0134] In some embodiments, the training nodes 111 further deploys at least one further fine-tuned incomplete model in the execution environment 112 such that the further fined-tuned model is invokable by the query handler 113.

[0135] Figure 6 shows examples of embodiments of a method performed by the query handler 113. The method is for handling queries from a communication device 120 in the communication system 100.

[0136] The method comprises the following actions, which actions may be taken in any suitable order.

[0137] Action 601

[0138] The query handler 113 receives a query from the communication device 120. The communication device 120 being assigned an adversary uncertainty score.A query when used herein e.g. means any request, user intent, instruction, or data transmitted from the communication device 120. Such a query can range from a simple data retrieval request to a complex user intention requiring intelligent decision-making.

[0139] Action 602

[0140] The query handler 113 invokes a first fine-tuned model based on the received query. The first fine-tuned model is invoked among a second set of candidate models deployed in an execution environment 112. This e.g., means that if the received query must meet certain performance requirements, the query handler 113 selects the best-suited model from the available candidate models. The query handler 113 may then select the best model based on their robustness levels and estimated performance.

[0141] The second set of candidate models comprises at least one set of robust models adapted for interaction with non-adversary communication devices and at least one set of default models adapted for interaction with adversary communication devices,

[0142] In embodiments, the second set of candidate models additionally comprise incomplete models, wherein the incomplete models are further to be fine-tuned candidate models.

[0143] Action 603

[0144] The query handler 113 receives a first response. In the first response, the first finetuned model has been selected based on the adversary uncertainty score associated with the communication device 120. This e.g., means that the adversary uncertainty score helps determine the model’s robustness against potential adversarial risks or uncertainties to the intention of the communication device 120.

[0145] The first fine-tuned model may have been selected by the query handler 113.

[0146] Action 604

[0147] The query handler 113 updates the adversary uncertainty score based on the received query and the first response. This is an advantage since updating the adversary uncertainty score allows the system to continuously assess and dynamically adapt to potential adversarial machine learning risks or uncertainties specific to the communication device 120.

[0148] Action 605The query handler 113 determines whether or not the first fine-tuned model is suitable for the communication device 120 based on the updated adversary uncertainty score.

[0149] To be suitable for the communication device 120, may e.g. mean that a fine-tuned model meets pre-defined criteria, such as accuracy and adversarial robustness threshold for the query.

[0150] Action 606

[0151] When the first fine-tuned model is not suitable, the query handler 113, determines whether or not any one model in the second set of candidate models is suitable for the communication device 120 based on the updated adversary uncertainty score.

[0152] In some embodiments, the query handler 113 determines whether or not any one model in the second set of candidate models is suitable by performing the following actions:

[0153] - Invoking 6061 a first evaluation group of candidate models amongst the second set of candidate models and receiving a first evaluation set of responses,

[0154] - determining 6062 whether or not any one response in the first evaluation set of responses is suitable for transmission to the communication device 120, and when all responses in the first evaluation set of responses are unsuitable:

[0155] - invoking 6063 a second evaluation group of candidate models amongst the second set of candidate models and receiving a second evaluation set of responses, - determining 6064 whether or not any one response in the second evaluation set of responses is suitable for transmission to the communication device 120.

[0156] Action 607

[0157] When all models in the second set of candidate models are unsuitable, the query handler 113 transmits a request to the training node 111 for a specific candidate model based on the updated adversary uncertainty score.

[0158] In this way by using the methods above, the embodiments herein achieve several significant advantages, including:

[0159] - Enhanced Model Adaptability: Dynamic fine-tuning based on adversarial uncertainty scores ensures adaptability to changing security contexts.- Granular Model Deployment: Tailored deployment of robust, default, and incomplete models optimizes performance for diverse interaction types.

[0160] - Minimized Overfitting Risks: Use of well-audited data segments and dynamic fine- tuning reduces overfitting and improves generalizability.

[0161] - Improved Security Against Emerging Threats: Auditing data segments for vulnerabilities enhances resilience to sophisticated attacks.

[0162] - Enhanced User Privacy Protection: Adversary uncertainty scores ensure that models interacting with potentially malicious queries prioritize privacy.

[0163] - Reduced Latency in Query Handling: Efficient selection and invocation of models minimize processing delays.

[0164] - Scalable System Design: Modular deployment of models allows the system to handle increased query volume and diverse device interactions.

[0165] - Continuous Operation and Reliability: Robustness against privacy attacks ensures system availability and service quality even during adversarial challenges.

[0166] - Proactive Query Adaptation: Real-time determination of model suitability and on- demand model training maintain operational adaptability.

[0167] - Resource Effective Model Management: By preparing the appropriate models, such as robust or default models, and being ready to quickly adapt to unforeseen threats with incomplete models, the system optimizes computational resources, ensuring cost-efficiency in deployment.

[0168] Embodiments herein such as the embodiments mentioned above will now be further described and exemplified. The text below is applicable to and may be combined with any suitable embodiment described above.

[0169] Figure 7 shows a block diagram including a database, i.e., a database module 401, a trainer, i.e., the training module 404, the auditing module 402, a planning module 403, a query handler 113, and execution environment 112 according to one example embodiment.

[0170] AI / ML Model Training System refers to a system in which AI / ML models are trained and encompasses the entire training process from data selection to model training.LM-based System refers to a system in which the trained models are used to interpret user intentions and to carry out desired tasks.

[0171] The database module 401 of the training node 111, refers to a repository where data for the training process is stored.

[0172] - Select: The training node 111 such as its database 401 provides both the nonpublic data samples for the training process and the base models to be fine-tuned. The database 401 also provides additional data, such as monitored query-response pairs, for the auditing. Note that public datasets may not be known to the owner of the system. This is related to and may be combined with Action 501 as described above. - Update: The system also incorporates dynamic monitoring from the intent-based system, which tracks real-time query-response pairs and model interactions. The monitoring looks for unexpected response / interaction patterns that could indicate emerging privacy vulnerabilities, such as attempts to extract sensitive data, through e.g., membership inference attacks, and update the training node 111 such as its auditing module 402 for each data segment about potential privacy issues.

[0173] The training node 111 such as its auditing module 402 performs a thorough examination of 1) fine-tuned AI / ML models and 2) non-public datasets on which the finetuned models will be trained. This module 402 audits both AI / ML models and datasets automatically and assesses the assets for potential privacy issues, such as the unintentional leakage of sensitive information. One method for evaluation can be done by performing simulated attacks on the models.

[0174] - Report: The training node 111, such as its auditing module 402, transmits a report summarizing the evaluations to the training node 111 such as its planning module 403.

[0175] The training node 111 such as its planning module 403 creates a plan that details which model candidates should be prioritized to be trained. Based on the auditing information and live query monitoring information to prioritize training efforts according to the risk associated with each data segment.

[0176] Figure 8 shows a similar a block diagram including a database, i.e., a database module 401, a trainer (i.e., a training module 404), an auditing module 402, a planningmodule 403, a query handler 113, and execution environment 112 according to one example embodiment.

[0177] The training node 111 such as its training module 404, illustrated as trainer in Figure 8, referred to as training module 404 in figure 4, takes the plan developed from the auditing process and applies it to train the AI / ML models. This includes training robust models that are designed to handle specific vulnerability levels determined by the training node 111 such as its auditing module 402.

[0178] - Deploy: The trained models are deployed into an intent-based system where they can start performing real-world tasks, the deployed modules may include:

[0179] 1) Robust models for the expected threats.

[0180] 2) Incomplete models for the less expected threats.

[0181] 3) Default models for the unexpected threats.

[0182] The execution environment 112 refers to where the trained models are deployed. It serves as the operational infrastructure that supports the execution of AI / ML models in a live environment.

[0183] The query handler 113 processes queries according to the user’s intent and selects an appropriate AI / ML model(s) to process. It is responsible for generating appropriate responses to the queries it receives. The query handler 113 manages incoming queries to the system and is responsible for ensuring that the model’s response does not leak private information. In the illustrated example, it is assumed that the query handler 113 has a sub-module to measure an estimated AdvML attack performance and keep attack progress for each user.

[0184] - Query: The communication device 120 (e.g., a user or another system) sends a command or a question to the LM-based system, commanding the executing of a task or seeking the information.

[0185] - Response: the query handler 113 returns the action report or the correct output to the UD 120 after their query is processed and its intent behind it is determined.

[0186] - Invoke: the query handler 113 to ensures that an appropriate AI / ML model is used to process the query.

[0187] In the illustrated example, the interaction between the LM-based system and a communication device is cyclical and ongoing, allowing the system to continuously serve the needs of the communication device as the system is designed, while the queryhandler 113 selects an appropriate model to respond depending on the communication device’s adversary uncertainty score.

[0188] Embodiments provided herein e.g., involves dividing a non-public dataset into data segments, allowing each data segment to be fine-tuned continuously yet separately with different robustness levels, designed to minimize the risk of data leakage without much sacrifice of the model performance.

[0189] Each non-public data segment has different vulnerability and different importance, thus, ideally, an AdvML attack could be mitigated by a robust model trained with distinct robustness parameters tailored to each data segment’s vulnerability against the attack. This is a difficult condition for a fine-tuned model without fine-tuning it multiple times, because that fine-tuning will apply the same parameter setting over all data samples, while the attack target specific vulnerability. Thus, a fine-tuned model with a single fine-tuning step, as in Figure 1, may either be trained with too much privacy protection or the other way around.

[0190] Figure 9 shows how the model effectively may mitigate the AdvML attack scenarios by tailoring a robust model to handle a threat for each data segment. Ideally, a list of robust models, that are trained with robustness parameters specifically calibrated for different data segments, can effectively mitigate various risks across varying threat levels. This strategy is particularly useful in scenarios where different data segments of training data face threats of uncertain and potentially harmful situations, thus enhancing overall system resilience against a broad spectrum of risks.

[0191] The number of robust models to handle such various AdvML attack scenarios, however, increases exponentially with each additional data segment, leading to computational intractability. Specifically, the total number of combinations to train the models would be MN with N non-public data segments and M robustness levels. For example, if the total number of non-public data segment N is 3 and the robustness level M is 4 (NORMAL, LOW, MEDIUM, HIGH), then the total number of model candidates to train is 64 (= 43). This complexity makes developing robust language models not only difficult but also both computationally expensive and practically intractable.

[0192] Threat levels may be described in several different ways. In some embodiment, all threats may be classified into one of the following threat levels:- Expected Threat: The threat level is known after performing auditing and monitoring query-responses thus corresponding preventive measures are also expected to be in place.

[0193] - Less Expected Threat: The threat level is less expected, but potential threats have been identified after performing auditing and monitoring query-responses.

[0194] - Unexpected Threat: Unforeseen threats that are difficult to predict and prepare for.

[0195] Embodiments herein resolve the inherent complexity associated with exponential increase in the number of robust models required by:

[0196] - prioritizing the most useful robust model candidates to be trained for both 1) the Expected Threats and 2) the Unexpected Threats; and,

[0197] - providing a scalable approach to training robust models tailored to the risk profile of each data segment for 3) the Less Expected Threats.

[0198] All in all, the proposed solution does not only make the system more robust but also helps in making the training process computationally manageable. On top of that, the embodiments herein updates the plan by applying newly updated monitoring pairresponse pairs, thus bridging the gap between real-world threats and estimated threats effectively. As a result, the embodiments herein handles both harmful situations and potentially harmful situations, while the system could continue to be up and running.

[0199] Figure 10 illustrates an example embodiment relating to the auditing module 402 of the training node 111. The training node 111 such as the auditing module 402 of the training node 111 aims to measure how much of the non-public dataset, which the fully fine-tuned model is trained on, can unintentionally leak. After the auditing, the process results in a report estimating a set of composite and aggregated metrics, along with data leakage vulnerability for each non-public data segment.

[0200] This is similar to and may be combined with Action 502 described above.

[0201] Database module 401

[0202] The training node 111 such as its database module 401 comprises the base models, the non-public data and the monitored query-response pairs.- Base models: The foundational models which have been trained on public datasets. From the service owner’s point of view, the base model serves as the starting point and more training is needed to be applied using non-public datasets.

[0203] - Non-public Data: These datasets represent any additional datasets to fine-tune the base model to improve or customize for the owner’s specific tasks. In this document, the dataset is divided into multiple data segments.

[0204] - Monitored Query-responses: The monitored query-response pairs could be converted into data leakage vulnerabilities for all data segments.

[0205] Auditing submodules

[0206] The assessment submodule of the auditing module 402 assesses the vulnerability estimation and its uncertainty scores associated with each non-public data segment. It uses both 1) the model and the data from the database module 401 of the training node 111 and 2) monitored data leakage information from the query handler 113. As a result, each non-public data segment has its own associated data leakage vulnerability metrics in terms of both unintentional leakage and attacks. Vulnerability percentage indicates the likelihood of data being extracted, while uncertainty percentage reflects the confidence in the vulnerability assessment.

[0207] Two examples of ways to estimate the vulnerability of data leakage are 1) to measure the percentage of memorized data samples for each non-public data segment and 2) to perform simulated attacks on the fine-tuned model. An expected data leakage vulnerability is around 0.01 (=1%). It is important to note that each estimated vulnerability score comes with its own uncertainty, which indicates the reliability of the estimate. In this example, Non-public Data 1 (Vulnerability score 1%) is one of the least vulnerable training data segments, and Non-public Data 4 is both slightly more vulnerable and more uncertain compared to Non-public Data 1. Non-public Data 2 (Vulnerability score 40%) is the top-most vulnerable data segment. The Non-public Data 3 (Vulnerability score 1%) is another least vulnerable data segment, yet less certain about the estimation (Uncertainty score 70%).

[0208] Since the privacy threat landscape is constantly evolving, e.g., new prompt injection attacks, both the vulnerability scores and its respective uncertainty scores are advantageously always changing over time as well. Therefore, it is advantageous that the training node 111 such as its auditing module 402 ensures that it always updates andmaintains these scores to accurately reflect the measured threats, to minimize the gap between auditing data and monitored attacks. One way to maintain a vulnerability score for each non-public data segment is to use Bayesian updating, which is having the ML auditing performance as prior values and updating the priors with the live network data to estimate data leak vulnerability scores as their posteriors.

[0209] Report submodule

[0210] The report submodule of the auditing module 402 compiles and aggregates metrics as a report. The report uses outputs from the assessment submodule and aims to provide a set of composite metrics to be used in the training node 111 such as its planning module 403.

[0211] In other words, the report submodule is designed to produce composite metrics to evaluate each model candidate. The primary objective is to decide whether to train each candidate based on their performance metrics, such as accuracy and the vulnerability of the associated data segments.

[0212] A key metric developed by this report submodule may be intended to rank robust model candidates in order of their metrics for the planned training schedule. For example, a metric to sort model candidates starting from the most promising one to the least. One way to calculating this metric considers both the accuracy of the models and their vulnerability to data leakage, providing a balanced view of their overall effectiveness as follows:

[0213] Total Score = (Wtax Total Accuracy) - (Wtvx Total Vulnerability)

[0214] Where Total Accuracy is the estimated accuracy performance of the final fine-tuned model and Total Vulnerability is the estimated data leakage vulnerability of the final finetuned model. Wta and Wtvare weights for the vulnerabilities. A higher weight means the segment’s data leakage could have a more severe impact. For example, for a candidate with accuracy of 0.9 and data leakage score 0.2 with Wta= Wtv= 1, the candidate’s Total Score is 0.7. Total Score metric reflects a model’s performance both accuracy and robustness against expected and probable threats. A higher Total Score indicates a model candidate that is not only accurate but also robust against a threat, making it highly valuable. A lower Total Score indicates that while the model candidate may perform good on some occasions, it sacrifices much of either robustness or accuracy, making the model less practical.It is advantageous to normalize the weights and vulnerability scores, and one way to calculate the data segment vulnerability v can be calculated by: (memorized samples in the ithdata segments) I (the total sample number of data samples in the fhdata segments).

[0215] Total Accuracy = Z(W x a;) I Z(W x dj)

[0216] Total Vulnerability = Z(W x Vj) / Z(W x dj)

[0217] Where N is the total number of data segments, is the weight or importance of the ithdata segment, ai is the accuracy score of the ithdata segment, Vj is the vulnerability score of the ithdata segment, and dj is the number of samples of the i*hdata segment. The weights Wj is determined based on the criticality of each data segment to the overall.

[0218] | Data ^samples Uncertainty #sampie i

[0219] | Segment (vulnerable) [0-11 _ (total) _ |

[0220] 1 10 111 |Tooo |

[0221] 2400 0.1 ( 1000 |

[0222] 3 10 0.7 | 1000 |

[0223] 4 50 0.3 j 1000 |

[0224]

[0225] | Robust Level i Accuracy Modifier Vulnerability Modifier i

[0226] | (for a segment) | (for a segment) [0-1] (for a segment) [0-1] |

[0227] NORMAL | 1 1 |

[0228] LOW 10.90 0.60 |

[0229] MEDIUM | 0.75 0.25 |

[0230] p— i p_

[0231] 0?01 |

[0232]

[0233] Table 1

[0234] Table 1 shows one example of each data segment and the system’s determined Robust Levels. With 4 non-public data segments and 4 robust levels, the total number of model candidates is 256 (= 44).

[0235] In this example, a model candidate’s Total Score with all NORMAL robust level is: 0.8825, with Total Accuracy 1 (= 0.25 x 1 + 0.25 x 1 + 0.25 x 1 + 0.25 x 1) and Total Vulnerability 0.1175 (10 / 1000 x 1 + 400 / 1000 x 1 + 10 / 1000 x 1 + 50 / 1000 x 1). Likewise, a model candidate’s Total Score with all NORMAL robust level except Data Segment 2 with LOW robust level is: 0.8975, with Total Accuracy 0.975 (= 0.25 x 1 + 0.25 x 0.9 +0.25 x 1 + 0.25 x 1) and Total Vulnerability 0.0775 (10 / 1000 x 1 + 400 / 1000 x 0.6 + 10 / 1000 x 1 + 50 / 1000 x 1).

[0236] In this example, all weight values (Wta, Wtv, Wj) are 1 and the size of data segments are the same. Also, table 1’s accuracy calculation is based on the assumption that the test data equally represents each non-public data segment and that all segments are of equal size and importance. However, this may not reflect real-world conditions where data segments can vary both in size and importance.

[0237] As a result of auditing, the following models are being planned:

[0238] - Robust models: Fully trained models that incorporate advanced robustness parameters against Expected Threats, illustrated in Table 2.

[0239] - Default models: Fully trained models that incorporate advanced robustness parameters against Unexpected Threats, illustrated in Table 3

[0240] - Incomplete models: Partially trained models that have been prepared up to a certain point but require final fine-tuning against Less Expected Threats, illustrated in Table 4.

[0241] Selecting Robust models in the Planning

[0242] Robust models refers to fully trained language models that incorporate advanced robustness parameters to mitigate the risk of data leakage and to ensure user privacy. A innovative aspect of this method lies in its ability to prioritize model training effectively, ensuring that resources are directed towards training model candidates that are more desired, i.e., a balance of accuracy and privacy.Threshold: 8.877 Candidate 1: SELECTED as ROBUST MODEL - Total Score: 8.8975 (Total Accuracy ~ Total Vulnerability) - Total Accuracy: 8.975, Total Vulnerability: 8,8775 - Segment 1: Rbst Lv ~ NORMAL, Est. Vol. = 18 / 1888, Org. Est. Vol. ~ 18 / 1888 (line: 3.1) ~ Segment 2: Rbst Lv ~ LOW, Est. Vol, - 248.8 / 1888, Org. Est, Vol. ~ 488 / 1388 (Vnc:8,l) - Segment 3: Rbst Lv * NORMAL, Est. Vol. - 18 / 1888, Org. fist, Vul. « 18 / 1838 (Unc:3.7) - Segment 4: Rbst Lv = NORMAL, Est. Vul, « 58 / 1808, Org. Est, Vol. « 58 / 1838 (! Jnc:8.3) Candidate 2: SELECTED as ROBUST MODEL ■■ Total Score: 8.895 (Total Accuracy ■■ Total Vulnerability) - Total Accuracy: 8,9375, Total Vulnerability: 8.8425 - Segment 1: Rbst Lv » NORMAL, Est. Vul. » 18 / 1838, Org, Est. Vul. » 18 / 1888 (Unc:8,l) ~ Segment 2; Rbst lv - MEDOT, Est, Vul. « 188,8 / 1888, Org, Est. Vul. - 488 / 1888 (Unc:0»l) - Segment 3: Rbst Lv » NORMAL, Est. Vul. = IS / 1838, Org, Est. Vul. « 18 / 1888 (Unc:8.7) - Segment 4: Rbst Lv - NORMAL, Est. Vul. ~ 58 / 1808, Org. Est. Vul. ~ 58 7 1888 (Unc;8.3) Candidate 3: SELECTED as ROBUST MODEL - Total Score: 3.8825 (Total Accuracy -• Total Vulnerability) - Total Accuracy: 1.8, Total Vulnerability: 8.1175 - Segment 1: Rbst Lv - NORMAL, Est. Vul. - 18 / 1888, Org. Est. Vul. - 18 I 1838 (Unc:3.i) - Segment 2: Rbst Lv * NORMAL, Est. Vul. « 488 / 1883, Org. Est. Vul. » 488 / 1888 (Unc:8,l > - Segment 3: Rbst Lv = NORMAL, Est. Vul. = 18 / 1888, Org. Est:. Vul. « 18 / 1838 (l)nc:6.7) - Segment 4: Rbst Lv » NORMAL, Est, Vul, - 58! 1888, Org. Est. Vul. - 58 / 1388 (Unc:8.3) Candidate 4: SELECTED as ROBUST MODEL - Total Score: 8,8815 (Total Accuracy - Total Vulnerability > - Total Accuracy: 8,9, Total Vulnerability: 8,3185 ~ Segment 1: Rbst lv « NORMAL, Est. Vul. « 18 / 1838, Org, Est. Vul. « 18 / 1888 (Unc:8.1) - Segment 2: Rbst Lv = HIGH, Est. Vul. » 4.8 / 1883, Org. Est. Vul. = 488 / 1888 (Ufic:8.1) - Segment 3: Rbst Lv - NORMAL, Est. Vul. ~ 18 / 1838, Org. Est. Vul. - 18 / 1888 (Unc:8.7) - Segment 4: Rbst Lv « NORMAL, Est. Vul. = 58 / 1888, Org. Est. Vul. ~ 58 7 1888 (Unc:3.3) Candidate 5: SELECTED as ROBUST MODEL - Total Score: 8.8775 (Total Accuracy - Total Vulnerability) ~ Total Accuracy: 3.95, Total Vulnerability: 6.8725 - Segment 1: Rbst Lv = NORMAL, Est. Vul. » 18 / 1888, Org. Est. Vul. = 18 / 1838 (linc:3.1) - Segment 2: Rbst Lv » LOW, Est. Vul. - 248.8 7 1808, Org, Est. Vul. ~ 488 7 1388 (Unc:8.1) - Segment 3: Rbst Lv = NORMAL, Est, Vul. ~ 18 / 1888, Org. Est. Vul. = 18 / 1388 (Unc:8.7) - Segment 4: Rbst lv ~ LOW, Est. Vul. - 38,3 7 1888, Ore. Est. Vul. - 58 / 1888 (Unc:8.3) Candidate 6: NOT SELECTED - Total Score: 8,875 (Total Accuracy ~ Total Vulnerability) - Total Accuracy: 8,9125, Total Vulnerability: 8.8375 ~ Segment 1: Rbst Lv » NORMAL, Est:. Vul. ~ 18 / 1838, Org. Est. Vul. » IS / 1888 (Utic:8.1) - Segment 2: Rbst Lv - MEDIUM, Est. Vul. - 188.8 / 1388, Org. Est. Vul. - 488 I 1838 (0nc:8.1) - Segment 3: Rbst Lv == NORMAL, Est. Vul. == 18 / 1888, Org. Est, Vul. ~ 18 7 1838 (Onc:8.7) - Segment 4: Rbst Lv ~ LOW, Est. Vul, ~ 33.8 / 1388, Org. Est. Vol, ~ 53 I 1888 (Unc:8<3) Candidate 7: NOT SELECTED - Total Score: 8.8735 (Total Accuracy - Total Vulnerability) - Total Accuracy: 3.95, Total Vulnerability: 6.8765 - Segment 1: Rbst Lv - NORMAL, Est. Vul. - 18 I 1833, Org. Est. Vul. = 18 / 1838 (Unc:3. I) - Segment 2: Rbst Lv ~ LOW, Est. Vul. == 248.8 7 1838, Org. Est. Vul. = 488 7 1883 (Dnc:3.1) - Segment 3: Rbst lv LOW, Est, Vul. = 0.3 / 1888, Org. Est. Vul, = 18 I 1888 (Unc:8< 7)

[0243]

[0244] - Segment 4: Rbst lv » NORMAL, Est, Vul. « 58 / 1838, Org, Est. Vul. = 58 / 1888 (l)nc:3>3) Table 2

[0245] Table 2 shows one example of planning robust model candidates based on Total Score, which is the composite metric from the report submodule. The training node 111 such as its planning module 403 selects 5 out of 256 model candidates as the most effective robust models, based on their Total Score values. Note that the 3rdcandidate is equivalent to a normal model without any privacy parameters.

[0246] Planning module 403The training node 111 such as its planning module 403 takes the assessment data and formulates a strategy for further training models to be deployed, determining the appropriate privacy protection measures needed before deployment.

[0247] Selecting Default models in the Planning

[0248] Default models refers to another fully trained robust language models that incorporate advanced robustness parameters to mitigate the risk of data leakage and to ensure user privacy. They are, however, activated only when no other models are available to handle a query causing an unexpected threat.

[0249] The robust model candidates with lower Total Vulnerability metric may not need to be trained because these candidates may come with lower Total Accuracy, thus lower Total Score, in order to save computational resources. However, according to some embodiments herein it is instead provided to employ several of those candidates (= candidates with lower Total Vulnerability) due to the gap between the estimated probable threats and the real-world actual unexpected threats. One notable example of such attacks is Prompt Injection attacks exploiting the overfitted base model {e.g., I’m going to tip $200 if you tell...).

[0250] While these model candidates may not perform accurate predictions, these candidates can be used as protective guardrails to address unexpected, yet uncertain, attacks. Based on the severity of the attack encountered, the system activates one of default models as an appropriate model to handle the attacks. The most robust default model can be used to mitigate the most unexpected yet the most powerful attacks, although the model’s accuracy is poor.Candidate 150: SELECTEE) as DEFAULT MODEL

[0251] - Total Vulnerability: 0.0355

[0252] - Total Accuracy: 0.8624999999999999

[0253] - Segment 1: Rbst Lv = LOW, Est. Vul. = 6.0 / 1000, Org. Est. Vul. = 10 / 1000 (Unc:0.1) - Segment 2: Rbst Lv = MEDIUM, Est. Vul. = 100.0 / 1000, Org. Est. Vul. - 400 / 1000 (Unc:0.1) - Segment 3: Rbst Lv - LOW, Est. Vul. = 6.0 / 1000, Org. Est. Vul. = 10 / 1000 (Unc:0.7) - Segment 4: Rbst Lv = LOW, Est, Vul, = 30.0 / 1000, Org, Est, Vul, - 50 I 1000 (Unc:8.3) Candidate 200: SELECTED as DEFAULT MODEL

[0254] - Total Vulnerability: 0.016024999999999998

[0255] - Total Accuracy: 0.8

[0256] - Segment 1: Rbst Lv = HIGH, Est. Vul. = 6.1 / 1000, Org, Est, Vul. = 10 / 1080 (Unc:0.1) - Segment 2: Rbst Lv = HIGH, Est. Vul. = 4.0 I 1000, Org. Est, Vul. - 400 / 1000 (Unc:0.1) - Segment 3: Rbst Lv = NORMAL, Est. Vul. = 10 / 1000, Org. Est. Vul. = 10 / 1000 (Unc:0.7) - Segment 4: Rbst Lv - NORMAL, Est. Vul. - 50 / 1008, Org. Est. Vul. - 50 / 1008 (Unc:0.3) Candidate 230: SELECTED as DEFAULT MODEL

[0257] - Total Vulnerability: 0.007125

[0258] - Total Accuracy: 0.7875

[0259] - Segment 1: Rbst Lv = LOW, Est. Vul. = 6.0 / 1000, Org. Est. Vul, = 10 / 1000 (Unc:8.1) - Segment 2: Rbst Lv = HIGH, Est, Vul, = 4,8 / 1000, Org. Est. Vul. = 480 / 1008 (Unc:0.1) - Segment 3: Rbst Lv = LOW, Est. Vul. = 6.0 / 1008, Org. Est. Vul. = 10 / 1008 (Unc:8.7) - Segment 4: Rbst Lv = MEDIUM, Est. Vul. - 12.5 / 1080, Org, Est. Vul, = 50 / 1080 (Unc:8,3) Candidate 256: SELECTED as DEFAULT MODEL

[0260] - Total Vulnerability: 8.8811749999999999998

[0261] - Total Accuracy: 8.6

[0262] - Segment 1: Rbst Lv = HIGH, Est. Vul. = 0.1 / 1088, Org. Est. Vul. = 10 / 1080 (Unc:0.1) - Segment 2: Rbst Lv = HIGH, Est. Vul. = 4.0 / 1008, Org. Est. Vul. = 400 / 1080 (Unc:0.1) - Segment 3: Rbst Lv - HIGH, Est. Vul. - 0,1 / 1000, Org. Est. Vul. - 10 / 1008 (Unc:0.7) - Segment 4: Rbst Lv = HIGH, Est. Vul, = 8.5 / 1800, Org. Est. Vul. = 58 / 1000 (Unc:0.3) Table 3

[0263] Table 3 shows one example of planning the default models. It plans to have 4 default models with the 150th, the 200th, the 230th, and the 256thof model candidates that are sorted based on their respective Total Vulnerability scores. The last one is the strongest possible robust model with a Total Vulnerability score of 0.001 that the system prepares for the most unexpected threat. Note that this last model barely have 0.6 accuracy at the cost of being trained with the strongest privacy parameters.

[0264] Selecting Incomplete models in the Planning

[0265] Incomplete models refers to partially trained models that have been prepared up to a certain point but require final fine-tuning. This design allows them to be rapidly adapted and deployed in response to less expected yet uncertain privacy threats, thus offering a balance between readiness and flexibility.

[0266] While the robust models and the default models aim to defend against expected and unexpected threats, there are less expected yet uncertain threats. Considering dynamic nature of threat landscape and the need of handling less expected situations, an adaptable methodology for preparing and deploying a model with an appropriate security level is important. In order to prepare for such unexpected scenarios, some embodiments herein provide incomplete models.Figure 11, as an example, shows uncertainty scores for the estimated values for the four different non-public data segments after the auditing process. Note that the figure is equivalent to Table 1, but visually abstracted in different way by focusing on uncertainty scores. In this example, the non-public data segment 3’s estimated vulnerability score is just 1% (= 10 / 1000), however, the estimation’s uncertainty score is 70%. This suggests that the vulnerability score may suddenly increase in future. Note that an uncertainty score refers to an uncertainty of its estimated vulnerability score.

[0267] Some embodiments provide preparing partially trained models which can be quickly finalized if the need arises. This provides a flexible approach to model deployment, allowing the system to respond dynamically to varying levels of data privacy risks, without the overhead of maintaining many fully trained models. As an example, Figure 11 shows one threshold, which serves as guidelines for filtering segments for incomplete models, and the incomplete model will be planned with only non-public data segment 1, 3, and 4, not 2.

[0268] Threshold: 0.84

[0269] Candidate 1: SELECTED as INCOMPLETE MODEL

[0270] - Total Score: 0.8666666667 (Total Accuracy - Total Vulnerability)

[0271] - Total Accuracy: 8.9666666666666666, Total Vulnerability: 8.1

[0272] - Segment 1: Rbst Lv = NORMAL, Est. Vul. = 10 / 1008, Org. Est. Vul. = 18 / 1880 (One: 8.1) - Segment 2: Rbst Lv - LOW, Est. Vul. = 248.0 / 1008, Org. Est. Vul. - 480 / 1800 (Unc:0, l) - Segment 3: Rbst Lv = NORMAL, Est. Vul. « 50 / 1008, Org. Est. Vul. = 58 / 1080 (Unc:8.3) Candidate 2: SELECTED as INCOMPLETE MODEL

[0273] - Total Score: 0.8633333333 (Total Accuracy - Total Vulnerability)

[0274] - Total Accuracy: 0.9166666666666665, Total Vulnerability: 0.85333333333333334

[0275] - Segment 1: Rbst Lv = NORMAL, Est. Vul. - 10 / 1880, Org. Est. Vul. = 10 / 1008 (Unc:0.1) - Segment 2: Rbst Lv - MEDIUM, Est. Vul. - 180.8 / 1880, Org. Est. Vul. = 408 / 1080 (Unc:0.1) - Segment 3: Rbst Lv = NORMAL, Est. Vul. = 58 / 1080, Org, Est. Vul. = 50 / 1008 (Unc:0.3) Candidate 3: SELECTED as INCOMPLETE MODEL

[0276] - Total Score: 8,8466666667 (Total Accuracy - Total Vulnerability)

[0277] ~ Total Accuracy: 1.0, Total Vulnerability: 0.15333333333333332

[0278] - Segment 1: Rbst Lv = NORMAL, Est. Vul. - 18 / 1088, Org. Est. Vul. = 10 / 1808 (One: 8.1} - Segment 2: Rbst Lv = NORMAL, Est. Vul. = 408 / 1080, Org. Est. Vul. = 400 / 1880 (Unc:0. 1) -■ Segment 3: Rbst Lv - NORMAL, Est. Vul. = 58 / 1000, Org. Est, Vul. = 50 / 1800 (One: 8.3) Candidate 4: SELECTED as INCOMPLETE MODEL

[0279] - Total Score: 0.8453333333 {Total Accuracy - Total Vulnerability)

[0280] - Total Accuracy: 0.8666666666666667, Total Vulnerability: 0.021333333333333333

[0281] - Segment 1: Rbst Lv = NORMAL, Est. Vul. » 10 I 1808, Org. Est. Vul. » 18 / 1080 (Unc:0.1) - Segment 2: Rbst Lv ~ HIGH, Est. Vul. = 4.8 / 1080, Org. Est. Vul. ~ 408 / 1080 (Unc:0.1) -■ Segment 3: Rbst Lv = NORMAL, Est. Vul. — 50 / 1800, Org. Est. Vul. = 50 / 1080 (Unc:0.3) Candidate 5: NOT SELECTED

[0282] - Total Score: 0,84 (Total Accuracy - Total Vulnerability)

[0283] - Total Accuracy: 0.9333333333333333, Total Vulnerability: 8,89333333333333334

[0284] - Segment 1: Rbst Lv - NORMAL, Est. Vul. - 18 I 1080, Org. Est. Vul. - 10 / 1808 (Unc:0.1) - Segment 2: Rbst Lv = LOW, Est. Vul. » 240.8 / 1080, Org. Est. Vul. « 400 / 1088 (Unc:0.1) - Segment 3: Rbst Lv = LOW, Est. Vul. = 38.0 / 1008, Org. Est. Vul. - 58 I 1880 (Unc:0.3) Table 4

[0285] Table 4 shows one example of how each incomplete model candidate’ s can be selected. Like Robust Models, their model candidates are sorted based on Total Scorevalues, but the candidates excluded Non-public Data 2 (See Figure 11) as the data segment's uncertainty value is above the threshold.

[0286] Query handler 113

[0287] In the examples related to figure table 2 to 4, the system’s model registry contains 13 (= 5 robust + 4 default + 4 incomplete) models, which is 5% of all possible model candidate number of 256.

[0288] The query handler 113 measures a user's e.g., the communication devices 120 adversary uncertainty score. One way to measure such a score can be perplexity-based, which is defined as the exponentiated average negative log-likelihood of a sequence. A prompt can be considered more anomalous if its perplexity score exceeds a specified threshold.

[0289] Figure 12 shows a flowchart of one way of handling a privacy attack based embodiments herein.

[0290] - At 100, the query handler 113 receives a query from one user to the system. - At 200, the query handler 113 checks its response from the currently assigned model for the user, and updates the user's adversary uncertainty score, which is the belief of whether the user who sent the incoming query is a potential adversary. If there is no assigned model for the user yet, the query handler 113 assigns the top candidate model to the user. The service also sends the update to the training node 111 such as its database module 401, so that eventually the training node 111 such as its planning module 403 could determine whether this is a situation which the service needs to adapt i.e., the new plan based on the new auditing is different from the previous plan. - At 300, the query handler 113 checks whether or not the currently assigned model is appropriate to the user’s query based on the user's adversary uncertainty level. - At 350, the query handler 113 provides the response from the currently assigned robust model to the incoming query.

[0291] - At 400, the query handler 113 determines that the system needs an appropriate model based on the user's adversary level and sends an invoke to the system to check if its model registry has a desired robust model.

[0292] - At 500, the query handler 113 receives an answer for the request, which is a list of available appropriate robust models, or default models, with their respective responses for the query. The query handler 113 determines which one is the most appropriate model. If the system does not have any appropriate robust model, then the serviceinitiates to train a new desired robust model. The system may use an incomplete model to meet this request.

[0293] - At 550, the query handler 113 provides a response from an appropriate robust model to the incoming query, and then, assigns the model to the user.

[0294] - At 600, the query handler 113 provides a response from an appropriate default model to the incoming query. The query handler 113 may assign the model to the user.

[0295] 6G intent based management integration

[0296] As of the year 2024, Integration of intent-based management into 3GPP is currently in progress and not everything has been fully specified yet. Figure 13 shows some parts of a potential integration of IMF in 6G. IMF is the intent management function (IMF) and takes in the management space an intent that is then translated for the next lower layer.

[0297] A LLM may in one scenario takes an intent in natural language and translates this to a more formal intent usable by the IMF in the management layer. There are three possible ways how a LLM could be integrated into a 6G architecture. Embodiments herein relate to part of a LLM-based system and may be incorporated in the way any LLM would be integrated into the 5G / 6G architecture.

[0298] Currently three ways can be envisioned how a LLM could be integrated into the 5G / 6G architecture:

[0299] - The first way, illustrated in Figure 14, is to hide the LLM inside the management IMF and thus have defence mechanism according to embodiments herein as part of the management IMF.

[0300] - The second possibility illustrated in Figure 15 is to have the LLM within the CSP domain but outside the management IMF, so the LLM is communicating with the management IMF via some interface.

[0301] - The third possibility, illustrated in Figure 16, is to have the LLM outside the CSP domain being an application function (AF) which communicates via the network exposure function (NEF) with the management IMF.

[0302] O-RAN Implementation

[0303] The process of specifying intent based management systems has just started, thus it is not fully specified yet how the architecture will look finally. However, it could be said that there are two important components. The RAN Management Intent Owner (RMIO) and the RAN Management Intent Handler (RMIH). The RMIO is responsible forformulating the Intents and is an authorized SMO service consumer. The RMIH is an authorized SMO service producer which understands, can process and ensures fulfilment of the Intents. Figure 17 shows how the architecture is currently specified. The RMIO and RMIH can be hierarchically ordered and can provide a special function like, a LLM RMIO.

[0304] There are several options how an embodiment herein could be integrated into this architecture.

[0305] In the first option as shown in Figure 18, the intent functionality is not exposed and there is a dedicated LLM RMIO with a LLM-based system according to embodiments herein which talks to another RMIO that is then responsible to hand the intent over to the RMIH. Both RMIOs could also be just one RMIO.

[0306] The second option as shown in Figure 19 has a northbound LLM RMIO with LLM-based system according to embodiments herein and is implemented as a rAPP.

[0307] The third option is shown in Figure 20 where the LLM-based system according to embodiments herein is a rAPP that implements the RMIO role and is directly communicating with the RMIH in the Non-Real Time RIC.

[0308] The fourth option is shown in Figure 21 where there are two RMIOs implemented as rAPPs. One is a LLM-based system according to embodiments herein and the other is providing the intent to the RMIH.

[0309] The fifth option is shown in Figure 22 where there are RMIO and RMIH rAPPs. The RMIH rAPPs is communicating with the RMIH in the Non-Real Time RIC. The RMIO rAPP contains a LLM-based system according to embodiments herein. A variation of this one would be to have two rAPPs as RMIO (as in Figure 21) but where the RMIO not containing a LLM-based system according to embodiments herein communicates with the RMIH rAPP.

[0310] To perform the method actions above, the training node 111 is configured to determine a training plan for fine-tuning models in a communication system 100.

[0311] The training node 111 may comprise an arrangement depicted in Figure 23. The training node 111 may comprise an input and output interface 2400 configured to communicate in the communications system 100, e.g., with the execution environment 112 and the query handler 113. The input and output interface 800 may comprise a wireless receiver not shown, and a wireless transmitter not shown.The training node 111 is further configured to select models to be fine-tuned, and a plurality of data segments on which the fine-tuned models will be trained,

[0312] The training node 111 is further configured to, for each robustness level out of a number of robustness levels, audit the respective data segments for security threats.

[0313] The training node 111 is further being configured to, based on the auditing results, develop a training plan for fine-tuning a first set of candidate models comprising a set of robust models, a set of default models, and a set of incomplete models,

[0314] The training node 111 is further being configured to wherein a robust model is adapted for interaction with non-adversary communication devices, a default model is adapted for interaction with adversary communication devices, and an incomplete model is adapted for fine-tuning based on a request from a query handler 113,

[0315] The training node 111 is further being configured to based on the training plan, finetune a second set of candidate models comprising at least one robust model and at least one default model, and

[0316] The training node 111 is further being configured to deploy the fine-tuned second set of candidate models in an execution environment 112 such that each deployed model out of the second set of candidate models is invokable by the query handler 113.

[0317] In some embodiments, the training node 111 is further being configured to:

[0318] - receive from the query handler 113 a request for a specific candidate model to be deployed,

[0319] - based on the request, select, an incomplete model for fine-tuning among the set of incomplete models,

[0320] - fine-tune the selected incomplete model to form a fine-tuned robust model, and - deploy the fine-tuned robust model in the execution environment 112 to be invokable by the query handler 113.

[0321] In embodiments, the training node 111 is further configured to fine-tune at least one incomplete model to be subsequently fine-tuned for deployment in response to a request for a specific candidate model to be deployed from the query handler 113.

[0322] In some embodiments, the training node 111 is configured to deploy at the least one further fine-tuned incomplete model in the execution environment 112 such that the further fined-tuned model is invokable by the query handler 113.To perform the method actions above, the query handler 113 is configured to handle queries from a communication device 120 in a communication system 100. The query handler 113 further being configured to:

[0323] - receive a query from the communication device 120, said communication device 120 being adapted to be assigned an adversary uncertainty score,

[0324] - invoke, based on the received query, a first fine-tuned model among a second set of candidate models deployed in an execution environment 112, and receive a first response, wherein the first fine-tuned model is adapted to be selected based on the adversary uncertainty score associated with the communication device 120, wherein the second set of candidate models is adapted to comprise at least one set of robust models adapted for interaction with non-adversary communication devices and at least one set of default models adapted for interaction with adversary communication devices,

[0325] - update the adversary uncertainty score based on the received query and the first response,

[0326] - determine whether or not the first fine-tuned model is suitable for the communication device 120 based on the updated adversary uncertainty score, - when the first model is not suitable: determine whether or not any one model in the second set of candidate models is suitable for the communication device 120 based on the updated adversary uncertainty score; and

[0327] - when all models in the second set of candidate model are unsuitable: transmit a request to a training node 111 for a specific candidate model based on the updated adversary uncertainty score.

[0328] According to some embodiments, the second set of candidate models additionally is adapted to comprise incomplete models, wherein the incomplete models are further to be fine-tuned candidate models.

[0329] In embodiments, the query handler 113 is configured to further being configured to determine whether or not any one model in the second set of candidate models is suitable by:

[0330] - invoking a first evaluation group of candidate models amongst the second set of candidate models and receiving a first evaluation set of responses,

[0331] - determining whether or not any one response in the first evaluation set of responses is suitable for transmission to the communication device 120, and

[0332] - when all responses in the first evaluation set of responses are unsuitable:- invoking a second evaluation group of candidate models amongst the second set of candidate models and receiving a second evaluation set of responses, and

[0333] - determining whether or not any one response in the second evaluation set of responses is suitable for transmission to the communication device 120.

[0334] Embodiments herein may be implemented through a respective processor or one or more processors, such as the respective processor 2310 of a processing circuitry in the training node 111 depicted in Figure 23, processor 2410 of a processing circuitry in the query handler 113 depicted in Figure 24, together with respective computer program code for performing the functions and actions of the embodiments herein. The program code mentioned above may also be provided as a computer program product, for instance in the form of a data carrier carrying computer program code for performing the embodiments herein when being loaded into the respective training node 111 and query handler 113. One such carrier may be in the form of a CD ROM disc. It is however feasible with other data carriers such as a memory stick. The computer program code may furthermore be provided as pure program code on a server and downloaded to the respective training node 111 and query handler 113.

[0335] The training node 111 and query handler 113 may further comprise a respective memory 2320, memory 2420 comprising one or more memory units. The respective memory 2320 and memory 2420 comprises instructions executable by the processor in the respective training node 111 and query handler 113. The respective memory 2320 and memory 2420 are arranged to be used to store e.g., media functions, indications, tags, information, data, configurations, communication data, and applications to perform the methods herein when being executed in the respective training node 111 and query handler 113.

[0336] In some embodiments, a respective computer program 2330, computer program 2430 comprises instructions, which when executed by the respective at least one processor 2310 and processor 2410, cause the at least one processor of respective training node 111 and query handler 113 to perform the actions above.

[0337] In some embodiments, a respective carrier 2340 and carrier 2440 comprises the respective computer program 2330, computer program 2430, wherein the respective carrier 2340 and carrier 2440 is one of an electronic signal, an optical signal, an electromagnetic signal, a magnetic signal, an electric signal, a radio signal, a microwave signal, or a computer-readable storage medium.Those skilled in the art will appreciate that units in the respective training node 111 and query handler 113 described above may refer to a combination of analog and digital circuits, and / or one or more processors configured with software and / or firmware, e.g. stored in the respective training node 111 and query handler 113, that when executed by the respective one or more processors such as the processors described above. One or more of these processors, as well as the other digital hardware, may be included in a single Application-Specific Integrated Circuitry ASIC, or several processors and various digital hardware may be distributed among several separate components, whether individually packaged or assembled into a System-on-a-Chip (SoC).

[0338] Figure 25 shows an example of a communication system QQ100 in accordance with some embodiments.

[0339] In the example, the communication system QQ100 such as the communications system 100 includes a telecommunication network QQ102 that includes an access network QQ104, such as a radio access network (RAN), and a core network QQ106, which includes one or more core network nodes QQ108. The access network QQ104 includes one or more access network nodes, such as network nodes QQ110a and QQ110b (one or more of which may be generally referred to as network nodes QQ110), or any other similar 3rd Generation Partnership Project (3GPP) access nodes or non-3GPP access points. Moreover, as will be appreciated by those of skill in the art, a network node is not necessarily limited to an implementation in which a radio portion and a baseband portion are supplied and integrated by a single vendor. Thus, it will be understood that network nodes include disaggregated implementations or portions thereof. For example, in some embodiments, the telecommunication network QQ102 includes one or more Open-RAN (ORAN) network nodes. An ORAN network node is a node in the telecommunication network QQ102 that supports an ORAN specification (e.g., a specification published by the O-RAN Alliance, or any similar organization) and may operate alone or together with other nodes to implement one or more functionalities of any node in the telecommunication network QQ102, including one or more network nodes QQ110 and / or core network nodes QQ108.

[0340] Examples of an ORAN network node include an open radio unit (0-Rll), an open distributed unit (0-Dll), an open central unit (O-CU), including an O-CU control plane (O-CLI-CP) or an O-CU user plane (O-CU-UP), a RAN intelligent controller (near-real time ornon-real time) hosting software or software plug-ins, such as a near-real time control application (e.g., xApp) or a non-real time control application (e.g., rApp), or any combination thereof (the adjective “open” designating support of an ORAN specification). The network node may support a specification by, for example, supporting an interface defined by the ORAN specification, such as an A1, F1, W1, E1, E2, X2, Xn interface, an open fronthaul user plane interface, or an open fronthaul management plane interface. Moreover, an ORAN access node may be a logical node in a physical node. Furthermore, an ORAN network node may be implemented in a virtualization environment (described further below) in which one or more network functions are virtualized. For example, the virtualization environment may include an O-Cloud computing platform orchestrated by a Service Management and Orchestration Framework via an 0-2 interface defined by the O-RAN Alliance or comparable technologies. The network nodes QQ110 facilitate direct or indirect connection of user equipment (UE), such as by connecting UEs QQ112a, QQ112b, QQ112c, and QQ112d (one or more of which may be generally referred to as UEs QQ112) to the core network QQ106 over one or more wireless connections.

[0341] Example wireless communications over a wireless connection include transmitting and / or receiving wireless signals using electromagnetic waves, radio waves, infrared waves, and / or other types of signals suitable for conveying information without the use of wires, cables, or other material conductors. Moreover, in different embodiments, the communication system QQ100 may include any number of wired or wireless networks, network nodes, UEs, and / or any other components or systems that may facilitate or participate in the communication of data and / or signals whether via wired or wireless connections. The communication system QQ100 may include and / or interface with any type of communication, telecommunication, data, cellular, radio network, and / or other similar type of system.

[0342] The UEs QQ112 may be any of a wide variety of communication devices, including wireless devices arranged, configured, and / or operable to communicate wirelessly with the network nodes QQ110 and other communication devices. Similarly, the network nodes QQ110 are arranged, capable, configured, and / or operable to communicate directly or indirectly with the UEs QQ112 and / or with other network nodes or equipment in the telecommunication network QQ102 to enable and / or provide network access, such as wireless network access, and / or to perform other functions, such as administration in the telecommunication network QQ102.In the depicted example, the core network QQ106 connects the network nodes QQ110 to one or more host computing systems, such as host QQ116. These connections may be direct or indirect via one or more intermediary networks or devices. In other examples, network nodes may be directly coupled to hosts. The core network QQ106 includes one more core network nodes (e.g., core network node QQ108) that are structured with hardware and software components. Features of these components may be substantially similar to those described with respect to the UEs, network nodes, and / or hosts, such that the descriptions thereof are generally applicable to the corresponding components of the core network node QQ108. Example core network nodes include functions of one or more of a Mobile Switching Center (MSC), Mobility Management Entity (MME), Home Subscriber Server (HSS), Access and Mobility Management Function (AMF), Session Management Function (SMF), Authentication Server Function (ALISF), Subscription Identifier De-concealing function (SIDF), Unified Data Management (UDM), Security Edge Protection Proxy (SEPP), Network Exposure Function (NEF), and / or a User Plane Function (UPF).

[0343] The host QQ116 may be under the ownership or control of a service provider other than an operator or provider of the access network QQ104 and / or the telecommunication network QQ102. The host QQ116 may host a variety of applications to provide one or more service. Examples of such applications include live and pre-recorded audio / video content, data collection services such as retrieving and compiling data on various ambient conditions detected by a plurality of UEs, analytics functionality, social media, functions for controlling or otherwise interacting with remote devices, functions for an alarm and surveillance center, or any other such function performed by a server.

[0344] As a whole, the communication system QQ100 enables connectivity between the UEs, network nodes, and hosts. In that sense, the communication system may be configured to operate according to predefined rules or procedures, such as specific standards that include, but are not limited to: Global System for Mobile Communications (GSM); Universal Mobile Telecommunications System (UMTS); Long Term Evolution (LTE), and / or other suitable 2G, 3G, 4G, 5G standards, or any applicable future generation standard (e.g., 6G); wireless local area network (WLAN) standards, such as the Institute of Electrical and Electronics Engineers (IEEE) 802.11 standards (WiFi); and / or any other appropriate wireless communication standard, such as the Worldwide Interoperability for Microwave Access (WiMax), Bluetooth, Z-Wave, Near FieldCommunication (NFC) ZigBee, LiFi, and / or any low-power wide-area network (LPWAN) standards such as LoRa and Sigfox.

[0345] In some examples, the telecommunication network QQ102 is a cellular network that implements 3GPP standardized features. Accordingly, the telecommunications network QQ102 may support network slicing to provide different logical networks to different devices that are connected to the telecommunication network QQ102. For example, the telecommunications network QQ102 may provide Ultra Reliable Low Latency Communication (URLLC) services to some UEs, while providing Enhanced Mobile Broadband (eMBB) services to other UEs, and / or Massive Machine Type Communication (mMTC) / Massive loT services to yet further UEs.

[0346] In some examples, the UEs QQ112, also referred to as communication devices 120, are configured to transmit and / or receive information without direct human interaction. For instance, a UE may be designed to transmit information to the access network QQ104 on a predetermined schedule, when triggered by an internal or external event, or in response to requests from the access network QQ104. Additionally, a UE may be configured for operating in single- or multi-RAT or multi-standard mode. For example, a UE may operate with any one or combination of Wi-Fi, NR (New Radio) and LTE, i.e. being configured for multi-radio dual connectivity (MR-DC), such as E-UTRAN (Evolved-UMTS Terrestrial Radio Access Network) New Radio - Dual Connectivity (EN-DC).

[0347] In the example, the hub QQ114 communicates with the access network QQ104 to facilitate indirect communication between one or more UEs (e.g., UE QQ112c and / or QQ112d) and network nodes (e.g., network node QQ110b). In some examples, the hub QQ114 may be a controller, router, content source and analytics, or any of the other communication devices described herein regarding UEs. For example, the hub QQ114 may be a broadband router enabling access to the core network QQ106 for the UEs. As another example, the hub QQ114 may be a controller that sends commands or instructions to one or more actuators in the UEs. Commands or instructions may be received from the UEs, network nodes QQ110, or by executable code, script, process, or other instructions in the hub QQ114. As another example, the hub QQ114 may be a data collector that acts as temporary storage for UE data and, in some embodiments, may perform analysis or other processing of the data. As another example, the hub QQ114 may be a content source. For example, for a UE that is a VR device, display, loudspeaker, or other media delivery device, the hub QQ114 may retrieve VR assets, video, audio, or other media or data related to sensory information via a network node, which the hubQQ114 then provides to the UE either directly, after performing local processing, and / or after adding additional local content. In still another example, the hub QQ114 acts as a proxy server or orchestrator for the UEs, in particular if one or more of the UEs are low energy loT devices.

[0348] The hub QQ114 may have a constant / persistent or intermittent connection to the network node QQ110b. The hub QQ114 may also allow for a different communication scheme and / or schedule between the hub QQ114 and UEs (e.g., UE QQ112c and / or QQ112d), and between the hub QQ114 and the core network QQ106. In other examples, the hub QQ114 is connected to the core network QQ106 and / or one or more UEs via a wired connection. Moreover, the hub QQ114 may be configured to connect to an M2M service provider over the access network QQ104 and / or to another UE over a direct connection. In some scenarios, UEs may establish a wireless connection with the network nodes QQ110 while still connected via the hub QQ114 via a wired or wireless connection. In some embodiments, the hub QQ114 may be a dedicated hub - that is, a hub whose primary function is to route communications to / from the UEs from / to the network node QQ110b. In other embodiments, the hub QQ114 may be a non-dedicated hub - that is, a device which is capable of operating to route communications between the UEs and network node QQ110b, but which is additionally capable of operating as a communication start and / or end point for certain data channels.

[0349] Figure 26 shows a UE QQ200 in accordance with some embodiments. The UE QQ200 presents additional details of some embodiments of the UE QQ112 of Figure 25. As used herein, a UE refers to a device capable, configured, arranged and / or operable to communicate wirelessly with network nodes such as e.g training node 111 and query handler 113 and / or other UEs such as e.g communication device 120. Examples of a UE include, but are not limited to, a smart phone, mobile phone, cell phone, voice over IP (VoIP) phone, wireless local loop phone, desktop computer, personal digital assistant (PDA), wireless cameras, gaming console or device, music storage / playback device, wearable terminal device, wireless endpoint, mobile station, tablet, laptop, laptop-embedded equipment (LEE), laptop-mounted equipment (LME), an Augmented Reality (AR) or Virtual Reality (VR) device, wireless customer-premise equipment (CPE), vehicle, vehicle-mounted or vehicle embedded / integrated wireless device, etc. Other examples include any UE identified by the 3rd Generation Partnership Project (3GPP), including anarrow band internet of things (NB-loT) UE, a machine type communication (MTC) UE, and / or an enhanced MTC (eMTC) UE.

[0350] A UE or UD may support device-to-device (D2D) communication, for example by implementing a 3GPP standard for sidelink communication, Dedicated Short-Range Communication (DSRC), vehicle-to-vehicle (V2V), vehicle-to-infrastructure (V2I), or vehicle-to-everything (V2X). In other examples, a UE may not necessarily have a user in the sense of a human user who owns and / or operates the relevant device. Instead, a UE may represent a device that is intended for sale to, or operation by, a human user but which may not, or which may not initially, be associated with a specific human user (e.g., a smart sprinkler controller). Alternatively, a UE may represent a device that is not intended for sale to, or operation by, an end user but which may be associated with or operated for the benefit of a user (e.g., a smart power meter).

[0351] The UE QQ200 includes processing circuitry QQ202 that is operatively coupled via a bus QQ204 to an input / output interface QQ206, a power source QQ208, a memory QQ210, a communication interface QQ212, and / or any other component, or any combination thereof. Certain UEs may utilize all or a subset of the components shown in 10. The level of integration between the components may vary from one UE to another UE. Further, certain UEs may contain multiple instances of a component, such as multiple processors, memories, transceivers, transmitters, receivers, etc.

[0352] The processing circuitry QQ202 is configured to process instructions and data and may be configured to implement any sequential state machine operative to execute instructions stored as machine-readable computer programs in the memory QQ210. The processing circuitry QQ202 may be implemented as one or more hardware-implemented state machines (e.g., in discrete logic, field-programmable gate arrays (FPGAs), application specific integrated circuits (ASICs), etc.); programmable logic together with appropriate firmware; one or more stored computer programs, general-purpose processors, such as a microprocessor or digital signal processor (DSP), together with appropriate software; or any combination of the above. For example, the processing circuitry QQ202 may include multiple central processing units (CPUs).

[0353] In the example, the input / output interface QQ206 may be configured to provide an interface or interfaces to an input device, output device, or one or more input and / or output devices. Examples of an output device include a speaker, a sound card, a video card, a display, a monitor, a printer, an actuator, an emitter, a smartcard, another output device, or any combination thereof. An input device may allow a user to captureinformation into the UE QQ200. Examples of an input device include a touch-sensitive or presence-sensitive display, a camera (e.g., a digital camera, a digital video camera, a web camera, etc.), a microphone, a sensor, a mouse, a trackball, a directional pad, a trackpad, a scroll wheel, a smartcard, and the like. The presence-sensitive display may include a capacitive or resistive touch sensor to sense input from a user. A sensor may be, for instance, an accelerometer, a gyroscope, a tilt sensor, a force sensor, a magnetometer, an optical sensor, a proximity sensor, a biometric sensor, etc., or any combination thereof. An output device may use the same type of interface port as an input device. For example, a Universal Serial Bus (USB) port may be used to provide an input device and an output device.

[0354] In some embodiments, the power source QQ208 is structured as a battery or battery pack. Other types of power sources, such as an external power source (e.g., an electricity outlet), photovoltaic device, or power cell, may be used. The power source QQ208 may further include power circuitry for delivering power from the power source QQ208 itself, and / or an external power source, to the various parts of the UE QQ200 via input circuitry or an interface such as an electrical power cable. Delivering power may be, for example, for charging of the power source QQ208. Power circuitry may perform any formatting, converting, or other modification to the power from the power source QQ208 to make the power suitable for the respective components of the UE QQ200 to which power is supplied.

[0355] The memory QQ210 may be or be configured to include memory such as random access memory (RAM), read-only memory (ROM), programmable read-only memory (PROM), erasable programmable read-only memory (EPROM), electrically erasable programmable read-only memory (EEPROM), magnetic disks, optical disks, hard disks, removable cartridges, flash drives, and so forth. In one example, the memory QQ210 includes one or more application programs QQ214, such as an operating system, web browser application, a widget, gadget engine, or other application, and corresponding data QQ216. The memory QQ210 may store, for use by the UE QQ200, any of a variety of various operating systems or combinations of operating systems.

[0356] The memory QQ210 may be configured to include a number of physical drive units, such as redundant array of independent disks (RAID), flash memory, USB flash drive, external hard disk drive, thumb drive, pen drive, key drive, high-density digital versatile disc (HD-DVD) optical disc drive, internal hard disk drive, Blu-Ray optical disc drive, holographic digital data storage (HDDS) optical disc drive, external mini-dual in-linememory module (DIMM), synchronous dynamic random access memory (SDRAM), external micro-DIMM SDRAM, smartcard memory such as tamper resistant module in the form of a universal integrated circuit card (IIICC) including one or more subscriber identity modules (SIMs), such as a IISIM and / or ISIM, other memory, or any combination thereof. The IIICC may for example be an embedded IIICC (elllCC), integrated IIICC (illlCC) or a removable IIICC commonly known as ‘SIM card.’ The memory QQ210 may allow the UE QQ200 to access instructions, application programs and the like, stored on transitory or non-transitory memory media, to off-load data, or to upload data. An article of manufacture, such as one utilizing a communication system may be tangibly embodied as or in the memory QQ210, which may be or comprise a device-readable storage medium.

[0357] The processing circuitry QQ202 may be configured to communicate with an access network or other network using the communication interface QQ212. The communication interface QQ212 may comprise one or more communication subsystems and may include or be communicatively coupled to an antenna QQ222. The communication interface QQ212 may include one or more transceivers used to communicate, such as by communicating with one or more remote transceivers of another device capable of wireless communication (e.g., another UE or a network node in an access network). Each transceiver may include a transmitter QQ218 and / or a receiver QQ220 appropriate to provide network communications (e.g., optical, electrical, frequency allocations, and so forth). Moreover, the transmitter QQ218 and receiver QQ220 may be coupled to one or more antennas (e.g., antenna QQ222) and may share circuit components, software or firmware, or alternatively be implemented separately.

[0358] In the illustrated embodiment, communication functions of the communication interface QQ212 may include cellular communication, Wi-Fi communication, LPWAN communication, data communication, voice communication, multimedia communication, short-range communications such as Bluetooth, near-field communication, location-based communication such as the use of the global positioning system (GPS) to determine a location, another like communication function, or any combination thereof.

[0359] Communications may be implemented in according to one or more communication protocols and / or standards, such as IEEE 802.11, Code Division Multiplexing Access (CDMA), Wideband Code Division Multiple Access (WCDMA), GSM, LTE, New Radio (NR), UMTS, WiMax, Ethernet, transmission control protocol / internet protocol (TCP / IP), synchronous optical networking (SONET), Asynchronous Transfer Mode (ATM), QUIC, Hypertext Transfer Protocol (HTTP), and so forth.Regardless of the type of sensor, a UE may provide an output of data captured by its sensors, through its communication interface QQ212, via a wireless connection to a network node. Data captured by sensors of a UE can be communicated through a wireless connection to a network node via another UE. The output may be periodic (e.g., once every 15 minutes if it reports the sensed temperature), random (e.g., to even out the load from reporting from several sensors), in response to a triggering event (e.g., when moisture is detected an alert is sent), in response to a request (e.g., a user initiated request), or a continuous stream (e.g., a live video feed of a patient).

[0360] As another example, a UE comprises an actuator, a motor, or a switch, related to a communication interface configured to receive wireless input from a network node via a wireless connection. In response to the received wireless input the states of the actuator, the motor, or the switch may change. For example, the UE may comprise a motor that adjusts the control surfaces or rotors of a drone in flight according to the received input or to a robotic arm performing a medical procedure according to the received input.

[0361] A UE, when in the form of an Internet of Things (loT) device, may be a device for use in one or more application domains, these domains comprising, but not limited to, city wearable technology, extended industrial application and healthcare. Non-limiting examples of such an loT device are a device which is or which is embedded in: a connected refrigerator or freezer, a TV, a connected lighting device, an electricity meter, a robot vacuum cleaner, a voice controlled smart speaker, a home security camera, a motion detector, a thermostat, a smoke detector, a door / window sensor, a flood / moisture sensor, an electrical door lock, a connected doorbell, an air conditioning system like a heat pump, an autonomous vehicle, a surveillance system, a weather monitoring device, a vehicle parking monitoring device, an electric vehicle charging station, a smartwatch, a fitness tracker, a wearable for tactile augmentation or sensory enhancement, a water sprinkler, an animal- or item-tracking device, a sensor for monitoring a plant or animal, an industrial robot, an Unmanned Aerial Vehicle (UAV), and any kind of medical device, like a heart rate monitor or a remote controlled surgical robot. A UE in the form of an loT device comprises circuitry and / or software in dependence of the intended application of the loT device in addition to other components as described in relation to the UE QQ200 shown in Figure 26.

[0362] As yet another specific example, in an loT scenario, a UE may represent a machine or other device that performs monitoring and / or measurements, and transmits the results of such monitoring and / or measurements to another UE and / or a network node. The UEmay in this case be an M2M device, which may in a 3GPP context be referred to as an MTC device. As one particular example, the UE may implement the 3GPP NB-loT standard. In other scenarios, a UE may represent a vehicle, such as a car, a bus, a truck, a ship and an airplane, or other equipment that is capable of monitoring and / or reporting on its operational status or other functions associated with its operation.

[0363] In practice, any number of UEs may be used together with respect to a single use case. For example, a first UE might be or be integrated in a drone and provide the drone’s speed information (obtained through a speed sensor) to a second UE that is a remote controller operating the drone. When the user makes changes from the remote controller, the first UE may adjust the throttle on the drone (e.g. by controlling an actuator) to increase or decrease the drone’s speed. The first and / or the second UE can also include more than one of the functionalities described above. For example, a UE might comprise the sensor and the actuator, and handle communication of data for both the speed sensor and the actuators.

[0364] Figure 27 shows a network node QQ300 in accordance with some embodiments. As used herein, network node refers to equipment capable, configured, arranged and / or operable to communicate directly or indirectly with a UE and / or with other network nodes or equipment, in a telecommunication network. Examples of network nodes include, but are not limited to, access points (APs) (e.g., radio access points), base stations (BSs) (e.g., radio base stations, Node Bs, evolved Node Bs (eNBs) and NR NodeBs (gNBs)), O-RAN nodes or components of an O-RAN node (e.g., O-RU, O-DU, O-CU).

[0365] Base stations may be categorized based on the amount of coverage they provide (or, stated differently, their transmit power level) and so, depending on the provided amount of coverage, may be referred to as femto base stations, pico base stations, micro base stations, or macro base stations. A base station may be a relay node or a relay donor node controlling a relay. A network node may also include one or more (or all) parts of a distributed radio base station such as centralized digital units, distributed units (e.g., in an O-RAN access node) and / or remote radio units (RRUs), sometimes referred to as Remote Radio Heads (RRHs). Such remote radio units may or may not be integrated with an antenna as an antenna integrated radio. Parts of a distributed radio base station may also be referred to as nodes in a distributed antenna system (DAS).

[0366] Other examples of network nodes include multiple transmission point (multi-TRP) 5G access nodes, multi-standard radio (MSR) equipment such as MSR BSs, networkcontrollers such as radio network controllers (RNCs) or base station controllers (BSCs), base transceiver stations (BTSs), transmission points, transmission nodes, multi-cel l / multicast coordination entities (MCEs), Operation and Maintenance (O& M) nodes, Operations Support System (OSS) nodes, Self-Organizing Network (SON) nodes, positioning nodes (e.g., Evolved Serving Mobile Location Centers (E-SMLCs)), and / or Minimization of Drive Tests (MDTs).

[0367] The network node QQ300 includes a processing circuitry QQ302, a memory QQ304, a communication interface QQ306, and a power source QQ308. The network node QQ300 may be composed of multiple physically separate components (e.g., a NodeB component and a RNC component, or a BTS component and a BSC component, etc.), which may each have their own respective components. In certain scenarios in which the network node QQ300 comprises multiple separate components (e.g., BTS and BSC components), one or more of the separate components may be shared among several network nodes. For example, a single RNC may control multiple NodeBs. In such a scenario, each unique NodeB and RNC pair, may in some instances be considered a single separate network node. In some embodiments, the network node QQ300 may be configured to support multiple radio access technologies (RATs). In such embodiments, some components may be duplicated (e.g., separate memory QQ304 for different RATs) and some components may be reused (e.g., a same antenna QQ310 may be shared by different RATs). The network node QQ300 may also include multiple sets of the various illustrated components for different wireless technologies integrated into network node QQ300, for example GSM, WCDMA, LTE, NR, WiFi, Zigbee, Z-wave, LoRaWAN, Radio Frequency Identification (RFID) or Bluetooth wireless technologies. These wireless technologies may be integrated into the same or different chip or set of chips and other components within network node QQ300.

[0368] The processing circuitry QQ302 may comprise a combination of one or more of a microprocessor, controller, microcontroller, central processing unit, digital signal processor, application-specific integrated circuit, field programmable gate array, or any other suitable computing device, resource, or combination of hardware, software and / or encoded logic operable to provide, either alone or in conjunction with other network node QQ300 components, such as the memory QQ304, to provide network node QQ300 functionality.

[0369] In some embodiments, the processing circuitry QQ302 includes a system on a chip (SOC). In some embodiments, the processing circuitry QQ302 includes one or more ofradio frequency (RF) transceiver circuitry QQ312 and baseband processing circuitry QQ314. In some embodiments, the radio frequency (RF) transceiver circuitry QQ312 and the baseband processing circuitry QQ314 may be on separate chips (or sets of chips), boards, or units, such as radio units and digital units. In alternative embodiments, part or all of RF transceiver circuitry QQ312 and baseband processing circuitry QQ314 may be on the same chip or set of chips, boards, or units.

[0370] The memory QQ304 may comprise any form of volatile or non-volatile computer-readable memory including, without limitation, persistent storage, solid-state memory, remotely mounted memory, magnetic media, optical media, random access memory (RAM), read-only memory (ROM), mass storage media (for example, a hard disk), removable storage media (for example, a flash drive, a Compact Disk (CD) or a Digital Video Disk (DVD)), and / or any other volatile or non-volatile, non-transitory device-readable and / or computer-executable memory devices that store information, data, and / or instructions that may be used by the processing circuitry QQ302. The memory QQ304 may store any suitable instructions, data, or information, including a computer program, software, an application including one or more of logic, rules, code, tables, and / or other instructions capable of being executed by the processing circuitry QQ302 and utilized by the network node QQ300. The memory QQ304 may be used to store any calculations made by the processing circuitry QQ302 and / or any data received via the communication interface QQ306. In some embodiments, the processing circuitry QQ302 and memory QQ304 is integrated.

[0371] The communication interface QQ306 is used in wired or wireless communication of signaling and / or data between a network node, access network, and / or UE. As illustrated, the communication interface QQ306 comprises port(s) / terminal(s) QQ316 to send and receive data, for example to and from a network over a wired connection. The communication interface QQ306 also includes radio front-end circuitry QQ318 that may be coupled to, or in certain embodiments a part of, the antenna QQ310. Radio front-end circuitry QQ318 comprises filters QQ320 and amplifiers QQ322. The radio front-end circuitry QQ318 may be connected to an antenna QQ310 and processing circuitry QQ302. The radio front-end circuitry may be configured to condition signals communicated between antenna QQ310 and processing circuitry QQ302. The radio front-end circuitry QQ318 may receive digital data that is to be sent out to other network nodes or UEs via a wireless connection. The radio front-end circuitry QQ318 may convert the digital data into a radio signal having the appropriate channel and bandwidth parameters using acombination of filters QQ320 and / or amplifiers QQ322. The radio signal may then be transmitted via the antenna QQ310. Similarly, when receiving data, the antenna QQ310 may collect radio signals which are then converted into digital data by the radio front-end circuitry QQ318. The digital data may be passed to the processing circuitry QQ302. In other embodiments, the communication interface may comprise different components and / or different combinations of components.

[0372] In certain alternative embodiments, the network node QQ300 does not include separate radio front-end circuitry QQ318, instead, the processing circuitry QQ302 includes radio front-end circuitry and is connected to the antenna QQ310. Similarly, in some embodiments, all or some of the RF transceiver circuitry QQ312 is part of the communication interface QQ306. In still other embodiments, the communication interface QQ306 includes one or more ports or terminals QQ316, the radio front-end circuitry QQ318, and the RF transceiver circuitry QQ312, as part of a radio unit (not shown), and the communication interface QQ306 communicates with the baseband processing circuitry QQ314, which is part of a digital unit (not shown).

[0373] The antenna QQ310 may include one or more antennas, or antenna arrays, configured to send and / or receive wireless signals. The antenna QQ310 may be coupled to the radio front-end circuitry QQ318 and may be any type of antenna capable of transmitting and receiving data and / or signals wirelessly. In certain embodiments, the antenna QQ310 is separate from the network node QQ300 and connectable to the network node QQ300 through an interface or port.

[0374] The antenna QQ310, communication interface QQ306, and / or the processing circuitry QQ302 may be configured to perform any receiving operations and / or certain obtaining operations described herein as being performed by the network node. Any information, data and / or signals may be received from a UE, another network node and / or any other network equipment. Similarly, the antenna QQ310, the communication interface QQ306, and / or the processing circuitry QQ302 may be configured to perform any transmitting operations described herein as being performed by the network node. Any information, data and / or signals may be transmitted to a UE, another network node and / or any other network equipment.

[0375] The power source QQ308 provides power to the various components of network node QQ300 in a form suitable for the respective components (e.g., at a voltage and current level needed for each respective component). The power source QQ308 may further comprise, or be coupled to, power management circuitry to supply the componentsof the network node QQ300 with power for performing the functionality described herein. For example, the network node QQ300 may be connectable to an external power source (e.g., the power grid, an electricity outlet) via an input circuitry or interface such as an electrical cable, whereby the external power source supplies power to power circuitry of the power source QQ308. As a further example, the power source QQ308 may comprise a source of power in the form of a battery or battery pack which is connected to, or integrated in, power circuitry. The battery may provide backup power should the external power source fail.

[0376] Embodiments of the network node QQ300 may include additional components beyond those shown in Figure 27 for providing certain aspects of the network node’s functionality, including any of the functionality described herein and / or any functionality necessary to support the subject matter described herein. For example, the network node QQ300 may include user interface equipment to allow input of information into the network node QQ300 and to allow output of information from the network node QQ300. This may allow a user to perform diagnostic, maintenance, repair, and other administrative functions for the network node QQ300. In some embodiments providing a core network node, such as core network node 108 of FIG. QQ1, some components, such as the radio front-end circuitry QQ318 and the RF transceiver circuitry QQ312 may be omitted.

[0377] Figure 28 is a block diagram illustrating a virtualization environment QQ400 in which functions implemented by some embodiments may be virtualized. In the present context, virtualizing means creating virtual versions of apparatuses or devices which may include virtualizing hardware platforms, storage devices and networking resources. As used herein, virtualization can be applied to any device described herein, or components thereof, and relates to an implementation in which at least a portion of the functionality is implemented as one or more virtual components. Some or all of the functions described herein may be implemented as virtual components executed by one or more virtual machines (VMs) implemented in one or more virtual environments QQ400 hosted by one or more of hardware nodes, such as a hardware computing device that operates as a network node, UE, core network node, or host. Further, in embodiments in which the virtual node does not require radio connectivity (e.g., a core network node or host), then the node may be entirely virtualized. In some embodiments, the virtualization environment QQ400 includes components defined by the O-RAN Alliance, such as an O-Cloudenvironment orchestrated by a Service Management and Orchestration Framework via an 0-2 interface. Virtualization may facilitate distributed implementations of a network node, UE, core network node, or host.

[0378] Applications QQ402 (which may alternatively be called software instances, virtual appliances, network functions, virtual nodes, virtual network functions, etc.) are run in the virtualization environment QQ400 to implement some of the features, functions, and / or benefits of some of the embodiments disclosed herein.

[0379] Hardware QQ404 includes processing circuitry, memory that stores software and / or instructions executable by hardware processing circuitry, and / or other hardware devices as described herein, such as a network interface, input / output interface, and so forth. Software may be executed by the processing circuitry to instantiate one or more virtualization layers QQ406 (also referred to as hypervisors or virtual machine monitors (VMMs)), provide VMs QQ408a and QQ408b (one or more of which may be generally referred to as VMs QQ408), and / or perform any of the functions, features and / or benefits described in relation with some embodiments described herein. The virtualization layer QQ406 may present a virtual operating platform that appears like networking hardware to the VMs QQ408.

[0380] The VMs QQ408 comprise virtual processing, virtual memory, virtual networking or interface and virtual storage, and may be run by a corresponding virtualization layer QQ406. Different embodiments of the instance of a virtual appliance QQ402 may be implemented on one or more of VMs QQ408, and the implementations may be made in different ways. Virtualization of the hardware is in some contexts referred to as network function virtualization (NFV). NFV may be used to consolidate many network equipment types onto industry standard high volume server hardware, physical switches, and physical storage, which can be located in data centers, and customer premise equipment.

[0381] In the context of NFV, a VM QQ408 may be a software implementation of a physical machine that runs programs as if they were executing on a physical, non-virtualized machine. Each of the VMs QQ408, and that part of hardware QQ404 that executes that VM, be it hardware dedicated to that VM and / or hardware shared by that VM with others of the VMs, forms separate virtual network elements. Still in the context of NFV, a virtual network function is responsible for handling specific network functions that run in one or more VMs QQ408 on top of the hardware QQ404 and corresponds to the application QQ402.Hardware QQ404 may be implemented in a standalone network node with generic or specific components. Hardware QQ404 may implement some functions via virtualization. Alternatively, hardware QQ404 may be part of a larger cluster of hardware (e.g. such as in a data center or CPE) where many hardware nodes work together and are managed via management and orchestration QQ410, which, among others, oversees lifecycle management of applications QQ402. In some embodiments, hardware QQ404 is coupled to one or more radio units that each include one or more transmitters and one or more receivers that may be coupled to one or more antennas. Radio units may communicate directly with other hardware nodes via one or more appropriate network interfaces and may be used in combination with the virtual components to provide a virtual node with radio capabilities, such as a radio access node or a base station. In some embodiments, some signaling can be provided with the use of a control system QQ412 which may alternatively be used for communication between hardware nodes and radio units.

[0382] Although the computing devices described herein (e.g., UEs, network nodes) may include the illustrated combination of hardware components, other embodiments may comprise computing devices with different combinations of components. It is to be understood that these computing devices may comprise any suitable combination of hardware and / or software needed to perform the tasks, features, functions and methods disclosed herein. Determining, calculating, obtaining or similar operations described herein may be performed by processing circuitry, which may process information by, for example, converting the obtained information into other information, comparing the obtained information or converted information to information stored in the network node, and / or performing one or more operations based on the obtained information or converted information, and as a result of said processing making a determination. Moreover, while components are depicted as single boxes located within a larger box, or nested within multiple boxes, in practice, computing devices may comprise multiple different physical components that make up a single illustrated component, and functionality may be partitioned between separate components. For example, a communication interface may be configured to include any of the components described herein, and / or the functionality of the components may be partitioned between the processing circuitry and the communication interface. In another example, non-computationally intensive functions of any of such components may be implemented in software or firmware and computationally intensive functions may be implemented in hardware.In certain embodiments, some or all of the functionality described herein may be provided by processing circuitry executing instructions stored on in memory, which in certain embodiments may be a computer program product in the form of a non-transitory computer-readable storage medium. In alternative embodiments, some or all of the functionality may be provided by the processing circuitry without executing instructions stored on a separate or discrete device-readable storage medium, such as in a hard-wired manner. In any of those particular embodiments, whether executing instructions stored on a non-transitory computer-readable storage medium or not, the processing circuitry can be configured to perform the described functionality. The benefits provided by such functionality are not limited to the processing circuitry alone or to other components of the computing device, but are enjoyed by the computing device as a whole, and / or by end users and a wireless network generally.

[0383] When using the word "comprise" or “comprising” it shall be interpreted as non-limiting, i.e. meaning "consist at least of".

[0384] The embodiments herein are not limited to the preferred embodiments described above. Various alternatives, modifications and equivalents may be used.

Claims

CLAIMS1. A method performed by a training node (111) for determining a training plan for fine-tuning models in a communication system (100), the method comprising: selecting (501) models to be fine-tuned, and a plurality of data segments on which the fine-tuned models will be trained,for each robustness level out of a number of robustness levels, auditing (502) the respective data segments for security threats,based on the auditing results, developing (503) a training plan for fine-tuning a first set of candidate models comprising a set of robust models, a set of default models, and a set of incomplete models,wherein a robust model is adapted for interaction with non-adversary communication devices, a default model is adapted for interaction with adversary communication devices, and an incomplete model is adapted for fine-tuning based on a request from a query handler (113),based on the training plan, fine-tuning (504) a second set of candidate models comprising at least one robust model and at least one default model, and deploying (505) the fine-tuned second set of candidate models in an execution environment (112) such that each deployed model out of the second set of candidate models is invokable by the query handler (113).

2. The method according to claim 1, further comprising:receiving (506) from the query handler (113) a request for a specific candidate model to be deployed,based on the request, selecting (507), an incomplete model for fine-tuning among the set of incomplete models,fine-tuning (508) the selected incomplete model to form a fine-tuned robust model, anddeploying (509) the fine-tuned robust model in the execution environment (112) to be invokable by the query handler (113).

3. The method according to any of the claims 1-2, wherein fine-tuning (504) additionally comprises:further fine-tuning at least one incomplete model to be subsequently finetuned for deployment in response to a request for a specific candidate model to be deployed from the query handler.

4. A computer program (2330) comprising instructions, which when executed by a processor (2310), causes the processor (2310) to perform actions according to any of the claims 1-3.

5. A carrier (2340) comprising the computer program (2330) of claim 4, wherein the carrier (2340) is one of an electronic signal, an optical signal, an electromagnetic signal, a magnetic signal, an electric signal, a radio signal, a microwave signal, or a computer-readable storage medium.

6. A method performed by a query handler (113) for handling queries from a communication device (120) in a communication system (100), the method comprising:receiving (601) a query from the communication device (120), said communication device (120) being assigned an adversary uncertainty score, invoking (602), based on the received query, a first fine-tuned model among a second set of candidate models deployed in an execution environment (112), and receiving (603) a first response, wherein the first fine-tuned model is selected based on the adversary uncertainty score associated with the communication device (120), wherein the second set of candidate models comprises at least one set of robust models adapted for interaction with non-adversary communication devices and at least one set of default models adapted for interaction with adversary communication devices,updating (604) the adversary uncertainty score based on the received query and the first response,determining (605) whether or not the first fine-tuned model is suitable for the communication device (120) based on the updated adversary uncertainty score, when the first model is not suitable: determining (606) whether or not any one model in the second set of candidate models is suitable for the communication device (120) based on the updated adversary uncertainty score; andwhen all models in the second set of candidate model are unsuitable: transmitting (607) a request to a training node (111) for a specific candidate model based on the updated adversary uncertainty score.

7. The method according to claim 6, wherein the second set of candidate models additionally comprise incomplete models, wherein the incomplete models are further to be fine-tuned candidate models.

8. The method according to any of the claims 6-7, wherein determining (606) whether or not any one model in the second set of candidate models is suitable for the communication device (120) based on the updated adversary uncertainty score comprises:invoking a first evaluation group of candidate models amongst the second set of candidate models and receiving a first evaluation set of responses, determining whether or not any one response in the first evaluation set of responses is suitable for transmission to the communication device (120), and when all responses in the first evaluation set of responses are unsuitable: invoking a second evaluation group of candidate models amongst the second set of candidate models and receiving a second evaluation set of responses, determining whether or not any one response in the second evaluation set of responses is suitable for transmission to the communication device (120).

9. A computer program (2430) comprising instructions, which when executed by a processor (2410), causes the processor (2410) to perform actions according to any of the claims 6-8.

10. A carrier (2440) comprising the computer program (2430) of claim 9, wherein the carrier (2440) is one of an electronic signal, an optical signal, an electromagnetic signal, a magnetic signal, an electric signal, a radio signal, a microwave signal, or a computer-readable storage medium.

11. A training node (111) configured to determine a training plan for fine-tuning models in a communication system (100), the training node (111) further being configured to:select models to be fine-tuned, and a plurality of data segments on which the fine-tuned models will be trained,for each robustness level out of a number of robustness levels, audit the respective data segments for security threats,based on the auditing results, develop a training plan for fine-tuning a first set of candidate models comprising a set of robust models, a set of default models, and a set of incomplete models,wherein a robust model is adapted for interaction with non-adversary communication devices, a default model is adapted for interaction with adversary communication devices, and an incomplete model is adapted for fine-tuning based on a request from a query handler (113),based on the training plan, fine-tune a second set of candidate models comprising at least one robust model and at least one default model, and deploy the fine-tuned second set of candidate models in an execution environment (112) such that each deployed model out of the second set of candidate models is invokable by the query handler (113).

12. The training node (111) according to claim 11, further being configured to:receive from the query handler (113) a request for a specific candidate model to be deployed,based on the request, select an incomplete model for fine-tuning among the set of incomplete models,fine-tune the selected incomplete model to form a fine-tuned robust model, anddeploy the fine-tuned robust model in the execution environment (112) to be invokable by the query handler (113).

13. The training node (111) according to claim 11 or 12, further being configured to:further fine-tune at least one incomplete model to be subsequently fine-tuned for deployment in response to a request for a specific candidate model to be deployed from the query handler.

14. A query handler (113) configured to handle queries from a communication device (120) in a communication system (100), the query handler (113) further being configured to:receive a query from the communication device (120), said communication device (120) being adapted to be assigned an adversary uncertainty score, invoke, based on the received query, a first fine-tuned model among a second set of candidate models deployed in an execution environment (112), and receive a first response, wherein the first fine-tuned model is adapted to be selected based on the adversary uncertainty score associated with the communication device (120), wherein the second set of candidate models is adapted to comprise at least one set of robust models adapted for interaction with non-adversary communication devices and at least one set of default models adapted for interaction with adversary communication devices,update the adversary uncertainty score based on the received query and the first response,determine whether or not the first fine-tuned model is suitable for the communication device (120) based on the updated adversary uncertainty score, when the first model is not suitable: determine whether or not any one model in the second set of candidate models is suitable for the communication device (120) based on the updated adversary uncertainty score; andwhen all models in the second set of candidate model are unsuitable: transmit a request to a training node (111) for a specific candidate model based on the updated adversary uncertainty score.

15. The query handler (113) according to claim 14, wherein the second set of candidate models additionally is adapted to comprise incomplete models, wherein the incomplete models are further fine-tuned candidate models.

16. The query handler (113) according to claim 14 or 15, further being configured to determine whether or not any one model in the second set of candidate models is suitable by:invoking a first evaluation group of candidate models amongst the second set of candidate models and receiving a first evaluation set of responses,determining whether or not any one response in the first evaluation set of responses is suitable for transmission to the communication device (120), and when all responses in the first evaluation set of responses are unsuitable: invoking a second evaluation group of candidate models amongst the second set of candidate models and receiving a second evaluation set of responses, and determining whether or not any one response in the second evaluation set of responses is suitable for transmission to the communication device (120).