WO2019120507A1 - Controlling the behavior of devices - Google Patents

Controlling the behavior of devices

Info

Publication number
WO2019120507A1
Authority
WO
WIPO (PCT)
Prior art keywords
data
communication device
packet
filter configuration
data packets
Prior art date
Legal status
Ceased
Application number
PCT/EP2017/083771
Other languages
English (en)
Inventor
Martin KLITTE
Per FRYKING
Current Assignee
Telefonaktiebolaget LM Ericsson AB
Original Assignee
Telefonaktiebolaget LM Ericsson AB
Priority date
Filing date
Publication date
Application filed by Telefonaktiebolaget LM Ericsson AB
Priority to PCT/EP2017/083771
Publication of WO2019120507A1
Anticipated expiration
Ceased (current legal status)

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227 Filtering policies
    • H04L63/0236 Filtering by address, protocol, port number or service, e.g. IP-address or URL
    • H04L63/0245 Filtering by information in the payload
    • H04L63/0263 Rule management
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/08 Access security

Definitions

  • Embodiments herein relate to wireless communication and more specifically to controlling behavior of communication devices during data connections in a wireless communication system.
  • IoT Internet of things
  • present security solutions are based on end to end security that have many parts delivered by many different vendors.
  • Such security parts comprise the components of the IoT hardware (e.g. modem, application processors, memory, wired connections etc.), software that is composed by several different software providers, various bearers of information to and from devices, various IoT software platforms, communication stacks and so on.
  • IoT hardware The extreme price pressure on IoT hardware means that the quality is often lacking, and when vulnerabilities are found the large number of devices that require software updating and maintenance becomes a problem. In other words, updating IoT devices in time to protect them against vulnerabilities is an important issue.
  • network slicing is a technique that allows different types of traffic (different service level agreements (SLA)) to use the same infrastructure without impacting each other.
  • SLA service level agreements
  • Malicious code could involve using the device for Distributed Denial of Service, DDoS, attacks, relaying private information to a third party, making the device un-usable for the device owner, making the device report incorrect information that in turn disturbs the device owner’s operations, hackers using the device for computations for their own gain, hijacking the device for extortion towards the device owner and so on.
  • the actual introduction of malicious code into a device is also to be considered as misbehavior and it may involve, e.g., device to device communication outside the control of any data connection within a 3GPP network
  • the IoT device When a vulnerability is found and exploited by a hacker it is often too late for the owner of the IoT device to react; the IoT device is “lost” and needs to be manually identified and brought in for “resurrection” in order to enable prevention of future attacks.
  • IoT devices may have a multitude of access methods: 3GPP radio access networks, wireless connections in unlicensed radio frequency bands, wired connections, near-field communication, Bluetooth and so on, meaning that there is a large attack surface.
  • a large attack surface typically implies that there is a need for different layers of protection and detection, the most critical being where the connection to the Internet is, since this opens up the IoT device to many more hackers.
  • Another way to protect devices is to control all the access points for the devices. For a non-operator this is mainly achievable by controlling all the access points in a fairly detailed manner, for example by applying software-defined networking (SDN) for WiFi access points or by requiring that all IoT devices connect through a common hub/central device or devices. This is of course feasible but only covers use cases where the IoT devices are located within this controlled area. It does not cover use cases where the IoT devices are connected via 3GPP connections. For 3GPP connected devices the network operators handle all communication devices, including IoT devices, in the same way, i.e. they impose rules in network gateways and proxies that apply to all data streams in the same way or in the same hardware.
  • SDN software-defined networking
  • the IoT device owner has very little flexibility when it comes to configuration. For example, one set of IoT devices might be affected by rules set for other devices. Moreover, there might be limitations in hardware firewalls when it comes to the number of rules that are feasible to handle or possible to run. It scales poorly when the number of IoT devices increases and they diversify. It is probably a good idea for preventing large scale attacks where several groups of IoT devices are hacked in different ways but used in a similar way to attack some specific target. This is not something that individual IoT device owners can handle, since it cannot be assumed that they have the automation and reactivity in place to shut down such attacks. Their responsibility is the operation and protection of their own devices.
  • an object of the present disclosure is to overcome or at least mitigate at least some of the drawbacks related to IoT device communication.
  • the method is for preventing misbehavior by a communication device (e.g. an IoT device as discussed herein) during a data connection in the network.
  • the method comprises obtaining information from a second network node, the information identifying the communication device that is setting up the data connection.
  • Data connection filter configuration data that is associated with the communication device is also obtained.
  • a packet data processing instance e.g. a 3GPP Packet Data Convergence Protocol (PDCP) processing instance, is then set up, the setting up comprising providing the data connection filter configuration data to the packet data processing instance.
  • PDCP Packet Data Convergence Protocol
  • the packet data processing instance is controlled to process data packets destined for the communication device and/or data packets emanating from the communication device.
  • the controlling comprises controlling the packet data processing instance to analyze data packets in relation to the data connection filter configuration data and, as a consequence of the analyzing of the data packets, perform a preventive action associated with the data connection.
  • misbehavior in terms of malicious data from devices can be stopped already inside the communication network, e.g. a 3GPP radio access network, instead of after being sent through the entire infrastructure including all interconnected networks between the communication device, i.e. an IoT device, and an entity with which the IoT device interacts.
  • the solution reduces the attack surface for the devices significantly, and by using filter configuration data that has been configured by a device owner in terms of, e.g., dedicated rules, the way to compromise one owner’s devices will not be the same as for another device owner’s devices, even though the devices themselves may have one and the same origin vendor.
  • malicious data is to be understood as any data or software that a
  • a compromised device might want to contact, or allow to be contacted by, a central server for instructions to participate in distributed denial of service (DDOS) attacks.
  • DDOS distributed denial of service
  • An unauthorized change of firmware might be initiated to change the behavior of the device by downloading software from a server.
  • the device might send data to an address that it shouldn’t, for instance information if there are people present in a location or video/images from a camera to a recipient that shouldn’t have access to that data.
  • a device might be compromised by having a server using an exploit to inject malicious code and then execute it on the device to achieve its goals. Data might be sent to the device over and over and even though the device does not accept the data it might interfere with the device in such a way that it doesn’t perform its intended task or drain the battery of the device.
  • Such a method is advantageous in that it avoids drawbacks of prior art solutions that, e.g., rely on identifying addresses related to IoT devices within the operator telecom network and passing this address information out of the telecom network to an external entity (e.g. an internet protocol (IP) router) that is to perform filtering.
  • IP internet protocol
  • the filter configuration data could be configured to demand a certain amount of data over a certain amount of time, of a particular type if so configured, and if that has not occurred the IoT device is deemed malfunctioning and a preventive action is performed, such as reporting it to a central system.
  • This might in some cases simplify not only the detection of compromised IoT devices but also of broken devices, for the device owner, who gets a second (or first) level of fault detection.
  • the analysis of data packets in relation to the data connection filter configuration data may comprise comparing addresses of data packets with a list of prohibited addresses.
  • the preventive action may then comprise any of preventing a data packet from being transmitted to a prohibited destination address and disregarding a data packet received from a prohibited originating address.
  • the analysis of data packets in relation to the data connection filter configuration data may comprise comparing addresses of data packets with a list of allowed addresses.
  • the preventive action may in such cases comprise any of preventing a data packet from being transmitted to a destination address that is not an allowed destination address, and disregarding a data packet received from an originating address that is not an allowed originating address.
  • various embodiments may include the use of so-called black-lists and so-called white-lists of addresses, e.g. IP addresses, media access control (MAC) addresses etc.
  • black-lists e.g. IP addresses, media access control (MAC) addresses etc.
  • white-lists of addresses e.g. IP addresses, media access control (MAC) addresses etc.
  • the analysis of data packets in relation to the data connection filter configuration data may comprise comparing an accumulated amount of data in data packets with a data amount limit.
  • the preventive action may then comprise preventing a data packet from reaching any of a destination address and the communication device in case the accumulated amount of data is greater than the data amount limit.
  • information is obtained from the second network node that identifies a further communication device that is setting up a data connection.
  • Data connection filter configuration data associated with the further communication device is then obtained and a determination is made that the further communication device is one device in a group of devices together with the communication device associated with at least similar filter configuration data.
  • the controlling then comprises controlling the packet data processing instance to also process data packets destined for the further communication device and data packets emanating from the further communication device.
  • it may be determined that a data packet processing capacity of the packet data processing instance has reached a data packet processing capacity limit. Then a further packet data processing instance may be set up, this setting up comprising providing the data connection filter configuration data to the further packet data processing instance.
  • groups of IoT devices that share similar or identical filter data can be handled in an effective manner by the already set up packet data instance or by a further packet data instance.
  • a method performed by a packet data processing instance e.g. a 3GPP PDCP processing instance, in a communication network.
  • the method of this aspect is for preventing misbehavior by at least one communication device during a data connection in the network.
  • the method comprises an action of obtaining data connection filter configuration data associated with the at least one communication device.
  • Data packets destined for the at least one communication device and data packets emanating from the at least one communication device are analyzed in relation to the data connection filter configuration data and, as a consequence of the analyzing of the data packets, a preventive action associated with the data connection is performed.
  • a first network node configured to prevent misbehavior by a communication device during a data connection in a communication network.
  • the first network node comprises input/output circuitry, a processor and a memory.
  • the memory contains instructions executable by the processor whereby the first network node is operative to:
  • set up a packet data processing instance, the setting up comprising providing the data connection filter configuration data to the packet data processing instance
  • a computer program comprising instructions which, when executed on at least one processor in a first network node, cause the first network node to carry out any of the methods as summarized above.
  • a carrier comprising a computer program according to the summarized aspect above, wherein the carrier is one of an electronic signal, an optical signal, a radio signal and a computer readable storage medium.
  • Figure 1 schematically illustrates a communication network
  • Figures 2a-e are flowcharts of methods performed by a network node
  • Figure 3 is a flowchart of a method performed by a network node
  • Figure 4 is a schematically illustrated block diagram of a network node
  • Figure 5 is a schematically illustrated block diagram of a network node
  • Figure 6 is a schematically illustrated block diagram of a network node.
  • a wireless communication system 100 in which the various embodiments of the present disclosure may be realized is schematically illustrated in figure 1.
  • the wireless communication system 100 comprises a first network node 101 and a plurality of wireless communication devices 103, 153 comprising appropriate processing and communication circuitry and a respective subscriber identity module (SIM) 105, 155.
  • the first network node 101 is connected to an antenna node 118 via which the first network node 101 is configured to receive and transmit radio signals from and to at least the wireless communication devices 103, 153 by respective uplink reception and downlink transmission. Illustrations of such up- and downlink are indicated in figure 1 only by respective radio interface symbols 120, 150 the details of which are omitted for the sake of clarity of illustration and the skilled person will readily understand the present disclosure without such illustrations.
  • the wireless communication system 100 may be in the form of a 3GPP LTE system.
  • the first network node 101 may represent an eNodeB.
  • a 3GPP LTE system comprises many nodes in addition to such an eNodeB 101, for example a core network and gateways to other networks.
  • a second node 122 in the form of a mobility management entity (MME), a home subscriber server (HSS) 124 and a serving gateway (SGW) combined with a packet data network gateway (PGW) 126.
  • MME mobility management entity
  • HSS home subscriber server
  • SGW serving gateway
  • the SGW/PGW 126 operates to allow data connections 107, 157 between the wireless communication devices 103, 153 and the Internet 128 via the eNodeB 101.
  • the data connections 107, 157 are realized via a 3GPP implementation of an Open Systems Interconnection (OSI) model communication stack 106 having a physical (PHY) layer 108, a medium access control (MAC) layer 110, a radio link control (RLC) layer 112 and a PDCP layer 114.
  • OSI Open Systems Interconnection
  • realization of the layers 108, 110, 112, 114 may be in the form of instances of software executed by processing and memory circuitry in the eNodeB 101.
  • Such circuitry is exemplified in a functional way by a control unit 102 (or “processor”) having a connection with the stack 106.
  • the PDCP layer 114 will be referred to as “PDCP” processing instance 114, representative of a general packet data processing instance, such as but not limited to a 3GPP Packet Data Convergence Protocol (PDCP) processing instance.
  • the PDCP processing instance 114 is illustrated as having a filter 116 that, in functional terms, performs the operations in the PDCP processing instance 114 related to analysis in relation to data connection filter configuration data as discussed herein.
  • further PDCP processing instances 134, 136 are indicated.
  • a storage unit 104 that may be in the form of any appropriate configuration of hardware and/or software in the eNodeB 101.
  • the storage unit 104 may be used as a database for data connection filter configuration data obtained by the eNodeB 101, as will be discussed below.
  • a typical implementation of the eNodeB 101 is in the form of a physical entity, i.e. a hardware structure dedicated to perform more or less exclusively eNodeB functionality.
  • the eNodeB 101 may be realized in a virtual (i.e. “cloud”) environment where all functionality of the eNodeB 101 is realized by software that is executed on a large cloud hardware infrastructure.
  • the wireless communication system 100 may also be in the form of any other system that is capable of communication between a network node and wireless communication devices.
  • a 3GPP new radio (NR) system as well as an Institute of Electrical and
  • wireless communication system 100 is an IEEE 802.11 type of network
  • wireless communication devices 103, 153 are all associated with the single network node 101, in which case the network node 101 is a so-called wireless access point.
  • the method is for preventing misbehavior by the communication device 103 during a data connection 107 in the network and the method comprises a number of actions as follows.
  • Information that identifies the communication device 103 that is setting up the data connection 107 is obtained by the first network node 101 from a second network node 122.
  • the obtaining in action 210 from the second network node 122 of the information that identifies the communication device 103 may involve communication with an MME 122.
  • Such an MME operates to, i.a., obtain or derive identity information from the SIM 105 in the communication device 103 that is setting up the data connection 107.
  • the identity obtained or derived from the SIM 105 may be a temporary identity or an established identity during setup of the data connection 107.
  • Data connection filter configuration data associated with the communication device 103 is obtained.
  • the obtaining in action 215 of the filter configuration data may involve communication with a server 129 available on the Internet 128 or retrieval from the storage unit 104 available within the first network node 101. Creation of the filter configuration data may involve interaction with the server 129 by an owner or provider of the communication device 103. However, any details regarding such interaction are outside the scope of the present disclosure.
  • Action 220
  • a packet processing instance in the form of a “PDCP” processing instance 114 is then set up.
  • the setting up comprises, in addition to any necessary operations that are already known in the art, a provision of the data connection filter configuration data to the PDCP processing instance 114.
  • data connection filter configuration data include so-called blacklists and whitelists of addresses with which the communication device 103 may communicate, as well as limits on data amounts that the communication device 103 is allowed to transmit or receive via the data connection 107, etc., as will be discussed in more detail below.
  • PDCP instance 114 is one example of a packet processing instance.
  • PDCP is 3GPP-specific but similar packet processing instances exist in other types of networks that operate according to other than 3GPP standard specifications. Nevertheless, in the following, PDCP instance will be used but it is to be understood that any packet processing instance is applicable, depending on the context in which the embodiment in question is realized.
  • Action 225
  • the PDCP processing instance 114 is controlled to process data packets destined for the communication device 103 and data packets emanating from the communication device 103.
  • the controlling in action 225 comprises controlling the PDCP processing instance 114 to analyze data packets in relation to the data connection filter configuration data and, as a consequence of the analyzing of the data packets, performing a preventive action associated with the data connection 107.
  • the analysis of data packets in relation to the data connection filter configuration data that is controlled in action 225 may comprise comparing addresses of data packets with a list of prohibited addresses, and the preventive action may comprise any of preventing a data packet from being transmitted to a prohibited destination address, and disregarding a data packet received from a prohibited originating address.
  • the data connection filter configuration data may comprise a list of IP addresses, transmission control protocol (TCP) ports and MAC addresses that are black-listed, e.g. due to known malicious behavior by entities that are associated with such addresses.
  • a white-list of addresses may be used. Such a white-list may comprise addresses of only those entities that are known not to behave maliciously.
  • the analysis of data packets in relation to the data connection filter configuration data may comprise comparing addresses of data packets with a list of allowed addresses, and the preventive action may then comprise any of preventing a data packet from being transmitted to a destination address that is not an allowed destination address, and disregarding a data packet received from an originating address that is not an allowed originating address.
  • the analysis of data packets in relation to the data connection filter configuration data may comprise comparing an accumulated amount of data in transmitted and/or received data packets with a data amount limit and the preventive action may then comprise preventing a data packet from reaching any of a destination address and the communication device 103, in case the accumulated amount of data is greater than the data amount limit.
  • a determination of an accumulated data amount may be in terms of X bytes over a sliding window of Y seconds, or X bytes during a time period of Y after which the counter is reset, and so on.
  • a variation of such embodiments is the use of a lower limit on the amount of data transmitted or received, e.g. over a specific period of time. A controlling entity may then be alerted to the fact that the data amount limit was not reached and thus the device did not qualify as functional and should be inspected further by the device owner. Use of such a lower limit may be advantageous when it is desirable to detect some kind of hardware and/or software failure in the device.
  • preventive action shall be interpreted in a broad sense and includes any appropriate response action, as exemplified above.
  • the preventive action may also include transmission of a report to, e.g., an owner of the communication device or to an operator of the communication network. Such a report may comprise information regarding the outcome of the analysis and any action taken to prevent data packets from being transmitted etc.
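As an added example (not code from the patent or from Ericsson), the following Python sketch models the filter 116 inside a PDCP processing instance: the data connection filter configuration data carries a black-list, an optional white-list, an upper data amount limit over a sliding window and a lower limit for liveness, and each packet is analyzed against it, with the preventive action being to drop the packet and append a report for the device owner or operator. All addresses, sizes, timestamps and the `device-103` identifier are constructed for the example; the class and method names are assumptions, not the patent's.

```python
"""Address and data-volume filter modelled on the patent's PDCP filter (added example)."""
from collections import deque
from dataclasses import dataclass, field
from typing import Deque, List, Optional, Set, Tuple


@dataclass
class FilterConfig:
    """Data connection filter configuration data for one device (or device group)."""
    prohibited: Set[str] = field(default_factory=set)   # black-list of peer addresses
    allowed: Optional[Set[str]] = None                  # white-list; None = not configured
    max_bytes: int = 0                                  # upper data amount limit, 0 = unlimited
    min_bytes: int = 0                                  # lower (liveness) limit, 0 = disabled
    window_s: float = 60.0                              # sliding window length in seconds


@dataclass
class Packet:
    src: str   # originating address
    dst: str   # destination address
    size: int  # payload bytes
    ts: float  # arrival time in seconds


class PdcpFilter:
    """Analyzes packets against the config and performs a preventive action
    (drop plus report) when a rule matches."""

    def __init__(self, device_id: str, cfg: FilterConfig) -> None:
        self.device_id = device_id
        self.cfg = cfg
        self.window: Deque[Tuple[float, int]] = deque()  # (timestamp, bytes) inside the window
        self.reports: List[str] = []                      # reports to owner/operator

    def _accumulated(self, now: float) -> int:
        # Expire samples older than the sliding window, then sum what remains.
        while self.window and now - self.window[0][0] > self.cfg.window_s:
            self.window.popleft()
        return sum(size for _, size in self.window)

    def _prevent(self, reason: str, pkt: Packet) -> str:
        self.reports.append(f"{self.device_id}: {reason} ({pkt.src} -> {pkt.dst}, {pkt.size} B)")
        return "drop"

    def process(self, pkt: Packet, uplink: bool) -> str:
        """Return 'forward' or 'drop' for one packet. uplink=True means the packet
        emanates from the device; otherwise it is destined for the device."""
        peer = pkt.dst if uplink else pkt.src
        if peer in self.cfg.prohibited:
            return self._prevent("prohibited address", pkt)
        if self.cfg.allowed is not None and peer not in self.cfg.allowed:
            return self._prevent("address not on allowed list", pkt)
        if self.cfg.max_bytes and self._accumulated(pkt.ts) + pkt.size > self.cfg.max_bytes:
            return self._prevent("data amount limit exceeded", pkt)
        self.window.append((pkt.ts, pkt.size))
        return "forward"

    def check_lower_limit(self, now: float) -> bool:
        """Lower-limit variant: True if the device moved enough data in the window,
        otherwise a report asks the owner to inspect the device."""
        if not self.cfg.min_bytes or self._accumulated(now) >= self.cfg.min_bytes:
            return True
        self.reports.append(f"{self.device_id}: data amount below lower limit, inspect device")
        return False


def demo() -> dict:
    """Run constructed packets through the filter; returns the decisions for checking."""
    cfg = FilterConfig(prohibited={"203.0.113.9"}, allowed={"198.51.100.5", "203.0.113.9"},
                       max_bytes=1000, min_bytes=100, window_s=10.0)
    flt = PdcpFilter("device-103", cfg)
    decisions = [
        flt.process(Packet("10.0.0.103", "198.51.100.5", 400, 0.0), uplink=True),    # ok
        flt.process(Packet("10.0.0.103", "203.0.113.9", 50, 1.0), uplink=True),      # black-listed wins
        flt.process(Packet("192.0.2.77", "10.0.0.103", 50, 2.0), uplink=False),      # not white-listed
        flt.process(Packet("198.51.100.5", "10.0.0.103", 500, 3.0), uplink=False),   # ok, 900 B in window
        flt.process(Packet("10.0.0.103", "198.51.100.5", 200, 4.0), uplink=True),    # would exceed 1000 B
        flt.process(Packet("10.0.0.103", "198.51.100.5", 200, 11.0), uplink=True),   # first sample expired
    ]
    alive_now = flt.check_lower_limit(now=12.0)    # 700 B still inside the window
    alive_later = flt.check_lower_limit(now=40.0)  # window empty: device deemed not functional
    return {"decisions": decisions, "alive_now": alive_now,
            "alive_later": alive_later, "reports": flt.reports}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The black-list is checked before the white-list so that a known-bad address can never be re-admitted by an over-broad allow rule, and the sliding window counts only packets that were actually forwarded, so dropped traffic cannot exhaust the device's own budget.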
  • Some embodiments involve a procedure of updating the data connection filter configuration data that was obtained during action 215.
  • Such an updating procedure is illustrated in figure 2b and it comprises the following actions:
  • Further data connection filter configuration data is obtained.
  • the obtaining in this action may entail communication with a server 129 available on the Internet 128 or by way of retrieval from the storage unit 104 available within the first network node 101.
  • the further data connection filter configuration data is provided to the PDCP processing instance 114, and
  • the controlling in action 225 comprises controlling the PDCP processing instance 114 to analyze data packets in relation to the further data connection filter configuration data.
  • Some embodiments involve handling a group of devices that share at least some characteristics that make it possible to utilize one and the same PDCP instance for processing data packets of all devices in the group. Such a procedure is illustrated in figure 2c and it comprises the following actions:
  • Data connection filter configuration data associated with the further communication device 153 is obtained. For example, it may be similar to the obtaining in action 215.
  • the PDCP processing instance 114 is controlled in action 225 to also process data packets destined for the further communication device 153 and data packets emanating from the further communication device 153.
  • the group determination that is performed in action 260 may involve interaction with the MME 122. What group a device belongs to could be explicit in the response from the MME 122, or it could be implicitly identified when obtaining the configuration data, i.e. the identity of the configuration data is the determining factor for what group the device belongs to.
  • Some embodiments handle situations where the PDCP processing instance 114 is unable, due to limited processing capacity, to handle further data packet processing. Such embodiments are illustrated in figure 2d and they comprise the following actions:
  • a further PDCP processing instance 134 is set up.
  • the setting up comprises providing the data connection filter configuration data to the further PDCP processing instance 134.
  • the further PDCP processing instance 134 is controlled to process data packets destined for the further communication device 153 and data packets emanating from the further communication device 153.
  • the controlling 280 in this action comprises controlling the further PDCP processing instance 134 to analyze data packets in relation to the data connection filter configuration data and, as a consequence of the analyzing of the data packets, performing a preventive action associated with the data connection 157, similar to the procedures described above in connection with action 225.
  • the PDCP processing instance 114 and the further PDCP processing instance 134 are controlled such that the processing of data packets destined for the communication device 103 and data packets emanating from the communication device 103 is transferred from the PDCP processing instance 114 to the further PDCP processing instance 134.
  • a form of load balancing is performed between the PDCP instances 114, 134 in order to handle a limited processing capacity of the PDCP instance 114.
  • load balancing There are many ways of performing such load balancing. For example, new data connections are distributed evenly across running packet data processing instances until the load becomes low, i.e. below a predetermined load threshold. Then one processing instance is blocked from getting new connections until it is empty, and then it is removed (at some point lingering connections might be forcibly removed or moved to another processing instance).
  • Such a procedure comprises the following actions:
  • Data connection filter configuration data associated with the further communication device 153 is obtained. For example, it may be similar to the obtaining in action 215 and action 255.
  • Action 294: the further PDCP processing instance 134 is controlled to process data packets destined for the further PDCP processing instance 134
  • the controlling in action 296 comprises controlling the further PDCP processing instance 134 to analyze data packets in relation to the data connection filter configuration data and, as a consequence of the analyzing of the data packets, performing a preventive action associated with the data connection 157.
  • FIG. 2d and 2e may be seen as various ways of performing load balancing between two or more PDCP processing instances. Such load balancing may involve monitoring of the processing capacity of PDCP instances.
  • the processing capacity of a PDCP instance may result from many different factors. It can be the available cycles for processing; it may be the bandwidth for incoming or outgoing traffic, memory usage, limits in software and/or hardware security calculations, and so on.
  • the load balancing algorithms can be based on, but not limited to, any of these factors or a combination of them. How it is determined to place further
  • the algorithm can for instance choose to have even load on the instances or to have one instance at max and only use the other to take remaining connections until it is full and yet another instance needs to be started.
  • connections can be actively moved from one instance to another, or a load balancing entity can decide to stop allocating new connections to a specific PDCP instance. Since all data connections are limited in time, this will result in that PDCP instance eventually being empty, and it can then be terminated and its resources released.
  • the control entity will keep track of the resources used by the PDCP instances that filter for specific groups and make this information available to other parts of the system, such as the operator's billing system, so that the customer can be charged for the specific resources used, and so that the customer that owns the device knows how to balance the protection against the costs of the filtering function. That is, even if the operator already has features today to charge for subscriptions and bytes sent/received, the control entity can specify how much cloud resources have been used and provide this information to the operator. This gives the operator a way to charge specifically for the resources used. It allows an end customer to pay only for what is used, i.e. a customer that has heavy filters pays more than one that has little filtering.
  • the method is for preventing misbehavior by the communication device 103 during a data connection 107 in the network and the method comprises a number of actions performed by a packet data processing instance 114, e.g. a PDCP processing instance as discussed above, as follows:
  • Data connection filter configuration data associated with the at least one communication device 103, 153 is obtained. For example, it may be similar to the obtaining in action 215, action 255 and action 292.
  • Data packets destined for the at least one communication device 103, 153 and data packets emanating from the at least one communication device 103, 153 are analyzed in relation to the data connection filter configuration data.
  • the analysis of data packets in relation to the data connection filter configuration data that is performed in action 320 may comprise comparing addresses of data packets with a list of prohibited addresses, and the preventive action in action 330 may comprise any of preventing a data packet from being transmitted to a prohibited destination address, and disregarding a data packet received from a prohibited originating address.
  • the data connection filter configuration data may comprise a list of IP or MAC addresses that are black-listed, e.g. due to known malicious behavior by entities that are associated with such addresses.
  • a white-list of addresses may be used. Such a white-list may comprise addresses of only those entities that are known not to behave maliciously.
  • the analysis of data packets in relation to the data connection filter configuration data may comprise comparing addresses of data packets with a list of allowed addresses, and the preventive action may then comprise any of preventing a data packet from being transmitted to a destination address that is not an allowed destination address, and disregarding a data packet received from an originating address that is not an allowed originating address.
  • the analysis of data packets in relation to the data connection filter configuration data in action 320 may comprise comparing an accumulated amount of data in data packets with a data amount limit and the preventive action may then comprise preventing a data packet from reaching any of a destination address and the at least one communication device 103, 153 in case the accumulated amount of data is greater than the data amount limit.
  • a determination of an accumulated data amount may be in terms of X bytes over a sliding window of Y seconds, or it might be X bytes during a time period of Y after which the counter is reset, and so on.
  • a variation of such embodiments is the use of a lower limit on the amount of data transmitted or received, e.g. over a specific period of time. A controlling entity may then be alerted to the fact that the data amount limit was not reached and thus the device did not qualify as functional and should be inspected further by the device owner. Use of such a lower limit may be advantageous when it is desirable to detect some kind of hardware and/or software failure in the device.
  • preventive action shall be interpreted in a broad sense and includes any appropriate response action, as exemplified above.
  • the preventive action may also include transmission of a report to, e.g., an owner of the communication device or to an operator of the communication network. Such a report may comprise information regarding the outcome of the analysis and any action taken to prevent data packets from being transmitted etc.
  • the network node 400, which may correspond to the network node 101 described above, is configured to prevent misbehavior by a communication device 103 during a data connection 107 in a communication network 100.
  • the network node 400 comprises radio frequency circuitry 406, a processor 402 and a memory 404, the memory 404 containing instructions executable by the processor 402 whereby the network node 400 is operative to:
  • control the packet data processing instance 114 to process data packets destined for the communication device 103 and data packets emanating from the communication device 103, said control comprising control of the packet data processing instance 114 to analyze data packets in relation to the data connection filter configuration data and, as a consequence of the analyzing of the data packets, perform a preventive action associated with the data connection 107.
  • the network node 400 is operative such that:
  • the analysis of data packets in relation to the data connection filter configuration data comprises comparing addresses of data packets with a list of prohibited addresses
  • the preventive action comprises any of:
  • the first network node 400 is operative such that:
  • the analysis of data packets in relation to the data connection filter configuration data comprises comparing addresses of data packets with a list of allowed addresses
  • the preventive action comprises any of:
  • the first network node 400 is operative such that:
  • the analysis of data packets in relation to the data connection filter configuration data comprises comparing an accumulated amount of data in data packets with a data amount limit
  • the preventive action comprises preventing a data packet from reaching any of a destination address and the communication device 103, in case the accumulated amount of data is greater than the data amount limit.
  • the first network node 400 is operative to:
  • controlling comprises controlling the packet data processing instance 114 to analyze data packets in relation to the further data connection filter configuration data.
  • the first network node 400 is operative to:
  • controlling comprises, as a consequence of said determination, controlling the packet data processing instance 114 to also process data packets destined for the further communication device 153 and data packets emanating from the further communication device 153.
  • the first network node 400 is operative to:
  • a further packet data processing instance 134 operative such that said setting up comprises providing the data connection filter configuration data to the further packet data processing instance 134, and
  • control the further packet data processing instance 134 to process data packets destined for the further communication device 153 and data packets emanating from the further communication device 153, operative such that said controlling comprises controlling the further packet data processing instance 134 to analyze data packets in relation to the data connection filter configuration data and, as a consequence of the analyzing of the data packets, performing a preventive action associated with the data connection 157.
  • the first network node 400 is operative to:
  • the first network node 400 is operative to:
  • the further packet data processing instance 134 to process data packets destined for the further communication device 153 and data packets emanating from the further communication device 153, operative such that said controlling comprises controlling the further packet data processing instance 134 to analyze data packets in relation to the data connection filter configuration data and, as a consequence of the analyzing of the data packets, performing a preventive action associated with the data connection 157.
  • the network node 400, which may correspond to the network node 101 described above, is configured to prevent misbehavior by at least one communication device 103, 153 during a data connection 107, 157 in a communication network 100.
  • the network node 400 comprises radio frequency circuitry 406, a processor 402 and a memory 404, the memory 404 containing instructions executable by the processor 402 whereby the network node 400 is operative to:
  • the first network node 400 is operative such that:
  • the analysis of data packets in relation to the data connection filter configuration data comprises comparing addresses of data packets with a list of prohibited addresses
  • the preventive action comprises any of:
  • the first network node 400 is operative such that:
  • the analysis of data packets in relation to the data connection filter configuration data comprises comparing addresses of data packets with a list of allowed addresses, and
  • the preventive action comprises any of:
  • the first network node 400 is operative such that:
  • the analysis of data packets in relation to the data connection filter configuration data comprises comparing an accumulated amount of data in data packets with a data amount limit
  • the preventive action comprises preventing a data packet from reaching any of a destination address and the at least one communication device (103, 153), in case the accumulated amount of data is greater than the data amount limit.
  • the instructions that are executable by the processor 402 may be software in the form of a computer program 441.
  • the computer program 441 may be contained in or by a carrier 442, which may provide the computer program 441 to the memory 404 and processor 402.
  • the carrier 442 may be in any suitable form including an electronic signal, an optical signal, a radio signal or a computer readable storage medium.
  • FIG. 5 illustrates schematically a network node 500 that comprises:
  • an obtaining module 502 configured to obtain, from a second network node 122, information that identifies the communication device 103 that is setting up the data connection 107,
  • an obtaining module 504 configured to obtain data connection filter configuration data associated with the communication device 103
  • a setting-up module 506 configured to set up a packet data processing instance 114, said setup comprising providing the data connection filter configuration data to the packet data processing instance 114,
  • FIG. 6 illustrates schematically a network node 600 that comprises:
  • an obtaining module 602 configured to obtain data connection filter configuration data associated with the at least one communication device 103, 153,
  • an analyzing module 604 configured to analyze data packets destined for the at least one communication device 103, 153 and data packets emanating from the at least one communication device 103, 153 in relation to the data connection filter configuration data and,
  • a preventing module 606 configured to, as a consequence of the analyzing in the analyzing module 604, perform a preventive action associated with the data connection 107, 157.
  • the network nodes 500, 600 may comprise further modules that are configured to perform in a similar manner as, e.g., the network node 400 described above in connection with figure 4.
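As an added example (not code from the patent or its applicant) of the analysis described above for actions 320 and 330: a per-connection filter that applies a prohibited-address list, an optional allowed-address list, an upper limit of X bytes over a sliding window of Y seconds, and the lower-limit variant that flags a device that did not reach its minimum, collecting the drop reasons for the report to the owner or operator. All class and field names, addresses, sizes and timestamps are constructed assumptions.

```python
from collections import deque
from dataclasses import dataclass
from typing import Deque, FrozenSet, List, Optional, Tuple

@dataclass
class FilterConfig:
    """Constructed stand-in for the data connection filter configuration data."""
    prohibited: FrozenSet[str] = frozenset()   # black-listed IP/MAC addresses
    allowed: Optional[FrozenSet[str]] = None   # white-list; None means not in use
    max_bytes: int = 0                         # X bytes ...
    window_s: float = 0.0                      # ... over a sliding window of Y seconds
    min_bytes: int = 0                         # lower limit expected within the window

@dataclass
class Packet:
    src: str
    dst: str
    size: int
    ts: float       # seconds; constructed timestamps in the test below

@dataclass
class Verdict:
    action: str     # "forward" or "drop"
    reason: str = ""

class ConnectionFilter:
    """Analysis of one device's data connection, as a packet data processing instance would run it."""

    def __init__(self, cfg: FilterConfig, device_addr: str):
        self.cfg = cfg
        self.device = device_addr
        self.history: Deque[Tuple[float, int]] = deque()   # (timestamp, bytes) of forwarded packets
        self.report: List[str] = []                         # material for the report to owner/operator

    def _window_bytes(self, now: float) -> int:
        # Drop samples that fell out of the sliding window, then sum the rest.
        while self.history and now - self.history[0][0] >= self.cfg.window_s:
            self.history.popleft()
        return sum(size for _, size in self.history)

    def analyze(self, pkt: Packet) -> Verdict:
        outbound = pkt.src == self.device
        peer = pkt.dst if outbound else pkt.src
        role = "destination" if outbound else "originating"
        if peer in self.cfg.prohibited:
            verdict = Verdict("drop", f"{role} address {peer} is prohibited")
        elif self.cfg.allowed is not None and peer not in self.cfg.allowed:
            verdict = Verdict("drop", f"{role} address {peer} is not an allowed address")
        elif self.cfg.max_bytes and self._window_bytes(pkt.ts) + pkt.size > self.cfg.max_bytes:
            verdict = Verdict("drop", "accumulated data amount exceeds the data amount limit")
        else:
            self.history.append((pkt.ts, pkt.size))
            verdict = Verdict("forward")
        if verdict.action == "drop":
            self.report.append(verdict.reason)
        return verdict

    def below_lower_limit(self, now: float) -> bool:
        """Lower-limit variant: True when less than min_bytes passed within the window."""
        short = self.cfg.min_bytes > 0 and self._window_bytes(now) < self.cfg.min_bytes
        if short:
            self.report.append("data amount limit not reached; device should be inspected")
        return short
```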
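As an added example (not code from the patent or its applicant) of the load balancing procedure described in connection with FIG. 2d and 2e: new data connections go to the least-loaded instance that still accepts connections, one instance is blocked from new connections once aggregate load falls below the predetermined threshold, and it is terminated once its lingering connections have ended. The connection-count capacity used as a proxy for processing capacity, the instance names and the threshold are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import List, Set

@dataclass
class PdcpInstance:
    name: str
    capacity: int                              # connections it can carry; constructed proxy for processing capacity
    connections: Set[str] = field(default_factory=set)
    draining: bool = False                     # blocked from receiving new connections

    @property
    def load(self) -> float:
        return len(self.connections) / self.capacity

class LoadBalancer:
    """Controlling-entity logic: spread new connections, drain one instance when load is low."""

    def __init__(self, low_threshold: float, capacity: int):
        self.low_threshold = low_threshold     # the predetermined load threshold
        self.capacity = capacity               # assumed capacity of each newly set-up instance
        self.instances: List[PdcpInstance] = []
        self._seq = 0

    def _spawn(self) -> PdcpInstance:
        self._seq += 1
        inst = PdcpInstance(f"pdcp-{self._seq}", self.capacity)
        self.instances.append(inst)
        return inst

    def total_load(self) -> float:
        cap = sum(i.capacity for i in self.instances)
        return sum(len(i.connections) for i in self.instances) / cap if cap else 0.0

    def place(self, conn_id: str) -> str:
        """Assign a new connection to the least-loaded instance that still accepts connections."""
        accepting = [i for i in self.instances if not i.draining and len(i.connections) < i.capacity]
        target = min(accepting, key=lambda i: i.load) if accepting else self._spawn()
        target.connections.add(conn_id)
        return target.name

    def release(self, conn_id: str) -> List[str]:
        """A data connection ended; returns the names of any instances terminated as a result."""
        for inst in self.instances:
            inst.connections.discard(conn_id)
        return self.rebalance()

    def rebalance(self) -> List[str]:
        # Once load is low, block one instance (the least loaded) from new connections.
        active = [i for i in self.instances if not i.draining]
        if len(active) > 1 and self.total_load() < self.low_threshold:
            min(active, key=lambda i: i.load).draining = True
        # A draining instance whose connections have all ended is terminated and its resources released.
        removed = [i.name for i in self.instances if i.draining and not i.connections]
        self.instances = [i for i in self.instances if i.name not in removed]
        return removed
```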

Abstract

The invention aims to prevent misbehavior by a communication device (103) during a data connection (107) in a network (100). Information from a second network node (122) identifies the communication device (103). Data connection filter configuration data associated with the communication device is obtained. A packet data processing instance (114) is set up, which comprises providing the data connection filter configuration data to the packet data processing instance (114). The packet data processing instance (114) is controlled to process data packets destined for the communication device (103) and/or data packets emanating from the communication device (103). The controlling comprises controlling the packet data processing instance (114) to analyze data packets in relation to the data connection filter configuration data and, as a consequence of the analysis of the data packets, to perform a preventive action associated with the data connection (107).

Priority Applications (1)

Application Number Priority Date Filing Date Title
PCT/EP2017/083771 WO2019120507A1 (fr) 2017-12-20 2017-12-20 Commande du comportement de dispositifs

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/EP2017/083771 WO2019120507A1 (fr) 2017-12-20 2017-12-20 Commande du comportement de dispositifs

Publications (1)

Publication Number Publication Date
WO2019120507A1 true WO2019120507A1 (fr) 2019-06-27

Family

ID=60888415

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/EP2017/083771 Ceased WO2019120507A1 (fr) 2017-12-20 2017-12-20 Commande du comportement de dispositifs

Country Status (1)

Country Link
WO (1) WO2019120507A1 (fr)

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20050122930A1 (en) * 2003-12-05 2005-06-09 Wen Zhao Apparatus and method of controlling unsolicited traffic destined to a wireless communication device
US20150215186A1 (en) * 2012-08-06 2015-07-30 Telefonaktiebolaget Lm Ericsson (Publ) Dynamic content filtering of data traffic in a communication network

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application. Ref document number: 17822662; Country of ref document: EP; Kind code of ref document: A1
NENP Non-entry into the national phase. Ref country code: DE
122 Ep: pct application non-entry in european phase. Ref document number: 17822662; Country of ref document: EP; Kind code of ref document: A1