WO2020037665A1 - Techniques for use in identifying a base station as an untrusted resource - Google Patents

Techniques for use in identifying a base station as an untrusted resource

Info

Publication number
WO2020037665A1
Authority
WO
WIPO (PCT)
Prior art keywords
base station
candidate base
resource
untrusted
recited
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Ceased
Application number
PCT/CN2018/102305
Other languages
English (en)
Inventor
Xuepan GUAN
Nitin Pant
Bhupesh Umatt
Shiau-He Tsai
Jiming Guo
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Qualcomm Inc
Original Assignee
Qualcomm Inc
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Qualcomm Inc
Priority to PCT/CN2018/102305
Publication of WO2020037665A1
Legal status: Ceased

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/12 Detection or prevention of fraud
    • H04W12/121 Wireless intrusion detection systems [WIDS]; Wireless intrusion prevention systems [WIPS]
    • H04W12/122 Counter-measures against attacks; Protection against rogue devices
    • H04W12/60 Context-dependent security
    • H04W12/66 Trust-dependent, e.g. using trust scores or trust relationships

Definitions

  • Aspects of the disclosure relate generally to methods, apparatuses and items of manufacture for use in wireless communication devices, and more particularly to techniques for identifying a base station as an untrusted resource based, at least in part, on one or more wireless signals exchanged between the base station and at least one user equipment as part of an attempted procedure to operatively attach the user equipment and the base station.
  • Attackers may deploy one or more fake base stations (BSs) in mobile communication networks to make unauthorized connections to user equipments (UEs), such as smartphones.
  • Such connections may result in theft of valuable information from users, destruction/corruption of data, loss of privacy, and/or unauthorized control of UEs, just to name a few concerns.
  • A method for use by a user equipment (UE), the method comprising, at the UE: exchanging one or more wireless signals with a candidate base station as part of at least one attempted procedure to operatively attach the UE to the candidate base station; determining that the at least one attempted procedure to operatively attach the UE to the candidate base station was not fully completed; identifying the candidate base station as an untrusted resource, at least in part, in response to the determination that the at least one attempted procedure to operatively attach the UE to the candidate base station was not fully completed; subsequently, operatively attaching the UE to a base station that is not identified as an untrusted resource; and transmitting, to the base station, information corresponding to at least the untrusted resource.
  • such a UE may support at least a first mode and a second mode of wireless signal transmission and reception.
  • one mode may be UMTS and the other mode may be GSM.
  • one mode may be 4G and the other mode may be 2G.
  • a first mode may support communication with a trusted resource in a trusted manner but not an untrusted resource.
  • the second mode may support communication with either a trusted resource or an untrusted resource in an untrusted manner.
  • such a UE may be configured to (continue to) operate in the first mode rather than switching to the second mode in response to identifying a candidate base station as an untrusted resource.
  • the method may include, at the UE, determining that a candidate base station failed to perform one or more trust-related activities as part of at least one attempted procedure to operatively attach the UE to the candidate base station. For example, a UE may determine that a message transmitted by the candidate base station was received without a security context activated, or without including a cipher, or without including an integrity check, or some combination thereof. In another example, a UE may receive an attachment rejection message from the candidate base station.
  • a UE may receive at least a portion of a list of candidate base stations from at least one other device; identify a candidate base station using the list of candidate base stations at the UE; identify a candidate base station as an untrusted resource based, at least in part, on one or more criteria stored at the UE; maintain at least a portion of the list of candidate base stations at the UE; generate at least a portion of the list of candidate base stations at the UE; or some combination thereof.
  • all or part of a list of candidate base stations may be indicative of a known trusted resource, or a known untrusted resource, or one or more candidate base stations, or a combination thereof.
  • a UE may identify a corresponding period of time during which the candidate base station is to be identified as an untrusted resource; after the period of time is over, the candidate base station may no longer be identified as an untrusted resource.
  • the one or more wireless signals comprise at least one of a Tracking Area Update (TAU) message, or a Location Area Update (LAU) message, or a Routing Area Update (RAU) message, or some combination thereof.
  • a UE may be provided which comprises memory, a transceiver, and a processing unit that is coupled to the memory and the transceiver.
  • the processing unit may be configured to: initiate an exchange, via the transceiver, of one or more wireless signals with a candidate base station as part of at least one attempted procedure to operatively attach the UE to the candidate base station; determine that the at least one attempted procedure to operatively attach the UE to the candidate base station was not fully completed; identify, in the memory, the candidate base station as an untrusted resource, at least in part, in response to the determination that the at least one attempted procedure to operatively attach the UE to the candidate base station was not fully completed; subsequently, operatively attach the UE to a base station that is not identified as an untrusted resource via the transceiver; and initiate transmission of information corresponding to at least the untrusted resource to the base station via the transceiver.
  • a method may be provided for use by a network resource, e.g., a base station or the like.
  • the method may comprise: receiving, from a user equipment (UE), information corresponding to a candidate base station that the UE has identified as an untrusted resource based, at least in part, in response to a determination that at least one attempted procedure to operatively attach the UE to the candidate base station was not fully completed; maintaining a list of candidate base stations based, at least in part, on the received information; and transmitting at least a portion of the list of candidate base stations.
  • received information may comprise information corresponding to the candidate base station received from a plurality of UEs, wherein the plurality of UEs comprises the UE.
  • a network resource may comprise a base station identified by the UE as comprising a trusted network resource.
  • at least a portion of the list of candidate base stations is indicative of a known trusted resource, or a known untrusted resource, or both.
  • a network resource may be provided which comprises memory, a transceiver, and a processing unit coupled to the memory and the transceiver.
  • the processing unit of the network resource may be configured to: receive, via the transceiver from a user equipment (UE), information corresponding to a candidate base station that the UE has identified as an untrusted resource based, at least in part, in response to a determination that at least one attempted procedure to operatively attach the UE to the candidate base station was not fully completed; maintain a list of candidate base stations based, at least in part, on the received information; and initiate transmission of at least a portion of the list of candidate base stations to one or more other devices.
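The UE-side and network-side bookkeeping summarized above can be sketched as follows; this is an added example, not code from the patent or its assignee. The field names, the 1800-second hold period, the rule of skipping "second"-mode cells while an entry is live, the two-reporter threshold, and all cell and UE identifiers are assumptions made for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

PROCEDURES = {"ATTACH", "TAU", "LAU", "RAU"}  # procedures the page names


@dataclass(frozen=True)
class AttachAttempt:
    """One attempted procedure as seen by the UE (hypothetical field names)."""
    cell_id: str
    procedure: str
    completed: bool
    rejected: bool = False
    security_context_active: bool = True
    ciphered: bool = True
    integrity_protected: bool = True


def failure_reasons(a: AttachAttempt) -> list:
    """Map an attempt to the trust-related failures listed on the page."""
    if a.procedure not in PROCEDURES:
        raise ValueError(f"unknown procedure: {a.procedure}")
    checks = [
        (a.rejected, "attach_reject"),
        (not a.security_context_active, "no_security_context"),
        (not a.ciphered, "no_cipher"),
        (not a.integrity_protected, "no_integrity_check"),
    ]
    reasons = [name for failed, name in checks if failed]
    if not a.completed and not reasons:
        reasons.append("not_completed")
    return reasons


class UeUntrustedList:
    """UE-side list; entries lapse after hold_seconds (assumed value, not from the page)."""

    def __init__(self, hold_seconds=1800.0):
        self.hold_seconds = hold_seconds
        self._entries = {}  # cell_id -> (expires_at, reasons)

    def observe(self, attempt, now):
        """Record the attempt; return True if the cell was marked untrusted."""
        reasons = failure_reasons(attempt)
        if reasons:
            self._entries[attempt.cell_id] = (now + self.hold_seconds, reasons)
        return bool(reasons)

    def active(self, now):
        """Drop lapsed entries and return the live ones (also the report payload)."""
        self._entries = {c: e for c, e in self._entries.items() if now < e[0]}
        return {c: list(r) for c, (_, r) in self._entries.items()}

    def select(self, candidates, now):
        """Return the first acceptable cell from (cell_id, mode) pairs, strongest first.

        Assumed policy: while any entry is live, "second"-mode cells are skipped so
        the UE stays in the first mode instead of falling back.
        """
        live = self.active(now)
        for cell_id, mode in candidates:
            if cell_id in live or (live and mode == "second"):
                continue
            return cell_id
        return None


class NetworkCandidateList:
    """Network-side list built from UE reports; min_reporters is an assumed threshold."""

    def __init__(self, min_reporters=2):
        self.min_reporters = min_reporters
        self._reporters = defaultdict(set)  # cell_id -> set of reporting UE ids

    def receive(self, ue_id, report):
        for cell_id in report:
            self._reporters[cell_id].add(ue_id)

    def untrusted_portion(self):
        """Cells reported by enough distinct UEs; this is the part redistributed."""
        return sorted(c for c, u in self._reporters.items() if len(u) >= self.min_reporters)


def demo():
    """Constructed scenario: every cell and UE identifier below is made up."""
    ue = UeUntrustedList(hold_seconds=1800.0)
    rogue = AttachAttempt("cell-9999", "TAU", completed=False, rejected=True,
                          integrity_protected=False)
    flagged = ue.observe(rogue, now=0.0)
    candidates = [("cell-9999", "first"), ("cell-2g-07", "second"), ("cell-0110", "first")]
    chosen = ue.select(candidates, now=10.0)
    ue.observe(AttachAttempt(chosen, "ATTACH", completed=True), now=11.0)
    report = ue.active(now=12.0)
    net = NetworkCandidateList(min_reporters=2)
    net.receive("ue-a", report)
    after_one = net.untrusted_portion()
    net.receive("ue-b", {"cell-9999": ["not_completed"]})
    after_two = net.untrusted_portion()
    after_hold = ue.select(candidates, now=1800.0)
    return {"flagged": flagged, "chosen": chosen, "report": report,
            "after_one": after_one, "after_two": after_two, "after_hold": after_hold}
```

Calling `demo()` walks one rejected, integrity-less TAU through marking, cell selection, reporting, network aggregation and expiry of the hold period.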
  • FIG. 1 is a conceptual diagram illustrating an example of a radio access network, in accordance with certain implementations.
  • FIG. 2 is a block diagram conceptually illustrating an example of a BS communicating with one or more UEs, in accordance with certain implementations.
  • FIG. 3 is a block diagram conceptually illustrating an example of a hardware implementation for a UE, in accordance with certain implementations.
  • FIG. 4 is a block diagram conceptually illustrating an example of a hardware implementation for a BS, in accordance with certain implementations.
  • FIG. 5 illustrates an example network configuration showing a man-in-the-middle attack, in accordance with certain implementations.
  • FIG. 6 illustrates an example network configuration showing a UE under attack by a fake BS, in accordance with certain implementations.
  • FIG. 7 illustrates an example attach procedure for a UE in a communication network, in accordance with certain implementations.
  • FIG. 8 illustrates an example process for a UE, in accordance with certain implementations.
  • FIG. 9 illustrates an example process for a UE, in accordance with certain implementations.
  • FIG. 10 illustrates an example process for a trusted resource (e.g., BS), in accordance with certain implementations.
  • FIG. 11 illustrates a call-flow diagram for UE and one or more BSs
  • In FIG. 1, a schematic illustration of a radio access network 100 is provided.
  • the geographic region covered by the radio access network 100 may be divided into a number of cellular regions (cells) that may be uniquely identified by a UE based on an identification broadcasted over a geographical area from a base station (BS).
  • FIG. 1 illustrates macrocells 102, 104, and 106, and a small cell 108, each of which may include one or more sectors.
  • a sector may comprise a sub-area of a cell.
  • all sectors within a cell may be served by the same BS.
  • a radio link within a sector may be identified by a logical identification corresponding to that sector.
  • a sector may be served by one or more group(s) of antennas, with the antennas responsible for communication with UEs in an applicable portion of the cell/sector.
  • a BS may comprise a network element in a radio access network responsible for radio transmission and reception (e.g., exchanging wireless signals) in one or more cells with one or more UEs.
  • a BS may also be referred to by those skilled in the art as a base transceiver station (BTS), a radio base station, a radio transceiver, a transceiver function, a basic service set (BSS), an extended service set (ESS), an access point (AP), a Node B (NB), an eNode B (eNB), a gNode B (gNB), or some other suitable terminology.
  • In FIG. 1, two high-power BSs 110 and 112 are shown in cells 102 and 104; and a third high-power BS 114 is shown controlling a remote radio head (RRH) 116 in cell 106.
  • a BS may comprise an integrated antenna or may be coupled to an antenna or RRH, e.g., via feeder cables, etc.
  • cells 102, 104, and 106 may be referred to as macrocells, as the high-power BSs 110, 112, and 114 may be configured to support cells having large size(s).
  • a low-power BS 118 is shown in the small cell 108 (e.g., a microcell, picocell, femtocell, home BS, home Node B, home eNode B, etc.) which may overlap with one or more macrocells.
  • the cell 108 may be referred to as a small cell, as the low-power BS 118 may support a cell having a relatively small size.
  • Cell sizing may vary according to system design as well as component constraints.
  • the radio access network 100 may include any number of wireless BSs and cells.
  • a relay node may be deployed to extend the size or coverage area of a given cell.
  • the BSs 110, 112, 114, 118 provide wireless access points to a core network for any number of mobile apparatuses.
  • FIG. 1 further includes a quadcopter or drone 120, which may be configured to function as a BS. That is, in some examples, a cell may not necessarily be stationary, and the geographic area of the cell may move according to the location of a mobile BS such as the quadcopter 120.
  • BSs may include a backhaul interface for communication with a backhaul portion of the network.
  • the backhaul may provide a link between a BS and a core network, and in some examples, the backhaul may provide interconnection between the respective BSs.
  • the core network is a part of a wireless communication system that is generally independent of the radio access technology used in the radio access network.
  • Various types of backhaul interfaces may be employed, such as a direct physical connection, a virtual network, or the like using any suitable transport network.
  • Some BSs may be configured as integrated access and backhaul (IAB) nodes, where the wireless spectrum may be used both for access links (i.e., wireless links with UEs), and for backhaul links.
  • This scheme is sometimes referred to as wireless self-backhauling.
  • With wireless self-backhauling, rather than requiring each new BS deployment to be outfitted with its own hard-wired backhaul connection, the wireless spectrum utilized for communication between the BS and UE may be leveraged for backhaul communication, enabling fast and easy deployment of highly dense small cell networks.
  • the radio access network 100 is illustrated supporting wireless communication for multiple mobile apparatuses (also referred to as UEs).
  • a mobile apparatus is commonly referred to as user equipment (UE) in standards and specifications promulgated by the 3rd Generation Partnership Project (3GPP), but may also be referred to by those skilled in the art as a mobile station (MS), a subscriber station, a mobile unit, a subscriber unit, a wireless unit, a remote unit, a mobile device, a wireless device, a wireless communications device, a remote device, a mobile subscriber station, an access terminal (AT), a mobile terminal, a wireless terminal, a remote terminal, a handset, a terminal, a user agent, a mobile client, a client, or some other suitable terminology.
  • a UE may be an apparatus that provides a user with access to network services.
  • a UE may comprise a “mobile” apparatus which may be moved about continuously, or from time to time, or may be provisioned in a more stationary state.
  • the term mobile apparatus or mobile device may broadly refer to a diverse array of devices and technologies.
  • some non-limiting examples of a mobile apparatus include a mobile, a cellular (cell) phone, a smart phone, a session initiation protocol (SIP) phone, a laptop, a personal computer (PC), a notebook, a netbook, a smartbook, a tablet, a personal digital assistant (PDA), and a broad array of embedded systems, e.g., corresponding to an “Internet of things” (IoT).
  • a mobile apparatus may additionally be an automotive or other transportation vehicle, a remote sensor or actuator, a robot or robotics device, a satellite radio, a global positioning system (GPS) device, an object tracking device, a drone, a multi-copter, a quad-copter, a remote control device, a consumer and/or wearable device, such as eyewear, a wearable camera, a virtual reality device, a smart watch, a health or fitness tracker, a digital audio player (e.g., MP3 player), a camera, a game console, etc.
  • a mobile apparatus may additionally be a digital home or smart home device such as a home audio, video, and/or multimedia device, an appliance, a vending machine, intelligent lighting, a home security system, a smart meter, etc.
  • a mobile apparatus may additionally be a smart energy device, a security device, a solar panel or solar array, a municipal infrastructure device controlling electric power (e.g., a smart grid), lighting, water, etc.; an industrial automation and enterprise device; a logistics controller; agricultural equipment; military defense equipment, vehicles, aircraft, ships, and weaponry, etc.
  • a mobile apparatus may provide for connected medicine or telemedicine support, i.e., health care at a distance.
  • Telehealth devices may include telehealth monitoring devices and telehealth administration devices, whose communication may be given preferential treatment or prioritized access over other types of information, e.g., in terms of prioritized access for transport of critical service data, and/or relevant QoS for transport of critical service data.
  • the cells may include UEs that may be in communication with one or more sectors of each cell.
  • UEs 122 and 124 may be in communication with BS 110; UEs 126 and 128 may be in communication with BS 112; UEs 130 and 132 may be in communication with BS 114 by way of RRH 116; UE 134 may be in communication with low-power BS 118; and UE 136 may be in communication with mobile BS 120.
  • each BS 110, 112, 114, 118, and 120 may be configured to provide an access point to a core network (not shown) for all the UEs in the respective cells.
  • Transmissions from a BS (e.g., BS 110) to one or more UEs (e.g., UEs 122 and 124) may be referred to as downlink (DL) transmission, while transmissions from a UE (e.g., UE 122) to a BS may be referred to as uplink (UL) transmissions.
  • the term downlink may refer to a point-to-multipoint transmission originating at a BS 202 (see FIG. 2). Another way to describe this scheme may be to use the term broadcast channel multiplexing.
  • the term uplink may refer to a point-to-point transmission originating at UE.
  • a mobile network node (e.g., quadcopter 120) may be configured to function as a UE.
  • the quadcopter 120 may operate within cell 102 by communicating with BS 110.
  • two or more UEs (e.g., UEs 126 and 128) may communicate with each other using peer to peer (P2P) or sidelink signals 127 without relaying that communication through a BS (e.g., BS 112).
  • In a radio access network 100, the ability for a UE to communicate while moving, independent of its location, is referred to as mobility.
  • the various physical channels between the UE and the radio access network are generally set up, maintained, and released under the control of an access and mobility management function (AMF), which may include a security context management function (SCMF) that manages the security context for both the control plane and the user plane functionality, and a security anchor function (SEAF) that performs authentication.
  • a radio access network 100 may utilize DL-based mobility or UL-based mobility to enable mobility and handovers (i.e., the transfer of a UE’s connection from one radio channel to another).
  • a UE may monitor various parameters of the signal from its serving cell as well as various parameters of neighboring cells. Depending on the quality of these parameters, the UE may maintain communication with one or more of the neighboring cells. During this time, if the UE moves from one cell to another, or if signal quality from a neighboring cell exceeds that from the serving cell for a given amount of time, the UE may undertake a handoff or handover from the serving cell to the neighboring (target) cell.
  • UE 124 may move from the geographic area corresponding to its serving cell 102 to the geographic area corresponding to a neighbor cell 106.
  • the UE 124 may transmit a reporting message to its serving BS 110 indicating this condition.
  • the UE 124 may receive a handover command, and the UE may undergo a handover to the cell 106.
  • UL reference signals from each UE may be utilized by the network to select a serving cell for each UE.
  • the BSs 110, 112, and 114/116 may broadcast unified synchronization signals (e.g., unified Primary Synchronization Signals (PSSs), unified Secondary Synchronization Signals (SSSs) and unified Physical Broadcast Channels (PBCH)).
  • the UEs 122, 124, 126, 128, 130, and 132 may receive the unified synchronization signals, derive the carrier frequency and slot timing from the synchronization signals, and in response to deriving timing, transmit an uplink pilot or reference signal.
  • the uplink pilot signal transmitted by a UE may be concurrently received by two or more cells (e.g., BSs 110 and 114/116) within the radio access network 100.
  • Each of the cells may measure a strength of the pilot signal, and the radio access network (e.g., one or more of the BSs 110 and 114/116 and/or a central node within the core network) may determine a serving cell for the UE 124.
  • the network may continue to monitor the uplink pilot signal transmitted by the UE 124.
  • the network 100 may handover the UE 124 from the serving cell to the neighboring cell, with or without informing the UE 124.
  • Although the synchronization signal transmitted by the BSs 110, 112, and 114/116 may be unified, the synchronization signal may not identify a particular cell, but rather may identify a zone of multiple cells operating on the same frequency and/or with the same timing.
  • the use of zones in 5G networks or other next generation communication networks may enable an uplink-based mobility framework that may improve the efficiency of the UE and the network. For example, in certain instances the number of mobility messages that may need to be exchanged between a UE and the network may be reduced at times.
  • the air interface in the radio access network 100 may utilize licensed spectrum, unlicensed spectrum, or shared spectrum.
  • Licensed spectrum provides for exclusive use of a portion of the spectrum, generally by virtue of a mobile network operator purchasing a license from a government regulatory body.
  • Unlicensed spectrum provides for shared use of a portion of the spectrum without need for a government-granted license. While compliance with some technical rules is generally still required to access unlicensed spectrum, generally, any operator or device may gain access.
  • Shared spectrum may fall between licensed and unlicensed spectrum, wherein technical rules or limitations may be required to access the spectrum, but the spectrum may still be shared by multiple operators and/or multiple RATs.
  • the holder of a license for a portion of licensed spectrum may provide licensed shared access (LSA) to share that spectrum with other parties, e.g., with suitable licensee-determined conditions to gain access.
  • access to the air interface may be scheduled, wherein a BS allocates resources for communication among some or all devices and equipment within its service area or cell.
  • the BS may be responsible for scheduling, assigning, reconfiguring, and releasing resources for one or more UEs. That is, for scheduled communication, UEs or scheduled entities utilize resources allocated by the BS.
  • a given UE may be capable, to at least some extent, to function as a BS, e.g., possibly scheduling resources for one or more scheduled entities (e.g., one or more other UEs).
  • sidelink signals may be used between UEs (e.g., either with scheduling from a BS or without necessarily relying on scheduling or control information from a BS).
  • UE 138 is illustrated communicating with UEs 140 and 142.
  • the UE 138 is functioning as a BS or a primary sidelink device, and UEs 140 and 142 may function as a UE or a non-primary (e.g., secondary) sidelink device.
  • a UE may function as a BS in a device-to-device (D2D), peer-to-peer (P2P), or vehicle-to-vehicle (V2V) network, and/or in a mesh network.
  • UEs 140 and 142 may optionally communicate directly with one another in addition to communicating with the BS 138.
  • a BS and one or more UEs may communicate utilizing the scheduled resources.
  • In FIG. 2, a block diagram illustrates a BS 202 and a plurality of UEs 204 (e.g., 204a and 204b).
  • the BS 202 may correspond to a BS 110, 112, 114, and/or 118.
  • the BS 202 may correspond to a UE 138, the quadcopter 120, or any other suitable node in the radio access network 100.
  • the UE 204 may correspond to the UE 122, 124, 126, 128, 130, 132, 134, 136, 138, 140, and 142, or any other suitable node in the radio access network 100.
  • the BS 202 may broadcast traffic 206 to one or more UEs 204 (the traffic may be referred to as downlink traffic).
  • the BS 202 is a node or device responsible for scheduling traffic in a wireless communication network, including the downlink transmissions and, in some examples, uplink traffic 210 from one or more UEs to the BS 202.
  • the UE 204 is a node or device that receives control information, including but not limited to scheduling information (e.g., a grant), synchronization or timing information, or other control information from another entity in the wireless communication network such as the BS 202.
  • UEs such as a first UE 204a and a second UE 204b may utilize sidelink signals for direct D2D communication.
  • Sidelink signals may include sidelink traffic 214 and sidelink control 216.
  • the sidelink traffic 214 and/or sidelink control 216 may be communicated via a PC5 interface.
  • the PC5 interface may support multicarrier transmissions and/or carrier aggregation (CA).
  • When LTE-based vehicle-to-everything (V2X) communication protocols are implemented by the first UE 204a, the first UE 204a may be allowed to use multiple carriers for the transmission of V2X messages.
  • Sidelink control information 216 may in some examples include a request signal, such as a request-to-send (RTS), a source transmit signal (STS), and/or a direction selection signal (DSS).
  • the request signal may provide for a UE 204 to request a duration of time to keep a sidelink channel available for a sidelink signal.
  • Sidelink control information 216 may further include a response signal, such as a clear-to-send (CTS) and/or a destination receive signal (DRS).
  • the response signal may provide for the UE 204 to indicate the availability of the sidelink channel, e.g., for a requested duration of time.
  • An exchange of request and response signals (e.g., handshake) may enable different UEs performing sidelink communications to negotiate the availability of the sidelink channel prior to communication of the sidelink traffic information 214.
  • the air interface in the radio access network 100 may utilize one or more duplexing algorithms.
  • Duplex refers to a point-to-point communication link where both endpoints may communicate with one another in both directions.
  • Full duplex means both endpoints may simultaneously communicate with one another.
  • Half duplex means only one endpoint may send information to the other at a time.
  • a full duplex channel generally relies on physical isolation of a transmitter and receiver, and suitable interference cancellation technologies.
  • Full duplex emulation is frequently implemented for wireless links by utilizing frequency division duplex (FDD) or time division duplex (TDD).
  • In FDD, transmissions in different directions operate at different carrier frequencies.
  • In TDD, transmissions in different directions on a given channel are separated from one another using time division multiplexing. That is, at some times the channel is dedicated for transmissions in one direction, while at other times the channel is dedicated for transmissions in the other direction, where the direction may change very rapidly, e.g., several
  • channel coding may be used. That is, wireless communication may generally utilize a suitable error correcting block code.
  • an information message or sequence is split up into code blocks (CBs), and an encoder (e.g., a CODEC) at the transmitting device then mathematically adds redundancy to the information message. Exploitation of this redundancy in the encoded information message may improve the reliability of the message, enabling correction for any bit errors that may occur due to the noise.
  • user data may be coded using quasi-cyclic low-density parity check (LDPC) with two different base graphs: one base graph is used for large code blocks and/or high code rates, while the other base graph is used otherwise.
  • Control information and the physical broadcast channel (PBCH) are coded using Polar coding, based on nested sequences. For these channels, puncturing, shortening, and repetition are used for rate matching.
  • BS 202 and UE 204 may include suitable hardware and capabilities (e.g., an encoder, a decoder, and/or a CODEC) to utilize one or more of these channel codes for wireless communication.
  • the air interface in the radio access network 100 may utilize one or more multiplexing and multiple access algorithms to enable simultaneous communication of the various devices.
  • 5G NR specifications provide multiple access for uplink (UL) or reverse link transmissions from UEs 122 and 124 to BS 110, and for multiplexing for downlink (DL) or forward link transmissions from BS 110 to one or more UEs 122 and 124, utilizing orthogonal frequency division multiplexing access (OFDM) with a cyclic prefix (CP) .
  • 5G NR specifications provide support for discrete Fourier transform-spread-OFDM (DFT-s-OFDM) with a CP (also referred to as single-carrier FDMA (SC-FDMA) ) .
  • multiplexing and multiple access are not limited to the above schemes and may be provided utilizing time division multiple access (TDMA) , code division multiple access (CDMA) , frequency division multiple access (FDMA) , sparse code multiple access (SCMA) , resource spread multiple access (RSMA) , or other suitable multiple access schemes.
  • multiplexing downlink (DL) or forward link transmissions from the BS 110 to UEs 122 and 124 may be provided utilizing time division multiplexing (TDM) , code division multiplexing (CDM) , frequency division multiplexing (FDM) , orthogonal frequency division multiplexing (OFDM) , sparse code multiplexing (SCM) , or other suitable multiplexing schemes.
  • FIG. 3 is a block diagram illustrating an example of a hardware implementation for a UE 300 employing a processing system 314.
  • the UE 300 may be representative of a UE as illustrated in any one or more of drawings herein.
  • UE 300 may be implemented with a processing system 314 that includes one or more processing units represented by processors 304.
  • processors 304 include microprocessors, microcontrollers, digital signal processors (DSPs) , field programmable gate arrays (FPGAs) , programmable logic devices (PLDs) , state machines, gated logic, discrete hardware circuits, and other suitable hardware configured to perform the various functionality described throughout this disclosure.
  • the UE 300 may be configured to perform any one or more of the functions described herein. That is, the processor 304, as utilized in the UE 300, may be used to implement any one or more of the processes and procedures described below and illustrated in FIG. 21.
  • the processing system 314 may be implemented with a bus architecture, represented generally by the bus 302.
  • the bus 302 may include any number of interconnecting buses and bridges depending on the specific application of the processing system 314 and the overall design constraints.
  • the bus 302 communicatively couples together various circuits including one or more processors (represented generally by the processor 304) , a memory 305, and computer-readable media (represented generally by the computer-readable medium 306) .
  • the bus 302 may also link various other circuits such as timing sources, peripherals, voltage regulators, and power management circuits, which are well known in the art, and therefore, will not be described any further.
  • a bus interface 308 provides an interface between the bus 302 and a transceiver 310.
  • the transceiver 310 provides a communication interface or means for communicating with various other apparatus over a transmission medium.
  • a user interface 312 (e.g., keypad, display, touch screen, speaker, microphone, joystick, camera, biometric interface, etc.) may also be provided.
  • the processor 304 may, at times, be configured to provide a fake cell detection function 340 that may be configured, at least in part, to implement all or part of the various techniques presented herein, for example, to possibly identify a candidate BS as an untrusted resource, and to act in some manner based on such an identification.
  • a candidate BS may be identified as an untrusted resource in response, at least in part, to a determination that one or more attempted procedures to operatively attach the UE to the candidate BS was not fully completed for some reason.
  • a malfunctioning or busy candidate BS may be identified as an untrusted resource following a failed attach procedure or the like.
  • a rogue or otherwise intentionally provisioned fake BS may be identified as an untrusted resource following a failed attach procedure or the like.
  • an indication that a candidate BS is an untrusted resource may eventually be communicated in some manner to another base station (e.g., a trusted resource) and possibly considered by that or other network resources in managing the network.
  • a list of candidate BSs e.g., “white-list, ” “black-list, ” “neighborhood list, ” or the like or some combination thereof, may be actively or periodically maintained, and such list (s) or portions thereof may be shared in some manner, e.g., with one or more UEs.
  • a list of candidate BSs 342 is illustrated within processor 304 to represent that all or part of such may be accessible or otherwise obtained by processor 304, e.g., possibly via a memory 305, possibly via a transceiver 310, and/or a computer-readable medium 306.
  • all or part of a list of candidate BSs 342 may be received by the UE from one or more other devices.
  • all or part of a list of candidate BSs 342 may be maintained, modified, generated, or otherwise affected by the UE, e.g., as part of fake cell detection function 340.
  • a list of candidate BSs 342 may be employed by a network resource to inform UEs about one or more untrusted cells that a UE should avoid or may be restricted from using, e.g., to camp-on, for handover, and/or possibly for signal measurements, or reselection, or redirection, etc.
  • a network resource may apply/adjust a penalty value or the like indicated in a list of candidates that may affect a UE’s behavior with regard to untrusted resources and/or possibly untrusted signaling frequencies, or the like.
  • a network resource may remove an untrusted resource from a list of candidate BSs identified as untrusted resources.
  • altering a trust-related status may comprise altering a penalty value or the like that may be indicated in a list of candidates.
  • processor 304 may include detection criteria 344 that may comprise information that may be considered by fake cell detection function 340 in determining whether to identify a candidate BS as an untrusted resource.
  • detection criteria 344 may comprise data and/or instructions, and may be obtained via memory 305, computer-readable medium 306, transceiver 310, a user interface 312, or the like or some combination thereof. In certain instances, all or part of detection criteria 344 may be obtained from one or more other devices. Detection criteria 344 may comprise one or more criterion for consideration.
  • a detection criterion may correspond to an event that may be detectable, at least in part, by fake cell detection function 340 as part of an attempted attachment procedure between the UE 304 and a candidate BS (not shown) .
  • a detection criterion may be indicative in some manner that a particular event may or may not be considered proper as part of an attempted and/or successful attachment procedure.
  • information conveyed in one or more wireless signals received from a candidate base station as part of one or more attempted procedures to operatively attach the UE to the candidate base station may inform decision logic of fake cell detection function 340, at least in part, whether or not the candidate base station may be operating as a trusted resource or an untrusted resource.
  • detection criteria 344 may be indicative of all or part of an expected (proper) call flow and/or protocol process that may be indicative of a trusted resource. Hence, detection criteria 344 may be used to detect a deviation or other anomalous behavior of a candidate BS by detection criteria 344. In certain instances, detection criteria 344 may determine that a candidate BS failed to perform one or more trust-related activities as part of at least one attempted procedure to operatively attach the UE to the candidate base station.
  • a candidate BS transmits the wrong information in a message, or fails to transmit a particular message or response therein, or transmits an unexpected message, or transmits a message without a security context activated (e.g., including cipher, integrity check, etc. ) , then the candidate BS may be identified as an untrusted resource.
  • the processor 304 may include detection information 346 corresponding to fake cell detection function 340, and possibly list of candidate base stations 342. All or part of detection information 346 may be stored in memory 305, computer-readable medium 306, or both, and accessed or otherwise obtained by processor 304. Detection information 344 may, for example, be indicative of a candidate BS identified as an untrusted resource by fake cell detection function 340. Hence, detection information 344 may comprise one or more (possibly unique) identifiers used by the untrusted resource; signal-related information for signals transmitted by the untrusted resource (e.g., RSRP, RSRQ, RSSI, EARFCN, frequency, etc.); position/location information corresponding to the untrusted resource and/or UE (e.g., TAC, LAC, TA, coordinates, PCID, sector ID, beam ID, etc.); timing-related information (detection time, timer or period of time information, etc.); previous BS connectivity information (e.g., relating to one or more other BSs identified as trusted resource(s)); other logged network access information (e.g., capabilities, make/model, etc.); specific UE related information (e.g., capabilities, make/model, etc.).
  • detection information 346 may comprise some information that may be used by the UE, at least in part, to possibly affect its behavior in some manner (e.g., avoid accessing an untrusted resource) , affect list of candidate BSs 342 (e.g., add an untrusted resource to a “blacklist” , add a trusted resource to a “whitelist” , etc. ) , transmit a report to one or more other devices (e.g., another BS that is identified as a trusted resource) based upon and/or comprising all or part of the detection information 346 regarding one or more untrusted resources (and/or possibly one or more trusted resources) , or the like or some combination thereof, just to name a few examples.
  • processor 304 may also be responsible, at least in part, for managing the bus 302 and general processing, including the execution of software stored on the computer-readable medium 306.
  • the software when executed by the processor 304, causes the processing system 314 to perform the various functions described below for any particular apparatus.
  • the computer-readable medium 306 and the memory 305 may also be used for storing data that is manipulated by the processor 304 when executing software.
  • One or more processors 304 in the processing system may execute software.
  • Software shall be construed broadly to mean instructions, instruction sets, code, code segments, program code, programs, subprograms, software modules, applications, software applications, software packages, routines, subroutines, objects, executables, threads of execution, procedures, functions, etc., whether referred to as software, firmware, middleware, microcode, hardware description language, or otherwise.
  • the software may reside on a computer-readable medium 306.
  • the computer-readable medium 306 may be a non-transitory computer-readable medium.
  • a non-transitory computer-readable medium includes, by way of example, a magnetic storage device (e.g., hard disk, floppy disk, magnetic strip) , an optical disk (e.g., a compact disc (CD) or a digital versatile disc (DVD) ) , a smart card, a flash memory device (e.g., a card, a stick, or a key drive) , a random access memory (RAM) , a read only memory (ROM) , a programmable ROM (PROM) , an erasable PROM (EPROM) , an electrically erasable PROM (EEPROM) , a register, a removable disk, and any other suitable medium for storing software and/or instructions that may be accessed and read by a computer.
  • the computer-readable medium 306 may reside in the processing system 314, external to the processing system 314, or distributed across multiple entities including the processing system 314.
  • the computer-readable medium 306 may be embodied in a computer program product.
  • a computer program product may include a computer-readable medium in packaging materials.
  • the computer-readable storage medium 306 may comprise detection capability 350 that may comprise instructions and/or data for use, at least in part, in configuring processor 340 to provide fake cell detection function 340, or access and/or affect list of candidate BSs 342, or access and/or affect detection criteria 344, to access and/or affect detection information 346, or access, affect and/or implement all or part of BS selection function 348.
  • UE 300 may comprise additional components that may be of use in some other context of the UE.
  • UE 300 may comprise a position location capability, such as, may be provided by a global navigation satellite system (GNSS) receiver (not shown) or the like.
  • a GNSS or other like capability may, in certain implementations, provide UE-related location information that may be useful to UE 300 (e.g., to processor 304, processing system 314, etc. ) to affect fake cell detection function 340, or list of candidate BSs 342, or detection criteria 344, or detection information 346, or BS selection function 348, or some combination thereof.
  • FIG. 4 is a conceptual diagram illustrating an example of at least a partial hardware implementation for an exemplary BS 400 employing a processing system 414.
  • a processing system 414 that includes one or more processors 404 (e.g., one or more processing units) .
  • the BS 400 may be a BS or candidate BS as illustrated in any of the other drawings presented by way of example herein.
  • the processing system 414 while appearing similar to processing system 314 illustrated in FIG. 3, e.g., by including a bus interface 408, a bus 402, memory 405, a processor 404, and a computer-readable medium 406, will actually be significantly different in certain implementations. This of course is well known. However, as mentioned there may be implementations wherein some UE may be configured to act as a BS in some fashion, and hence processing system 414 may be more similar to processing system 314. Furthermore, as shown in this example, BS 400 may include a user interface 412, or a transceiver 410. That is, the processor 404, as utilized in the BS 400, may be used to implement or support all or part of one or more of the techniques presented herein.
  • the processor 404 may include a circuit 440 configured for various functions.
  • the circuit 440 may be configured to implement one or more of the techniques described herein.
  • FIG. 5 illustrates an example network configuration 500 showing a man-in-the-middle attack. As shown in FIG.
  • a UE 502 may be communicating with one or more of the authentic BSs 504, 506, and 508 of a mobile communication network (e.g., LTE) .
  • a fake BS 510 may be deployed by an attacker to control the UE 500 and/or the authentic BS 506.
  • FIG. 6 illustrates an example network configuration 600 showing a UE under attack by a fake BS.
  • a UE 602 may be communicating with an authentic BS 604 of a mobile communication network (e.g., LTE, NR) .
  • a fake BS 606 may be deployed by an attacker and may cause the UE 602 to establish a connection with the fake BS 606.
  • the fake BS 606 may then trick the UE 602 into providing identity information (e.g., an International Mobile Subscriber Identity (IMSI) ) and/or may limit the UE 602 to particular radio access network (e.g., a downgraded radio access network, such as a 2G network) . In some cases, the fake BS 606 may prevent the UE 602 from connecting to a mobile communication network (e.g., a denial of service (DOS) attack) .
  • the fourth-generation (4G) cellular network, although significantly improved in its security over previous generations, still has the vulnerability that a user equipment (UE) cannot actively validate the network under certain scenarios. For example, when a UE updates its presence upon entering a new tracking area (TA) and receives a network response indicating an anomaly, the UE is not able to authenticate its counterpart. Another example is that there appears to be no existing UE mechanism to determine the reliability of system configuration for mobility towards previous generations (albeit not essential for acquiring 4G services).
  • One potential detrimental effect from accessing an untrusted resource may be a UE's loss of 4G service (downgrade attack), and the subsequent UE exposure to rogue 2G BSs that may operate without security and may attempt to gain illicit control or otherwise affect the UE in some way.
  • One way for a fake BS to accomplish such may be by a denial-of-service (DoS) attack at the non-access-stratum (NAS), which may lead the UE to change from a 4G mode to a 2G mode; another way is through an extremely biased 4G-to-2G reselection configuration in system broadcast information.
  • Some example NAS DoS attacks may include a fake BS failing to respond to a NAS tracking area update (TAU) request (e.g., possibly no lower-layer connection setup or a bare connection setup without any NAS signaling) from the UE.
  • Some example NAS DoS attacks may include a fake BS sending an identity request in response to NAS TAU followed by a rejection (or possibly lower-layer redirect) .
  • an example UE may be configured per 4G standards to remove a 4G mode from its radio access technology (RAT) list or the like after a certain number (e.g., 5) of failed TAUs in a row, and/or possibly to down-grade and redirect to a 2G mode.
  • a UE may be configured to detect a fake BS, and identify the fake BS as an untrusted resource, perhaps for at least a period of time.
  • Information corresponding to (e.g., identifying) an untrusted resource may subsequently be reported to a network entity via one or more subsequently accessed trusted resources.
  • information corresponding to an untrusted resource may be shared via an RRC/NAS message.
  • an RRC/NAS message may report a candidate cell identified as an untrusted resource to a trusted resource via one or more messages with a security context properly activated.
  • a list of candidate BSs may be affected in some manner to indicate to a BS that an untrusted resource may exist and is preferably avoided (possibly just for some determined period of time) by UEs.
  • a list of candidate BSs may comprise a “whitelist” section corresponding to candidate BSs, and/or trusted resources.
  • a list of candidate BSs may comprise a “blacklist” section corresponding to untrusted resources.
  • an untrusted resource may be included in such a blacklist.
  • a list of candidate BSs may comprise a combination of candidate BSs some of which may have been identified as (known) trusted resources, or (known) untrusted resources, or candidate BSs that presently lack such a trust indication.
  • a network entity may consider a plurality of reports from one or more UEs, a period of time relating to the detection/indication of an untrusted or trusted resource, known network configurations, and/or the like or some combination thereof.
  • FIG. 7 illustrates an example attach procedure for a UE 702 in a communication network that includes at least a BS 704 and an MME 706.
  • the UE 702 may power on 708, and may perform a cell search operation 710 and a random-access procedure 712.
  • the UE 702 and the MME 706 may enter an EMM deregistered state and an ECM idle state 714, 716.
  • the UE 702 and the BS 704 may enter an RRC idle mode 718, 720.
  • the UE 702 may perform network selection 722 and initial cell selection 724, followed by a connection based random access 725 and an RRC connection setup 726.
  • the UE 702 and the BS 704 may enter an RRC connected mode 728, 730.
  • the UE 702, BS 704, and MME 706 may perform an attach procedure 732.
  • an attach procedure may be specified by a standard corresponding to the network arrangement and RAT as supported by the UE and BS, e.g., 4G/LTE, 5G NR, 2G, 3G, GSM, UMTS, etc.
  • the UE 702 and the MME 706 may enter an EMM registered state and an ECM connected state 734, 736.
  • deregistering e.g., indicated with arrow 742 in FIG. 7
  • ECM connected state 734 leading the UE 702 to enter the EMM deregistered state and ECM idle state 714.
  • an idle timer of the UE 702 expires (e.g., indicated with arrow 740 in FIG. 7) while in the RRC Connected State 728, the UE 702 may enter RRC idle state 718.
  • the UE 702 may then perform an idle mode cell reselection operation (e.g., at least performing operation 724) .
  • FIG. 8 is a flow diagram illustrating an example process 800 that may be implemented, at least in part, in a UE, in accordance with certain aspects of the present description.
  • the UE may exchange one or more wireless signals with a candidate BS, e.g., as part of at least one attempted procedure to operatively attach the UE to the candidate BS.
  • block 802 may correspond, at least in part, to attach procedure 732 (see FIG. 7) , and/or an attach procedure as initiated at block 1102 (see FIG. 11) .
  • the UE may determine that the at least one attempted procedure to operatively attach the UE to the candidate BS was not fully completed.
  • an attach procedure e.g., defined by a protocol
  • the attach procedure may comprise certain message/data exchanges between the UE and the candidate BS.
  • it may be determined that the attach procedure was not fully completed based, at least in part, on the signaling at block 802.
  • certain types of anomalies and/or deviations from such expected signaling and procedures may, at times, support a determination by the UE that the procedure was not fully completed (e.g., as might be expected when dealing with a trusted resource) . For example, if a particular response is expected from the candidate BS and a different response is received, a UE may determine that the attach procedure has not fully completed. In another example, if a particular response is expected from the candidate BS and no response is timely received, a UE may determine that the attach procedure has not fully completed.
  • the UE may identify the candidate base station as an untrusted resource, at least in part, in response to the determination that at least one attempted procedure to operatively attach the UE to the candidate base station was not fully completed.
  • blocks 802 and 804 may be performed one or more times before process 800 continues to block 806.
  • a decision at block 806 may consider the results of one or more determinations made at block 804 in determining that at least one attempted procedure to operatively attach the UE to the candidate BS was not fully completed. To the contrary, had an attempted procedure to operatively attach the UE to the candidate BS been fully completed at block 802, then process 800 may end.
  • the UE may affect its operation in some manner. For example, a UE may gather detection information corresponding to the candidate base station, such as, for example, BS device-related identification information or lack thereof, BS service-related information, BS transmission/signal-related information or lack thereof, BS security-related information or lack thereof, BS standards-related information, location-related information, time-related information, and/or the like or some combination.
  • the UE in response to identifying that a candidate BS is an untrusted resource, the UE may inform/affect one or more other functions, capabilities, etc. In certain instances, the UE may provide some form of indication to a user of the UE, e.g., via display, sound, haptic mechanism, etc.
  • the UE may, e.g., subsequent to block 806, operatively attach to at least one other base station that is not identified as an untrusted resource.
  • the UE may transmit information corresponding to at least the untrusted resource to the base station, e.g., via one or more wireless signals/messages.
  • information transmitted to the base station at block 810 may comprise or otherwise correspond to all or part of detection information gathered as part of process 800.
  • FIG. 9 is a flow diagram illustrating an example process 900 that may be implemented, at least in part, in a UE, in accordance with certain aspects of the present description.
  • Process 900 includes some further example activities that may be provided, at least in part, by one or more of the blocks in process 800. More specifically, in this example, some additional/optional activities are illustrated with regard to blocks 804 and 806 from process 800.
  • example block 804 may further comprise example block 902.
  • a UE may determine that the candidate base station failed to perform one or more trust-related activities as part of at least one attempted procedure to operatively attach the UE to the candidate base station.
  • a trust-related activity may, for example, comprise one or more security contexts/processes, one or more authentication processes, or one or more encryption processes, and/or the like or some combination thereof.
  • An attach procedure may comprise one or more trust-related activities.
  • a UE may determine that a message transmitted by the candidate BS was received without a security context activated, or without including a cipher, or without including an integrity check, or some combination thereof.
  • a decision at block 902 may be based, at least in part, on the determination of block 904.
  • an attempted procedure to operatively attach the UE to the candidate BS at block 802 may be determined at block 804 as having not been fully completed based, at least in part, on the activities at block 904.
  • a UE may receive an attachment rejection message or the like from a candidate BS.
  • the actual reception may occur at block 802.
  • a decision at block 902 may be based, at least in part, on the determination of block 906.
  • an attempted procedure to operatively attach the UE to the candidate BS at block 802 may be determined at block 804 as having not been fully completed based, at least in part, on the attachment rejection message or the like per block 906.
  • Example block 806 is further illustrated in FIG. 9 as potentially including one or more of (optional) blocks 908, 910 or 912.
  • identifying the candidate BS as an untrusted resource at block 806 may further include a decision at block 908 to identify a corresponding period of time during which the candidate BS is to be identified as an untrusted resource.
  • a timer, time-stamp, etc. may be provided to indicate a lifespan or other measure to correspond to the identification of being an untrusted resource.
  • Such information may be included, at least in part, in corresponding gathered/generated detection information. The span of such a period of time may vary by network, device, situation, environment, security concerns, location, etc.
  • a period of time may extend from several seconds, to minutes, to hours, days, etc. In certain instances, a period of time may increase or decrease based on how often a particular candidate BS is identified as being an untrusted resource. In certain instances, the UE may determine a period of time dynamically or apply a more static value. In certain instances, the UE may receive a period of time or other like information from one or more other devices. For example, in certain implementations, a period of time corresponding to an untrusted resource may be indicated via a list of candidate base stations or the like, which may be received from time to time by the UE from one or more network resources (e.g., a trusted BS) .
  • a list of candidate base stations may comprise a blacklist identifying that one or more base stations may comprise untrusted resources.
  • a blacklist may, for example, identify an untrusted resource in some manner (e.g., via an ID, etc. ) possibly along with some indication of an applicable period of time for such resource to be considered untrusted.
  • a list of candidate base stations may comprise a whitelist, which may, for example, identify a trusted resource in some manner (e.g., via an ID, etc. ) possibly along with some indication of an applicable period of time for such resource to be considered trusted.
  • a list of candidate base stations may comprise a list of candidate base stations that the UE may consider for processes 800 and/or 900, wherein a given BS may be identified by the UE as an untrusted resource or perhaps as a trusted resource (again, possibly for some period of time) .
  • a UE may maintain, generate, alter, or otherwise affect a list of candidate base stations stored at the UE. All or part of a list of candidate base stations may be received by the UE from one or more other devices, in certain implementations. All or part of a list of candidate base stations may be based, at least in part, on information provided by the UE as part of processes 800 and/or 900 (e.g., at block 810).
  • a UE may (continue) to operate the UE in a first mode of wireless signal transmission and reception rather than switching to a second mode of wireless signal transmission and reception upon identifying the candidate base station as an untrusted resource.
  • a UE may determine (e.g., at blocks 804, 902, 904, 906) that a given candidate BS has not been able to fully complete an attach procedure, and at block 806 the given candidate BS may be identified as an untrusted resource.
  • some of the responses or lack thereof (at block 802) from the given candidate BS during an attach procedure may indicate the UE should attempt to switch from a first mode to a second mode of wireless signal transmission and reception and to re-attempt to attach to the given candidate BS.
  • a UE having been unable to fully complete an attach procedure in a first mode (e.g., a 4G mode) may switch to a second mode (e.g., 2G).
  • Such a switch (e.g., from a more secure mode (4G, 5G) to a less secure mode (2G) ) may be just the response intended by a person or entity via a rogue or fake BS.
  • Example block 910 may prevent such a fallback or other like process from occurring at times.
  • a UE may consider/apply at least one criterion.
  • detection criteria may correspond to one or more results that may come from trust-related activities associated with blocks 804, 902, 904, and 906, just to name a few examples.
  • detection criteria may correspond to an expected response from a trusted resource, or conversely an expected response from an untrusted resource, or some combination thereof.
  • all or part of the detection criteria may be stored by the UE, possibly generated, maintained, or otherwise affected by the UE.
  • all or part of the detection criteria may be received by the UE from another device.
  • one or more threshold values may be provided as detection criteria.
  • design criteria may specify how many times or how often/when, etc., a UE may attempt to fully complete an attach procedure before possibly identifying a candidate BS as an untrusted resource.
  • criterion may be included in detection criteria for use at one or more of the example blocks in methods 800 and/or 900.
  • FIG. 10 is a flow diagram illustrating an example process 1000 that may be implemented, at least in part, in one or more network resources, in accordance with certain aspects of the present description.
  • process 1000 may be implemented at a base station, or other like network device, or a cloud computing resource, etc.
  • information corresponding to a candidate base station that the UE has identified as an untrusted resource may be received.
  • the information may be based, at least in part, in response to a determination that at least one attempted procedure to operatively attach the UE to the candidate base station was not fully completed.
  • such information may result from all or part of processes 800 and/or 900, or other like techniques provided herein.
  • a list of candidate base stations may be maintained in some manner, based, at least in part, on the received information.
  • the received information may indicate that a UE identified a particular candidate BS as an untrusted resource and at block 1004 a list of candidate base stations may be affected in some manner based on such information.
  • a list of candidate base stations may comprise a blacklist or the like which may be affected at block 1004 in some manner based on the received information (e.g., possibly added to the blacklist or the like).
  • received information from two or more UEs may be considered before affecting a list of candidate base stations.
  • a particular candidate BS may not be included in a blacklist or the like until reported as an untrusted resource by some threshold number of UEs, or some threshold number of reports, possibly corresponding to some window of time, etc.
  • At example block 1006 at least a portion of the list of candidate base stations may be transmitted, e.g., to one or more UEs, or other network devices.
  • a transmission in accord with block 1006 may occur from time to time, e.g., per some schedule, or in response to a request, or as needed (e.g., when an update is ready), or at some other point(s) in time, just to name a few examples.
  • FIG. 11 is a flow diagram illustrating an example call-flow process 1100 in accordance with some aspects of the present disclosure.
  • Call-flow process 1100 illustrates certain process blocks and signaling/messaging relating to a UE and a candidate BS (which is assumed for this example to represent a rogue or fake BS), and also the UE and a trusted resource. It should be understood, however, that an actual call-flow applying at least a portion of the techniques provided herein may include additional signaling/messaging not shown in this brief example.
  • Call-flow process 1100 is further intended to illustrate certain aspects of all or part of one or more of the example processes 800, 900, and/or 1000.
  • blocks 1102, 1110 and 1112 from call-flow process 1100 may relate to blocks 802, 804, 806, 902, 904, 906, 908, 910, and/or 912 in some manner.
  • a UE may initiate at least one attach procedure with the candidate BS, e.g., beginning at block 1102.
  • the attach procedure in this example may end at block 1110 without being fully completed as per certain aspects of the present description.
  • the UE may transmit one or more attach request messages or the like to the candidate BS, as represented by a request message 1104.
  • request message 1104 may relate to a TAU request, a LAU request, a RAU request, and/or the like or some combination thereof.
  • the candidate BS may transmit a response message 1106, wherein message 1106 may be transmitted without an expected security context activated.
  • the candidate BS may have intentionally or unintentionally failed to perform one or more trust-related activities as expected in response to request message 1104.
  • response message 1106 may lack an expected cipher, integrity check, etc., associated with a security context.
  • reject message 1108 may be transmitted by the candidate BS without an expected security context activated. Again, for example, reject message 1108 may lack an expected cipher or integrity check, etc., associated with a security context.
  • the UE may end the attach procedure without completion, e.g., based, at least in part, on response message 1106, rejection message 1108, and/or the like.
  • the UE may gather or otherwise provide information (e.g., detection information or the like), which may relate to the attempted attach procedure, the UE, the candidate BS, one or more responses or other signaling/message exchanges, etc.
  • the UE may fully complete an attach procedure with another BS or the like, represented here by the trusted resource.
  • the UE may transmit one or more messages to the trusted resource, as represented by report message 1122.
  • report message 1122 may comprise all or part of one or more messages which may convey information associated with the attach procedure that ended at block 1110.
  • report message 1122 may comprise all or part of the detection information as gathered at block 1112.
  • report message 1122 may indicate that the candidate BS has been identified by the UE as an untrusted resource.
  • the trusted resource may, at times, provide all or part of a list of candidate BSs to the UE.
  • information provided via one or more report messages 1122 may be used to affect all or part of such a list of candidate BSs.
  • the trusted resource or other network resources may be configured to compare report message information with known network configuration(s) to update or otherwise maintain a list of candidate BSs that may be useful to UE network access.
  • Some of the techniques presented herein may be implemented in a UE to possibly detect, identify, and report a fake BS.
  • the information provided in a report to the network by the UE may lead to further analysis of the BS and/or dissemination of such knowledge to other UEs.
  • the information provided to the network may, for example, comprise or correspond to a RAT, a cell ID, an ARFCN, a PCID, AC/LAC GPS info, information regarding a previous camped-on cell, a time elapsed, a period of time, a time stamp, and/or the like or some combination thereof, just to name a few examples.
  • a network may use the information reported by one or more UEs regarding one or more BSs identified by the UE(s) as untrusted resources to inform UEs about the network.
  • an untrusted resource may be added to or otherwise included in a blacklist or the like in the network’s system information, which may inform a UE to avoid such untrusted resources (e.g., don’t select such BS for attachment), at least for a period of time (specified or inherent).
  • a network may remove an untrusted resource from a blacklist through a system information change in idle, or blackCellsToRemoveList or other like in a measurement object in a connected state, or reconfigure a blacklist in a connected state, just to name a few examples.
  • CPUs central processing units
  • GPUs graphic processing units
  • DSPs digital signal processors
  • ASICs application specific integrated circuits
  • FPGAs field programmable gate arrays
  • sequences of actions described herein can be considered to be embodied entirely within any form of computer readable storage medium having stored therein a corresponding set of computer instructions that upon execution would cause an associated processor to perform the functionality described herein.
  • the various aspects of the disclosure may be embodied in a number of different forms, all of which have been contemplated to be within the scope of the claimed subject matter.
  • the corresponding form of any such aspects may be described herein as, for example, “logic configured to” perform the described action.
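
As an added illustration of process 1000 (it is not code from the patent or from Qualcomm), the sketch below blacklists a candidate BS only after a threshold number of distinct UEs report it within a time window, and lets the entry lapse after a period of time. The class and function names, the `ue_id` field, the threshold, window and lifetime values, and the sample reports are all assumptions; reports are assumed to arrive in timestamp order.

```python
from collections import defaultdict, deque

class CandidateListMaintainer:
    """Network-side sketch of process 1000: receive, maintain, transmit."""

    def __init__(self, min_ues=3, window_s=600, ttl_s=3600):
        self.min_ues = min_ues      # distinct reporting UEs required (assumed value)
        self.window_s = window_s    # sliding report window in seconds (assumed value)
        self.ttl_s = ttl_s          # lifetime of a blacklist entry (assumed value)
        self._reports = defaultdict(deque)  # cell key -> (timestamp, ue_id), oldest first
        self._expiry = {}                   # cell key -> time the entry lapses

    @staticmethod
    def cell_key(report):
        # Identify the candidate BS by radio parameters the description lists.
        return (report["rat"], report["arfcn"], report["pcid"], report["cell_id"])

    def receive_report(self, report):
        """Record one UE report, then say whether the cell is now blacklisted."""
        key, now = self.cell_key(report), report["timestamp"]
        queue = self._reports[key]
        queue.append((now, report["ue_id"]))
        while queue[0][0] < now - self.window_s:   # drop reports outside the window
            queue.popleft()
        # Count distinct UEs so a single repeating UE cannot blacklist a cell alone.
        if len({ue for _, ue in queue}) >= self.min_ues:
            self._expiry[key] = now + self.ttl_s
        return self.is_blacklisted(key, now)

    def is_blacklisted(self, key, now):
        return now < self._expiry.get(key, float("-inf"))

    def export_blacklist(self, now):
        """Block 1006: the portion of the list to transmit to UEs."""
        return sorted(k for k in self._expiry if self.is_blacklisted(k, now))

def make_report(ue_id, timestamp):
    # Constructed sample report for one suspicious cell; every value is made up.
    return {"ue_id": ue_id, "timestamp": timestamp, "rat": "LTE",
            "arfcn": 1850, "pcid": 301, "cell_id": 0x1A2B03}

SAMPLE_REPORTS = [make_report("ue-a", 0), make_report("ue-a", 10),
                  make_report("ue-b", 50), make_report("ue-c", 700),
                  make_report("ue-d", 800), make_report("ue-e", 900)]

def replay(reports, **kwargs):
    """Feed reports in order; return the maintainer and the per-report verdicts."""
    maintainer = CandidateListMaintainer(**kwargs)
    return maintainer, [maintainer.receive_report(r) for r in reports]

if __name__ == "__main__":
    m, verdicts = replay(SAMPLE_REPORTS)
    print(verdicts, m.export_blacklist(now=1000))
```

The first three reports come from only two UEs and age out of the window before the later ones arrive, so the cell is listed only once three different UEs report it within the same window.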

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The present invention relates to various techniques that may be implemented as methods, apparatuses and/or articles of manufacture. In one example, a user equipment (UE) may be configured to exchange one or more wireless signals with a candidate base station as part of at least one attempted procedure to operatively attach the UE to the candidate base station, determine that the attempted procedure to operatively attach the UE to the candidate base station was not fully completed, and identify the candidate base station as an untrusted resource, at least in part, in response to the determination that the attempted procedure was not fully completed. The UE may subsequently operatively attach to another base station, for example, one that is not identified as an untrusted resource, and transmit information corresponding to at least the untrusted resource to the base station.
PCT/CN2018/102305 2018-08-24 2018-08-24 Techniques for use in identifying a base station as an untrusted resource Ceased WO2020037665A1 (fr)

Priority Applications (1)

Application Number Priority Date Filing Date Title
PCT/CN2018/102305 WO2020037665A1 (fr) 2018-08-24 2018-08-24 Techniques for use in identifying a base station as an untrusted resource

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/CN2018/102305 WO2020037665A1 (fr) 2018-08-24 2018-08-24 Techniques for use in identifying a base station as an untrusted resource

Publications (1)

Publication Number Publication Date
WO2020037665A1 true WO2020037665A1 (fr) 2020-02-27

Family

ID=69592121

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2018/102305 Ceased WO2020037665A1 (fr) 2018-08-24 2018-08-24 Techniques for use in identifying a base station as an untrusted resource

Country Status (1)

Country Link
WO (1) WO2020037665A1 (fr)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2021096410A1 (fr) * 2019-11-11 2021-05-20 Telefonaktiebolaget Lm Ericsson (Publ) Methods for trust information in communication network and related communication equipment and communication device
CN114286344A (zh) * 2021-12-14 2022-04-05 China United Network Communications Group Co., Ltd. Pseudo base station determination method, apparatus, server and storage medium
WO2025210200A1 (fr) * 2024-04-05 2025-10-09 Koninklijke Philips N.V. Mitigation of downgrade attacks to a decommissioned network in a wireless system

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106572450A (zh) * 2016-11-03 2017-04-19 Huawei Technologies Co., Ltd. Pseudo base station identification method and apparatus
US20170215132A1 (en) * 2016-01-27 2017-07-27 Mediatek Singapore Pte. Ltd. Avoiding reselection of a fake cell in a wireless communication network
CN107683617A (zh) * 2015-06-26 2018-02-09 Huawei Technologies Co., Ltd. System and method for pseudo base station detection
US20180109552A1 (en) * 2016-10-14 2018-04-19 Qualcomm Incorporated Techniques for mitigating non-cross domain code execution vulnerabilities in cellular baseband

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2021096410A1 (fr) * 2019-11-11 2021-05-20 Telefonaktiebolaget Lm Ericsson (Publ) Methods for trust information in communication network and related communication equipment and communication device
US12225377B2 (en) 2019-11-11 2025-02-11 Telefonaktiebolaget Lm Ericsson (Publ) Methods for trust information in communication network and related communication equipment and communication device
CN114286344A (zh) * 2021-12-14 2022-04-05 China United Network Communications Group Co., Ltd. Pseudo base station determination method, apparatus, server and storage medium
CN114286344B (zh) * 2021-12-14 2023-07-28 China United Network Communications Group Co., Ltd. Pseudo base station determination method, apparatus, server and storage medium
WO2025210200A1 (fr) * 2024-04-05 2025-10-09 Koninklijke Philips N.V. Mitigation of downgrade attacks to a decommissioned network in a wireless system

Similar Documents

Publication Publication Date Title
US12108486B2 (en) System and method that facilitate steering of roaming
US11070981B2 (en) Information protection to detect fake base stations
US11632676B2 (en) Service-based access stratum (AS) security configuration
CN115280817B (zh) Method and apparatus for secure communication of broadcast information related to cell access
US20190132740A1 (en) Enhanced cloud information system with prefetching and caching decisions to facilitate detection of false network access nodes
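TWI887278B (zh) System information protection at a network function in a core network
CN113728670B (zh) Detection of system information modification using an access stratum security mode command
CA3218766A1 (fr) Cell switching
CN109429231B (zh) Cellular security framework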
US12010508B2 (en) Peer-to-peer link security setup for relay connection to mobile network
KR20190032470A (ko) Mobility for radio devices using beamforming and selection
WO2020256617A1 (fr) Methods, UE and access node for handling system information signatures
KR20190125487A (ko) Network node for use in a communication network, communication device and methods of operating the same
US11910480B2 (en) Systems and methods for null-scheme access authorization
CN121058311A (zh) Time alignment for layer 1/layer 2 triggered mobility
CN118715857A (zh) Multi-subscriber identity module gap configuration in a base station distributed unit
WO2020037665A1 (fr) Techniques for use in identifying a base station as an untrusted resource
Lutz et al. Bridging the security gap: Lessons from 5G and what 6G should do better
KR20240133970A (ko) Cell access for hiding network presence and operation
US20230007642A1 (en) Method and apparatus for communication systems involving incorporating user equipment identifiers into control channel transmissions
WO2022036668A1 (fr) Network slicing mobility enhancement
WO2022061809A1 (fr) Multiple subscriber identification module security management
WO2022000252A1 (fr) Apparatus and methods for handover from a long term evolution network to a fifth generation new radio network for dual subscriber identification module

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 18931188

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 18931188

Country of ref document: EP

Kind code of ref document: A1