Abstract: According to an example aspect of the present invention, there is provided an apparatus comprising means for determining a data privacy filter of a user equipment, wherein the data privacy filter is configured to be used in a visited network by the user equipment to determine whether a request, from a network function in the visited network, to collect data from the user equipment is acceptable and whether the user equipment should transmit said data to the network function and means for transmitting, to the user equipment located in the visited network, the data privacy filter of the user equipment.

Abstract: According to an aspect, there is provided an apparatus comprising means for receiving, from a server, an authorisation request for a federated learning operation, the authorisation request identifying a plurality of user equipments, and means for determining, using subscription data associated with each of the plurality of user equipments, whether each of the plurality of user equipments are authorised to be used by the server for the federated learning operation. The apparatus also comprising means for, in response to determining that at least two of the plurality of user equipments are authorised, providing a message to each of the at least two of the plurality of user equipments that are authorised, each message comprising an encryption key associated with the federated learning operation.

Abstract: Various embodiments relate to network repository function apparatus configured to implement an authorization mechanism for a federated learning (FL) training process, including: at least one processor; and at least one memory storing instructions, that when executed by the at least one processor, cause the apparatus at least to: receive from a network data analytics function (NWDAF) NWDAF FL profile data including a FL process role parameter; receive an access token from the FL server for the NWDAF that is the potential FL client; determine if the FL access token request is authorized for the NWDAF based upon the FL profile data; and send an access token for the NWDAF to the FL server when access token request for the NWDAF is authorized.

Abstract: Example embodiments of the present disclosure relate to abnormal model behavior detection. A first apparatus obtains a machine learning model and expected behavior information of the machine learning model. The first apparatus monitors behavior information of the machine learning model during execution of the machine learning model; and determines occurrence of an abnormal behavior of the machine learning model during the execution by comparing the monitored behavior information with the expected behavior information.

Abstract: There are provided measures for improved robustness of artificial intelligence or machine learning capabilities against compromised input. Such measures exemplarily comprise receiving, from a first machine learning model training data collection entity, first machine learning model training input data, analyzing said first machine learning model training input data for malicious input detection, deducing, based on a result of said analyzing, whether said first machine learning model training data collection entity is suspected to be compromised, and transmitting, if said first machine learning model training data collection entity is suspected to be compromised, information to a core network entity indicative of that said first machine learning model training data collection entity is suspected to be compromised.

Abstract: Example embodiments of the present disclosure relate to access token revocation in security management. In an example method, in response to providing, to a second device, an access token for the second device to access a NF service from a third device, a first device stores a mapping indicating an association among the access token, the second device and the third device. In response to determining that the second device is abnormal, the first device sends, to at least one target device based on the mapping, an indication of revoking the access token. In this way, at least one target device associated with revoked access token can be informed and potential damage caused by the abnormal NF can be eliminated.

Abstract: Embodiments of the present disclosure relate to terminal device authorization for requesting analytics. A terminal device transmits a subscription for an analytics with an analytics identity to a Unified Data Management (UDM), receives a subscribed analytics identity from the UDM, according to the subscription for the analytics, transmits a request comprising the analytics identity to a Session Management Function (SMF) or an Application Function (AF), and receives analytics result data from the SMF or the AF, according to the the analytics identity after authorization of the request. The terminal device authorization for requesting analytics as provided in the present disclosure is more secure.

Abstract: Embodiments of the present disclosure relate to methods, apparatuses and computer readable storage media for inter-network communication. A first edge protection proxy in a first network receives a request for an access token from a network repository function in the first network. The access token is to be used by a first network function in the first network to request a service from a second network function in a second network. The first edge protection proxy validates the request based on configurations allowed to access services provided by networks different from the first network. If the validation of the request is successful, the first edge protection proxy transmits the request to a second edge protection proxy in the second network. The transmitted request comprises verified information concerning the first network function.

Abstract: Example embodiments of the present disclosure relate to dynamic authorization. According to embodiments of the present disclosure, a solution for dynamic access control to data is proposed. On receiving data registration from a data source, a first device checks the data types to be produced by the data source and adds policies for the data or updates existing policies for the data according to its property. It also serves as access control decision point to determine consumers' access rights based on centrally managed policies. Authorization for data access is granted/denied according to local attributes/policies. In this way, it achieves a dynamic, context-aware and risk-intelligent access control to different kind of data from various data sources (i.e., service producers).

Abstract: There is provided a method, computer program, and an apparatus for a network function service consumer, that causes the apparatus to perform: retrieving, from a first repository function, protected sensitive data; retrieving, from a second network function, at least one encrypted key; decrypting the retrieved at least one encrypted key using a private key associated with the network function service consumer to obtain a respective at least one key; and performing at least one of: decryption of the protected sensitive data using the at least one key to obtain sensitive data or integrity protected sensitive data; or verification of the integrity of the protected sensitive data using the at least one key.

Abstract: Methods, systems, apparatuses, and computer program products are provided for authorized machine learning model retrieval for a communications network. In this regard, an access token request for one or more machine learning models related to a communications network is received from a network function service consumer (NFc). The access token request includes information to identify the one or more machine learning models. The NFc is then authorized with respect to the one or more machine learning models based on the information included in the access token request. Additionally, enhanced an access token for retrieving the one or more machine learning models is provided to the NFc based on valid authorization of the NFc with respect to the one or more machine learning models.

Abstract: According to an example aspect of the present invention, there is provided an apparatus configured to obtain reliability values for each user equipment in a group of user equipments, obtain, for each user equipment in the group, a reliability value for a training data set stored in the user equipment, each user equipment storing a distinct training data set, and direct a subset of the group of user equipments to separately perform a machine learning training process in the user equipments in the subset, wherein the apparatus is configured to select the subset based on the reliability values for the user equipments and the reliability values for the training data sets.

Abstract: Example embodiments of the present disclosure relate to devices, methods and computer readable storage media for service provisioning to facilitate analysis of a service from a network function (NF). In example embodiments, one or more logs are received from at least one of a first NF, a network repository function (NRF) and a service communication proxy (SCP). The one or more logs are associated with a service from a second NF. Further, analysis of provision of the service from the second NF is facilitated based on the one or more logs.

Abstract: According to an example aspect of the present invention, there is provided a method comprising, transmitting to a Network Function, NF, service producer, by a Service Communication Proxy, SCP, a service request on behalf of an NF service consumer, wherein the service request comprises an access token, receiving, by the SCP, a service response from the NF service producer and upon receiving the service response, transmitting to the NF service consumer, by the SCP, information related to the access token.

Abstract: According to an example aspect of the present invention, there is provided an apparatus configured to process a request for an access token authorizing access for a network function consumer to a service provided by a network function producer, the request being received in the apparatus from a service communication proxy, wherein the processing comprises one or more of the following verification: verification that a credential data element comprised in the request, cryptographically signed by the network function consumer, identifies the request, the service or a type of the service, and verification with reference to a further node, or to a profile of the network function consumer, that the service communication proxy is authorized to act on behalf of the network function consumer, and transmit, responsive to at least one of the verifications being successful, the requested access token, the access token comprising an indication of the service communication proxy.

Abstract: According to an example aspect of the present invention, there is provided a method comprising, determining, by an apparatus configured to operate as a network function a cellular communication system, at least two disjoint network paths, wherein the at least two disjoint network paths are different paths, and comprise different physical resources, transmitting, by the apparatus, a subscription request to an analytics function of the cellular communication system, to request notifications about attacks or risks of attacks on at least one network function on at least one of the at least two disjoint network paths, receiving from the analytics function, by the apparatus, information about at least one compromised network entity and/or at least one network entity having a risk of being compromised on said at least one of the at least two disjoint network paths and performing, by the apparatus, attack mitigation based on said information.

Abstract: There is provided an apparatus, method and computer program for a proxy function that causes the apparatus to: receive, from a network repository function, profile information relating to a network function service producer: determine from the profile information whether the network function service producer is able to use an access token for subscribing to a service that indicates a plurality of entities; select a mechanism for requesting an access token for subscribing to a service in dependence on the determination; and request, from the network repository function, a first access token for subscribing to a service on behalf of a first network function service consumer based on the selected mechanism.

Abstract: Techniques for detection of abnormal network function service usage in a communication network are disclosed. For example, a method comprises obtaining, at a first network entity, one or more service requests previously received by a second network entity for a service which the second network entity is configured to provide in a communication network. The method further comprises obtaining, at the first network entity, an analysis of the one or more service requests previously received by the second network entity for the service. The method further comprises obtaining, at the first network entity, an expected service usage for the service from the analysis of the one or more service requests. The method may then compare incoming service requests to the expected service usage to detect a given condition, e.g., an abnormal condition, so that at least one action can be taken.

Abstract: According to an example aspect of the present invention, there is provided an apparatus configured to function as a network function repository, and transmit to a network function consumer an access token authorizing access to a service provided by a network function producer, the access token comprising an at least one of: indication of a fully qualified domain name of the network function consumer, an indication of a domain from which access to the network function producer is allowed and an indication of a stand-alone non-public network from which access to the network function producer is allowed.

Abstract: There is provided a method, apparatus and computer program product for causing a network repository function to perform: receiving, from a network function service consumer, an access request for an access authorization token, the request comprising a first identification of the network function service consumer and a first identification of at least one network slice on which access is requested; generating an access token in response to the request, the access token comprising at least one network slice identifier for the at least one network slice identified by the first identification; and providing the generated access token to the network function in response to the request for an access authorization token.