Abstract: Methods, systems, and computer readable media for validating subscriber entities against spoofing attacks in a communications network are disclosed. One method includes receiving, by a proxy element, a subscriber authentication request message that is sent from an access and mobility management function (AMF) and is directed to a unified data management (UDM) function in a home network, creating, by the proxy element, a record entry including a subscriber identifier and a public land mobile network (PLMN) identifier contained in the subscriber authentication request message, wherein the record entry is stored in an authentication registry database prior to forwarding the subscriber authentication request message to the UDM function.

Abstract: A method for automatic configuration and use of Category 1 message filtering rules includes, at a network function (NF), subscribing, with an NF repository function (NRF), to receive notification of NF profile changes. The method further includes receiving, from the NRF and as a result of the subscribing, notification of an NF profile change. The method further includes automatically configuring, based on the notification of the NF profile change, at least one Category 1 message filtering rule implemented. The method further includes using the at least one Category 1 message filtering rule to filter service based interface (SBI) messages.

Abstract: A method for providing updated network slice information to a network slice selection function (NSSF includes registering, by a network slice management function (NSMF) with a network function (NF) repository function (NRF), an NF profile corresponding to the NSMF and subscribing, by the NSMF with the NRF, for status updates corresponding to NF instances belonging to network slice instances created by the NSMF. The method further includes receiving, by the NSMF from the NRF, a notification message including one or more network traffic load level updates related to at least one of the NF instances, processing the one or more network traffic load level updates to generate network slice instance configuration information for at least one of the network slice instances, and providing, by the NSMF, the network slice instance configuration information to a NSSF managing the at least one of the network slice instances.

Abstract: Methods, systems, and computer readable media for managing network function (NF) request messages at a security edge protection proxy (SEPP) are disclosed. One method comprises receiving, by a SEPP and from an NF service consumer, an initial NF request message and obtaining a target NF type identifier, a requestor NF type identifier, and a network identifier from the initial NF request message. The method further includes utilizing the target NF type identifier, the requestor NF type identifier, and the network identifier to determine whether the initial NF request message is to be blocked by an associated service based interface at the SEPP and discarding, by the SEPP, the initial NF request message if the initial NF request message is determined to be blocked by the associated service based interface.

Abstract: A method for selective inter-PLMN security handshake validation includes receiving, at a SEPP, a first inter-PLMN security handshake request message. The method further includes performing, by the SEPP and in an SEPP trust relationship database, a lookup to determine whether the first inter-PLMN security handshake request message originates from a trusted SEPP. The method further includes determining that the first inter-PLMN security handshake request message does not originate from a trusted SEPP, and, in response, performing, by the SEPP, an inter-PLMN security handshake validation procedure on the first inter-PLMN security handshake request message. The method further includes determining that the first inter-PLMN security handshake request message fails the inter-PLMN security handshake validation procedure, and, in response, performing a network protective operation.

Abstract: Methods, systems, and computer readable media for validating subscriber entities against spoofing attacks in a communications network are disclosed. One method includes receiving, by a proxy element, a subscriber authentication request message that is sent from an access and mobility management function (AMF) and is directed to a user data management (UDM) function in a home network, creating, by the proxy element, a record entry including a subscriber identifier and a public land mobile network (PLMN) identifier contained in the subscriber authentication request message, wherein the record entry is stored in an authentication registry database prior to forwarding the subscriber authentication request message to the UDM function.

Abstract: A method for creating single-use authentication messages includes creating, at a consumer network function of a core network of a telecommunications network, a message hash of at least a subset of a request message. The method includes adding, at the consumer network function, the message hash to a client credentials assertion (CCA) token for the consumer network function. The method includes sending, from the consumer network function, the request message with the CCA token to a producer network function.

Abstract: Methods, systems, and computer readable media for restricting a number of hops conducted in a communications network are disclosed. One method includes receiving, by a hypertext transfer protocol (HTTP) proxy element in a first network region, a service request message including a header section that specifies a maximum number of hops value and conducting a search for a producer network function (NF) in the first network region to provide a network service requested in the service request message.

Abstract: A method for obtaining and using a single-use OAuth 2.0 access token for securing specific service-based architecture (SBA) interfaces includes generating, by a consumer network function (NF) an access token request. The method further includes inserting, in the access token request, a hash of at least a portion of a service-based interface (SBI) request message. The method further includes sending the access token request to an NF repository function (NRF). The method further includes receiving, from the NRF, an access token response, the access token response having an OAuth 2.0 access token including the hash of the at least a portion of the SBI request message. The method further includes using the OAuth 2.0 access token including the hash of the at least a portion of the SBI request message to access an SBI service.

Abstract: A method for providing updated network slice information to a network slice selection function (NSSF includes registering, by a network slice management function (NSMF) with a network function (NF) repository function (NRF), an NF profile corresponding to the NSMF and subscribing, by the NSMF with the NRF, for status updates corresponding to NF instances belonging to network slice instances created by the NSMF. The method further includes receiving, by the NSMF from the NRF, a notification message including one or more network traffic load level updates related to at least one of the NF instances, processing the one or more network traffic load level updates to generate network slice instance configuration information for at least one of the network slice instances, and providing, by the NSMF, the network slice instance configuration information to a NSSF managing the at least one of the network slice instances.

Abstract: A method for creating single-use authentication messages includes creating, at a consumer network function of a core network of a telecommunications network, a message hash of at least a subset of a request message. The method includes adding, at the consumer network function, the message hash to a client credentials assertion (CCA) token for the consumer network function. The method includes sending, from the consumer network function, the request message with the CCA token to a producer network function.

Abstract: A method for obtaining and using a single-use OAuth 2.0 access token for securing specific service-based architecture (SBA) interfaces includes generating, by a consumer network function (NF) an access token request. The method further includes inserting, in the access token request, a hash of at least a portion of a service-based interface (SBI) request message. The method further includes sending the access token request to an NF repository function (NRF). The method further includes receiving, from the NRF, an access token response, the access token response having an OAuth 2.0 access token including the hash of the at least a portion of the SBI request message. The method further includes using the OAuth 2.0 access token including the hash of the at least a portion of the SBI request message to access an SBI service.

Abstract: A method for supporting a migration of user profile and policy information includes receiving a 5G user profile addition request message associated with a subscriber entity, sending a user profile query message to a 4G subscription profile repository (SPR), determining that 4G user profile and policy information corresponding to the subscriber entity exists in the 4G SPR, and receiving 4G user profile and policy information corresponding to the subscriber entity from the 4G SPR and subsequently sending a 5G user profile creation message containing the 4G user profile and policy information to a 5G unified data repository (UDR) in response to determining that the 4G user profile and policy information is stored in the 4G SPR.