Abstract: The present disclosure relates to a vaultless format-preserving tokenization system and method that securely converts sensitive data into a non-sensitive format while maintaining the original structure. The process includes encoding the original data, generating a secure modification based on a predetermined format by encoding another input and combining it with a unique hashing key, applying a special encryption technique that incorporates the encoded data, secure modification, and a unique encryption key to produce an encoded version of the data, and finally creating a token from the encoded data to be used in place of the original sensitive information.

Abstract: A method for distributed tokenization of sensitive strings of characters, such as social security numbers, credit card numbers and the like, in a local server is disclosed. The method comprises the steps of receiving from a central server at least one, and preferably at least two, static token lookup tables, and receiving a sensitive string of characters. In a first tokenization step, a first sub string of characters is substituted with a corresponding first token from the token lookup table(s) to form a first tokenized string of characters, wherein the first sub string of characters is a substring of the sensitive string of characters. Thereafter, in a second step of tokenization, a second sub string of characters is substituted with a corresponding second token from the token lookup table(s) to form a second tokenized string of characters, wherein the second substring of characters is a substring of the first tokenized string of characters. Optionally, one or more additional tokenization steps is/are used.

Abstract: Data in various formats can be protected in a distributed tokenization environment. Examples of such formats include date and time data, decimal data, and floating point data. Such data can tokenized by a security device that instantiates a number of tokenization pipelines for parallel tokenization of the data. Characteristics of such data can be used to tokenize the data. For instance, token tables specific to the data format can be used to tokenized the data. Likewise, a type, order, or configuration of the operations within each tokenization pipeline can be selected based on the data format or characteristics of the data format. Each tokenization pipeline performs a set of encoding or tokenization operations in parallel and based at least in part on a value received from another tokenization pipeline. The tokenization pipeline outputs are combined, producing tokenized data, which can be provided to a remote system for storage or processing.

Abstract: Systems and methods for secure data collection in Fifth Generation System (5GS) are provided. In some embodiments, a Data Collection Coordination Function (DCCF) in a data management framework is adapted to receive, from a first data consumer, a subscription request message, determine a data producer for the particular data, obtain one or more keys for data encryption and/or data integrity for the particular data, controlling one or more entities in a messaging framework of the data management framework, sending a subscription response message to the first data consumer, and sending a subscription request message to the data producer. The subscription request message comprises the one or more keys to be used by the data producer when sending notifications of the particular data to the first data consumer via the messaging framework.

Abstract: Methods and devices of enabling paging of a wireless communication device. In an aspect, a method of a node configured to provide core network user plane functionality in a communications network is provided to enable paging of a wireless communication device being in an idle state.

Abstract: A method of operation of an OAM node in a 5G system for fulfilling a service level agreement (SLA) for a network slice. The method comprises the OAM node initializing the slice information at a first network entity (NSSF) including the initial number of users allowed for a slice and transmitting information related to KPI for the slice for QoE monitoring; receiving one or more Quality of Experience (QoE) measurements related to one or more users of the slice, using the received one or more QoE measurements to determine whether the KPI for the slice is reached in accordance with the SLA and in response to determining that the KPI for the slice is not in accordance with the SLA, triggering an action in at least one of corresponding Radio Access Network or a Core Network associated with the slice, such as resource reconfiguration or redistribution across different slices.

Abstract: A gateway device for implementing data security is described herein. The gateway device is coupled between a client device and a server device, and generates a mapping between portions of data received from a client device and interface fields or data elements of the client device. Upon receiving subsequent data from the client device, the gateway device can access the generated mapping to identify portions of the subsequent data corresponding to particular interface fields or data elements of the client device using the mapping, and can encode the identified portions of the subsequent data, for instance based on data protection techniques defined by a security policy. The encoded data can then be outputted by the gateway device to the server device.

Abstract: The invention relates to methods of providing requested network information from a first core Network Function (NF) to a second NF, and devices performing the methods. In an aspect, a method performed by a first core NF entity of providing requested network information to a second NF entity is provided. The method comprises receiving a request to obtain the network information originating from the second NF entity, determining an expiry time stipulating how long the requested network information is valid, and transmitting, towards the second NF entity, the requested network information and the expiry time.

Abstract: A gateway device for implementing data security is described herein. The gateway device is coupled between a client device and a server device, and generates a mapping between portions of data received from a client device and interface fields or data elements of the client device. Upon receiving subsequent data from the client device, the gateway device can access the generated mapping to identify portions of the subsequent data corresponding to particular interface fields or data elements of the client device using the mapping, and can encode the identified portions of the subsequent data, for instance based on data protection techniques defined by a security policy. The encoded data can then be outputted by the gateway device to the server device.

Abstract: Database entries can be protected by indexing the entries using a plurality of indexes, each associated with a level of access rights. A level of access rights can be determined from a search query, and an index can be selected based on the determined level of access rights. A search key can be generated based on the received query, and the selected index can be searched using the search query. Database entries mapped to the values of the selected index returned in response to the search can be outputted. Each index is associated with a different granularity defining the number and/or ambiguity of search results returned in response to searching an index.

Abstract: New tokenization tables are derived at intervals in order to increase the security of tokenized data that is transferred between two endpoints. Generation of the new tokenization tables is based on previous tokenization tables, which advantageously allows the generation process to be performed locally at the two endpoints independently of an external tokenization table provider. New tokenization tables can periodically be distributed to the endpoints as a new starting point for derivation.

Abstract: Methods and apparatus are provided to enable a consumer network function (consumer NF) to discover instances of a NWDAF 90 co-located with NFs in the 5GC 30 of a communication network 10. Existing procedures and messages between NFs are leveraged to distribute lists of NWDAFs 90 co-located with a NF, such as a UPF 35, AMF 40 or SMF 45. A NF can provide a list of NWDAF instances for a particular UE 15 that are co-located with either the same NF or a separate producer NF when the communication procedure for the UE 15 is invoked. Over time, the consumer NFs build a database associating the co-located NWDAFs in other NFs with corresponding UEs 15 served by the consumer NF. When the consumer NF needs analytic data for one or more UEs 15 served by the consumer NF, the consumer NF can use a UE ID to look up the co-located NWDAFs for the UE 15 and subscribe with the co-located NWDAF instances to receive analytics data for the UE 15.

Abstract: Unicode data can be protected in a distributed tokenization environment. Data to be tokenized can be accessed or received by a security server, which instantiates a number of tokenization pipelines for parallel tokenization of the data. Unicode token tables are accessed by the security server, and each tokenization pipeline uses the accessed token tables to tokenization a portion of the data. Each tokenization pipeline performs a set of encoding or tokenization operations in parallel and based at least in part on a value received from another tokenization pipeline. The outputs of the tokenization pipelines are combined, producing tokenized data, which can be provided to a remote computing system for storage or processing.

Abstract: A technique for maintaining a subscription of a subscriber Network Function, NF, for receiving events related to a User Equipment, UE, from a serving NF in a telecommunication system is disclosed, wherein the UE is served by a first instance of the serving NF.

Abstract: Methods of connecting a wireless communication device to a user plane in a wireless communication network and devices performing the methods. In one aspect, a network node configured to connect a wireless communication device to a user plane in a wireless communication network comprises a processing unit and a memory containing instructions executable by the processing unit, wherein the network node is to provide core network user plane functionality and/or radio access network user plane functionality, via an interface.

Abstract: Unicode data can be protected in a distributed tokenization environment. Data to be tokenized can be accessed or received by a security server, which instantiates a number of tokenization pipelines for parallel tokenization of the data. Unicode token tables are accessed by the security server, and each tokenization pipeline uses the accessed token tables to tokenization a portion of the data. Each tokenization pipeline performs a set of encoding or tokenization operations in parallel and based at least in part on a value received from another tokenization pipeline. The outputs of the tokenization pipelines are combined, producing tokenized data, which can be provided to a remote computing system for storage or processing.

Abstract: Methods and apparatus in a network node are provided. In an example, a method in a network node in a network is provided. The method comprises sending, to a network data management function, information identifying an association between a Network Data Analytics Function (NWDAF) and (i) a first network function in the network, and/or (ii) a User Equipment (UE) in the network.

Abstract: Methods and systems for Open Network Automation Platform (ONAP) Fifth Generation Core (5GC) interaction for analytics are provided. According to one aspect, a method, performed by a Front End node for receiving patterns extracted from events and current network status data in a telecommunications network, comprises: receiving, from a Session Management Function (SMF) a request for a User Plane Function (UPF) selection recommendation for a user; determining a list of applications associated with the user; sending, to a Data Collection, Analytics, and Events (DCAE) function of an ONAP, a request for a list of Application Server (AS) locations; receiving, from the DCAE function, the list of AS locations; selecting a UPF based on the user's mobility and application usage patterns; and sending, to the SMF, a recommendation identifying the selected UPF.

Abstract: Database entries can be protected by indexing the entries using a plurality of indexes, each associated with a level of access rights. A level of access rights can be determined from a search query, and an index can be selected based on the determined level of access rights. A search key can be generated based on the received query, and the selected index can be searched using the search query. Database entries mapped to the values of the selected index returned in response to the search can be outputted. Each index is associated with a different granularity defining the number and/or ambiguity of search results returned in response to searching an index.

Abstract: Data in various formats can be protected in a distributed tokenization environment. Examples of such formats include date and time data, decimal data, and floating point data. Such data can tokenized by a security device that instantiates a number of tokenization pipelines for parallel tokenization of the data. Characteristics of such data can be used to tokenize the data. For instance, token tables specific to the data format can be used to tokenized the data. Likewise, a type, order, or configuration of the operations within each tokenization pipeline can be selected based on the data format or characteristics of the data format. Each tokenization pipeline performs a set of encoding or tokenization operations in parallel and based at least in part on a value received from another tokenization pipeline. The tokenization pipeline outputs are combined, producing tokenized data, which can be provided to a remote system for storage or processing.