Abstract: A method for monitoring data transiting via a user equipment is described, as well as a cyber attack detection device, The method includes obtaining a first decision from a first cyber attack detection technique and a second decision from a second cyber attack detection technique, indicating whether the data are associated with attack traffic, obtaining a third decision from a third cyber attack detection technique indicating whether the data are associated with attack traffic, the third technique the first and second decisions and confidence levels assigned to the first and second detection techniques, updating the confidence levels on the basis of the first, second and third decisions, and adapting, triggered on the basis of the obtained first, second and third decisions and of the updated confidence levels, at least one rule applied by the first and/or the second technique.

Abstract: A method for detecting anomalies in a telecommunications network. The method includes implementing, by a first anomaly detection module: obtaining a plurality of first measurement data representing a resource usage of the network at a given time at a level of a target element; determining from the first measurement data at least one anomaly category from a plurality of anomaly categories a presence of attack, a presence of a fault and an absence of anomaly; requesting validation of the determined category to a second attack detection module and/or to a third fault detection module, depending on the determined anomaly category, the request including at least at the given time, an identifier of the target item, the determined anomaly category and the first measurement data; and on receipt of a response from the second and/or third module, deciding on a processing action to trigger in the network according to the response.

Abstract: A monitoring system is described for monitoring at least one slice of a communications network using at least one access network, an edge network and a core network. The system, comprises, for each slice, a plurality of intrusion detection modules configured to monitor elements associated with said section and comprising at least a first module for detecting intrusions at the access network level, a second module for detecting intrusions at the edge network level, and at least a third module at the core network level, each of the modules being configured to provide a piece of information representative of a local confidence level assigned to the section according to a behaviour of at least one element that it monitors. One of the third modules is additionally configured to evaluate, from the provided information, an overall confidence level for this section and to trigger an intrusion mitigation action for this section depending on the value of this overall confidence level.

Abstract: A method for processing, by a device in a network, an alert message received by user equipment connected to the network. The alert message indicates detection of an anomaly by the user equipment in traffic transmitted via the network. The processing method includes: obtaining from the alert message at least one piece of information which is representative of at least one user equipment constraint; processing, by means of an algorithm for detecting cyber attacks, traffic characteristics provided by the user equipment and associated with the detected anomaly, the algorithm for detecting cyber attacks being chosen and/or configured according to the at least one piece of information; and determining from the at least one piece of information, according to an outcome of the processing, and if a cyber attack is detected, a response to the user equipment regarding the detected anomaly.

Abstract: A method for monitoring data transiting via a user equipment is described, as well as a cyber attack detection device, The method includes obtaining a first decision from a first cyber attack detection technique and a second decision from a second cyber attack detection technique, indicating whether the data are associated with attack traffic, obtaining a third decision from a third cyber attack detection technique indicating whether the data are associated with attack traffic, the third technique the first and second decisions and confidence levels assigned to the first and second detection techniques, updating the confidence levels on the basis of the first, second and third decisions, and adapting, triggered on the basis of the obtained first, second and third decisions and of the updated confidence levels, at least one rule applied by the first and/or the second technique.