Abstract: A method for detecting and processing egress inter-PLMN SBI request messages without 3gpp-Sbi-Originating-Network-Id headers includes receiving, by a proxy NF serving a plurality of PLMNs, an egress inter-PLMN SBI request message without an 3gpp-Sbi-Originating-Network-Id header. The method further includes determining an originating network identifier from the message, from DNS, or from a database record. The method further includes adding a 3gpp-Originating-Network-Id header to the message, populating the header with the originating network identifier, and forwarding the message to or towards a target PLMN.

Abstract: The technology disclosed herein enables resiliency of routing between NFs when degraded 5G NF topology information is provided to an SCP by an NRF. In a particular example, a method includes transmitting requests for NRF status from a Service Communications Proxy (SCP) to NRFs in a 5G network. The NRFs exchange messages with each other to determine whether Network Function (NF) topology information is available from the NRFs. The method further includes receiving responses to the requests in the SCP. The responses indicate a number of the NRFs from which the NF topology information is available. The method also includes identifying one or more failed NRFs of the NRFs that are in a failed state based on the responses. The NF topology information is aggregated from operative NRFs should one or more of the NRFs still be operative.

Abstract: A method for automatically generating and distributing firewall rules to filter service-based interface (SBI) messages relating to new or updated services includes maintaining a repository of firewall rules for updating a ruleset used by a core network firewall to filter SBI messages transmitted in a core network. The method further includes automatically retrieving, from an online archive of Third Generation Partnership Project (3GPP) standards documents, definitions of service operations performed on SBI interfaces in the core network. The method further includes automatically generating firewall rules based on the definitions of the service operations. The method further includes storing the firewall rules in the repository of firewall rules. The method further includes automatically distributing the firewall rules in the repository of firewall rules to the core network firewall.

Abstract: An example method includes registering, at a network function repository function (NRF) of a telecommunications network, a producer network function, including receiving a first transport layer security (TLS) version for the producer network function; providing, by the NRF, the first TLS version of the producer network function to a consumer network function in a network function discovery response; and establishing, by the consumer network function, a service based interface (SBI) communication with the producer network function based on the first TLS version and a second TLS version for the consumer network function.

Abstract: A method for prioritizing among alternate network function (NF) instances includes registering a first NF profile of a first NF instance with a first NF repository function (NRF), and defining, as part of the first NF profile, alternate NF instance information identifying a plurality of individual alternate NF instances to function as backups in response to unavailability of the first NF instance and specifying, for each alternate NF instance, a priority attribute value indicating a relative priority of the alternate NF instance with respect to the other alternate NF instances. The method further includes, at a first consumer NF or SCP, discovering, from the first NRF, the first NF profile of the first NF instance, detecting unavailability of the first NF instance, and, using the alternate NF instance information in the first NF profile to select and contact one of the alternate NF instances identified by the alternate NF instance information.

Abstract: A method for providing a shared SEPP for roaming aggregators includes, at a shared SEPP that functions as a single point of ingress and egress between an MVNO PLMN and an MNO PLMN and between the MVNO PLMN and MNO PLMNs and external networks, receiving a first service-based interface (SBI) request message from the MVNO PLMN. The method further includes determining, by the shared SEPP, that the first SBI request message is destined for the MNO PLMN, and, in response, routing the first SBI request message to the MNO PLMN. The method further includes receiving a second SBI request message from the MVNO PLMN and determining that the second SBI request message is destined for one of the external networks, and, in response, routing the second SBI request message to the one external network. The shared SEPP may apply security measures for messages transmitted to and from the MNO PLMN and the MVNO PLMN.

Abstract: The technology disclosed herein enables 5G wireless monitoring and analysis using an enhanced feed of 5G SBI traffic. In a particular example, a method includes receiving a 5G SBI message in a Service Communication Proxy (SCP), extracting information from protocols used to transmit the 5G SBI message, and including the information in a mirror message with a copy of a payload of the 5G SBI message. The method further includes transmitting the mirror message to a monitoring system.

Abstract: A method for detecting and mitigating security attacks on producer network NFs using access token to non-access-token parameter correlation at a proxy NF includes receiving an inter-PLMN SBI request message. The method further includes obtaining, from an access token transmitted with the inter-PLMN SBI request message, at least one network- or service-identifying parameter and obtaining, externally from the access token, at least one network- or service-identifying parameter. The method further includes comparing the at least one network- or service-identifying parameter obtained from the access token and the at least one network- or service-identifying parameter obtained externally from the access token and performing a network security action when the at least one network- or service-identifying parameter obtained from the access token does not match the at least one network- or service-identifying parameter obtained externally from the access token.

Abstract: Various embodiments of the present technology generally relate to systems and methods for network intrusion detection. In certain embodiments, a network traffic analysis system may comprise one or more processors, and a memory having stored thereon instructions. The instructions, upon execution, may cause the one or more processors to receive, from a first network function (NF) in a communication exchange on a 5G network, a first copy of traffic from the communication exchange, determine whether a second copy of traffic corresponding to the first copy of traffic has been received from a second NF in the communication exchange, and in response to not receiving the second copy of traffic, issue a security notification to the first NF indicating a network intrusion.

Abstract: Various embodiments of the present technology generally relate to systems and methods for preventing malicious service access over long-lived connections. In certain embodiments, a network traffic analysis system may comprise one or more processors, and a memory having stored thereon instructions. The instructions, upon execution, may cause the one or more processors to receive, from a first network function (NF) on a 5G network, a copy of a message sent over a long-lived connection between the first NF and a second NF on the 5G network, the copy of the message including details for a transport layer security (TLS) certificate involved in the long-lived connection. The network traffic analysis system may compare the details against a list of revoked certificates to determine whether the TLS certificate has been revoked, and when the TLS certificate has been revoked, send a notification directing the first NF to close the long-lived connection.

Abstract: A method for performing a location and velocity check at an SEPP to protect against a spoofing attack includes receiving an SBI request message relating to authentication of UE. The method further includes querying a database NF to obtain previous authentication information for the UE, the previous authentication information including a previous network identifier and a previous authentication time for the UE. The method further includes receiving a response from the database NF, the response including the previous network identifier and the previous authentication time.

Abstract: A method for error information propagation from an SCP to a NF to support a circuit breaker design at the consumer NF includes receiving, at the SCP and from the consumer NF, a first SBI service request message. The method further includes attempting, by the SCP, to forward the first SBI service request to N producer NF instances. The method further includes detecting, by the SCP, an error involving the N producer NF instances. The method further includes performing, by the SCP, successful alternate routing of the first SBI service request message to an (N+1) th producer NF instance. The method further includes receiving, by the SCP, a success response message from the (N+1) th producer NF instance. The method further includes propagating, by the SCP, with the success response message and to the consumer NF, error information regarding the N producer NF instances.

Abstract: A method for automatically generating and distributing firewall rules to filter service-based interface (SBI) messages relating to new or updated services includes maintaining a repository of firewall rules for updating a ruleset used by a core network firewall to filter SBI messages transmitted in a core network. The method further includes automatically retrieving, from an online archive of Third Generation Partnership Project (3GPP) standards documents, definitions of service operations performed on SBI interfaces in the core network. The method further includes automatically generating firewall rules based on the definitions of the service operations. The method further includes storing the firewall rules in the repository of firewall rules. The method further includes automatically distributing the firewall rules in the repository of firewall rules to the core network firewall.

Abstract: A method for selective inter-PLMN security handshake validation includes receiving, at a SEPP, a first inter-PLMN security handshake request message. The method further includes performing, by the SEPP and in an SEPP trust relationship database, a lookup to determine whether the first inter-PLMN security handshake request message originates from a trusted SEPP. The method further includes determining that the first inter-PLMN security handshake request message does not originate from a trusted SEPP, and, in response, performing, by the SEPP, an inter-PLMN security handshake validation procedure on the first inter-PLMN security handshake request message. The method further includes determining that the first inter-PLMN security handshake request message fails the inter-PLMN security handshake validation procedure, and, in response, performing a network protective operation.

Abstract: A method for delegated authorization at a security edge protection proxy (SEPP) includes intercepting, from a consumer network function (NF) that does not support access token based authorization, a service based interface (SBI) service request for accessing a service provided by a producer NF that requires access token based authorization. The method further includes operating as an access token authorization client to obtain a first access token on behalf of the consumer NF. The method further includes using the first access token to enable the consumer NF to access the service provided by the first producer NF. The SEPP may also operate as an access token authorization server on behalf of an NRF that does not support access-token-based authorization.

Abstract: A method for automatically binding an SBI communications digital certificate lifecycle to an NF lifecycle includes receiving, at an NRF, an NF deregister request message for deregistering an NF. The method further includes generating, by the NRF and in response to the NF deregister request message or successful completion of deregistration of the NF, a certificate revocation request message for revoking at least one digital certificate used by NF for SBI communications. The method further includes transmitting, by the NRF, the certificate revocation request message to a certificate authority. The method further includes receiving, by the NRF, an NF register request message identifying the NF. The method further includes determining, by the NRF, that the at least one digital certificate of the NF has been revoked.

Abstract: A method for performing a location and velocity check at an SEPP to protect against a spoofing attack includes receiving an SBI request message relating to authentication of UE. The method further includes querying a database NF to obtain previous authentication information for the UE, the previous authentication information including a previous network identifier and a previous authentication time for the UE. The method further includes receiving a response from the database NF, the response including the previous network identifier and the previous authentication time.

Abstract: A method for performing a location and velocity check at a security edge protection proxy (SEPP) using a service communication proxy (SCP) includes receiving, at an SEPP, an SBI request message relating to a user equipment (UE). The method further includes querying, by the SEPP, a service communication proxy (SCP) to obtain information indicative of a last known update of the UE with the home network of the UE. The method further includes receiving, at the SEPP, a response from the SCP, the response including the information indicative of the last known update of the UE. The method further includes reading, by the SEPP and from the response, the information indicative of the last known update of the UE. The method further includes performing, by the SEPP and using the information indicative of the last known update of the UE, a location and velocity check for the UE. The method further includes performing a network security action based on results of the location and velocity check.

Abstract: A method for protecting against unauthorized use of CMP client identity private keys and CMP public key certificates associated with NFs includes receiving, by a CMP CA proxy, a first CMP certificate request for renewing a security certificate associated with a first NF, the CMP certificate request including a public key certificate associated with the first NF and is protected by a CMP client identity private key associated with the first NF.

Abstract: A method for using an optimized token bucket algorithm for ingress message rate limiting across distributed producer network function (NF) applications includes implementing a producer NF instance as distributed producer NF applications and implementing distributed ingress gateways (IGWs) for performing ingress message rate limiting for the distributed producer NF applications. The method further includes maintaining, for each of the distributed IGWs, a local token bucket for rate limiting of ingress service-based interface (SBI) request messages received by each of the distributed IGWs and maintaining a distributed token bucket for refilling the local token buckets.