Abstract: Various embodiments of the present technology generally relate to systems and methods for network intrusion detection. In certain embodiments, a network traffic analysis system may comprise one or more processors, and a memory having stored thereon instructions. The instructions, upon execution, may cause the one or more processors to receive, from a first network function (NF) in a communication exchange on a 5G network, a first copy of traffic from the communication exchange, determine whether a second copy of traffic corresponding to the first copy of traffic has been received from a second NF in the communication exchange, and in response to not receiving the second copy of traffic, issue a security notification to the first NF indicating a network intrusion.

Abstract: Various embodiments of the present technology generally relate to systems and methods for preventing malicious service access over long-lived connections. In certain embodiments, a network traffic analysis system may comprise one or more processors, and a memory having stored thereon instructions. The instructions, upon execution, may cause the one or more processors to receive, from a first network function (NF) on a 5G network, a copy of a message sent over a long-lived connection between the first NF and a second NF on the 5G network, the copy of the message including details for a transport layer security (TLS) certificate involved in the long-lived connection. The network traffic analysis system may compare the details against a list of revoked certificates to determine whether the TLS certificate has been revoked, and when the TLS certificate has been revoked, send a notification directing the first NF to close the long-lived connection.

Abstract: A method for performing a location and velocity check at an SEPP to protect against a spoofing attack includes receiving an SBI request message relating to authentication of UE. The method further includes querying a database NF to obtain previous authentication information for the UE, the previous authentication information including a previous network identifier and a previous authentication time for the UE. The method further includes receiving a response from the database NF, the response including the previous network identifier and the previous authentication time.

Abstract: A method for error information propagation from an SCP to a NF to support a circuit breaker design at the consumer NF includes receiving, at the SCP and from the consumer NF, a first SBI service request message. The method further includes attempting, by the SCP, to forward the first SBI service request to N producer NF instances. The method further includes detecting, by the SCP, an error involving the N producer NF instances. The method further includes performing, by the SCP, successful alternate routing of the first SBI service request message to an (N+1) th producer NF instance. The method further includes receiving, by the SCP, a success response message from the (N+1) th producer NF instance. The method further includes propagating, by the SCP, with the success response message and to the consumer NF, error information regarding the N producer NF instances.

Abstract: A method for automatically generating and distributing firewall rules to filter service-based interface (SBI) messages relating to new or updated services includes maintaining a repository of firewall rules for updating a ruleset used by a core network firewall to filter SBI messages transmitted in a core network. The method further includes automatically retrieving, from an online archive of Third Generation Partnership Project (3GPP) standards documents, definitions of service operations performed on SBI interfaces in the core network. The method further includes automatically generating firewall rules based on the definitions of the service operations. The method further includes storing the firewall rules in the repository of firewall rules. The method further includes automatically distributing the firewall rules in the repository of firewall rules to the core network firewall.

Abstract: A method for selective inter-PLMN security handshake validation includes receiving, at a SEPP, a first inter-PLMN security handshake request message. The method further includes performing, by the SEPP and in an SEPP trust relationship database, a lookup to determine whether the first inter-PLMN security handshake request message originates from a trusted SEPP. The method further includes determining that the first inter-PLMN security handshake request message does not originate from a trusted SEPP, and, in response, performing, by the SEPP, an inter-PLMN security handshake validation procedure on the first inter-PLMN security handshake request message. The method further includes determining that the first inter-PLMN security handshake request message fails the inter-PLMN security handshake validation procedure, and, in response, performing a network protective operation.

Abstract: A method for delegated authorization at a security edge protection proxy (SEPP) includes intercepting, from a consumer network function (NF) that does not support access token based authorization, a service based interface (SBI) service request for accessing a service provided by a producer NF that requires access token based authorization. The method further includes operating as an access token authorization client to obtain a first access token on behalf of the consumer NF. The method further includes using the first access token to enable the consumer NF to access the service provided by the first producer NF. The SEPP may also operate as an access token authorization server on behalf of an NRF that does not support access-token-based authorization.

Abstract: A method for automatically binding an SBI communications digital certificate lifecycle to an NF lifecycle includes receiving, at an NRF, an NF deregister request message for deregistering an NF. The method further includes generating, by the NRF and in response to the NF deregister request message or successful completion of deregistration of the NF, a certificate revocation request message for revoking at least one digital certificate used by NF for SBI communications. The method further includes transmitting, by the NRF, the certificate revocation request message to a certificate authority. The method further includes receiving, by the NRF, an NF register request message identifying the NF. The method further includes determining, by the NRF, that the at least one digital certificate of the NF has been revoked.

Abstract: A method for performing a location and velocity check at an SEPP to protect against a spoofing attack includes receiving an SBI request message relating to authentication of UE. The method further includes querying a database NF to obtain previous authentication information for the UE, the previous authentication information including a previous network identifier and a previous authentication time for the UE. The method further includes receiving a response from the database NF, the response including the previous network identifier and the previous authentication time.

Abstract: A method for performing a location and velocity check at a security edge protection proxy (SEPP) using a service communication proxy (SCP) includes receiving, at an SEPP, an SBI request message relating to a user equipment (UE). The method further includes querying, by the SEPP, a service communication proxy (SCP) to obtain information indicative of a last known update of the UE with the home network of the UE. The method further includes receiving, at the SEPP, a response from the SCP, the response including the information indicative of the last known update of the UE. The method further includes reading, by the SEPP and from the response, the information indicative of the last known update of the UE. The method further includes performing, by the SEPP and using the information indicative of the last known update of the UE, a location and velocity check for the UE. The method further includes performing a network security action based on results of the location and velocity check.

Abstract: A method for protecting against unauthorized use of CMP client identity private keys and CMP public key certificates associated with NFs includes receiving, by a CMP CA proxy, a first CMP certificate request for renewing a security certificate associated with a first NF, the CMP certificate request including a public key certificate associated with the first NF and is protected by a CMP client identity private key associated with the first NF.

Abstract: A method for using an optimized token bucket algorithm for ingress message rate limiting across distributed producer network function (NF) applications includes implementing a producer NF instance as distributed producer NF applications and implementing distributed ingress gateways (IGWs) for performing ingress message rate limiting for the distributed producer NF applications. The method further includes maintaining, for each of the distributed IGWs, a local token bucket for rate limiting of ingress service-based interface (SBI) request messages received by each of the distributed IGWs and maintaining a distributed token bucket for refilling the local token buckets.

Abstract: A method for improving inter-PLMN routing by implementing health checks for remote SEPPs includes storing a target SEPP database including records corresponding to remote SEPPs to which SBI request messages can be routed. The method further includes receiving SBI request messages destined for NFs in PLMNs protected by the remote SEPPs, using the target SEPP database to select and route messages to the remote SEPPs. The method further includes, for each of the remote SEPPs, sending a health check message to the remote SEPP, determining, based on a response or lack of a response to the health check message that the remote SEPP is unhealthy or unreachable, and, in response, removing a record for the remote SEPP from the target SEPP database or marking the record for the remote SEPP to indicate that the remote SEPP is unhealthy or unreachable.

Abstract: The subject matter described herein includes a method for reducing the likelihood of successful denial of service (DoS) attacks by validating overload control information (OCI) scope information against network function (NF) profile information obtained using target resource identification information. The method includes receiving a service based interface (SBI) request message, obtaining, from the SBI request message, target resource identification information, obtaining NF profile information using the target resource identification information and storing the NF profile information, receiving an SBI response message including overload control information and scope information for the overload control information, using the stored NF profile information to determine whether the scope information for the overload control information is valid, and, in response to determining that the scope information for the overload control information is invalid, rejecting the SBI response message.

Abstract: A method for providing a security edge protection proxy (SEPP) router for routing messages between roaming hub SEPPs includes registering, at an SEPP router, a first roaming hub SEPP. Registering the first roaming hub SEPP includes receiving an NFRegister request from the first roaming hub SEPP, the NFRegister request including an NF profile of the first roaming hub SEPP, and storing, by the SEPP router, at least a portion of the NF profile of the first roaming hub SEPP. The method further includes receiving, at the SEPP router, a service-based interface (SBI) request message from a second roaming hub SEPP, and determining, by the SEPP router, a public land mobile network (PLMN) as an intended destination for the SBI request message. The method further includes routing, by the SEPP router, the SBI request message to the first roaming hub SEPP.

Abstract: A method for providing a shared SEPP for roaming aggregators includes, at a shared SEPP that functions as a single point of ingress and egress between an MVNO PLMN and an MNO PLMN and between the MVNO PLMN and MNO PLMNs and external networks, receiving a first service-based interface (SBI) request message from the MVNO PLMN. The method further includes determining, by the shared SEPP, that the first SBI request message is destined for the MNO PLMN, and, in response, routing the first SBI request message to the MNO PLMN. The method further includes receiving a second SBI request message from the MVNO PLMN and determining that the second SBI request message is destined for one of the external networks, and, in response, routing the second SBI request message to the one external network. The shared SEPP may apply security measures for messages transmitted to and from the MNO PLMN and the MVNO PLMN.

Abstract: A method for providing for optimized service based interface (SBI) communications by performing network function (NF) fully qualified domain name (FQDN) resolution at an NF repository function (NRF) includes, at an NRF including at least one processor, receiving NF register requests including NF profiles and/or NF service profiles, at least some of which include FQDNs and do not include Internet protocol (IP) addresses. The method further includes storing the NF profiles and/or NF service profiles in an NF profiles database. The method further includes resolving the FQDNs in NF profiles and/or NF service profiles into IP addresses. The method further includes receiving NF discovery requests. The method further includes generating lists of NF profiles and/or NF service profiles that match query parameters in the NF discovery requests. The method further includes providing the lists of NF profiles and/or NF service profiles including the IP addresses to consumer NFs in NF discovery responses.

Abstract: A method for optimized routing of service based interface (SBI) request messages to remote network function (NF) repository functions (NRFs) using indirect communications via a service communication proxy (SCP) includes, at an SCP including at least one processor, receiving an SBI request message. The method further includes forwarding the SBI request message to a remote NRF. The method further includes determining that the remote NRF is unable to process the SBI request message, and, in response to determining that the remote NRF is unable, identifying a georedundant mate of the remote NRF. The method further includes forwarding the SBI request message to the georedundant mate NRF of the remote NRF that is unable to process the SBI request message.

Abstract: Methods, systems, and computer readable media for ingress message rate limiting are disclosed. One method includes, at a network node, receiving a service request message from a service consumer network function and extracting, from the received service request message, an access token that includes a consumer network function instance identifier identifying the service consumer network function. The method further includes determining, using the consumer network function instance identifier, that an allowed ingress message rate associated with the service consumer network function has been reached or exceeded and in response to determining that the allowed ingress message rate associated with the service consumer network function has been reached or exceeded, performing a message rate limiting action.

Abstract: A method for automatic configuration and use of Category 1 message filtering rules includes, at a network function (NF), subscribing, with an NF repository function (NRF), to receive notification of NF profile changes. The method further includes receiving, from the NRF and as a result of the subscribing, notification of an NF profile change. The method further includes automatically configuring, based on the notification of the NF profile change, at least one Category 1 message filtering rule implemented. The method further includes using the at least one Category 1 message filtering rule to filter service based interface (SBI) messages.