Patents by Inventor Jay Rajput

Jay Rajput has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Publication number: 20220345486
    Abstract: A method for mitigating network function (NF) update and deregister attacks includes, at an NF repository function (NRF) implemented by at least one processor, receiving, from an NF, an NFRegister request including a hash of a first authentication string, an NF instance identifier, and an NF profile. The method further includes storing the hash of the first authentication string. The method further includes registering the NF by storing the NF profile in an NF profile database. The method further includes receiving a first NFUpdate or NFDeregister request including the NF instance identifier. The method further includes using the stored hash of the first authentication string to validate or reject the first NFUpdate or NFDeregister request.
    Type: Application
    Filed: April 21, 2021
    Publication date: October 27, 2022
    Inventors: Jay Rajput, Virendra Singh, Amarnath Jayaramachar
  • Patent number: 11483406
    Abstract: A method for distributing network function (NF) high availability (HA) topology information in a core network includes, at an NF repository function (NRF) including at least one processor, receiving, from a plurality of producer NFs in an NF set, NFRegister requests including NF HA topology information for the producer NFs. The method further includes registering the producer NFs and storing the NF HA topology information for the producer NFs. The method further includes receiving, from a consumer NF or service communication proxy (SCP), an NFDiscover request containing at least one service discovery parameter that corresponds to a service provided by the producer NFs. The method further includes responding to the NFDiscover request by generating an NFDiscover response, including, in the NFDiscover response, the NF HA topology information for the producer NFs, and transmitting the NFDiscover response to the consumer NF or SCP.
    Type: Grant
    Filed: May 28, 2021
    Date of Patent: October 25, 2022
    Assignee: ORACLE INTERNATIONAL CORPORATION
    Inventors: Ankit Srivastava, Jay Rajput, Virendra Singh
  • Patent number: 11470544
    Abstract: A method for routing messages relating to existing NF subscriptions includes receiving, at a first NRF, a request from a consumer NF instance creating a first NF subscription, determining that the first NRF does not have the requested NF profile, and forwarding the request to a second NRF. The method further includes receiving a response from the second NRF indicating that the second NRF has created the first NF subscription, modifying the response so that subsequent messages associated with the first subscription will be sent to the first NRF, and forwarding the response to the consumer NF instance. The method further includes receiving, by the first NRF, a message from the consumer NF instance relating to the first subscription, determining that the second NRF is unavailable, and forwarding the message relating to the first subscription to a third NRF that functions as a mate of the second NRF.
    Type: Grant
    Filed: January 22, 2021
    Date of Patent: October 11, 2022
    Assignee: ORACLE INTERNATIONAL CORPORATION
    Inventors: Virendra Singh, Jay Rajput, Doki Satish Kumar Patro, Kawal Sapra
  • Publication number: 20220294775
    Abstract: A method for delegated authorization at a service communications proxy (SCP) includes intercepting, from a consumer network function (NF) that does not support access token based authorization, a service based interface (SBI) request. The method further includes operating as an access token authorization client to obtain a first access token on behalf of the consumer NF. The method further includes using the first access token to enable the consumer NF to access the service provided by a first producer NF that requires access-token-based authorization.
    Type: Application
    Filed: March 11, 2021
    Publication date: September 15, 2022
    Inventors: Virendra Singh, Jay Rajput, Ankit Srivastava
  • Publication number: 20220295282
    Abstract: A method for delegated authorization at a security edge protection proxy (SEPP) includes intercepting, from a consumer network function (NF) that does not support access token based authorization, a service based interface (SBI) service request for accessing a service provided by a producer NF that requires access token based authorization. The method further includes operating as an access token authorization client to obtain a first access token on behalf of the consumer NF. The method further includes using the first access token to enable the consumer NF to access the service provided by the first producer NF. The SEPP may also operate as an access token authorization server on behalf of an NRF that does not support access-token-based authorization.
    Type: Application
    Filed: March 11, 2021
    Publication date: September 15, 2022
    Inventors: Jay Rajput, Virendra Singh, Ankit Srivastava
  • Publication number: 20220286518
    Abstract: A method for providing for reliable service based interface (SBI) message transport using zero event notifications includes, at a consumer NF, sending an SBI message to a producer NF indicating an intent to use zero event notification messaging. The method further includes, at the producer NF, receiving the SBI message indicating the intent to use zero event notification messaging, and, transmitting a zero event notification request message to the consumer NF using a callback URI from the SBI message to confirm the callback URI and connectivity from the producer NF to the consumer NF. The method further includes, at the consumer NF, receiving the zero event notification request message and, in response, sending a zero event notification response message to the producer NF. The method further includes, at the producer NF, receiving the zero event notification response message, and, in response, continuing SBI subscription messaging with the consumer NF.
    Type: Application
    Filed: March 4, 2021
    Publication date: September 8, 2022
    Inventors: Jay Rajput, Virendra Singh, Sairam Sudhir Pokkunuri
  • Publication number: 20220287089
    Abstract: A method for resource object level authorization at a network function (NF) includes maintaining, by a first NF, a service based interface (SBI) resource object access authorization policy database containing policies for controlling access to SBI resource objects and dynamically populating a resource object owner database containing records for resource objects and corresponding resource object owners. The method further includes receiving, by the first NF and from a second NF, a first SBI resource object access request for accessing a resource object, accessing, using information from the first SBI resource object access request, the resource object access authorization policy database and the resource object owner database, determining that an access to the resource object requested by the first resource object access request is not permitted, and preventing the access to the resource object requested by the first resource object access request.
    Type: Application
    Filed: March 4, 2021
    Publication date: September 8, 2022
    Inventors: Virendra Singh, Jay Rajput, Ankit Srivastava
  • Publication number: 20220272541
    Abstract: A method for mitigating location tracking and DoS attacks that utilize an AMF location service includes receiving, at an NF, an authentication response message from an HPLMN of a UE. The method further includes extracting, by the NF and from the authentication response message, a subscription identifier and an indicator of an authentication result for the UE. The method further includes storing, by the NF and in an AMF location service validation database, the subscription identifier and the indicator of the authentication result for the UE. The method further includes receiving, by the NF, an AMF location service message and using at least one of a subscription identifier extracted from the AMF location service message and contents of the AMF location service validation database, to classify the AMF location service message as a location tracking or DoS attack. The method further includes preventing the location tracking or DoS attack.
    Type: Application
    Filed: February 25, 2021
    Publication date: August 25, 2022
    Inventors: Jay Rajput, Shashikiran Bhalachandra Mahalank, Venkata Srivatsa Grandhi, Prateek Wadhwa
  • Publication number: 20220247779
    Abstract: A method for mitigating DoS attacks at an NF includes maintaining, at a first NF, an NF subscription database containing rules that specify maximum numbers of allowed subscriptions and corresponding rule criteria. The method further includes receiving, at the first NF and from a second NF, a subscription request for establishing a subscription. The method further includes determining, by the first NF, that the subscription request matches criteria for at least one rule in the NF subscription database and incrementing, by the first NF, at least one count of a number of subscriptions for the at least one rule. The method further includes determining, by the first NF, that the at least one count of the number of subscriptions exceeds a maximum number of allowed subscriptions for the at least one rule.
    Type: Application
    Filed: February 4, 2021
    Publication date: August 4, 2022
    Inventors: Jay Rajput, Virendra Singh, Amarnath Jayaramachar
  • Publication number: 20220240171
    Abstract: A method for routing messages relating to existing NF subscriptions includes receiving, at a first NRF, a request from a consumer NF instance creating a first NF subscription, determining that the first NRF does not have the requested NF profile, and forwarding the request to a second NRF. The method further includes receiving a response from the second NRF indicating that the second NRF has created the first NF subscription, modifying the response so that subsequent messages associated with the first subscription will be sent to the first NRF, and forwarding the response to the consumer NF instance. The method further includes receiving, by the first NRF, a message from the consumer NF instance relating to the first subscription, determining that the second NRF is unavailable, and forwarding the message relating to the first subscription to a third NRF that functions as a mate of the second NRF.
    Type: Application
    Filed: January 22, 2021
    Publication date: July 28, 2022
    Inventors: Virendra Singh, Jay Rajput, Doki Satish Kumar Patro, Kawal Sapra
  • Publication number: 20220225084
    Abstract: A method for preventing subscriber identifier leakage from a telecommunications network includes receiving, by a security edge protection proxy (SEPP), an authentication response message authorizing a subscriber in a visitor network, wherein the authentication response message includes a home subscriber identifier used to identify the subscriber within a home network. The method further includes replacing, by the SEPP, the home subscriber identifier in the authentication response message with a visitor subscriber identifier. The method further includes forwarding, by the SEPP, the authentication response message with the visitor subscriber identifier to a visitor network.
    Type: Application
    Filed: January 8, 2021
    Publication date: July 14, 2022
    Inventors: Jay Rajput, Shashikiran Bhalachandra Mahalank, Prateek Wadhwa, Venkata Grandhi
  • Publication number: 20220201489
    Abstract: A method for mitigating a 5G roaming attack for an Internet of things (IoT) device based on expected user equipment (UE) behavior patterns includes receiving, at a network function (NF) including at least one processor, a service request message requesting a service from a home public land mobile network (PLMN) of a UE identified in the service request message, wherein the UE comprises an IoT device and obtaining, for the UE identified in the service request message, at least one parameter provisioned in the home PLMN to indicate an expected UE behavior pattern. The method further includes comparing the at least one parameter provisioned in the home PLMN to indicate the expected UE behavior pattern to at least one parameter from the service request message and determining that the at least one parameter from the service request message is not indicative of the expected UE behavior pattern of the UE. The method further includes dropping or rejecting the service request message.
    Type: Application
    Filed: December 17, 2020
    Publication date: June 23, 2022
    Inventors: Shashikiran Bhalachandra Mahalank, Jay Rajput, Iyappan Chellasamy
  • Publication number: 20220191694
    Abstract: Methods, systems, and computer readable media for message validation in fifth generation (5G) communications networks are disclosed. One method occurring at a first network node of a first network comprises: obtaining, from at least one authentication and key agreement (AKA) procedure related message associated with a user device communicating via a second network, authentication information identifying the user device; storing the authentication information in a data store for validating subsequent messages; receiving a request message associated with the user device; determining, using the authentication information, that the request message is invalid; and in response to determining that the request message is invalid, performing an invalid message action.
    Type: Application
    Filed: December 15, 2020
    Publication date: June 16, 2022
    Inventors: Jay Rajput, Shashikiran Bhalachandra Mahalank, Koushik Das
  • Publication number: 20220182835
    Abstract: A method for automatic key management of network access token public keys for 5GC authorization to mitigate security attacks includes providing, at the NRF, a network access token public key status update notification subscription interface that allows producer NFs to subscribe to receive notifications of updates in status of service access token public keys issued by the NRF. When the NRF determines that an update in status of a service access token public key is required, the NRF updates the status of the public key in its local database and notifies producer NFs that have subscribed to receive the updates. The producer NFs use the public keys to validate service requests from consumer NFs. In one variation, the NRF maintains and updates the status of service access token public keys associated with different service access levels.
    Type: Application
    Filed: December 8, 2020
    Publication date: June 9, 2022
    Inventors: Jay Rajput, Shashikiran Bhalachandra Mahalank
  • Publication number: 20220174757
    Abstract: Methods, systems, and computer readable media for providing a unified interface that is configured to support communication between a user equipment (UE) and application function (AF) via a network exposure function (NEF) are disclosed. One method includes receiving, by a NEF from a session management function (SMF), a protocol data unit (PDU) session event change notification message associated with a UE, establishing, by the NEF, a data delivery path between the UE and an application function (AF) via one of a plurality of data delivery planes that traverse the NEF in response to the PDU session event change notification message and processing, by the NEF, messages communicated between the UE and the AF over any of the plurality of data delivery planes using a single unified interface supported by the NEF.
    Type: Application
    Filed: December 2, 2020
    Publication date: June 2, 2022
    Inventors: Srividya Aravind, Shashikiran Bhalachandra Mahalank, Jay Rajput
  • Publication number: 20220159464
    Abstract: Methods, systems, and computer readable media for ingress message rate limiting are disclosed. One method includes, at a network node, receiving a service access request message from a service consumer network function and extracting, from the received service access request message, an access token that includes a consumer network function instance identifier identifying the service consumer network function. The method further includes determining, using the consumer network function instance identifier, that an allowed ingress message rate associated with the service consumer network function has been reached or exceeded and in response to determining that the allowed ingress message rate associated with the service consumer network function has been reached or exceeded, performing a message rate limiting action.
    Type: Application
    Filed: December 28, 2020
    Publication date: May 19, 2022
    Inventors: Jay Rajput, Shashikiran Bhalachandra Mahalank, Ankit Srivastava
  • Publication number: 20220150212
    Abstract: Methods, systems, and computer readable media for ingress message rate limiting are disclosed. One method occurring at a first network node of a first network comprises: obtaining, from a transport layer security (TLS) message from a second network node of a second network, an identifier identifying the second network node or the second network; receiving a request message from the second network node or the second network; determining, using the identifier, that an allowed ingress message rate associated with the second network node or the second network has been reached or exceeded; and in response to determining that the allowed ingress message rate associated with the second network node or the second network has been reached or exceeded, performing a rate limiting action.
    Type: Application
    Filed: December 21, 2020
    Publication date: May 12, 2022
    Inventors: Jay Rajput, Shashikiran Bhalachandra Mahalank, Amit Jain
  • Publication number: 20220104020
    Abstract: Roaming spoofing attacks can be initiated during the N32-c handshake procedure used for inter-PLMN communication in a 5G network. One example solution described herein uses the SEPP to mitigate the N32-c roaming spoofing attacks by cross-validating the sender attribute present in N32-c handshake security capability exchange messages against the endpoint identity in the X.509v3 certificate shared during the TLS handshake and the remote SEPP identity configured in the SEPP's local database.
    Type: Application
    Filed: November 11, 2020
    Publication date: March 31, 2022
    Inventors: Jay Rajput, Shashikiran Bhalachandra Mahalank
  • Publication number: 20220104112
    Abstract: A method for mitigating spoofing attacks on an SEPP inter-PLMN forwarding interface includes obtaining, by a responding SEPP, a first SEPP identifier and/or a first PLMN identifier from at least one message received over an inter-PLMN control interface. The method further includes storing the first SEPP identifier and/or the first PLMN identifier in an identity cross-validation database. The method further includes obtaining, from at least one message received over an inter-PLMN forwarding interface a second SEPP identifier and/or a second PLMN identifier and performing a lookup in the identity cross-validation database using a lookup key comprising at least one of the second SEPP identifier and the second PLMN identifier, determining that a record corresponding to the lookup key is not present in the identity cross-validation database, and, in response, preventing the at least one message received over the inter-PLMN forwarding interface from entering a PLMN protected by the responding SEPP.
    Type: Application
    Filed: December 21, 2020
    Publication date: March 31, 2022
    Inventors: Jay Rajput, Shashikiran Bhalachandra Mahalank, Iyappan Chellasamy
  • Publication number: 20220022040
    Abstract: A method for mitigating a 5G roaming attack using a security edge protection proxy (SEPP), includes receiving, at an SEPP, user equipment (UE) registration messages for outbound roaming subscribers. The method further includes creating, in a SEPP security database, UE roaming registration records derived from UE registration messages. The method further includes receiving, at the SEPP, a packet data unit (PDU) session establishment request message. The method further includes performing, using at least one parameter value extracted from the PDU session establishment request message, a lookup in the SEPP security database for a UE roaming registration record. The method further includes determining, by the SEPP and based on results of the lookup, whether to allow or reject the PDU session establishment request message.
    Type: Application
    Filed: July 14, 2020
    Publication date: January 20, 2022
    Inventors: Shashikiran Bhalachandra Mahalank, Jay Rajput