Patents by Inventor Marouane Balmakhtar

Marouane Balmakhtar has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 11809924
    Abstract: A wireless communication network to serve a User Equipment (UE) over Network Exposure Functions (NEFs) that have Application Programming Interfaces (APIs). In the wireless communication network, a NEF Interface Function (NIF) receives a NEF request from a network function. The NIF correlates the NEF request with one of the APIs. The NIF selects one of the NEFs based on the one of the APIs. The NIF translates the NEF request into an API call based on the one of the APIs. The NIF transfers the API call to the one of the NEFs. The one of the NEFs receives the API call and responsively performs a network task for the UE based on the API call.
    Type: Grant
    Filed: August 10, 2021
    Date of Patent: November 7, 2023
    Assignee: T-MOBILE INNOVATIONS LLC
    Inventor: Marouane Balmakhtar
  • Publication number: 20230353996
    Abstract: Systems and methods for a micro-service data gateway are provided. In some embodiments, the micro-service data gateway comprises at least a micro-service data reflector and a micro-service data synthesizer. The data reflector operates to serve cached micro-service data in response to UE micro-service data requests. The reflector receives requests for micro-service data available from at least one data source exposed by a network exposure function (NEF) of a network operator core, retrieves the micro-service data from a data cache comprising at least a subset of micro-service data available from the data source, and provides the micro-service data to a requestor of the micro-service data. The synthesizer operates to ensure that the cache of micro-service data available to the reflector is fresh and updated. The micro-service data gateway may be positioned near the UE at a network edge of the core network and/or in part implemented within the UE.
    Type: Application
    Filed: April 29, 2022
    Publication date: November 2, 2023
    Inventors: Lyle Walter PACZKOWSKI, Marouane BALMAKHTAR, Galip Murat KARABULUT, Carl PERSSON
  • Publication number: 20230354143
    Abstract: Systems and methods are provided for rapid user equipment route selection policy rule processing. A method includes determining an applicable routing policy based on user equipment route selection policy (URSP) rules for an established protocol data unit (PDU) session and storing PDU session information with the established uplink PDU session in a cache. The method further includes examining subsequent uplink packets for PDU session information and checking the cache for an established PDU session with matching uplink PDU session information. The method additionally includes routing the subsequent uplink packets to the established PDU session having the matching PDU session information, causing the subsequent uplink packet to be processed in accordance with the applicable routing policy as previously determined based on the URSP rules.
    Type: Application
    Filed: May 2, 2022
    Publication date: November 2, 2023
    Inventors: Gregory SCHUMACHER, Marouane BALMAKHTAR, Serge MANNING
  • Publication number: 20230337001
    Abstract: A method of user equipment (UE) implemented network slice security protection is disclosed. The method comprises the UE receiving a request to initialize an application, querying a UE Route Selection Policy (URSP) stored on the UE, and receiving traffic descriptors and security descriptors in response to the querying. The traffic descriptors identify a network slice for the application. The security descriptors comprise a security flag and a virtualization container ID. The method also comprises the UE initiating the application within a virtualization container corresponding to the virtualization container ID based on the security flag indicating that the network slice is secure and binding traffic for the application in the virtualization container to a PDU session based on the traffic descriptors. The method further comprises communicating, by the application executing within the virtualization container, with a core network over the PDU session via the network slice bound to the virtualization container.
    Type: Application
    Filed: June 16, 2023
    Publication date: October 19, 2023
    Inventors: Marouane Balmakhtar, Serge Manning, Greg Schumacher
  • Publication number: 20230337116
    Abstract: A wireless communication system transfers signaling messages between a wireless access node and a wireless user device. The wireless access node and the wireless user device wirelessly exchange user data with one another. The wireless communication system establishes a node signaling link with the wireless access node. The wireless communication system establishes a user signaling link with the wireless user device. The wireless communication system receives a signaling message from the wireless access node over the node signaling link and transfers the signaling message to the wireless user device over the user signaling link. The wireless communication system receives another signaling message from the wireless user device over the user signaling link and transfers the other signaling message to the wireless access node over the node signaling link.
    Type: Application
    Filed: June 28, 2023
    Publication date: October 19, 2023
    Inventors: Lyle T. Bertz, Robert Keith Butler, Marouane Balmakhtar, Galip Murat Karabulut
  • Patent number: 11792642
    Abstract: A data communication network serves a user application in User Equipment (UE) over a Virtual Private Network (VPN) Gateway (GW), Application Function (AF), and Network Exposure Function (NEF). The user application in the UE transfers user data to a VPN application in the UE. The VPN application in the UE transfers the user data over a VPN to the VPN-GW for delivery to the NEF. The VPN-GW receives user data over the VPN and transfers the user data to the AF for delivery to the NEF. The AF receives the user data for delivery to the NEF and generates an Application Programming Interface (API) call with the user data. The AF transfers the API call to the NEF. The NEF receives the API call and responsively exposes the user data. The user data may comprise user signaling, and the UE may exchange user data with external systems over the VPN GW responsive to the user signaling.
    Type: Grant
    Filed: April 22, 2021
    Date of Patent: October 17, 2023
    Assignee: T-MOBILE INNOVATIONS LLC
    Inventors: Marouane Balmakhtar, Zheng Fang
  • Patent number: 11783014
    Abstract: A communication device. The communication device comprises a central processing unit (CPU), a graphics processing unit (GPU), and a non-transitory memory comprising executable instructions for a sharing application that when executed by at least one of the CPU or the GPU, causes the sharing application to transmit an executable of a trusted application to an endpoint communication device, begin execution of the sharing application in a trusted security execution zone (TSZ) execution mode for sharing media content, instantiate a trustlet application that begins execution by the CPU or the GPU in the TSZ execution mode, display a unit of media content on the communication device, determine whether the unit of media content comprises confidential information, and in response to a determination the unit of media content comprises confidential information, transmit commands to the trusted application to control one or more functions at the endpoint communication device.
    Type: Grant
    Filed: July 19, 2022
    Date of Patent: October 10, 2023
    Assignee: T-Mobile Innovations, LLC
    Inventors: Marouane Balmakhtar, Thomas Golden, Galip Murat Karabulut, Lyle W. Paczkowski
  • Publication number: 20230319653
    Abstract: In a wireless communication system, a source access node receives a security policy for a User Equipment (UE) from a wireless network core. The wireless network core and the UE establish security context over the source access node. The wireless network core and the UE exchange user data over the source access node based on the security context. The source access node hands over the wireless UE to a target access node and transfers the security policy for the wireless UE to the target access node. The target access node signals the wireless network core to establish new security context for the wireless UE responsive to the security policy. The wireless network core and the wireless UE establish new security context over the target access node. The wireless network core and the UE exchange additional user data over the target access node based on the new security context.
    Type: Application
    Filed: March 29, 2022
    Publication date: October 5, 2023
    Inventors: Marouane Balmakhtar, Gregory David Schumacher
  • Publication number: 20230319831
    Abstract: A wireless communication device serves a user application from a protected memory region. Processing circuitry receives a memory call from the user application for the protected memory region. In response, the processing circuitry generates network signaling that characterizes the memory call and authorization factors for the memory call. Communication circuitry wirelessly transfers the network signaling and receives other network signaling that indicates a memory instruction. The processing circuitry directs the memory circuitry to perform the memory call in the protected memory region for the user application per the memory instruction. The memory circuitry performs the memory call in the protected memory region for the user application per the memory instruction.
    Type: Application
    Filed: March 29, 2022
    Publication date: October 5, 2023
    Inventors: Marouane Balmakhtar, Lyle Walter Paczkowski
  • Patent number: 11765087
    Abstract: Programmable networking devices configured to perform various packet processing functions for packet filtration, control and user plane separation (CUPS), user plane function (UPF), pipeline processing, etc. Upon arrival of a user plane packet, a UPF performs a rapid lookup or hash table of the provisioned PDRs associated with a given PFCP session, arranges PDRs in decreasing order of precedence, and processes the packet more efficiently than evaluating all PDRs.
    Type: Grant
    Filed: August 19, 2021
    Date of Patent: September 19, 2023
    Assignee: T-Mobile Innovations LLC
    Inventors: Marouane Balmakhtar, Brian Waters
  • Publication number: 20230292124
    Abstract: In a wireless communication network, a wireless access node receives an encrypted slice certificate from a wireless user device and transfers the encrypted slice certificate to a network control-plane. The network control-plane decrypts the encrypted slice certificate and determines a correspondence between expected characteristics and the slice characteristics from the decrypted slice certificate. The network control-plane authorizes the wireless user device for the wireless network slice based on the correspondence. In response to the authorization, the network control-plane transfers user context for the wireless network slice to the wireless access node and a network user-plane. The wireless access node exchanges user data between the wireless user device and the network user-plane per the user context. The network user-plane exchanges the user data between the wireless access node and a data system per the user context.
    Type: Application
    Filed: March 9, 2022
    Publication date: September 14, 2023
    Inventors: Marouane Balmakhtar, Lyle Walter Paczkowski
  • Patent number: 11751058
    Abstract: A method of user equipment (UE) implemented network slice security protection is disclosed. The method comprises the UE receiving a request to initialize an application, querying a UE Route Selection Policy (URSP) stored on the UE, and receiving traffic descriptors and security descriptors in response to the querying. The traffic descriptors identify a network slice for the application. The security descriptors comprise a security flag and a virtualization container ID. The method also comprises the UE initiating the application within a virtualization container corresponding to the virtualization container ID based on the security flag indicating that the network slice is secure and binding traffic for the application in the virtualization container to a PDU session based on the traffic descriptors. The method further comprises communicating, by the application executing within the virtualization container, with a core network over the PDU session via the network slice bound to the virtualization container.
    Type: Grant
    Filed: January 14, 2022
    Date of Patent: September 5, 2023
    Assignee: T-Mobile Innovations LLC
    Inventors: Marouane Balmakhtar, Serge Manning, Greg Schumacher
  • Publication number: 20230269588
    Abstract: A method of determining an integrity of an electronic communication device that connects to a 5G core network. The method comprises measuring by an attestation client application executing on the electronic communication device attributes of a universal communication stack (UCS) that executes on the electronic communication device and that promotes communication with the 5G core network; receiving a baseline of UCS attributes comprising norms of UCS attributes and thresholds; comparing measurements of the attributes of the UCS to the baseline by the attestation client application; when the comparisons are within the thresholds, granting communication access by the attestation client application to the 5G core network to a user application that executes on the electronic communication device; and when one of the comparisons exceeds a threshold, denying communication access by the attestation client application to the 5G core network to the user application that executes on the electronic communication device.
    Type: Application
    Filed: February 21, 2022
    Publication date: August 24, 2023
    Inventors: Marouane Balmakhtar, Lyle W. Paczkowski
  • Patent number: 11737166
    Abstract: A method for providing a translating virtual network function by a network element. The method comprises receiving by the network element a first Packet Forwarding Control Protocol (PFCP) message of a plurality of PFCP messages at a first Internet Protocol (IP) address of a plurality of IP addresses of the network element, the first IP address corresponding to a first Session Management Function (SMF) of one or more SMFs, selecting by the network element a translation method based on the first IP address on which the first PFCP message was received, translating by the network element the first PFCP message using the selected translation method into a function-based model representation of the first PFCP message, and configuring by the network element a network interface controller to implement, based on the representation of the first PFCP message, a protocol data unit (PDU) session.
    Type: Grant
    Filed: September 19, 2022
    Date of Patent: August 22, 2023
    Assignee: T-Mobile Innovations LLC
    Inventors: Marouane Balmakhtar, Brian Waters
  • Patent number: 11728981
    Abstract: A wireless User Equipment (UE) performs quantum authentication with a wireless communication network. The wireless UE receives qubits that were generated by the wireless communication network and determines polarization states for the qubits. The wireless UE exchanges cryptography information with the wireless communication network. The wireless UE and the wireless communication network both generate cryptography keys based on the polarization states and the cryptography information. The wireless UE generates authentication data based on the cryptography keys. The wireless UE wirelessly transfers the authentication data to the wireless communication network. The wireless communication network authenticates the wireless UE based on the authentication data and the cryptography keys.
    Type: Grant
    Filed: August 23, 2022
    Date of Patent: August 15, 2023
    Assignee: T-MOBILE INNOVATIONS LLC
    Inventors: Marouane Balmakhtar, Lyle Walter Paczkowski
  • Patent number: 11729699
    Abstract: A data communication network controls network access for User Equipment (UE) over a non-Third Generation Partnership Project (non-3GPP) access node. The non-3GPP access node transfers a UE access control message to a non-3GPP Interworking Function (IWF). The non-3GPP IWF transfers an N2 message indicating the UE access control message to a 3GPP Access and Mobility Management Function (AMF). The 3GPP AMF transfers an N1 message indicating the UE access control message to the UE. The UE processes the UE access control message from the non-3GPP access node.
    Type: Grant
    Filed: March 17, 2021
    Date of Patent: August 15, 2023
    Assignee: T-MOBILE INNOVATIONS LLC
    Inventors: Lyle T. Bertz, Robert Keith Butler, Marouane Balmakhtar, Galip Murat Karabulut
  • Publication number: 20230232236
    Abstract: A method of user equipment (UE) implemented network slice security protection is disclosed. The method comprises the UE receiving a request to initialize an application, querying a UE Route Selection Policy (URSP) stored on the UE, and receiving traffic descriptors and security descriptors in response to the querying. The traffic descriptors identify a network slice for the application. The security descriptors comprise a security flag and a virtualization container ID. The method also comprises the UE initiating the application within a virtualization container corresponding to the virtualization container ID based on the security flag indicating that the network slice is secure and binding traffic for the application in the virtualization container to a PDU session based on the traffic descriptors. The method further comprises communicating, by the application executing within the virtualization container, with a core network over the PDU session via the network slice bound to the virtualization container.
    Type: Application
    Filed: January 14, 2022
    Publication date: July 20, 2023
    Inventors: Marouane Balmakhtar, Serge Manning, Greg Schumacher
  • Publication number: 20230231657
    Abstract: Systems and methods are provided for duplicate message detection and removal. A method includes receiving a message tagged with a sequence number during one of a first timing window and a second timing window, wherein the first and second timing windows are consecutive recurring timing windows in a network. The method additionally includes sending a response to the message during one of the timing windows and marking the sequence number with the timing window of the response. The method further includes adding the marked sequence number to an exclusion list and after a next timing window expires, deleting the sequence number from the exclusion list.
    Type: Application
    Filed: January 20, 2022
    Publication date: July 20, 2023
    Inventors: Marouane BALMAKHTAR, Brian WATERS
  • Publication number: 20230224706
    Abstract: A Third Generation Partnership Project (3GPP) gateway serves a non-Third Generation Partnership Project (non-3GPP) user device over a 3GPP N1 link. The gateway receives a transaction request from the non-3GPP user device. The gateway translates the transaction request into a 3GPP request. The gateway transfers the 3GPP request to a 3GPP network and receives an authentication request from the 3GPP network. The gateway generates and transfers an authentication response based on the transaction request and the authentication request to the 3GPP network. In response to the authentication, the gateway establishes the 3GPP N1 link with the 3GPP network for the non-3GPP user device. The gateway exchanges user data with the non-3GPP user device. The gateway interworks the user data and N1 signaling. The gateway exchanges the N1 signaling with the 3GPP network. The 3GPP network interworks the N1 signaling and the user data and exchanges the user data.
    Type: Application
    Filed: January 12, 2022
    Publication date: July 13, 2023
    Inventors: Marouane Balmakhtar, Robert Keith Butler
  • Publication number: 20230199498
    Abstract: Methods and systems for detecting false base stations are provided. A computing device transmits a request for a verification message to a base station. An encrypted verification message comprising a base station identifier and a signature encrypted using an encryption key associated with the base station is received by the computing device. The computing device decrypts the signature included in the encrypted verification message utilizing a decryption key associated with the computer system. Based on the decrypted signature, the computing device determines that the encryption key does not correspond to the decryption key. Based on determining that the encryption key does not correspond to the decryption key, the computing device stores the base station identifier in a data store in association with a false base station indicator.
    Type: Application
    Filed: December 22, 2021
    Publication date: June 22, 2023
    Inventors: Gregory Schumacher, Marouane Balmakhtar, Geoffrey Todd Gibson