Abstract: Arrangements are provided for identifying a second fraudulent subscription replacing a first fraudulent subscription. A method is performed by a fraudulent subscription detection system. The method includes obtaining notification of the first fraudulent subscription having been identified in a SIM box. The method comprises obtaining historical network data of the first fraudulent subscription. The method com includes prises generating a model based on the historical network data. The method includes identifying the second fraudulent subscription replacing the first fraudulent subscription in the SIM box upon providing live network data as input to the model. The method includes providing an identification of the second fraudulent subscription to at least one of a subscription manager entity and a user interface of a Manual Analysis component.

Abstract: According to some embodiments, a method performed by a network node for validating minimization of drive test (MDT) reports comprises: receiving a MDT report generated by a wireless device: determining to perform validation on the received MDT report: correlating the MDT report with MDT reports from one or more wireless devices in proximity to the wireless device to determine a first correlation value; determining a trust score for the MDT report based on one or more correlation values, the one or more correlation values at least comprising the first correlation value; determining whether the trust score is below a validation threshold; and upon determining the trust score is below the validation threshold, performing a corrective action with respect to the received MDT report.

Abstract: The present disclosure relates to a computer-implemented method and an apparatus for classifying anomalies of one or more feature-associated anomalies in network data traffic between devices in a first part of a network and devices in a second part of the network. The method comprises retrieving at least one network data traffic sample and determining one or more feature-associated anomaly scores for the retrieved at least one network data traffic sample. The method further comprises determining feature importance of each feature of a feature-associated anomaly score and classifying one or more anomalies based on the determined one or more feature-associated anomaly scores and the determined feature importance.

Abstract: A neural network having one or more public parts and one or more confidential parts is trained to perform a primary task. A deployment instantiation of the neural network is trained based on optimal performance of the primary task, and based on sub-optimal performance of the primary task conditioned on the confidential parts of the deployment instantiation being inaccessible. An adversary instantiation of the neural network is trained based on optimal performance of the primary task conditioned on the public parts being identical for the deployment instantiation and for the adversary instantiation, and conditioned on the confidential parts of the deployment instantiation being inaccessible. The training of the deployment instantiation and the training of the adversary instantiation are based on a plurality of training data samples, and are performed iteratively by alternating between the training of the deployment instantiation and the training of the adversary instantiation.

Abstract: Embodiments include methods for managed machine learning (ML) in a communication network, such as by one or more first network functions (NFs) of the communication network. Such methods include determining whether processing of an ML model in the communication network should be distributed to one or more user equipment (UEs) operating in the communication network, based on characteristics of the respective UEs. Such methods also include, based on determining that the processing of the ML model should be distributed to the one or more UEs, establishing trusted execution environments (TEEs) in the respective UEs and distributing the ML model for processing in the respective TEEs. Other embodiments include complementary methods for UEs, as well as UEs and NFs (or communication networks) configured to perform such methods.

Abstract: The present disclosure relates to a computer-implemented method and an apparatus for classifying anomalies of one or more feature-associated anomalies in network data traffic between devices in a first part of a network and devices in a second part of the network. The method comprises retrieving at least one network data traffic sample and determining one or more feature-associated anomaly scores for the retrieved at least one network data traffic sample. The method further comprises determining feature importance of each feature of a feature-associated anomaly score and classifying one or more anomalies based on the determined one or more feature-associated anomaly scores and the determined feature importance.

Abstract: The present disclosure relates to a computer-implemented method and an apparatus for classifying anomalies of one or more feature-associated anomalies in network data traffic between devices in a first part of a network and devices in a second part of the network. The method comprises retrieving at least one network data traffic sample and determining one or more feature-associated anomaly scores for the retrieved at least one network data traffic sample. The method further comprises determining feature importance of each feature of a feature-associated anomaly score and classifying one or more anomalies based on the determined one or more feature-associated anomaly scores and the determined feature importance.

Abstract: A method determines outlier inputs for a machine learning system. The method includes receiving a classification and activation values of a trained classifier or a first input processed by the trained classifier, determining whether an entropy score derived from the first input is below a threshold entropy-based distance metric, and changing the classification in response to the entropy score not being below the threshold.

Abstract: Embodiments include methods for managed machine learning (ML) in a communication network, such as by one or more first network functions (NFs) of the communication network. Such methods include determining whether processing of an ML model in the communication network should be distributed to one or more user equipment (UEs) operating in the communication network, based on characteristics of the respective UEs. Such methods also include, based on determining that the processing of the ML model should be distributed to the one or more UEs, establishing trusted execution environments (TEEs) in the respective UEs and distributing the ML model for processing in the respective TEEs. Other embodiments include complementary methods for UEs, as well as UEs and NFs (or communication networks) configured to perform such methods.

Abstract: The present disclosure relates to a method and an apparatus for training a model for detecting anomalies in network data traffic between devices in a first part of a network and devices in a second part of the network. The method comprises collecting feature samples of network data traffic at a monitoring point between a first and a second part of the network, and training the model for detecting anomalies on the collected feature samples using a plurality of anomaly detection, AD, trees. The training comprises creating the plurality of AD trees using respective subsets of the collected feature samples, at least some of the AD tree comprising subspace selection nodes and anomaly-catching nodes to a predetermined AD tree depth limit.

Abstract: A computer-implemented machine learning method is disclosed for training of a neural network to perform a primary task. The method comprises determining the neural network to comprise one or more public parts and one or more confidential parts, training a deployment instantiation of the neural network based on optimal performance of the primary task, and based on sub-optimal performance of the primary task conditioned on the confidential parts of the deployment instantiation being inaccessible, and training an adversary instantiation of the neural network based on optimal performance of the primary task conditioned on the public parts being identical for the deployment instantiation and for the adversary instantiation, and conditioned on the confidential parts of the deployment instantiation being inaccessible.

Abstract: An efficient obfuscation of program control flow, comprising obscuring a control execution flow through a plurality of code blocks of a computer program. It involves obtaining a secret key, initializing a state variable based on the secret key, generating a switching value by processing the state variable through an encoding function, and selecting a code block from among a set of code blocks using the switching value. It further involves executing the block code, which comprises updating the state variable based on a present value of the state variable, and repeating the steps of generating a switching value, selecting a code block, and executing the code block to control execution flow through the set of code blocks.

Abstract: A method to obscure a control execution flow in a computer program includes initializing a state variable, q, and a switching variable, selecting a code block for execution using a present value of the switching variable, executing the code block, updating the state variable based on a present value of the state variable and a block-dependent constant that is associated with the code block to generate an updated state variable, and by applying a state update function to the updated state variable, and updating the switching variable by processing the state variable through a non-injective output function that generates a new value of the switching variable based on the state variable. The operations of selecting the code block, executing the code block, updating the state variable and updating the switching variable are repeated to control execution flow.

Abstract: The present disclosure relates to a computer-implemented method and an apparatus for classifying anomalies of one or more feature-associated anomalies in network data traffic between devices in a first part of a network and devices in a second part of the network. The method comprises retrieving at least one network data traffic sample and determining one or more feature-associated anomaly scores for the retrieved at least one network data traffic sample. The method further comprises determining feature importance of each feature of a feature-associated anomaly score and classifying one or more anomalies based on the determined one or more feature-associated anomaly scores and the determined feature importance.

Abstract: Arrangements are provided for identifying a second fraudulent subscription replacing a first fraudulent subscription. A method is performed by a fraudulent subscription detection system. The method includes obtaining notification of the first fraudulent subscription having been identified in a SIM box. The method comprises obtaining historical network data of the first fraudulent subscription. The method com includes prises generating a model based on the historical network data. The method includes identifying the second fraudulent subscription replacing the first fraudulent subscription in the SIM box upon providing live network data as input to the model. The method includes providing an identification of the second fraudulent subscription to at least one of a subscription manager entity and a user interface of a Manual Analysis component.

Abstract: The present disclosure relates to a method and an apparatus for training a model for detecting anomalies in network data traffic between devices in a first part of a network and devices in a second part of the network. The method comprises collecting feature samples of network data traffic at a monitoring point between a first and a second part of the network, and training the model for detecting anomalies on the collected feature samples using a plurality of anomaly detection, AD, trees. The training comprises creating the plurality of AD trees using respective subsets of the collected feature samples, at least some of the AD tree comprising subspace selection nodes and anomaly-catching nodes to a predetermined AD tree depth limit.

Abstract: A method to obscure a control execution flow in a computer program includes initializing a state variable, q, and a switching variable, selecting a code block for execution using a present value of the switching variable, executing the code block, updating the state variable based on a present value of the state variable and a block-dependent constant that is associated with the code block to generate an updated state variable, and by applying a state update function to the updated state variable, and updating the switching variable by processing the state variable through a non-injective output function that generates a new value of the switching variable based on the state variable. The operations of selecting the code block, executing the code block, updating the state variable and updating the switching variable are repeated to control execution flow.

Abstract: An efficient obfuscation of program control flow, comprising obscuring a control execution flow through a plurality of code blocks of a computer program. It involves obtaining a secret key, initializing a state variable based on the secret key, generating a switching value by processing the state variable through an encoding function, and selecting a code block from among a set of code blocks using the switching value. It further involves executing the block code, which comprises updating the state variable based on a present value of the state variable, and repeating the steps of generating a switching value, selecting a code block, and executing the code block to control execution flow through the set of code blocks.

Abstract: This disclosure relates to methods and apparatuses for protection of control plane functionality of a network node of a communications network providing wireless communication to a mobile terminal. The network node is configured to support control plane signaling with the mobile terminal. A communication context for the mobile terminal is maintained, wherein the communication context is associated with a control signaling message exchange between the mobile terminal and the network node. One method includes establishing, for a received message, a communication context to which it belongs; determining, in relation to information in the established communication context, the received message to be a message conforming to a protection rule or a message violating a protection rule; and handling the message in accordance with rules of a protection policy. Related network nodes, computer programs, and computer program products are disclosed.

Abstract: A node in a first network domain and a method performed thereby for transmitting a data packet to a VPN client in a second network domain, the node and the VPN client being part of a VPN, wherein the first and second network domain are connected by means of a third network domain are provided. The method comprises receiving, from an application server, a first packet comprising a first IP header and a payload; and determining a DCSP. The method further comprises adding a second header comprising the determined DCSP and an IP address of a VPN client resulting in a second packet and encrypting the second packet. Further the method comprises adding a third header to the encrypted second packet resulting in a third packet, the third header comprising a destination address of a node in the second network domain, and transmitting the third packet in an IP tunnel terminating at the node in the second network domain.