Abstract: A method of policy decision includes receiving, by a central policy server, a network policy, determining, by a cluster policy server that is separate from the central policy server, whether the network policy is relevant to a cluster corresponding to the cluster policy server, storing, by the cluster policy server, the network policy in a cluster policy database based on determining that the network policy is relevant to the cluster corresponding to the cluster policy server, obtaining, by a policy decision point (PDP) module that is separate from the cluster policy server, the network policy stored in the cluster policy database, and determining, by the PDP module, whether to implement the network policy based on a policy query received from a policy enforcement point (PEP) module.

Abstract: A method, performed by at least one processor, for protecting a front-haul link from a Man-in-the-Middle (MiTM) attack in a network communication system includes receiving, through a port of an authenticator, an authentication request for port authentication from a supplicant via an Ethernet Frame, obtaining, by the authenticator from the Ethernet frame, a hop count corresponding to a number of hops in a transmission path of the Ethernet frame between the supplicant and the authenticator, comparing the hop count to a predetermined threshold to determine whether the port should be disabled, and disabling the port based on the hop count being greater than the predetermined threshold.

Abstract: Systems and methods for handling and/or managing permissions data nodes across multiple NETCONF clients by generating or obtaining, by a NETCONF client, a first identifier, wherein the first identifier uniquely identifies the NETCONF client, establishing a first NETCONF session between a NETCONF server and the NETCONF client, wherein the NETCONF server comprises a first O-RU, wherein the NETCONF client comprises a first O-DU, delivering, from the NETCONF client to the NETCONF server, a first request during a NETCONF session handshake comprising the first identifier, delivering, from the NETCONF client to the NETCONF server, a first edit configuration request or payload, wherein the first edit configuration request or payload comprises the first identifier.

Abstract: A method of policy decision includes receiving, by a central policy server, a network policy, determining, by a cluster policy server that is separate from the central policy server, whether the network policy is relevant to a cluster corresponding to the cluster policy server, storing, by the cluster policy server, the network policy in a cluster policy database based on determining that the network policy is relevant to the cluster corresponding to the cluster policy server, obtaining, by a policy decision point (PDP) module that is separate from the cluster policy server, the network policy stored in the cluster policy database, and determining, by the PDP module, whether to implement the network policy based on a policy query received from a policy enforcement point (PEP) module.

Abstract: A method, performed by at least one processor, for protecting a front-haul link from a Man-in-the-Middle (MiTM) attack in a network communication system includes receiving, through a port of an authenticator, an authentication request for port authentication from a supplicant via an Ethernet Frame, obtaining, by the authenticator from the Ethernet frame, a hop count corresponding to a number of hops in a transmission path of the Ethernet frame between the supplicant and the authenticator, comparing the hop count to a predetermined threshold to determine whether the port should be disabled, and disabling the port based on the hop count being greater than the predetermined threshold.

Abstract: A system for providing real-time services and functions in an Open Radio Access Network (O-RAN) architecture, includes: a first physical node comprising at least one first processor configured to execute instructions to implement an O-RAN centralized unit (O-CU); at least one second physical node comprising at least one second processor configured to execute instructions to implement: an O-RAN distributed unit (O-DU), and a real-time (RT) RAN Intelligent Controller (RIC) connected to the O-DU via an interface terminating at the RT RIC and having a latency of less than 10 ms; an O-RAN radio unit (O-RU); at least one third physical node comprising at least one third processor configured to execute instructions to implement a non-real-time (Non-RT) RIC operating at a time scale of greater than 1 second; and at least one fourth physical node including at least one fourth processor configured to execute instructions to implement a near-real-time (Near-RT) RIC operating at a time scale of 10 ms to 1 second, wherein

Abstract: Improved techniques for secure access control in communication systems are provided. In one example, in accordance with an authorization server function, a method comprises receiving a request from a service consumer in a communication system for access to a service type and one or more resources associated with the service type. The method determines whether the service consumer is authorized to access the service type and the one or more resources associated with the service type. The method generates an access token that identifies one or more service producers for the service type and the one or more resources associated with the service type that the service consumer is authorized to access, and sends the access token to the service consumer. The service consumer can then use the access token to access the one or more services and one or more resources. In addition to such resource level access authorization, target network function group access authorization can be performed.

Abstract: Improved security management techniques between user equipment and a communication system are provided. For example, techniques are provided for preventing malicious attacks via a user equipment deregistration process. In one example, a method comprises sending a deregistration request message from the given user equipment to a communication system to which the given user equipment is registered, wherein the deregistration request message is security-protected and comprises a temporary identifier assigned to the given user equipment. By not sending the deregistration request message with a subscription concealed identifier, the given user equipment prevents a malicious actor from succeeding with a deregistration attack replaying the subscription concealed identifier.

Abstract: Techniques for detecting and isolating rogue network entities in a communication network are provided. For example, a method comprises receiving from at least one network entity in a communication network a message identifying one or more network entities suspected of malicious activity operating within the communication network, and initiating one or more remedial actions within the communication network to prevent the one or more network entities suspected of malicious activity operating within the communication network from accessing other network entities in the communication network.

Abstract: It is provided a method comprising: checking whether a maximum data rate for a subscriber for a network slice is received; monitoring, if the maximum data rate for the subscriber for the network slice is received, whether a hypothetical total data rate of all flows of the subscriber for the network slice would exceed the maximum data rate for the subscriber for the network slice if a grant to transmit data were provided for the subscriber for packets belonging to the network slice; inhibiting providing the grant for the subscriber if the hypothetical total data rate of all flows of the subscriber for the network slice exceeded the maximum data rate of the network slice if the grant were provided.

Abstract: A method, apparatus, and computer program product relating to notification requests and callback requests in indirect communications are provided. In the context of a method, the method includes sending a service request for selection of a service consumer. The service request is one of a notification request or a callback request. The method further includes indicating a version of a programming interface configured to support the service request.

Abstract: Improved techniques for secure access control in communication systems are provided. In one example, in accordance with an authorization server function, a method comprises receiving a request from a service consumer in a communication system for access to a service type and one or more resources associated with the service type. The method determines whether the service consumer is authorized to access the service type and the one or more resources associated with the service type. The method generates an access token that identifies one or more service producers for the service type and the one or more resources associated with the service type that the service consumer is authorized to access, and sends the access token to the service consumer. The service consumer can then use the access token to access the one or more services and one or more resources. In addition to such resource level access authorization, target network function group access authorization can be performed.

Abstract: Improved techniques for secure access control in communication systems are provided. Secure access control in one or more examples includes authorization of network function sets. For example, in accordance with an authorization server function, a method includes receiving a request from a service consumer in a communication system for access to a service type, wherein the request comprises information including a service producer set identifier. The method determines whether the service consumer is authorized to access the service type. The method identifies service producer instances that belong to the requested service producer set identifier. The method generates an access token that comprises identifiers for identified ones of the service producer instances that belong to the requested service producer set identifier, and sends the access token to the service consumer.

Abstract: Improved security management techniques between user equipment and a communication system are provided. For example, techniques are provided for preventing malicious attacks via a user equipment deregistration process. In one example, a method comprises sending a deregistration request message from the given user equipment to a communication system to which the given user equipment is registered, wherein the deregistration request message is security-protected and comprises a temporary identifier assigned to the given user equipment. By not sending the deregistration request message with a subscription concealed identifier, the given user equipment prevents a malicious actor from succeeding with a deregistration attack replaying the subscription concealed identifier.

Abstract: Embodiments of the present disclosure relate to methods, apparatuses and computer readable storage media for hop-by-hop security. A proposed method comprises receiving, at a first apparatus and from a second apparatus associated with a first network function, a message directed from the first network function to a second network function, the message comprising a first signature and network function information, the network function information at least comprising identification information of the first network function; in accordance with a successful validation of the first signature, updating the message with a second signature specific to a service communication proxy implemented by the first apparatus; and transmitting the updated message to a third apparatus associated with the second network function, the updated message comprising at least the second signature and the network function information.

Abstract: It is provided a method, comprising monitoring if a received request comprises a notification indication, wherein the notification indication indicates that the request is one of a callback request and a notification request; handling the request as a service request if the request does not comprise the notification indication; handling the request as a notification or callback request if the request comprises the notification indication, wherein the handling as a service request is different from the handling as a notification or callback request.

Abstract: A system and method for notifying the calling party of acknowledgment of the missed calls by the called party is disclosed. The called party and the calling party can subscribe for the notification service to enable charging for the service. When the calling party initiates a call to the called party it may result in a missed call as the called party may be out of coverage area or busy. When the called party views the record of the missed call a notification is generated on the wireless device by the application on the wireless device of the called party. The notification is then sent to the calling party. The acknowledgement notification may be sent directly to the calling party or via an application server.

Abstract: A system and method for notifying the calling party of acknowledgment of the missed calls by the called party is disclosed. The called party and the calling party can subscribe for the notification service to enable charging for the service. When the calling party initiates a call to the called party it may result in a missed call as the called party may be out of coverage area or busy. When the called party views the record of the missed call a notification is generated on the wireless device by the application on the wireless device of the called party. The notification is then sent to the calling party. The acknowledgement notification may be sent directly to the calling party or via an application server.