Abstract: Techniques for enhancing subscription authorization in a communications network are provided. For example, a method in a source network function service producer or an apparatus for a source network function service provider is disclosed. The method comprises: receiving a subscription request including access authorization information from a network function service consumer for a subscription to receive a notification upon occurrence of a specific event; verifying that the network function service consumer is authorized to create the subscription to the source network function service producer; storing subscription context and access authorization information granted for the subscription if the subscription request is authorized.

Abstract: According to an example aspect of the present invention, there is provided a method comprising storing, by an apparatus, one or more key information elements, wherein each key information element comprises a stored key identifier and a stored key or a certificate, receiving by the apparatus, from a requesting network function, a request message comprising a first field and a second field, wherein the first field comprises an instance identity of the requesting network function and the second field comprises the instance identity of the requesting network function, and the first field is unprotected and the second field is protected with the key or the certificate, determining by the apparatus the key or the certificate used for protecting the second field, validating by the apparatus the second field using the key or the certificate, validating by the apparatus the request message when the instance identity of the requesting network function in the first field matches with the instance identity of the request

Abstract: Techniques for managing user equipment policy data in a communication network environment are disclosed. For example, techniques are provided for managing user equipment policy data to be sent to user equipment by protecting the user equipment policy data in a communication network to which the user equipment is subscribed (e.g., a home communication network) such that the user equipment policy data can be sent to the user equipment through a communication network to which the user equipment is attached (e.g.

Abstract: A method, apparatus, and computer program for receiving an application session establishment request comprising an authentication and key management for applications, AKMA, Key Identifier, A-KID; producing an application key request (Naanf_AKMA_ApplicationKey_Get_request) comprising information elements AKMA Key Identifier A-KID; an application function identifier, AF_ID; and an application encryption key indication (Nnef_AKMA_AF_Encryption_Key_Indication); and sending the produced application key request (Naanf_AKMA_ApplicationKey_Get_request) to a home AKMA anchor function, hAAnF, or to a network exposure function, NEF, for enabling lawful interception in the VPLMN.

Abstract: Inter-alia, methods and apparatuses are disclosed for authorization of a network function consumer by a network function provider.

Abstract: According to an example aspect of the present invention, there is provided an apparatus comprising means for determining a data privacy filter of a user equipment, wherein the data privacy filter is configured to be used in a visited network by the user equipment to determine whether a request, from a network function in the visited network, to collect data from the user equipment is acceptable and whether the user equipment should transmit said data to the network function and means for transmitting, to the user equipment located in the visited network, the data privacy filter of the user equipment.

Abstract: Systems, methods, apparatuses, and computer program products for enhancing shared data in a communications system are provided. One method may include receiving or retrieving, at a service consumer, shared data from a service producer. The shared data may include at least one treatment attribute configured to indicate a treatment of at least one attribute in the shared data with respect to at least one attribute in individual subscriber data. The method may also include applying a value provided in the at least one shared data attribute or a value provided in the at least one individual subscriber data attribute based on the at least one treatment attribute.

Abstract: Embodiments of the present disclosure relate to usage of access token in service based architecture. According to one aspect of the present disclosure, a first network device transmits an access token request to a second network device, and receives, from the second network device, an access token associated with a first count value, the first count value indicating the number of times the access token is allowed to be used. The first network device transmits, to a third network device, a service request with the access token; and receives, from the third network device, a service response determined based on the first count value and the access token. In this way, usage of an access token may be restricted and chance of misuse of the access token may be reduced.

Abstract: According to an aspect, there is provided an apparatus comprising means for receiving, from a server, an authorisation request for a federated learning operation, the authorisation request identifying a plurality of user equipments, and means for determining, using subscription data associated with each of the plurality of user equipments, whether each of the plurality of user equipments are authorised to be used by the server for the federated learning operation. The apparatus also comprising means for, in response to determining that at least two of the plurality of user equipments are authorised, providing a message to each of the at least two of the plurality of user equipments that are authorised, each message comprising an encryption key associated with the federated learning operation.

Abstract: Embodiments of the present disclosure relate to network function validation. the first network device receives, from a second network device, a request including profile information of the second network device to be validated, obtain registered profile information of the second network device from a third network device maintaining a blockchain ledger storing the registered profile information, and validate the profile information of the second network device based on the registered profile information. The validation can be implemented via blockchain, and OAuth is not need, and for pure consumer can be authorized, in additioinformation for validation is sufficient.

Abstract: Method comprising: monitoring whether a network receives an authorization request for establishing a session of an AF with a UE, wherein the authorization request comprises a permanent identifier of the AF, a received temporary identifier of the AF, and a temporary identifier of a UE; if the authorization request is received: forming a key identifier based on the temporary identifier of the UE; retrieving, based on the key identifier, a stored key and a first permanent identifier of the UE; calculating a calculated temporary identifier of the AF based on the permanent identifier of the AF and the stored key; checking whether the calculated temporary identifier of the AF is identical with the received temporary identifier of the AF; inhibiting authorizing the AF for the establishing the session with the UE if the calculated temporary identifier of the AF is not identical with the received temporary identifier of the AF.

Abstract: A method is disclosed comprising: establishing an encrypted session with an application function based on a certificate; receiving a request for an application key from the application function using the encrypted session, wherein the request comprises a key identifier relating to a user device and an application function identifier; determining at least one response to the request for the application key from a set of possible responses, the set comprising at least a rejection and a message comprising the application key and a user device identifier; and transmitting the at least one response to the request for the application key to the application function. Furthermore, related methods, apparatuses, computer programs and systems are disclosed.

Abstract: Various embodiments relate to network repository function apparatus configured to implement an authorization mechanism for a federated learning (FL) training process, including: at least one processor; and at least one memory storing instructions, that when executed by the at least one processor, cause the apparatus at least to: receive from a network data analytics function (NWDAF) NWDAF FL profile data including a FL process role parameter; receive an access token from the FL server for the NWDAF that is the potential FL client; determine if the FL access token request is authorized for the NWDAF based upon the FL profile data; and send an access token for the NWDAF to the FL server when access token request for the NWDAF is authorized.

Abstract: Techniques for securely identifying applications in a communication network are disclosed. For example, a method comprises receiving, at user equipment, a data item associated with an application program that is installed or being installed on the user equipment. The method further comprises storing, by the user equipment, the data item with an identifier of the application program. The method still further comprises utilizing, by the user equipment, the stored data item when deciding to apply a route selection rule for data traffic associated with the application program.

Abstract: There is provided an apparatus comprising means for determining a change of connection at a user equipment from a source access point to a target access point, and means for receiving, from the target access point, an indication that an associated gateway function is the same for the source access point and the target access point. The apparatus also comprising means for generating an access point key based on the received indication from the target access point, and means for securing communications with the target access point using the generated access point key.

Abstract: Example embodiments of the present disclosure relate to abnormal model behavior detection. A first apparatus obtains a machine learning model and expected behavior information of the machine learning model. The first apparatus monitors behavior information of the machine learning model during execution of the machine learning model; and determines occurrence of an abnormal behavior of the machine learning model during the execution by comparing the monitored behavior information with the expected behavior information.

Abstract: There is provided an apparatus comprising: means for providing, to a network repository function, a discovery request comprising a preferred locality query parameter, wherein the preferred locality query parameter comprises a plurality of location descriptions, and means for receiving, from the network repository function, a response to the discovery request, wherein the response comprises one or more service producers that match the preferred locality query parameter.

Abstract: There are provided measures for improved robustness of artificial intelligence or machine learning capabilities against compromised input. Such measures exemplarily comprise receiving, from a first machine learning model training data collection entity, first machine learning model training input data, analyzing said first machine learning model training input data for malicious input detection, deducing, based on a result of said analyzing, whether said first machine learning model training data collection entity is suspected to be compromised, and transmitting, if said first machine learning model training data collection entity is suspected to be compromised, information to a core network entity indicative of that said first machine learning model training data collection entity is suspected to be compromised.

Abstract: There is provided an apparatus comprising means for: receiving, at a coordinating network function from a network function consumer, at least one data request, wherein the at least one data request indicates at least one version of an application programming interface supported by the network function consumer; and causing, by the coordinating network function, data to be provided to the network function consumer from at least one data source based on the at least one data request and one or more versions of an application programming interface supported by the at least one data source.

Abstract: A method of performing a data retrieval service for a first analytics function of a first communication network comprises collecting (S201), for at least one user equipment, data from the first communication network, obtaining (S203), from the collected data, processed information which is to be passed to an entity of a second communication network, and storing (S205) the processed information, wherein the processed information complies with one or more protection policies with respect to the second communication network.