Patents by Inventor Simon Beddus
Simon Beddus has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).
-
Patent number: 12425488
Abstract: Method of Operating a Telecommunications Network A computer-implemented method (200) of operating a telecommunications network (100), the telecommunications network comprising a client device (110) and a server (140), wherein the server and the client device are connected via an access point (120), the method comprising the steps of: receiving a service request from the client device, said service request requesting a service from the server (310); identifying client device characteristic information associated with the client device (340); identifying service requirement information associated with the requested service (330); comparing the identified client device characteristic information with the identified service requirement information so as to determine if the client device information complies with the service requirement information (350); and in response to said comparison: permitting the server to provide the requested service in accordance with the service request if the client device informatio
Type: Grant
Filed: February 22, 2022
Date of Patent: September 23, 2025
Assignee: BRITISH TELECOMMUNICATIONS public limited company
Inventors: Simon Beddus, Claudia Cristina, Fadi El-Moussa
-
Publication number: 20250056195
Abstract: Computer implemented methods, computer systems and computer programs are provided for deploying a service to edge compute nodes located at the edge of a radio access network that are dispersed throughout a geographical area and for accessing the service from the same. The method for deploying the service receives a travel plan for a mobile entity, the travel plan indicating a route for an intended journey by the mobile entity through the geographical area. The method further selects at least one edge compute node in the network for providing the service to the mobile entity during the intended journey. The at least one edge compute node is selected based, at least in part, on a geographical proximity of the at least one edge compute node to the route. The method further deploys a respective instance of the service to each of the at least one edge compute nodes so that it is accessible by the mobile entity while undertaking the intended journey.
Type: Application
Filed: November 14, 2022
Publication date: February 13, 2025
Inventors: Claudia CRISTINA, Matthew WALLWORK, Fadi BAYAKLY, David WILKS, Simon BEDDUS
-
Patent number: 12225032
Abstract: A computer-implemented method of analysing anomalous network traffic in a telecommunications network, said telecommunications network comprising a plurality of network entities (120, 110) and a security analyser (130-3), wherein the method comprises the steps of: receiving at the security analyser a network communication from a first network entity; identifying the first network entity; by means of the security analyser: analysing the network communication and/or a performance of the first network entity thereby to identify the network communication as an anomalous communication (310); in response to identifying the network communication as an anomalous communication, communicating an instruction to the identified first network entity to respond with origin information regarding the anomalous communication, wherein the origin information identifies a preceding network entity from which the anomalous communication was directly received by the first network entity (320, 330); and commencing with the preceding n
Type: Grant
Filed: March 5, 2021
Date of Patent: February 11, 2025
Assignee: BRITISH TELECOMMUNICATIONS public limited company
Inventors: Claudia Cristina, Simon Beddus, Fadi El-Moussa
-
Publication number: 20240171654
Abstract: Method of Operating a Telecommunications Network A computer-implemented method (200) of operating a telecommunications network (100), the telecommunications network comprising a client device (110) and a server (140), wherein the server and the client device are connected via an access point (120), the method comprising the steps of: receiving a service request from the client device, said service request requesting a service from the server (310); identifying client device characteristic information associated with the client device (340); identifying service requirement information associated with the requested service (330); comparing the identified client device characteristic information with the identified service requirement information so as to determine if the client device information complies with the service requirement information (350); and in response to said comparison: permitting the server to provide the requested service in accordance with the service request if the client device informatio
Type: Application
Filed: February 22, 2022
Publication date: May 23, 2024
Inventors: Simon BEDDUS, Claudia CRISTINA, Fadi EL-MOUSSA
-
Patent number: 11657145
Abstract: A containerisation orchestrator (26) is controlled by an analysis system (20, 21, 22) which assesses an application and a device for compatibility to have a candidate application installed on the device using the orchestrator. The analysis includes an assessment of the vulnerability of the installed application to failure or malicious attack, and a risk assessment of the consequences of such an event. The candidate containerised configuration (20) for the application is also assessed for compatibilities and vulnerabilities.
Type: Grant
Filed: October 25, 2018
Date of Patent: May 23, 2023
Assignee: BRITISH TELECOMMUNICATIONS public limited company
Inventors: Claudia Cristina, Simon Beddus, Fadi El-Moussa
-
Publication number: 20230129367
Abstract: A computer-implemented method of analysing anomalous network traffic in a telecommunications network, said telecommunications network comprising a plurality of network entities (120, 110) and a security analyser (130-3), wherein the method comprises the steps of: receiving at the security analyser a network communication from a first network entity; identifying the first network entity; by means of the security analyser: analysing the network communication and/or a performance of the first network entity thereby to identify the network communication as an anomalous communication (310); in response to identifying the network communication as an anomalous communication, communicating an instruction to the identified first network entity to respond with origin information regarding the anomalous communication, wherein the origin information identifies a preceding network entity from which the anomalous communication was directly received by the first network entity (320, 330); and commencing with the preceding n
Type: Application
Filed: March 5, 2021
Publication date: April 27, 2023
Inventors: Claudia CRISTINA, Simon BEDDUS, Fadi EL-MOUSSA
-
Patent number: 11620145
Abstract: Containerised computing processes are generated by an orchestration processor interpreting user commands and user profile data to build a deployment specification specifying functions to be run by a containerised process, using a shell script run on a host virtualisation container. External events such as security threats and computing resource overloads can be used to generate the virtualised process, allowing vulnerability detection, and apply countermeasures such as deployment or migration of containers during attacks to lesser prone infrastructure, and allows the orchestration of non-container tools to provide security and resilience.
Type: Grant
Filed: May 11, 2018
Date of Patent: April 4, 2023
Assignee: BRITISH TELECOMMUNICATIONS public limited company
Inventors: Simon Beddus, Claudia Cristina, Fadi El-Moussa
-
Patent number: 11595408
Abstract: A web server operating in a container has resource and network limits applied to add an extra layer of security to the web server. If a monitor detects that the container's resource usage is approaching one or more of these limits, which may be indicative of a DDoS attack, (step 210) or identifies traffic sources exhibiting suspicious behaviour, such as frequently repeated requests from the same address, or from a related set of addresses, a restrictor function caps the resources allowed by the original Webserver container to allow it to recover from buffer overflow and protect servers running in other containers from overwhelming any shared resources. A duplicator function starts up replica containers with the same resource limits to take overflow traffic, and a load balancing function then directs incoming traffic to these overflow containers etc.
Type: Grant
Filed: May 11, 2018
Date of Patent: February 28, 2023
Assignee: BRITISH TELECOMMUNICATIONS public limited company
Inventors: Simon Beddus, Claudia Cristina, Fadi El-Moussa
-
Patent number: 11283607
Abstract: Actuators and sensors in an intelligent system are controlled by setting encryption types and key lengths to individual applications based on the type of device and application being run. A server system (1) running in a communications gateway, selects an encryption policy for one or more devices under its control. This selection is controlled by an analysis function (11) using data relating to the type of device (13), and the applications to be run on the device (14), to generate an appropriate encryption policy (12) which can be deployed to the device (37). Controlling the analysis and deployment in a gateway device allows co-ordination between devices, and reduces processor time in the devices. An agent is sent to the device alongside the encryption policy data, to control the device according to the encryption policy.
Type: Grant
Filed: April 25, 2019
Date of Patent: March 22, 2022
Assignee: BRITISH TELECOMMUNICATIONS public limited company
Inventors: Claudia Cristina, Fadi El-Moussa, Simon Beddus
-
Patent number: 11206260
Abstract: An intermediate data transmission device arranges for mutual authentication between itself and a remote terminal to allow data to be exchanged between the remote terminal and a server through the device. The server sends first and second key codes to the intermediate device, the key codes both being derived from a shared secret known to the server and remote terminal but not to the intermediate device. In response to a challenge from the intermediate device the remote terminal uses the shared secret to generate a duplicate of the first key code and transmits the duplicate to the intermediate device. The intermediate device compares the first key code and the duplicate of the first key code received respectively from the server and the remote terminal to verify the authenticity of the remote terminal.
Type: Grant
Filed: January 5, 2017
Date of Patent: December 21, 2021
Assignee: BRITISH TELECOMMUNICATIONS public limited company
Inventors: Simon Beddus, Paul Deans
-
Publication number: 20210258151
Abstract: Actuators and sensors in an intelligent system are controlled by setting encryption types and key lengths to individual applications based on the type of device and application being run. A server system 1 running in a communications gateway, selects an encryption policy for one or more devices under its control. This selection is controlled by an analysis function 11 using data relating to the type of device 13, and the applications to be run on the device 14, to generate an appropriate encryption policy 12 which can be deployed to the device (37). Controlling the analysis and deployment in a gateway device allows co-ordination between devices, and reduces processor time in the devices. An agent is sent to the device alongside the encryption policy data, to control the device according to the encryption policy.
Type: Application
Filed: April 25, 2019
Publication date: August 19, 2021
Inventors: Claudia CRISTINA, Fadi EL-MOUSSA, Simon BEDDUS
-
Publication number: 20210157927
Abstract: Network-based applications and virtualized components are deployed according to a security analysis of the infrastructure to be used and applications to be run on it. A specification of requirements (201) is analysed (211), together with potential devices (212) and network nodes (213), to determine an appropriate level of security to be applied, and a deployment specification of applications, services, security countermeasures, and networks is prepared that will satisfy the customer requirement and with known characteristics and vulnerabilities of the services. This analysis is used to generate a deployment specification (22), and finally the actual control of an orchestrator (23) to deliver the service. The deployed system can be continually monitored to ensure that the service continues to operate within requirements. Should an incident such as a network attack or failure occur the system is re-analysed against the original requirements and re-configured or repaired.
Type: Application
Filed: April 25, 2019
Publication date: May 27, 2021
Inventors: Simon BEDDUS, Claudia CRISTINA, Fadi EL-MOUSSA
-
Publication number: 20200265134
Abstract: A containerisation orchestrator (26) is controlled by an analysis system (20, 21, 22) which assesses an application and a device for compatibility to have a candidate application installed on the device using the orchestrator. The analysis includes an assessment of the vulnerability of the installed application to failure or malicious attack, and a risk assessment of the consequences of such an event. The candidate containerised configuration (20) for the application is also assessed for compatibilities and vulnerabilities.
Type: Application
Filed: October 25, 2018
Publication date: August 20, 2020
Inventors: Claudia CRISTINA, Simon BEDDUS, Fadi EL-MOUSSA
-
Publication number: 20200195665
Abstract: A web server operating in a container has resource and network limits applied to add an extra layer of security to the web server. If a monitor detects that the container's resource usage is approaching one or more of these limits, which may be indicative of a DDoS attack, (step 210) or identifies traffic sources exhibiting suspicious behaviour, such as frequently repeated requests from the same address, or from a related set of addresses, a restrictor function caps the resources allowed by the original Webserver container to allow it to recover from buffer overflow and protect servers running in other containers from overwhelming any shared resources. A duplicator function starts up replica containers with the same resource limits to take overflow traffic, and a load balancing function then directs incoming traffic to these overflow containers etc.
Type: Application
Filed: May 11, 2018
Publication date: June 18, 2020
Inventors: Simon BEDDUS, Claudia CRISTINA, Fadi EL-MOUSSA
-
Publication number: 20200183716
Abstract: Containerised computing processes are generated by an orchestration processor interpreting user commands and user profile data to build a deployment specification specifying functions to be run by a containerised process, using a shell script run on a host virtualisation container. External events such as security threats and computing resource overloads can be used to generate the virtualised process, allowing vulnerability detection, and apply countermeasures such as deployment or migration of containers during attacks to lesser prone infrastructure, and allows the orchestration of non-container tools to provide security and resilience.
Type: Application
Filed: May 11, 2018
Publication date: June 11, 2020
Inventors: Simon BEDDUS, Claudia CRISTINA, Fadi EL-MOUSSA
-
Publication number: 20190014114
Abstract: An intermediate data transmission device arranges for mutual authentication between itself and a remote terminal (4) to allow data to be exchanged between the remote terminal (4) and a server (1) through the device. The server (1) sends first and second key codes (CK, RK) to the intermediate device (step 105), the key codes both being derived from a shared secret known to the server and remote terminal but not to the intermediate device. In response to a challenge (107) from the intermediate device the remote terminal (4) uses the shared secret to generate a duplicate (CK*) of the first key code and transmits the duplicate to the intermediate device (step 109). The intermediate device compares the first key code and the duplicate of the first key code (CK, CK*) received respectively from the server (1) and the remote terminal (4) to verify the authenticity of the remote terminal (4).
Type: Application
Filed: January 5, 2017
Publication date: January 10, 2019
Inventors: Simon BEDDUS, Paul DEANS
-
Publication number: 20070143481
Abstract: A client server system (100, 200, 300) comprises a client subsystem (100), a server subsystem (200) and an interconnecting data network. The client subsystem includes a client application (110, 120, 130, 140, 150) operable to initiate a secure connection over the interconnecting network with the server subsystem (200). The server subsystem includes a server application (254, 255, 256, 257), which is operable to co-operate with the client application to complete the setting up of a secure connection with the client application upon initiation of the connection by the client application and which is further operable to transmit output data over such a connection in response to requests for service provided by the client application.
Type: Application
Filed: March 23, 2005
Publication date: June 21, 2007
Inventors: David Roxburgh, Simon Beddus, Patrick Farley, Michael Hosking
-
Publication number: 20060179150
Abstract: A client-side intermediary (30) is provided to balance the loading of Web service requests between a plurality of servers (32). The status of the Web service servers (32) is monitored by a monitoring server (35) which provides status updates to the intermediary (30) upon request. The intermediary then uses the information on the status of the servers (32) to decide where to send web service requests. Additionally, the intermediary is able to direct requests for Web service descriptions to the least busy server on the basis of status information. The intermediary (30) substitutes its own identifier for the service name and port in the Web service description before passing it to the client so that all requests are directed through it, thus allowing the continual provision of service for the client even in the event that one of the servers fails.
Type: Application
Filed: March 12, 2004
Publication date: August 10, 2006
Inventors: Patrick Farley, Martin Yates, Michael Hosking, Femi Ayoola, David Roxburgh, Simon Beddus