Gene expression programming-based behavior monitoring is disclosed. A machine receives, as input, a plurality of data examples. A method can include receiving data indicating behaviors of the device, determining, using a gene expression programming (GEP) method, a data model that explains the data, and comparing further data indicating further behavior of the device to the data model to determine whether the further behavior is explained by the data model.

Provided are methods for sensor attack simulation systems, which can include a processor performing operations comprising receiving a dataset representative of data received from a plurality of sensors at an autonomous vehicle sensor system that measure environmental conditions related to an environment of an autonomous vehicle. The system operations also perform a simulated attack on the dataset. The simulated attack includes at least one of modifying the dataset to imitate a cyberattack and modifying the dataset to imitate a cyber-physical attack in which the cyber-physical attack misrepresents the environmental condition related to the environment of the autonomous vehicle to be measured by the plurality of sensors. The system operations also provide a second dataset based on the simulated attack on the dataset for testing planned movements of the autonomous vehicle.

New methods are proposed to detect misbehaving UEs based on 5GS. The methods allow the network to react accurately and efficiently to deal with misbehaving UE(s).

New methods are proposed to detect misbehaving UEs based on 5GS. The methods allow the network to react accurately and efficiently to deal with misbehaving UE(s).

A communication network (10) provides communicative coupling between potentially large populations of Internet-of-Things (IoT) devices (12) and/or other types of communication devices (12) and one or more Application Servers (ASs) (14) that are affiliated with respective ones of the communication devices (12). One or more network functions (30, 58) in the communication network (10) are operative to determine that any given one of the communication devices (12) is compromised, or that multiple such devices (12) are compromised, and provide for management of such devices (12) within the network (10) as “compromised” devices (12). Aspects of compromised-device management include forcing re-registration of such devices (12), for quarantining them in one or more quarantine network slices (54), and recovering quarantined devices (12) after remediation of the compromise. Recovery operations include forcing re-registration of devices (12) being recovered, for migration back to their normal or regular network slice(s) (50).

Methods, systems, and apparatus, including computer programs encoded on a computer storage medium, for implementing a spoofed telephone call identifier are disclosed. In one aspect, a method includes the actions of receiving, by a first computing device, data indicating a placement of a telephone call from a second computing device to a third computing device, wherein the data includes a phone number of the second computing device. The actions further include determining characteristics of the phone number of the second computing device. The actions further include, based on the characteristics of the phone number of the second computing device, determining a likelihood that the phone number of the second computing device is spoofed. The actions further include, based on the likelihood that the phone number of the second computing device is spoofed, determining whether to transmit a notification of the telephone call to the third computing device.

Methods, systems, and apparatus, including computer programs encoded on a computer storage medium, for implementing a spoofed telephone call identifier are disclosed. In one aspect, a method includes the actions of receiving, by a first computing device, data indicating a placement of a telephone call from a second computing device to a third computing device, wherein the data includes a phone number of the second computing device. The actions further include determining characteristics of the phone number of the second computing device. The actions further include, based on the characteristics of the phone number of the second computing device, determining a likelihood that the phone number of the second computing device is spoofed. The actions further include, based on the likelihood that the phone number of the second computing device is spoofed, determining whether to transmit a notification of the telephone call to the third computing device.

A method for conducting a velocity check for outbound subscribers roaming to neighboring countries includes receiving, by a network gateway associated with a home country from an MSC associated with a neighboring country, an ingress signaling message related to a mobile device roaming in the neighboring country, sending, to an HLR in the home country, an interrogation request message containing a mobile subscriber identifier, and receiving an interrogation response message containing age of location information and cell identifier information corresponding to the mobile subscriber identifier. The method further includes utilizing the cell identifier information and a country code identifier included in the ingress signaling message to determine two latitude-longitude positions, determining an estimated transit time of the mobile device using the two latitude-longitude reference positions, and comparing age of location information with the estimated transit time to determine if the ingress signaling message is to be forwarded to the HLR.

A method for misbehaviour warnings in an intelligent transportation system (ITS) including determining at a network server that an ITS station is misbehaving. In response to determining that the ITS station is misbehaving, the network server transmits a misbehaviour warning message to the ITS station indicating that the ITS station is misbehaving. In response to transmitting the misbehaviour warning message and determining that the ITS station is continuing to misbehave, the network server includes information of the ITS station in a certificate revocation list (CRL) and transmits the CRL.

According to one or more embodiments, a system can comprise a processor and a memory that can store executable instructions that, when executed by the processor, facilitate performance of operations. The operations can include establishing a wireless connection to a wireless network. The operations can further include receiving, via the wireless connection, data from a gateway device, that has been communicated via a network device of a publicly accessible network, wherein the data has been compared, by the gateway device, to a template of anomalous activity.