Patent classifications
H04W12/121
NETWORK SLICE-BASED SECURITY IN MOBILE NETWORKS
Techniques for providing network slice-based security in mobile networks (e.g., service provider networks for mobile subscribers) are disclosed. In some embodiments, a system/process/computer program product for network slice-based security in mobile networks includes monitoring network traffic on a service provider network at a security platform to identify a new session, wherein the service provider network includes a 5G network or a converged 5G network; extracting network slice information for user traffic associated with the new session at the security platform; and determining a security policy to apply at the security platform to the new session based on the network slice information.
NETWORK ATTACK HANDLING METHOD AND APPARATUS, DEVICE, COMPUTER-READABLE STORAGE MEDIUM, AND COMPUTER PROGRAM PRODUCT
A network attack handling method includes identifying, in a mobile network, a network attack from an electronic device, and, in response to identifying the network attack, limiting, by a session management function (SMF) of the mobile network, use, by the electronic device, of a protocol data unit (PDU) session carrying a message for triggering a core network element to participate in the network attack.
Method and Apparatus for Secure Communication and Routing
An apparatus is provided, comprising: a volatile memory; a non-volatile memory; a first electronic circuit that is configured to operate as a wireless access point, the first electronic circuit including a wireless controller for accessing a wireless network; and a second electronic circuit that is operatively coupled to the first electronic circuit, the second electronic circuit including at least one processor configured to execute: (i) a first virtual machine that includes a wireless network authentication server, and (ii) a second virtual machine that includes a virtual private network (VPN) server, wherein the wireless network authentication server is configured to authenticate devices that attempt to join the wireless network; wherein the VPN server is arranged to encrypt data that is received at the apparatus to produce encrypted data, and forward the encrypted data to the wireless controller for transmission over the wireless network.
VEHICLE AND METHOD OF CONTROLLING THE SAME
A vehicle according to an exemplary embodiment of the disclosure is capable of detecting and responding to vehicle hacking. The vehicle may comprise a communication device configured to perform internal communication of the vehicle or communication between the vehicle and an external server; a plurality of Electronic Control Units (ECUs); a memory configured to store a criterion for determining whether hacking has occurred in the vehicle; and a processor that collects data from the plurality of ECUs and analyzes the data to determine whether the data is unidentified data or whether hacking has occurred in the vehicle. The communication device may transmit the data to the external server in response to determining that the data is unidentified data.
Intelligent-interaction honeypot for IoT devices
Techniques for providing an intelligent-interaction honeypot for IoT devices are disclosed. In some embodiments, a system/process/computer program product for providing an intelligent-interaction honeypot for IoT devices includes receiving a request from an attacker sent to an IP address that is associated with a honeypot instance for Internet of Things (IoT) devices; determining a response to the request using a data store that stores a plurality of responses and associated IoT device information, wherein the plurality of responses and associated IoT device information is generated based on automated machine learning of active probing of physical IoT devices on the Internet; and sending the response from the honeypot instance for IoT devices to the attacker, wherein the attacker is unable to detect that the response is associated with an emulated IoT device.
UNAUTHORIZED COMMUNICATION DETECTION METHOD, UNAUTHORIZED COMMUNICATION DETECTION DEVICE, AND RECORDING MEDIUM
An unauthorized communication detection method detects an unauthorized communication message on an in-facility network over which at least two devices including a first device and a second device are communicably connected, and includes: receiving, from the first device, a communication message transmitted from the first device to the second device; obtaining, when the communication message is received from the first device, first information indicating a state of at least one of (a) a person in a facility and (b) the at least two devices, and determining whether to execute processing pertaining to a device control command that controls the second device when the communication message received from the first device is a communication message including the device control command, the determining being performed based on the first information; and executing the processing pertaining to the device control command when the determining determines to execute the processing.