1. Patent Search
  2. Details

4G / 5G CORE NETWORK DEEP PACKET INSPECTION SYSTEM

20220360990 · 2022-11-10

    Inventors

    Cpc classification

    International classification

    Abstract

    The present disclosure relates to a 4G or 5G core network system (10). The system (10) comprises a plurality of network functions (15) in a 4G or 5G core network (11), wherein the network functions (15) are configured to communicate with each other using data packets. The system (10) further comprises at least one deep packet inspection (DPI) engine (13) which is configured to process the data packets and to analyze a protocol stack of said data packets in order to detect security-relevant activities in the 4G or 5G core network (11).

    Claims

    1. A 4G or 5G core network system, comprising: a plurality of network functions in a 4G or 5G core network; wherein the network functions are configured to communicate with each other using data packets; and at least one deep packet inspection (DPI) engine which is configured to process the data packets and to analyze a protocol stack of said data packets in order to detect security-relevant activities in the 4G or 5G core network.

    2. The system according to claim 1, wherein the at least one DPI engine is configured to detect, as said security-relevant activities, unwanted intrusions in the 4G or 5G core network.

    3. The system according to claim 2, wherein the system is configured to block said unwanted intrusions.

    4. The system according to claim 1, further comprising: a service communication proxy which is configured to mediate the communication between the network functions.

    5. The system according to claim 4, wherein the service communication proxy comprises one of the at least one DPI engines.

    6. The system according to claim 1, wherein the system comprises two or more of the DPI engines; wherein at least two of the plurality of network functions comprise a respective one of the two or more DPI engines.

    7. The system according to claim 6, wherein the at least two of the plurality of network functions are associated with the control plane of the 4G or 5G core network.

    8. The system according to claim 1, wherein at least one of the plurality of network functions does not comprise a DPI engine.

    9. The system according to claim 1, wherein the system further comprises a network repository function module which comprises one of the at least one DPI engines.

    10. The system according to claim 1, wherein the at least one DPI engine is configured to analyze the entire protocol stack of the data packets in order to detect the security-relevant activities.

    11. The system according to claim 1, wherein the network functions are virtual network functions in the 4G or 5G core network.

    12. A deep packet inspection method for a 4G or 5G core network, wherein the method comprises: processing data packets that are communication between a plurality of network functions of the 4G or 5G core network by means of deep packet inspection (DPI); and, thereby, analyzing a protocol stack of said data packets in order to detect security-relevant activities in the 4G or 5G core network.

    13. The method according to claim 12, further comprising: detecting, as said security-relevant activities, unwanted intrusions in the 4G or 5G core network.

    14. The method according to claim 13, further comprising: blocking said unwanted intrusions.

    15. Use of the method according to claim 12 for intrusion detection in a 4G or 5G core network.

    Description

    BRIEF DESCRIPTION OF THE DRAWINGS

    [0047] The above described aspects and implementation forms of the present disclosure will be explained in the following description of specific embodiments in relation to the enclosed drawings, in which:

    [0048] FIG. 1 shows a schematic diagram of a 4G or 5G core network system according to an embodiment;

    [0049] FIG. 2 shows a schematic diagram of a 4G or 5G core network system according to an embodiment;

    [0050] FIG. 3 shows a schematic diagram of a 4G or 5G core network system according to an embodiment; and

    [0051] FIG. 4 shows a flow diagram of a deep packet inspection method for a 4G or 5G core network according to an embodiment.

    DETAILED DESCRIPTIONS OF EMBODIMENTS

    [0052] FIG. 1 shows a schematic diagram of a 4G or 5G core network system 10 according to an embodiment.

    [0053] The system 10 comprises a service communication proxy 12 and a plurality of network functions 15 in the 4G or 5G core network 11. The network functions 15 are configured to communicate with each other using data packets. The system 10 further comprises at least one deep packet inspection (DPI) engine 13 which is configured to process said data packets and to analyze a protocol stack of the data packets in order to detect security-relevant activities in the 4G or 5G core network 11.

    [0054] The DPI engine 13 can be implemented as a DPI module or DPI unit. In particular, the DPI engine 13 is a virtual module or unit, i.e. the DPI engine 13 is implemented via software in the core network 11.

    [0055] In particular, the DPI engine 13 can be configured to analyze the entire protocol stack of the data packets with regard to the security-relevant aspects of the core network 11. Alternatively, the DPI engine 13 may be configured to analyze several layers of the layer stack, e.g. layers 3 to 7 if the protocol stack is configured according to the OSI model. The DPI engine 13 can be configured to correlate information at the analyzed layers and to detect the security-relevant activities. In addition, the DPI engine 13 can be configured to detect applications and their related attributes/parameters based on the correlated information.

    [0056] The system 10 can be implemented in the core network 11 via hardware and/or software.

    [0057] The network functions 15 can be network function entities or modules. The system 10 can comprise these network function entities or modules. In particular, the network functions 15 may be virtual network functions in the core network 11. For example, one, more or all of the network functions 15 can be formed as virtual entities by executing dedicated software. Alternatively, the network functions 15 might also be implemented via hardware or a combination of hardware and software. Although only three network functions 15 are depicted in FIG. 1, the system 10 may comprise any number of network functions 15.

    [0058] The system 10 may also be implemented in a core network according to a higher generation technology standard, e.g. a 6G core network.

    [0059] FIG. 2 shows a schematic diagram of the 4G or 5G core network system 10 according to an embodiment.

    [0060] In the embodiment shown in FIG. 2, the system 10 comprises a service communication proxy 12, wherein this service communication proxy 12 is configured to mediate the communication between the network functions 15a-h. The service communication proxy 10 in FIG. 2 comprises one of the DPI engines 13.

    [0061] In particular, the core network 11 in FIG. 2 is a 5G core network.

    [0062] The service communication proxy 12 can be configured to detect via its DPI engine 13 unwanted intrusions in the 5G core network 11. In this way, the security of the 5G network can be enhanced. By implementing the DPI engine 13 in the service communication proxy 12 any communication that is handled by the service communication proxy 12 can be immediately analyzed by the DPI engine 13 and unwanted intrusions or other security-relevant activities in the network can be quickly and efficiently detected. Thus, the service communication proxy 12 provides a centralized security instance of the 5G core network that may analyze any communication in the network 11 with regard to security-relevant activities.

    [0063] Upon detection of an unwanted intrusion, the service communication proxy 12 can be configured to block said unwanted intrusions.

    [0064] Alternatively or additionally, the service communication proxy 12 may be configured to trigger further actions upon detection of an unwanted intrusion. For example, the service communication proxy 12 may issue a notification on the detection of the unwanted intrusion or its successful blocking to another entity in the network, and/or the service communication proxy 12 may trigger another entity in the 5G core network 11, e.g. a network function 15, to block the unwanted intrusion.

    [0065] The DPI engine 13 can be configured to perform protocol analysis in all service communication proxy 12 network functions that receive NF communication, in particular NF/NF communication.

    [0066] The service communication proxy 12 can provide several further functions to the core network 11, such as routing control, security, resiliency, and observability. For example, the service communication proxy 12 may analyze the data packets to carry out further tasks, such as providing flow prioritization or application awareness. The service communication proxy 12 can, thereby, interact with a NF Repository Function (NRF) module of the core network 11.

    [0067] At least one of the plurality of network functions 15 may comprise a further one of the DPI engines 13. For example, the further DPI engine can be “lite” DPI engine, i.e. DPI engine with a limited functionality compared to the DPI engine 13 of the service communication proxy 12. The further DPI engine can be virtual module or unit, i.e. implemented via software.

    [0068] For example, the further DPI engines that are implemented in at least one of the network functions 15 may also be configured to process and analyze data packets that are exchanged between network functions to detect security-relevant activities in the core network. In particular, there may exist some level of cooperation between the DPI engine in the service communication proxy and the DPI engine(s) in the at least one network function.

    [0069] In particular, at least one of the plurality of network functions 15 may not comprise a further DPI engine or may not comprise a full DPI engine, such as the DPI engine in the service communication proxy 12.

    [0070] The system 10 shown in FIG. 2 further comprises an NF repository function (NRF) module 21. For example, the NRF module can store profiles of all NF/NF (network function to network function) service instances.

    [0071] The NRF module 21 may comprise a further DPI engine, in particular in case of managed communication. For example, the NRF module 21 with the further DPI engine may provide network service discovery.

    [0072] The system 10 shown in FIG. 2 comprises a plurality of network functions 15a-h, such as: a 5G session management function 15a, a 5G equipment identity register function 15b, an access and mobility management function 15b, which is connected to a 4G or 5G RAN 23, an authentication server function 15d, a policy control function 15e, a unified data management function 15f, a short message service function 15g, and further network functions 15h. However, the set of network functions 15a-h shown in FIG. 2 are only an example and the system 10 may comprise any combination of these network functions 15a-h and/or further network functions.

    [0073] FIG. 3 shows a schematic diagram of the 4G or 5G core network system according to another embodiment. In the embodiment shown in FIG. 3, at least two of the network functions comprise a respective DPI engine 13.

    [0074] The network functions that comprise the DPI engine 13 are, preferably, associated with a control plane of the core network 11, i.e. they are network functions in the control plane of the core network 11. In particular, these DPI engines 13 are control plane DPI engines, i.e. DPI engines 13 operating on the control plane of the core network 11.

    [0075] In particular, all of the network functions 15a-h may comprise a respective DPI engine 13 that is analyzing the protocol stack for security-relevant activities.

    [0076] By implementing the DPI engines in core network functions, a core network 11 with decentralized security via deep packet inspection can be provided. The network functions which comprise the DPI engines 13 can be configured to process and/or control data in the core network 11. Thus, these network functions can be configured, upon detection of unwanted intrusions in the core network 11, to block said intrusions.

    [0077] The network functions 15a-h may be static provisioned network functions or discovered network functions. Preferably, the network functions 15a-h are virtual network functions. As in FIG. 2, the set of network functions 15a-h shown in FIG. 3 are only an example and the system 10 may comprise any combination of these network functions 15a-h and/or further network functions.

    [0078] The core network 11 shown in FIG. 3 may be a 4G core network or a 5G core network.

    [0079] FIG. 4 shows a flow diagram of a deep packet inspection method 40 for the 4G or 5G core network 11 according to an embodiment.

    [0080] The method 40 comprises the steps of: [0081] processing 41 data packets that are communication between the plurality of network functions 15 in the 4G or 5G core network 11 by means of deep packet inspection (DPI); and, thereby, [0082] analyzing 42 the protocol stack of said data packets in order to detect 43 security-relevant activities in the 4G or 5G core network.

    [0083] In particular, unwanted intrusions in the core network 11 can be detected as security-relevant activities by the method 40.

    [0084] The method 40 may further comprise the step of blocking said unwanted intrusions.

    [0085] The method 40 can be used for threat detection and, particularly, for intrusion detection in the core network 11.

    [0086] All features of all embodiments described, shown and/or claimed herein can be combined with each other.