Abstract: METHOD AND SYSTEM FOR MODERATING INCOMING REQUESTS. The present disclosure relates to a system (125) and a method (500) for moderating incoming requests. The system (125) includes a transceiver (220) to receive a request from a foreign SEPP (104). The system (125) includes a determination module (225) to determine whether a set of predefined parameters of the foreign SEPP (104) which raised the request is within a preset threshold. The system (125) further includes a retrieving module (230) to retrieve a set of features from the request in response to the set of predefined parameters being within the preset threshold. The system (125) further includes a checking module (235) to ascertain whether the retrieved operation type is defined in a blacklist policy of a home SEPP (110). The system (125) further includes a processing module (240) to process the request received from the foreign SEPP (104) in response to the absence of the retrieved operation type in the blacklist policy. Ref. Fig. 2
DESC:
FORM 2
THE PATENTS ACT, 1970
(39 of 1970)
&
THE PATENTS RULES, 2003
COMPLETE SPECIFICATION
(See section 10 and rule 13)
1. TITLE OF THE INVENTION
METHOD AND SYSTEM FOR MODERATING INCOMING REQUESTS
2. APPLICANT(S)
NAME NATIONALITY ADDRESS
JIO PLATFORMS LIMITED INDIAN OFFICE-101, SAFFRON, NR. CENTRE POINT, PANCHWATI 5 RASTA, AMBAWADI, AHMEDABAD 380006, GUJARAT, INDIA
3. PREAMBLE TO THE DESCRIPTION
THE FOLLOWING SPECIFICATION PARTICULARLY DESCRIBES THE NATURE OF THIS INVENTION AND THE MANNER IN WHICH IT IS TO BE PERFORMED.
FIELD OF THE INVENTION
[0001] The present invention generally relates to network security, and more particularly relates to a method and system for moderating incoming requests.
BACKGROUND OF THE INVENTION
[0002] The Security Edge Protection Proxy (SEPP) sits at the edge of a mobile operator's core network and plays a significant role in maintaining the security and integrity of Application Programming Interface (API) access between networks. The SEPP acts as a security gateway between clients and APIs, implementing security controls that protect the API infrastructure; to this end it may enforce authentication and authorization, rate limiting, input validation and similar measures. By deploying a SEPP, an operator can ensure that API access is secured, that only authorized peers interact with its APIs, and that potential security threats or attacks are detected and mitigated effectively.
[0003] In applications or systems where blacklisting mechanisms are not implemented, the absence of effective spam request handling poses a significant problem. Without the ability to selectively block or filter incoming requests, the system is forced to process every request it receives, leaving it vulnerable to a high volume of spam requests from attackers. Left unchecked, this influx can overwhelm the system and potentially lead to a crash, compromising its stability and availability.
[0004] One common approach to mitigate the impact of spam requests is by implementing rate limiting techniques. Rate limiting serves as a protective measure by imposing restrictions on network traffic, preventing users from exhausting system resources. By limiting the rate at which requests are accepted and processed, rate limiting makes it more challenging for malicious actors to overload the system and launch attacks such as Denial of Service (DoS), where the goal is to saturate network capacity, storage, and memory.
[0005] However, even with rate limiting in place, the system may still receive spam requests whose parameters differ slightly from one request to the next. A limiter keyed on a single attribute treats such requests as unrelated, so they can bypass simple rate limiting and continue to disrupt the system.
[0006] Thus, there is a need for a solution which solves the above problems.
SUMMARY OF THE INVENTION
[0007] One or more embodiments of the present disclosure provide a system and a method for moderating incoming requests.
[0008] In one aspect of the present invention, a system for moderating incoming requests is disclosed. The system includes a transceiver configured to receive a request from a foreign Security Edge Protection Proxy (SEPP). Further, the system includes a determination module configured to determine if a set of predefined parameters of the foreign SEPP which raised the request is within a preset threshold. The set of predefined parameters is at least one of a utilization or rate limit of the foreign SEPP. The system further includes a retrieving module configured to retrieve a set of features from the request in response to the set of predefined parameters being within the preset threshold. The set of features includes a Uniform Resource Identifier (URI) and an operation type. The system further includes a checking module configured to ascertain if the retrieved operation type is defined in a blacklist policy of a home SEPP based on retrieving the set of features from the request. Further, the system includes a processing module configured to process the request received from the foreign SEPP in response to the absence of the retrieved operation type in the blacklist policy of the home SEPP.
[0009] In one embodiment, the set of predefined parameters are configured based on predictive analysis utilizing machine learning techniques.
[0010] In another embodiment, the transceiver is further configured to transmit an error response to the foreign SEPP if the set of predefined parameters are not within the preset threshold.
[0011] In yet another embodiment, the URI corresponds to one of an endpoint and resource being targeted by the request.
[0012] In yet another embodiment, the operation type pertains to a type of operation to be performed on one of an end point and a resource, and wherein the operation type to be performed is one of a GET, POST, PUT, and DELETE.
[0013] In yet another embodiment, the transceiver is further configured to transmit the error response to the foreign SEPP if the retrieved operation type is included in the blacklist policy of the home SEPP.
[0014] In yet another embodiment, the transceiver is configured to transmit the request to a North Bound Interface (NBI) for further processing in order to process the request received from the foreign SEPP.
[0015] In yet another embodiment, the system further includes a segregation module configured to segregate each received request based on a network function type, a Hyper Text Transfer Protocol (HTTP) method, an Application Programming Interface (API), a Public Land Mobile Network (PLMN) identifier, and Internet Protocol (IP) endpoints.
[0016] In yet another embodiment, the system further comprises a moderation module configured to moderate each received request based on the set of predefined parameters.
[0017] In yet another embodiment, the blacklist policy pertains to preconfigured information corresponding to a segregation criterion, the Application Programming Interfaces (APIs) for which moderation of requests is enabled or disabled, the set of predefined parameters and the preset thresholds applied when moderation of requests is enabled, and the actions to be invoked on breach of the preset thresholds.
[0018] In another aspect of the present invention, a method for moderating incoming requests is disclosed. The method includes the steps of receiving by one or more processors a request from a foreign Security Edge Protection Proxy (SEPP). The method further includes determining by the one or more processors if a set of predefined parameters of the foreign SEPP which raised the request is within a preset threshold. The set of predefined parameters is at least one of a utilization or rate limit of the foreign SEPP. The method further includes retrieving by the one or more processors a set of features from the request in response to the set of predefined parameters being within the preset threshold. The set of features includes a Uniform Resource Identifier (URI) and an operation type. The method further includes ascertaining by the one or more processors if the retrieved operation type is defined in a blacklist policy of a home SEPP based on retrieving the set of features from the request. The method further includes processing by the one or more processors the request received from the foreign SEPP in response to the absence of the retrieved operation type in the blacklist policy of the home SEPP.
[0019] In another aspect of the present invention, a non-transitory computer-readable medium having stored thereon computer-readable instructions is disclosed. When executed by a processor, the instructions configure the processor to receive a request from a foreign Security Edge Protection Proxy (SEPP); to determine if a set of predefined parameters of the foreign SEPP which raised the request is within a preset threshold, the set of predefined parameters being at least one of a utilization or rate limit of the foreign SEPP; to retrieve a set of features from the request in response to the set of predefined parameters being within the preset threshold, the set of features including a Uniform Resource Identifier (URI) and an operation type; to ascertain if the retrieved operation type is defined in a blacklist policy of a home SEPP based on retrieving the set of features from the request; and to process the request received from the foreign SEPP in response to the absence of the retrieved operation type in the blacklist policy of the home SEPP.
[0020] Other features and aspects of this invention will be apparent from the following description and the accompanying drawings. The features and advantages described in this summary and in the following detailed description are not all-inclusive, and particularly, many additional features and advantages will be apparent to one of ordinary skill in the relevant art, in view of the drawings, specification, and claims hereof. Moreover, it should be noted that the language used in the specification has been principally selected for readability and instructional purposes and may not have been selected to delineate or circumscribe the inventive subject matter, resort to the claims being necessary to determine such inventive subject matter.
BRIEF DESCRIPTION OF THE DRAWINGS
[0021] The accompanying drawings, which are incorporated herein, and constitute a part of this disclosure, illustrate exemplary embodiments of the disclosed methods and systems in which like reference numerals refer to the same parts throughout the different drawings. Components in the drawings are not necessarily to scale, emphasis instead being placed upon clearly illustrating the principles of the present disclosure. Some drawings may indicate the components using block diagrams and may not represent the internal circuitry of each component. It will be appreciated by those skilled in the art that disclosure of such drawings includes disclosure of electrical components, electronic components or circuitry commonly used to implement such components.
[0022] FIG. 1 is an exemplary block diagram of an environment for moderating incoming requests, according to one or more embodiments of the present disclosure;
[0023] FIG. 2 is a block diagram of a system for moderating the incoming requests, according to the one or more embodiments of the present disclosure;
[0024] FIG. 3 is a schematic representation of the workflow of the system of FIG. 1, according to the one or more embodiments of the present disclosure;
[0025] FIG. 4a shows an exemplary embodiment illustrating a first UE configured to receive the incoming requests from a foreign Security Edge Protection Proxy (SEPP), for blacklisting an Application Programming Interface (API), according to the one or more embodiments of the present disclosure;
[0026] FIG. 4b shows another exemplary embodiment illustrating the foreign SEPP configured to transmit the incoming requests to a home SEPP, for blacklisting the API, according to the one or more embodiments of the present disclosure; and
[0027] FIG. 5 illustrates a flow diagram of a method for moderating the incoming requests, according to the one or more embodiments of the present disclosure.
[0028] The foregoing shall be more apparent from the following detailed description of the invention.
DETAILED DESCRIPTION OF THE INVENTION
[0029] Some embodiments of the present disclosure, illustrating all its features, will now be discussed in detail. It must also be noted that as used herein and in the appended claims, the singular forms "a", "an" and "the" include plural references unless the context clearly dictates otherwise.
[0030] Various modifications to the embodiment will be readily apparent to those skilled in the art and the generic principles herein may be applied to other embodiments. However, one of ordinary skill in the art will readily recognize that the present disclosure including the definitions listed here below are not intended to be limited to the embodiments illustrated but is to be accorded the widest scope consistent with the principles and features described herein.
[0031] A person of ordinary skill in the art will readily ascertain that the illustrated steps detailed in the figures and here below are set out to explain the exemplary embodiments shown, and it should be anticipated that ongoing technological development will change the manner in which particular functions are performed. These examples are presented herein for purposes of illustration, and not limitation. Further, the boundaries of the functional building blocks have been arbitrarily defined herein for the convenience of the description. Alternative boundaries can be defined so long as the specified functions and relationships thereof are appropriately performed. Alternatives (including equivalents, extensions, variations, deviations, etc., of those described herein) will be apparent to persons skilled in the relevant art(s) based on the teachings contained herein. Such alternatives fall within the scope and spirit of the disclosed embodiments.
[0032] Glossary
- SEPP- Security Edge Protection Proxy
- API - Application Programming Interface
- NBI- North Bound Interface
- DoS- Denial of Service
- HTTP- Hypertext Transfer Protocol
- PLMN- Public Land Mobile Network
- IP endpoints- Internet Protocol endpoints
- URI- Uniform Resource Identifier
- NF- Network Function
[0033] As per various embodiments depicted, the present invention discloses the system and method for moderating incoming requests by the blacklist policy defined in the SEPP.
[0034] Referring to FIG. 1, FIG. 1 is an exemplary block diagram of an environment 100 for moderating the incoming requests, according to one or more embodiments of the present disclosure. The environment 100 may comprise a plurality of User Equipments (UEs). The plurality of UEs may be represented as a first UE 102 and a second UE 108 for ease of disclosure. Further, the plurality of UEs is communicably connected to a plurality of servers. The plurality of servers may be configured to host a Security Edge Protection Proxy (SEPP) and may be referred to as SEPP servers. The plurality of servers may include, but is not limited to, a foreign SEPP 104 and a home SEPP 110.
[0035] The foreign SEPP 104 and the home SEPP 110 may include, by way of example but not limitation, one or more of a standalone server, a server blade, a server rack, a bank of servers, a server farm, hardware supporting a part of a cloud service or system, a home server, hardware running a virtualized server, one or more processors executing code to function as a server, one or more machines performing server-side functionality as described herein, at least a portion of any of the above, or some combination thereof. In an embodiment, the entity operating such a server may include, but is not limited to, a vendor, a network operator, a company, an organization, a university, a lab facility, a business enterprise, a defence facility, or any other facility that provides content.
[0036] In one embodiment, the foreign SEPP 104 may be further communicably connected to the first UE 102 via a communication network 106. In another embodiment, the home SEPP 110 may be further communicably connected to the second UE 108 via the communication network 114. Furthermore, the foreign SEPP 104 and the home SEPP 110 may include one or more network functions, such as a first network function (NF) 112a and a second NF 112b, respectively, as illustrated in the figure. As used herein, the Network Function (NF) is a functional building block within a network infrastructure, which has well-defined external interfaces and a well-defined functional behavior.
[0037] In an embodiment, the home SEPP 110 may include a blacklist policy. The blacklist policy may be understood as a file which includes a list of blacklisted Application programming interfaces (APIs). In an example, the blacklist policy may support both, concrete as well as wildcard APIs.
[0038] In a further embodiment, the home SEPP 110 may also include or may have access to information about various foreign SEPPs 104, their corresponding predicted utilization and rate limits, and related threshold. In an example, the predicted utilization and the rate limits may be configurable, for example by an admin or by an automated system based on predictive analysis using machine learning techniques.
[0039] The network 106, and/or network 114, may use one or more wireless interfaces/protocols such as, for example, 802.11 (Wi-Fi), 802.15 (including Bluetooth™), 802.16 (Wi-Max), 802.22, Cellular standards such as CDMA, CDMA2000, WCDMA, Radio Frequency (e.g., RFID), Infrared, laser, Near Field Magnetics, etc. Further, the network 106, and/or network 114 may also include, by way of example but not limitation, at least a portion of one or more networks having one or more nodes that transmit, receive, forward, generate, buffer, store, route, switch, process, or a combination thereof, etc. one or more messages, packets, signals, waves, voltage or current levels, some combination thereof, or so forth. The network may also include, by way of example but not limitation, one or more of a wireless network, a wired network, an internet, an intranet, a public network, a private network, a packet switched network, a circuit-switched network, an ad hoc network, an infrastructure network, a Public-Switched Telephone Network (PSTN), a cable network, a cellular network, a satellite network, a fiber optic network, a VOIP or some combination thereof.
[0040] The environment 100 further includes the system 125 communicably coupled to the plurality of servers 104 and 110 and the plurality of UEs 102 and 108 via the network 106 and 114. The system 125 is configured for moderating incoming requests.
[0041] Operational and construction features of the system 125 will be explained in detail with respect to the following figures.
[0042] Referring to FIG. 2, FIG. 2 illustrates a block diagram of the system 125 for moderating incoming requests, according to one or more embodiments of the present disclosure.
[0043] The system 125 is adapted to be embedded within the foreign SEPP 104 and the home SEPP 110, or is deployed as an individual entity. For the purpose of description, the system 125 is described as an integral part of the foreign SEPP 104 and the home SEPP 110, without deviating from the scope of the present disclosure.
[0044] In an embodiment, the system 125 includes one or more processors 205, a memory 210, and an input/output (I/O) interface unit 215. The one or more processors 205, hereinafter referred to as the processor 205, may be implemented as one or more microprocessors, microcomputers, microcontrollers, digital signal processors, central processing units, state machines, logic circuitries, single board computers, and/or any devices that manipulate signals based on operational instructions. As per the illustrated embodiment, the system 125 includes one or more processors 205; the system 125 may include multiple processors as per the requirement without deviating from the scope of the present disclosure. Among other capabilities, the one or more processors 205 are configured to fetch and execute computer-readable instructions stored in the memory 210.
[0045] The memory 210 may be configured to store one or more computer-readable instructions or routines in a non-transitory computer-readable storage medium, which may be fetched and executed to create or share data packets over a network service. The memory 210 may include any non-transitory storage device including, for example, volatile memory such as RAM, or non-volatile memory such as EPROM, flash memory, and the like.
[0046] In an embodiment, the input/output (I/O) interface unit 215 includes a variety of interfaces, for example, interfaces for data input and output devices, referred to as Input/Output (I/O) devices, storage devices, and the like. The I/O interface unit 215 facilitates communication of the system 125. In one embodiment, the I/O interface unit 215 provides a communication pathway for one or more components of the system 125. Examples of such components include, but are not limited to, the plurality of UEs 102, 108 and a database 260.
[0047] The database 260 is, but is not limited to, one of a centralized database, a cloud-based database, a commercial database, an open-source database, a distributed database, an end-user database, a graphical database, a Not-only Structured Query Language (NoSQL) database, an object-oriented database, a personal database, an in-memory database, a document-based database, a time series database, a wide column database, a key value database, a search database, a cache database, and so forth. The foregoing examples of database 260 types are non-limiting and may not be mutually exclusive, e.g., a database can be both commercial and cloud-based, or both relational and open-source, etc.
[0048] Further, the one or more processors 205, in an embodiment, may be implemented as a combination of hardware and programming (for example, programmable instructions) to implement one or more functionalities of the one or more processors 205. In the examples described herein, such combinations of hardware and programming may be implemented in several different ways. For example, the programming for the one or more processors 205 may be processor-executable instructions stored on a non-transitory machine-readable storage medium and the hardware for one or more processors 205 may comprise a processing resource (for example, one or more processors), to execute such instructions. In the present examples, the memory 210 may store instructions that, when executed by the processing resource, implement the one or more processors 205. In such examples, the system 125 may comprise the memory 210 storing the instructions and the processing resource to execute the instructions, or the memory 210 may be separate but accessible to the system 125 and the processing resource. In other examples, the one or more processors 205 may be implemented by electronic circuitry.
[0049] In order for the system 125 to moderate incoming requests, the processor 205 includes a transceiver 220, a determination module 225, a retrieving module 230, a checking module 235, a processing module 240, a segregation module 245, and a moderation module 250 communicably coupled to each other.
[0050] The transceiver 220 of the processor 205 is configured to receive a request from a foreign Security Edge Protection Proxy (SEPP) 104. The SEPP is a proxy deployed at the edge or perimeter of a Public Land Mobile Network (PLMN) that secures inter-PLMN signalling messages: it authenticates the peer SEPP and provides confidentiality and integrity protection for messages exchanged between two different mobile service providers (inter-PLMN). When the request is received from the foreign SEPP 104, the determination module 225 determines if a set of predefined parameters of the foreign SEPP 104 which raised the request is within a preset threshold. In one embodiment, the set of predefined parameters is at least one of a predicted utilization or rate limit of the foreign SEPP 104.
[0051] The determination module 225 of the processor 205 is configured to determine if the set of predefined parameters of the foreign SEPP 104 which raised the request is within the preset threshold. In one embodiment, the transceiver 220 transmits an error response to the foreign SEPP 104 if the predicted utilization or rate limit is not within the preset threshold. In one embodiment, the preset threshold is configured per segregation criterion as a number of requests, a percentage of the pending request queue limit, or a rate limit in requests per second. In one embodiment, the predicted utilization is calculated from the number of requests received from the foreign SEPP 104 and segregated over Network Function (NF) type, Hypertext Transfer Protocol (HTTP) method, Application Programming Interface (API), Public Land Mobile Network Identifier (PLMN ID) and Internet Protocol (IP) endpoints, and the rate limit is the maximum number of requests per second over a window for each segregated case. If the predicted utilization exceeds the configured rate limit or threshold, the configured action is invoked, which ranges from partial denial of requests to complete blocking of the foreign SEPP 104.
[0052] As per the above illustrated embodiment, the set of predefined parameters is configured based on predictive analysis utilizing machine learning techniques. In another embodiment, a current value of the set of predefined parameters is predicted by an Artificial Intelligence (AI) module. The AI module incorporates dynamic resource management capabilities and predicts threshold values from learned traffic patterns and historical security breach events, thereby allowing Service Communication Proxies (SCPs) to be protected from anomalies at any given time. Furthermore, the AI module may provide dynamic overload conditions and threshold values to ensure that the system 125 remains effective in handling evolving network environments, traffic patterns, and security challenges. The retrieving module 230 retrieves a set of features from the request when the set of predefined parameters is within the preset threshold.
[0053] The retrieving module 230 of the processor 205 is configured to retrieve a set of features from the request in response to the set of predefined parameters being within the preset threshold. In one embodiment, the set of features includes a Uniform Resource Identifier (URI) and an operation type. The Uniform Resource Identifier (URI) is a unique sequence of characters that identifies a logical or physical resource used by web technologies. URIs may be used to identify anything, including real-world objects such as people and places, concepts, or information resources such as web pages and books. In one embodiment, the URI corresponds to one of an endpoint and the resource being targeted by the request. In one embodiment, the operation type pertains to the type of operation to be performed on one of the endpoint and the resource. In another embodiment, the operation type to be performed is one of GET, POST, PUT, and DELETE.
[0054] Furthermore, the retrieving module 230 enables granular control over data operations by including methods such as GET, POST, PUT, and DELETE in the blacklisting policy, which allows administrators to selectively block or allow specific CRUD (Create, Read, Update, and Delete) operations performed on the database 260, thereby ensuring data integrity and preventing unauthorized modifications or deletions, strengthening the overall security posture of the network.
[0055] The checking module 235 of the processor 205 is configured to ascertain if the retrieved operation type is defined in a blacklist policy of the home SEPP 110 based on retrieving the set of features from the request. In one embodiment, the blacklist policy may be defined as a file which includes a list of blacklisted Application Programming Interfaces (APIs). The blacklist policy may support both concrete as well as wildcard APIs. Further, the blacklist policy pertains to preconfigured information corresponding to a segregation criterion, the APIs for which moderation of requests is enabled or disabled, the set of predefined parameters and the preset thresholds applied when moderation of requests is enabled, and the actions to be invoked on breach of the preset thresholds.
[0056] As per the above illustrated embodiment, the transceiver 220 is configured to transmit the error response to the foreign SEPP 104 if the retrieved operation type is included in the blacklist policy of the home SEPP 110. When the retrieved operation type is not included in the blacklist policy of the home SEPP 110, the request received from the foreign SEPP 104 is processed by the processing module 240.
[0057] The processing module 240 of the processor 205 is further configured to process the request received from the foreign SEPP 104 in response to the absence of the retrieved operation type in the blacklist policy of the home SEPP 110. The transceiver 220 is configured to transmit the request to a North Bound Interface (NBI) 255 (shown in FIG. 4a) for further processing in order to process the request received from the foreign SEPP 104. The NBI 255 refers to an interface that enables communication and information exchange between lower-level components (such as network devices, controllers, or data planes) and higher-level components (such as management systems, orchestrators, or applications). While processing the request, the segregation module 245 is configured to segregate each request received from the foreign SEPP 104.
[0058] The segregation module 245 is configured to segregate each request received from the foreign SEPP 104 based on the network function type, the HTTP method, the API, the PLMN ID, and the IP endpoints when the request is processed by the processing module 240. The API refers, for example, to a service of the Network Repository Function (NRF), which manages the registration and discovery of network functions (NFs) in a Fifth Generation (5G) core network and is exposed as Nnrf, or to a service of the Session Management Function (SMF) that handles Packet Data Unit (PDU) sessions, such as Nsmf-PDUSession. The PLMN ID, for example 405-015 or 405-010, is the unique identifier of a mobile network, composed of a Mobile Country Code (MCC) and a Mobile Network Code (MNC), and is therefore specific to an operator and a region. The IP endpoint is the IP address from which the request is received, for example 10.0.0.1, and is specific to the foreign SEPP 104. Consider, for example, a blacklist policy defined as follows: block incoming requests for 1 minute if the request rate exceeds 1000 requests per second (the rate limit), the request HTTP method is GET, the request API is Nnrf-nfm, and the request is received from the IP endpoint 10.0.0.3.
[0059] Upon segregation of each request from the foreign SEPP 104, the moderation module 250 is configured to moderate each request received from the foreign SEPP 104 based on the set of predefined parameters. The moderation module 250 moderates the request received from the foreign SEPP 104 based on the request rate calculated and segregated over the NF type, the HTTP method, the API, the PLMN ID, the Fully Qualified Domain Name (FQDN), the IP port and the IP endpoints. Further, the moderation module 250 moderates access to the APIs according to the blacklist policy, thereby safeguarding the network infrastructure from potential security threats and unauthorized activities.
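The moderation procedure summarized in [0008] and detailed in [0050] to [0059], as an added example that is not code from the patent or from its applicant: a foreign SEPP's segregated request rate is checked against a preset threshold first, then the URI and operation type are taken from the request and checked against a blacklist policy with concrete or wildcard entries, and only a request that passes both checks is handed to the NBI. The class names, the policy layout (glob-matched segregation fields, a sliding window per segregated key, a "block for N seconds" action) and the sample traffic are assumptions made for illustration.

```python
# Added example, not code from the patent or its applicant. Class names, the
# policy layout and the sample traffic are assumptions made for illustration.
from collections import defaultdict, deque
from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class Request:
    src_ip: str    # IP endpoint of the foreign SEPP that raised the request
    plmn_id: str   # MCC-MNC of the foreign PLMN, e.g. "405-015"
    nf_type: str   # NF type addressed, e.g. "NRF"
    api: str       # API / service name, e.g. "nnrf-nfm"
    method: str    # operation type: GET, POST, PUT or DELETE
    uri: str       # endpoint or resource targeted


@dataclass(frozen=True)
class RateRule:
    """Segregation criterion (glob fields, '*' = any), threshold and action."""
    src_ip: str = "*"
    plmn_id: str = "*"
    nf_type: str = "*"
    api: str = "*"
    method: str = "*"
    rate_limit: int = 1000   # requests allowed per window_s
    window_s: float = 1.0
    block_s: float = 0.0     # 0: reject only the excess (partial denial);
                             # >0: block the segregated key for this long

    def matches(self, r: Request) -> bool:
        pairs = ((r.src_ip, self.src_ip), (r.plmn_id, self.plmn_id),
                 (r.nf_type, self.nf_type), (r.api, self.api),
                 (r.method, self.method))
        return all(fnmatchcase(value, pattern) for value, pattern in pairs)


class Moderator:
    FORWARD, RATE_LIMITED, BLACKLISTED = (
        "forward_to_nbi", "error_rate_limit", "error_blacklisted")

    def __init__(self, rate_rules, blacklist):
        self.rate_rules = tuple(rate_rules)   # RateRule instances
        self.blacklist = dict(blacklist)      # URI glob -> operation types to reject
        self._hits = defaultdict(deque)       # segregation key -> request timestamps
        self._blocked_until = {}              # segregation key -> time the block ends

    @staticmethod
    def _key(rule, r):
        # Usage is counted per segregated case: NF type, method, API, PLMN ID, IP.
        return (rule, r.nf_type, r.method, r.api, r.plmn_id, r.src_ip)

    def _within_threshold(self, r, now):
        for rule in self.rate_rules:
            if not rule.matches(r):
                continue
            key = self._key(rule, r)
            if self._blocked_until.get(key, 0.0) > now:
                return False
            window = self._hits[key]
            while window and now - window[0] >= rule.window_s:
                window.popleft()          # forget hits outside the sliding window
            if len(window) >= rule.rate_limit:
                if rule.block_s > 0:
                    self._blocked_until[key] = now + rule.block_s
                return False              # breach: reject and do not count it
            window.append(now)
        return True

    def moderate(self, r, now):
        # 1) Are the foreign SEPP's predefined parameters within the preset threshold?
        if not self._within_threshold(r, now):
            return self.RATE_LIMITED
        # 2) Retrieve the features: URI and operation type are fields of the request.
        # 3) Is the operation type blacklisted for the targeted URI?
        for pattern, methods in self.blacklist.items():
            if fnmatchcase(r.uri, pattern) and r.method in methods:
                return self.BLACKLISTED
        # 4) Otherwise hand the request on to the North Bound Interface.
        return self.FORWARD


def run_sample(limit=3):
    """Replay a constructed burst against a policy shaped like the example in
    [0058] (GET on nnrf-nfm from 10.0.0.3, 60 s block on breach), with a small
    limit so the breach is visible. Returns the decisions in order."""
    rule = RateRule(src_ip="10.0.0.3", api="nnrf-nfm", method="GET",
                    rate_limit=limit, window_s=1.0, block_s=60.0)
    mod = Moderator([rule], {"/nnrf-nfm/v1/nf-instances/*": {"DELETE"}})
    uri = "/nnrf-nfm/v1/nf-instances/1d2a"
    get = Request("10.0.0.3", "405-015", "NRF", "nnrf-nfm", "GET", uri)
    delete = Request("10.0.0.3", "405-015", "NRF", "nnrf-nfm", "DELETE", uri)
    other = Request("10.0.0.4", "405-010", "NRF", "nnrf-nfm", "GET", uri)
    decisions = [mod.moderate(get, 0.0) for _ in range(limit + 1)]  # last breaches
    decisions.append(mod.moderate(get, 30.0))     # still inside the 60 s block
    decisions.append(mod.moderate(other, 30.0))   # other IP endpoint: separate key
    decisions.append(mod.moderate(delete, 30.0))  # under threshold but blacklisted
    decisions.append(mod.moderate(get, 61.0))     # block expired, window has slid
    return decisions
```

Two points of the design are worth noting. The rate check runs before the blacklist check, as the specification orders it, so an already over-limit peer never reaches the (more expensive) policy match; and a request that breaches the threshold is rejected without being counted, which keeps the per-key state bounded by `rate_limit` entries however fast an attacker sends. Because the key contains every segregation field, a peer that varies one attribute (a different PLMN ID or API) lands in a different bucket, which is exactly the case [0005] describes; a rule with wildcards in those fields still matches it, so the operator chooses per rule how coarse the segregation is.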
[0060] FIG. 3 is a schematic representation of the workflow of the present system of FIG. 1, according to the one or more embodiments of the present system. As mentioned earlier with reference to FIG. 1, the first UE 102 includes one or more primary processors 305 communicably coupled to the one or more processors 205 of the system 125. The one or more primary processors 305 are coupled with a memory unit 310 storing instructions which are executed by the one or more primary processors 305. Execution of the stored instructions by the one or more primary processors 305 enables the first UE 102 to transmit the request to the NBI 255 for processing the request received from the foreign SEPP 104.
[0061] The first UE 102 may comprise a memory such as a volatile memory (e.g., RAM), a non-volatile memory (e.g., disk memory, FLASH memory, EPROMs, etc.), an unalterable memory, and/or other types of memory. In one implementation, the memory might be configured or designed to store data. The data may pertain to attributes and access rights specifically defined for the first UE 102. The first UE 102 may be configured to connect with the foreign server 104 through the network 106.
[0062] As mentioned earlier with reference to FIG. 2, the one or more processors 205 of the system 125 are configured to receive the request from the foreign SEPP 104 through the transceiver 220. More specifically, the one or more processors 205 of the system 125 are configured to determine, by the determination module 225, whether the set of predefined parameters of the foreign SEPP 104 which raised the request is within the preset threshold. In one embodiment, the set of predefined parameters is at least one of a predicted utilization or a rate limit of the foreign SEPP 104. In one embodiment, the preset threshold is configured against the segregation of the number of requests and a percentage limit of the pending request queue, or against a rate limit on the number of requests per second.
[0063] The retrieving module 230 of the processor 205 is configured to retrieve a set of features from the request in response to the set of predefined parameters being within the preset threshold. In one embodiment, the set of features includes a Uniform Resource Identifier (URI) and an operation type. In one embodiment, the URI corresponds to one of an endpoint and the resource being targeted by the request. In one embodiment, the operation type pertains to a type of operation to be performed on one of the endpoint and the resource. In another embodiment, the operation type to be performed is one of GET, POST, PUT, and DELETE.
[0064] The checking module 235 of the processor 205 is configured to ascertain if the retrieved operation type is defined in a blacklist policy of the home SEPP 110 based on retrieving the set of features from the request. In one embodiment, the blacklist policy may be defined as a file which includes a list of blacklisted Application programming interfaces (APIs). In one embodiment, the transceiver 220 is configured to transmit the error response to the foreign SEPP 104 if the retrieved operation type is included in the blacklist policy of the home SEPP 110. When the retrieved operation type is not included in the blacklist policy of the home SEPP 110, the request received from the foreign SEPP 104 is processed by the processing module 240.
[0065] The processing module 240 of the processor 205 is further configured to process the request received from the foreign SEPP 104 in response to the absence of the retrieved operation type in the blacklist policy of the home SEPP 110. The transceiver 220 is configured to transmit the request to the NBI 255 for further processing in order to process the request received from the foreign SEPP 104.
[0066] The segregation module 245 is configured to segregate each received request based on the network function type, the Hyper Text Transfer Protocol (HTTP) method, the Application Programming Interface (API), the Public Land Mobile Network (PLMN) identifier, and the Internet Protocol (IP) endpoints once the request received from the foreign SEPP 104 has been processed by the processing module 240.
[0067] The moderation module 250 is configured to moderate each request received from the foreign SEPP 104 based on the set of predefined parameters. The moderation module 250 is configured to moderate the request received from the foreign SEPP 104 based on the rate of requests calculated and segregated over the NF types, the HTTP method (or scheme), the API, the PLMN ID and the IP endpoints. Further, the moderation module 250 effectively moderates access to the APIs based on the blacklist policy, thereby safeguarding the network infrastructure from potential security threats and unauthorized activities.
[0068] Hence, for the sake of brevity, a similar description related to the working and operation of the system 125 as illustrated in FIG. 2 has been omitted to avoid repetition. The limited description provided for the system 125 in FIG. 3, should be read with the description as provided for the system 125 in the FIG. 2 above, and should not be construed as limiting the scope of the present disclosure.
[0069] FIG. 4a shows an exemplary embodiment illustrating the first UE 102 configured to transmit the incoming requests to the home SEPP 110, for blacklisting the API, according to the one or more embodiments of the present disclosure.
[0070] At step 402a, multiple users of the plurality of UEs initiate incoming requests from the foreign SEPP 104 to the home SEPP 110, and the incoming request is received at the home SEPP 110 from the foreign SEPP 104. At step 404a, the home SEPP 110, which holds the blacklist policy, processes the request and extracts the URI and method from the request. Thereafter, the home SEPP 110 checks whether the received API is present in the blacklisting policy or not, at step 404.
[0071] At step 406a, in one embodiment, the home SEPP 110 transmits an error response to the foreign SEPP 104 if the API is present in the blacklisting policy. In another embodiment, the home SEPP 110 transmits the request to the NBI 255 for further processing, in order to process the request received from the foreign SEPP 104, if the API is not present in the blacklisting policy.
[0072] The home SEPP 110 includes details of the foreign SEPP 104 for which the rate limit and overload threshold are configured. The system measures the number of requests in a configured timeframe. If one foreign SEPP 104 initiates multiple requests within the specified timeframe and the preset threshold is reached, the rate-limiting solution throttles the requests from the foreign SEPP 104 and does not fulfil the requests for the next timeframe.
[0073] FIG. 4b shows another exemplary embodiment illustrating the foreign SEPP 104 configured to transmit the incoming requests to the home SEPP 110, for blacklisting API, according to the one or more embodiments of the present disclosure.
[0074] Block 402b illustrates that the foreign SEPP 104 includes the second NF 112b, as illustrated in the figure. As used herein, a Network Function (NF) is a functional building block within a network infrastructure, which has well-defined external interfaces and a well-defined functional behavior. The NFs are responsible for various operations, for example the Network Repository Function (NRF), Unified Data Management (UDM), Home Subscriber Server (HSS), etc., as well as the SEPP, which ensures secure communication between different PLMNs, and the like. The foreign SEPP 104 is configured to transmit the incoming requests to the home SEPP 110, and the incoming request is received at the home SEPP 110 from the foreign SEPP 104.
[0075] Block 404b illustrates that the home SEPP 110 includes the blacklist policy. The home SEPP 110 processes the request and extracts the URI and method from the request. Thereafter, the home SEPP 110 checks whether the received API is present in the blacklisting policy or not, at step 404. In one embodiment, the transceiver 220 is configured to transmit the error response to the foreign SEPP 104 if the retrieved operation type is not included in the blacklist policy of the home SEPP 110. Owing to this, the transceiver 220 is configured to transmit the request to the NBI 255 for further processing in order to process the request received from the foreign SEPP 104.
[0076] Block 406b illustrates that the transceiver 220 is configured to transmit an error response to the foreign SEPP 104 if the API is present in the blacklisting policy. In another embodiment, the transceiver 220 is configured to transmit the request to the NBI 255 for further processing, in order to process the request received from the foreign SEPP 104, if the API is not present in the blacklisting policy.
[0077] The home SEPP 110 includes details of the foreign SEPP 104 for which the rate limit and the overload threshold are configured. The system 125 measures the number of requests in the configured timeframe. If one foreign SEPP 104 initiates multiple requests within the specified timeframe and the preset threshold is reached, the rate-limiting solution throttles the request from the foreign SEPP 104 and does not fulfil the requests for the next timeframe.
[0078] FIG. 5 illustrates a flow diagram of a method for moderating the incoming requests, according to the one or more embodiments of the present disclosure. For the purpose of description, the method 500 is described with the embodiments as illustrated in FIG. 2 and should nowhere be construed as limiting the scope of the present disclosure.
[0079] At step 502, the method 500 includes the step of receiving the request from the foreign SEPP 104 by the transceiver 220. When the request is received from the foreign SEPP 104, the determination module 225 determines if the set of predefined parameters of the foreign SEPP which raised the request is within the preset threshold. In one embodiment, the set of predefined parameters is at least one of utilization or rate limit of the foreign SEPP 104. In one embodiment, the preset threshold is configured against segregation of the number of requests and percentage limit of pending request queue or rate limit of the number of requests per second.
[0080] At step 504, the method 500 includes the step of determining if the set of predefined parameters of the foreign SEPP 104 which raised the request is within the preset threshold by the determination module 225. In the preferred embodiment, the predicted utilization based on number of requests received from the foreign SEPP 104 can be calculated and segregated over NF types, the HTTP method, the API, the PLMN ID and the IP endpoints, and the rate limit refers to number of requests per second limit over the window for each segregated case. In one embodiment, the set of predefined parameters are configured based on predictive analysis utilizing machine learning techniques. In another embodiment, the current value of the set of predefined parameters is predicted utilizing the AI.
[0081] At step 506, the method 500 includes the step of retrieving the set of features from the request in response to the set of predefined parameters being within the preset threshold by using the retrieving module 230. In one embodiment, the set of features includes the URI and the operation type. In one embodiment, the URI corresponds to one of an end point and the resource being targeted by the request. In one embodiment, the operation type pertains to the type of operation to be performed on one of the endpoints and the resource. In another embodiment, the operation type to be performed is one of the GET, POST, PUT, and DELETE.
[0082] At step 508, the method 500 includes the step of ascertaining if the retrieved operation type is defined in the blacklist policy of the home SEPP 110 based on retrieving the set of features from the request. In one embodiment, the blacklist policy may be defined as the file which includes a list of blacklisted Application programming interfaces (APIs). Further, the blacklist policy pertains to preconfigured information corresponding to a segregation criterion, the API for which moderation of requests is one of enable and disabled, the set of predefined parameters and the preset thresholds on enablement of the moderation of requests, and actions to be invoked on breach of the preset thresholds. In one embodiment, the transceiver 220 is configured to transmit the error response to the foreign SEPP 104 if the retrieved operation type is included in the blacklist policy of the home SEPP 110. When the retrieved operation type is not included in the blacklist policy of the home SEPP 110, the request received from the foreign SEPP 104 is processed by the processing module 240.
[0083] At step 510, the method 500 includes the step of processing the request received from the foreign SEPP 104 in response to the absence of the retrieved operation type in the blacklist policy of the home SEPP 110 by the processing module 240. The transceiver 220 is configured to transmit the request to the NBI 255 for further processing in order to process the request received from the foreign SEPP 104.
[0084] At step 512, the method 500 includes the step of segregating, by the segregation module 245, each received request based on the network function type, the HTTP method, the API, the PLMN ID, and the IP endpoints once the request received from the foreign SEPP 104 has been processed by the processing module 240.
[0085] At step 514, the method 500 includes the step of moderating, by the moderation module 250, each request received from the foreign SEPP 104 based on the set of predefined parameters. The moderation module 250 is configured to moderate the request received from the foreign SEPP 104 based on the rate of requests calculated and segregated over the NF types, the HTTP method, the API, the PLMN ID and the IP endpoints. Further, the moderation module 250 effectively moderates access to the APIs based on the blacklist policy, thereby safeguarding the network infrastructure from potential security threats and unauthorized activities.
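As an added example that is not part of the patent, the following Python sketch walks one request through steps 504 to 514 of method 500 and applies the sample blacklist policy of paragraph [0058] (GET on Nnrf-nfm from 10.0.0.3, more than 1000 requests in a minute, blocked for 1 minute). The class and field names, the per-SEPP limit, the wildcard entry `nudm-*`, the way the API is read from the URI and the constructed traffic are all assumptions; the NBI itself is not modelled.

```python
"""Added example (not the patent's own code): a minimal home SEPP moderation pipeline
following steps 504-514 of method 500 and the [0058] sample policy. Names and thresholds are assumptions."""
from collections import defaultdict, deque, namedtuple
from fnmatch import fnmatch

# One incoming request as seen by the home SEPP (constructed field set):
# sepp_id = foreign SEPP identity, method = operation type (GET/POST/PUT/DELETE),
# uri e.g. "/nnrf-nfm/v1/nf-instances", plmn_id = MCC-MNC e.g. "405-015", ts in seconds.
Request = namedtuple("Request", "sepp_id nf_type method uri plmn_id ip_endpoint ts")

# [0058]-style rule: more than `limit` matching requests within `window` seconds
# blocks that segregated flow for `block_for` seconds.
RateRule = namedtuple("RateRule", "method api ip_endpoint limit window block_for")


class HomeSEPP:
    def __init__(self, blacklist, rate_rules, sepp_limit, sepp_window):
        self.blacklist = blacklist      # (method, API pattern) pairs; '*' wildcards allowed
        self.rate_rules = rate_rules
        self.sepp_limit = sepp_limit    # requests a foreign SEPP may send per sepp_window
        self.sepp_window = sepp_window
        self._sepp_hist = defaultdict(deque)
        self._flow_hist = defaultdict(deque)
        self._blocked_until = {}

    @staticmethod
    def _count(hist, key, ts, window):
        """Sliding-window counter: record ts, return hits in (ts - window, ts]."""
        q = hist[key]
        q.append(ts)
        while q and q[0] <= ts - window:
            q.popleft()
        return len(q)

    @staticmethod
    def api_of(uri):
        """Step 506: the service API is taken to be the first URI path segment (assumption)."""
        return uri.strip("/").split("/", 1)[0].lower()

    def moderate(self, req):
        """Run steps 504-514 on one request: ("forward", api) or ("error", reason)."""
        # step 504: is the foreign SEPP itself still within its rate limit?
        if self._count(self._sepp_hist, req.sepp_id, req.ts, self.sepp_window) > self.sepp_limit:
            return ("error", "foreign SEPP rate limit exceeded")
        # steps 506-508: retrieve URI and operation type, check the blacklist policy
        api = self.api_of(req.uri)
        for method, pattern in self.blacklist:
            if method == req.method and fnmatch(api, pattern):
                return ("error", f"{req.method} {api} is blacklisted")
        # step 512: segregate over NF type, HTTP method, API, PLMN ID and IP endpoint
        key = (req.nf_type, req.method, api, req.plmn_id, req.ip_endpoint)
        # step 514: moderate the segregated flow against the matching rate rule
        for rule in self.rate_rules:
            if (rule.method, rule.api, rule.ip_endpoint) != (req.method, api, req.ip_endpoint):
                continue
            if self._blocked_until.get(key, 0.0) > req.ts:
                return ("error", "flow temporarily blocked")
            if self._count(self._flow_hist, key, req.ts, rule.window) > rule.limit:
                self._blocked_until[key] = req.ts + rule.block_for
                self._flow_hist[key].clear()
                return ("error", "flow rate limit exceeded, blocked")
        # step 510: the request would now be handed to the NBI
        return ("forward", api)


def demo():
    """Replay the [0058] policy on constructed traffic and return the verdicts."""
    sepp = HomeSEPP(blacklist=[("DELETE", "nudm-*")],
                    rate_rules=[RateRule("GET", "nnrf-nfm", "10.0.0.3", 1000, 60.0, 60.0)],
                    sepp_limit=5000, sepp_window=1.0)

    def req(ts, method="GET", uri="/nnrf-nfm/v1/nf-instances", ip="10.0.0.3"):
        return Request("sepp-405-010", "NRF", method, uri, "405-010", ip, ts)

    verdicts = [sepp.moderate(req(i * 0.01))[0] for i in range(1001)]  # 1001 GETs in ~10 s
    return {
        "first_1000": verdicts[:1000].count("forward"),
        "request_1001": verdicts[1000],
        "during_block": sepp.moderate(req(30.0))[0],
        "other_ip": sepp.moderate(req(30.0, ip="10.0.0.1"))[0],
        "post_method": sepp.moderate(req(30.0, method="POST"))[0],
        "wildcard_blacklist": sepp.moderate(req(31.0, "DELETE", "/nudm-sdm/v2/x"))[0],
        "after_block": sepp.moderate(req(75.0))[0],
    }
```

Because segregation keys on the IP endpoint and method, the block for the 10.0.0.3 GET flow leaves other endpoints and POST traffic on the same API untouched, and the flow recovers once the 1 minute block elapses.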
[0086] A person of ordinary skill in the art will readily ascertain that the illustrated embodiments and steps in description and drawings (FIG.1-5) are set out to explain the exemplary embodiments shown, and it should be anticipated that ongoing technological development will change the manner in which particular functions are performed. These examples are presented herein for purposes of illustration, and not limitation. Further, the boundaries of the functional building blocks have been arbitrarily defined herein for the convenience of the description. Alternative boundaries can be defined so long as the specified functions and relationships thereof are appropriately performed. Alternatives (including equivalents, extensions, variations, deviations, etc., of those described herein) will be apparent to persons skilled in the relevant art(s) based on the teachings contained herein. Such alternatives fall within the scope and spirit of the disclosed embodiments.
[0087] The present disclosure provides the technical advancement of implementing the home SEPP with the blacklist policy and rate limiting capabilities, which helps to protect the system from unauthorized access, mitigate the risk of Denial of Service (DoS) attacks, and enhance overall system stability. The inclusion of both concrete and wildcard APIs in the blacklist policy ensures flexibility in identifying and blocking malicious requests, including variations of spam requests.
[0088] Further, the present disclosure also facilitates timely alerts and quicker response to potential malicious activities. The system may raise alerts when the rate limits or the overload thresholds are breached or when daily patterns are disrupted, enabling administrators to take immediate action and help mitigate risks so as to ensure a more secure network environment.
[0089] The present invention offers multiple advantages over the prior art and the above listed are a few examples to emphasize on some of the advantageous features. The listed advantages are to be read in a non-limiting manner.
REFERENCE NUMERALS
[0090] Environment - 100;
[0091] First User Equipment - 102;
[0092] Foreign SEPP - 104;
[0093] Communication Network - 106, 114;
[0094] Second User Equipment - 108;
[0095] Home SEPP - 110;
[0096] Network Functions - 112a, 112b;
[0097] System - 125;
[0098] Processor - 205;
[0099] Memory - 210;
[00100] I/O interface unit - 215;
[00101] Transceiver - 220;
[00102] Determination Module - 225;
[00103] Retrieving Module - 230;
[00104] Checking Module - 235;
[00105] Processing Module - 240;
[00106] Segregation Module - 245;
[00107] Moderation Module - 250;
[00108] NBI - 255;
[00109] Database - 260;
[00110] Primary processors - 305;
[00111] Memory Unit of User Equipment - 310.
CLAIMS:
We Claim:
1. A method (500) of moderating incoming requests, the method (500) comprising the steps of:
receiving (502), by one or more processors (205), a request from a foreign Security Edge Protection Proxy (SEPP) (104);
determining (504), by the one or more processors (205), if a set of predefined parameters of the foreign SEPP (104) which raised the request is within a preset threshold, wherein the set of predefined parameters is at least one of a utilization or rate limit of the foreign SEPP (104);
retrieving (506), by the one or more processors (205), a set of features from the request in response to the set of predefined parameters being within the preset threshold, wherein the set of features include a Uniform Resource Identifier (URI) and an operation type;
ascertaining (508), by the one or more processors (205), if the retrieved operation type is defined in a blacklist policy of a home SEPP (110) based on retrieving the set of features from the request; and
processing (510), by the one or more processors (205), the request received from the foreign SEPP (104) in response to the absence of the retrieved operation type in the blacklist policy of the home SEPP (110).
2. The method (500) as claimed in claim 1, wherein the one or more processors (205) is located within the home SEPP (110).
3. The method (500) as claimed in claim 1, wherein the set of predefined parameters are configured based on predictive analysis utilizing machine learning techniques.
4. The method (500) as claimed in claim 1, wherein if the set of predefined parameters are not within the preset threshold, the one or more processors (205) further comprises the step of transmitting an error response to the foreign SEPP (104).
5. The method (500) as claimed in claim 1, wherein the URI corresponds to one of an endpoint and resource being targeted by the request.
6. The method (500) as claimed in claim 1, wherein the operation type pertains to a type of operation to be performed on one of an endpoint and a resource, and wherein the operation type to be performed is one of a GET, POST, PUT, and DELETE.
7. The method (500) as claimed in claim 1, wherein if the retrieved operation type is included in the blacklist policy of the home SEPP (110), the one or more processors (205) performs the step of transmitting an error response to the foreign SEPP (104).
8. The method (500) as claimed in claim 1, wherein the method (500) further comprises the step of, transmitting, by the one or more processors (205) the request to a North Bound Interface (NBI) (255) for further processing in order to process the request received from the foreign SEPP (104).
9. The method (500) as claimed in claim 1, wherein the method (500) further comprises the step of: segregating (512), by the one or more processors (205), each of the request received based on a network function type, a Hyper Text Transfer Protocol (HTTP) method, Application Programming Interface (API), Public Land Mobile Network (PLMN) identifier, and Internet Protocol (IP) endpoints.
10. The method (500) as claimed in claim 1, wherein the method (500) further comprises the step of moderating (514), by the one or more processors (205), each of the request received based on the set of predefined parameters.
11. The method (500) as claimed in claim 1, wherein the blacklist policy pertains to preconfigured information corresponding to a segregation criterion, Application Programming Interfaces (API) for which moderation of requests is one of enable and disabled, the set of predefined parameters and the preset thresholds on enablement of the moderation of requests, and actions to be invoked on breach of the preset thresholds.
12. A system (125) for moderating incoming requests, the system (125) comprising:
a transceiver (220) configured to receive, a request from a foreign Security Edge Protection Proxy (SEPP) (104);
a determination module (225) configured to determine, if a set of predefined parameters of the foreign SEPP (104) which raised the request is within a preset threshold, wherein the set of predefined parameters is at least one of a utilization or rate limit of the foreign SEPP (104);
a retrieving module (230) configured to retrieve, a set of features from the request in response to the set of predefined parameters being within the preset threshold, wherein the set of features include a Uniform Resource Identifier (URI) and an operation type;
a checking module (235) configured to ascertain, if the retrieved operation type is defined in a blacklist policy of a home SEPP (110) based on retrieving the set of features from the request; and
a processing module (240) configured to process, the request received from the foreign SEPP (104) in response to the absence of the retrieved operation type in the blacklist policy of the home SEPP (110).
13. The system (125) as claimed in claim 12, wherein the set of predefined parameters are configured based on predictive analysis utilizing machine learning techniques.
14. The system (125) as claimed in claim 12, wherein the transceiver (220) is further configured to transmit an error response to the foreign SEPP (104) if the set of predefined parameters are not within the preset threshold.
15. The system (125) as claimed in claim 12, wherein the URI corresponds to one of an endpoint and resource being targeted by the request.
16. The system (125) as claimed in claim 12, wherein the operation type pertains to a type of operation to be performed on one of an endpoint and a resource, and wherein the operation type to be performed is one of a GET, POST, PUT, and DELETE.
17. The system (125) as claimed in claim 12, wherein the transceiver (220) is further configured to transmit an error response to the foreign SEPP (104) if the retrieved operation type is included in the blacklist policy of the home SEPP (110).
18. The system (125) as claimed in claim 12, wherein the transceiver (220) is configured to transmit the request to a North Bound Interface (NBI) (255) for further processing in order to process the request received from the foreign SEPP (104).
19. The system (125) as claimed in claim 12, wherein the system (125) further comprises a segregation module (245) configured to segregate each of the request received based on a network function type, a Hyper Text Transfer Protocol (HTTP) method, Application Programming Interface (API), Public Land Mobile Network (PLMN) identifier, and Internet Protocol (IP) endpoints.
20. The system (125) as claimed in claim 12, wherein the system (125) further comprises a moderation module (250) configured to moderate each of the request received based on the set of predefined parameters.
21. The system (125) as claimed in claim 12, wherein the blacklist policy pertains to preconfigured information corresponding to a segregation criterion, Application Programming Interfaces (API) for which moderation of requests is one of enable and disabled, the set of predefined parameters and the preset thresholds on enablement of the moderation of requests, and actions to be invoked on breach of the preset thresholds.
| # | Name | Date |
|---|---|---|
| 1 | 202321045602-STATEMENT OF UNDERTAKING (FORM 3) [07-07-2023(online)].pdf | 2023-07-07 |
| 2 | 202321045602-PROVISIONAL SPECIFICATION [07-07-2023(online)].pdf | 2023-07-07 |
| 3 | 202321045602-FORM 1 [07-07-2023(online)].pdf | 2023-07-07 |
| 4 | 202321045602-FIGURE OF ABSTRACT [07-07-2023(online)].pdf | 2023-07-07 |
| 5 | 202321045602-DRAWINGS [07-07-2023(online)].pdf | 2023-07-07 |
| 6 | 202321045602-DECLARATION OF INVENTORSHIP (FORM 5) [07-07-2023(online)].pdf | 2023-07-07 |
| 7 | 202321045602-FORM-26 [11-09-2023(online)].pdf | 2023-09-11 |
| 8 | 202321045602-Proof of Right [22-12-2023(online)].pdf | 2023-12-22 |
| 9 | 202321045602-DRAWING [27-06-2024(online)].pdf | 2024-06-27 |
| 10 | 202321045602-COMPLETE SPECIFICATION [27-06-2024(online)].pdf | 2024-06-27 |
| 11 | Abstract1.jpg | 2024-09-23 |
| 12 | 202321045602-Power of Attorney [11-11-2024(online)].pdf | 2024-11-11 |
| 13 | 202321045602-Form 1 (Submitted on date of filing) [11-11-2024(online)].pdf | 2024-11-11 |
| 14 | 202321045602-Covering Letter [11-11-2024(online)].pdf | 2024-11-11 |
| 15 | 202321045602-CERTIFIED COPIES TRANSMISSION TO IB [11-11-2024(online)].pdf | 2024-11-11 |
| 16 | 202321045602-FORM 3 [27-11-2024(online)].pdf | 2024-11-27 |
| 17 | 202321045602-FORM 18 [20-03-2025(online)].pdf | 2025-03-20 |