Abstract: ABSTRACT SYSTEM AND METHOD FOR MANAGING NETWORK SECURITY IN A NETWORK A system (108) and method (500) for managing network security in a network is described. The method includes receiving (502), one or more security policies from at least one network source, receiving (504), a registration request to register a network function (NF) (310), registering (506), the NF (310) with a network security function unit (210) based on the registration request, processing (508), the one or more security policies to identify at least one security policy among the one or more security policies applicable to the NF (310) based on one or more parameters associated with the NF (310), applying (510), the identified at least one security policy to the NF (310), receiving (512), real-time network data from the NF (310), and analyzing (510), the received real-time network data based on the applied at least one security policy to identify one or more anomalies associated with the registered NF (310). [[Published with FIG. 3]]
FORM 2
THE PATENTS ACT, 1970
(39 of 1970)
&
THE PATENTS RULES, 2003
COMPLETE SPECIFICATION
(See section 10 and rule 13)
1. TITLE OF THE INVENTION
SYSTEM AND METHOD FOR MANAGING NETWORK SECURITY IN A NETWORK
2. APPLICANT(S)
Name: JIO PLATFORMS LIMITED
Nationality: INDIAN
Address: Office - 101, Saffron, Nr. Centre Point, Panchwati 5 Rasta, Ambawadi, Ahmedabad - 380006, Gujarat, India
3. PREAMBLE TO THE DESCRIPTION
The following specification particularly describes the invention and the manner in which it is to be performed.
RESERVATION OF RIGHTS
[0001] A portion of the disclosure of this patent document contains material, which is subject to intellectual property rights such as, but are not limited to, copyright, design, trademark, integrated circuit (IC) layout design, and/or trade dress protection, belonging to Jio Platforms Limited (JPL) or its affiliates (hereinafter referred as owner). The owner has no objection to the facsimile reproduction by anyone of the patent document or the patent disclosure, as it appears in the Patent and Trademark Office patent files or records, but otherwise reserves all rights whatsoever. All rights to such intellectual property are fully reserved by the owner.
TECHNICAL FIELD
[0002] The present disclosure relates generally to a field of telecommunication networks. More particularly, the present disclosure relates to a system and a method for managing network security in a network.
DEFINITION
[0003] As used in the present disclosure, the following terms are generally intended to have the meaning set forth below, except to the extent that the context in which they are used indicates otherwise.
[0004] The term “network function (NF),” as used herein, refers to a software application or a service that performs specific tasks, such as routing, intrusion detection, and load balancing.
[0005] The term “security policies,” as used herein, refers to a set of rules and configurations designed to protect network resources, manage access controls, detect and prevent intrusions, and ensure data integrity and confidentiality across the NFs and the network slice.
[0006] The term “Operations Support System (OSS),” as used herein, refers to a system used by telecommunications service providers to manage their networks (e.g., network inventory, provisioning, network configuration, fault management). The OSS provides network-facing or network-operations-facing functionalities.
[0007] The term “Business Support System (BSS),” as used herein, refers to a system used by the telecommunications service providers to manage customer-facing activities (e.g., billing, customer relationship management, service fulfillment, etc.).
[0008] The term “network security function unit” or “Network security monitoring and enforcement function (NSMEF) unit,” as used herein, refers to a unified, centralized network function configured for assessing and implementing one or more security policies, for example, to connected network functions. The network security function unit or the NSMEF unit receives the one or more security policies and implements at least one security policy of the one or more security policies that are applicable to corresponding network functions.
[0009] The term “Network Data Analytics Function (NWDAF),” as used herein, refers to a network function that collects and analyzes data from the network to provide insights and support decision-making processes related to network operations and optimization.
[0010] The term “Network Slice Selection Function (NSSF),” as used herein, refers to a network function responsible for selecting the appropriate network slice for a user equipment (UE) based on the service requirements.
BACKGROUND
[0011] The following description of related art is intended to provide background information pertaining to the field of the disclosure. This section may include certain aspects of the art that may be related to various features of the present disclosure. However, it should be appreciated that this section should be used only to enhance the understanding of the reader with respect to the present disclosure, and not as an admission of prior art.
[0012] Network security is crucial for networks that allow user equipments (UEs) to authenticate and securely access services via the network, as well as to protect against attacks on the radio interfaces. The network security enables network functions (or network nodes) to securely exchange signaling data and user plane data.
[0013] Network slicing is performed within the network to divide (or slice) a single physical network into multiple logical and independent networks, each configured to effectively meet various service requirements. As network slicing splits a network into isolated slices, each network slice is allocated its own resources (bandwidth, service quality, and so on) and has unique security policies. Each network slice is customized for different applications, services, or customers, supporting a wide range of use cases. Therefore, network security is crucial to ensure that only authorized user equipment (UE) is allowed to access the resources of network slices and to facilitate secure data exchange via the network.
[0014] Existing network security solutions often face challenges in effectively managing and enforcing security policies across multiple network slices. These challenges include difficulties in ensuring consistent security levels, efficiently detecting and responding to security threats in a dynamic network environment, and effectively protecting diverse service requirements. Further, the existing network security solutions fail to provide a unified and centralized approach to continuously assess and enforce security policies across all network functions in real-time. Additionally, the absence of standardized interfaces for security policy exchange and real-time data sharing among network functions hampers effective anomaly detection.
[0015] There is, therefore, a need for a system and a method that overcomes the limitations of the prior art.
SUMMARY
[0016] In an exemplary embodiment, a method for managing network security in a network is described.
[0017] The method includes receiving, by a network security function unit, one or more security policies from at least one network source. In addition, the method includes receiving, by the network security function unit, a registration request to register a network function (NF). The method also includes registering, by the network security function unit, the NF with a network security function unit based on the registration request. The method further includes processing, by the network security function unit, the one or more security policies to identify at least one security policy among the one or more security policies applicable to the NF based on one or more parameters associated with the NF. The method also includes applying, by the network security function unit, the identified at least one security policy to the NF. The method further includes receiving, by the network security function unit, real-time network data from the NF. The method includes analyzing, by the network security function unit, the received real-time network data based on the applied at least one security policy to identify one or more anomalies associated with the registered NF.
[0018] In some embodiments, identifying the one or more anomalies comprises processing, by the network security function unit, the real-time network data by comparing the real-time network data corresponding to the applied at least one security policy to determine one or more breaches of the applied at least one security policy, and identifying, by the network security function unit, the one or more breaches as one or more anomalies associated with the registered NF.
[0019] In some embodiments, the method includes communicating the one or more anomalies to at least one of a network data analytics function (NWDAF) and a network slice selection function (NSSF).
[0020] In some embodiments, the at least one network source comprises one of an operations support system (OSS) or business support system (BSS).
[0021] In some embodiments, the one or more parameters comprise at least one of a slice associated with the NF, a type of the NF, a public land mobile network (PLMN) associated with the NF, and a use case of the NF.
[0022] In some embodiments, the processing includes evaluating, by the network security function unit, the one or more parameters associated with the NF, and, based on the evaluation, identifying the at least one security policy among the one or more security policies applicable to the NF.
[0023] In some embodiments, the real-time data is analyzed using a computing model.
[0024] In some embodiments, the one or more anomalies include unusual data traffic patterns, unauthorized access attempts, unexpected spikes in network usage, and other activities indicative of security threats.
[0025] In another exemplary embodiment, a system for managing network security in a network is described. The system comprises a memory, and a processing engine communicatively coupled with the memory.
[0026] The processing engine comprises a network security function unit configured to receive one or more security policies from at least one network source, receive a registration request to register a network function (NF), register the NF based on the registration request through the registering unit, process the one or more security policies to identify at least one security policy among the one or more security policies applicable to the NF based on one or more parameters associated with the NF, apply the identified at least one security policy to the NF, receive real-time network data from the registered NF, and analyze, through the analyzing unit, the received real-time network data to identify one or more anomalies associated with the NF.
[0027] In some embodiments, to identify the one or more anomalies, the network security function unit is further configured to process the real-time network data by comparing the real-time network data corresponding to the applied at least one security policy to determine one or more breaches of the applied at least one security policy and identify the one or more breaches as one or more anomalies associated with the registered NF.
[0028] In some embodiments, the network security function unit is further configured to communicate the one or more anomalies to at least one of a network data analytics function (NWDAF) and a network slice selection function (NSSF).
[0029] In some embodiments, the at least one network source comprises one of an operations support system (OSS) or business support system (BSS).
[0030] In some embodiments, the one or more parameters comprise at least one of a slice associated with the NF, a type of the NF, a public land mobile network (PLMN) associated with the NF, and a use case of the NF.
[0031]
[0032] In some embodiments, the real-time data is analyzed using a computing model.
[0033] In some embodiments, the one or more anomalies include unusual data traffic patterns, unauthorized access attempts, unexpected spikes in network usage, and other activities indicative of security threats.
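The method of [0017]-[0024] and the system of [0026]-[0033], as an added example that is not part of the patent or of any Jio Platforms implementation: a minimal Python model of the network security function unit that receives constructed OSS/BSS policies, selects the policy applicable to an NF from its slice, NF type, PLMN and use case, compares real-time data from the registered NF against that policy, and hands the resulting anomalies to the NWDAF and NSSF. Policy match fields, thresholds, anomaly labels and NF names are assumptions constructed for illustration; wildcard matching and most-specific-policy-wins selection are this example's choices, not the disclosure's.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class NetworkFunction:
    """Parameters an NF carries in its registration request ([0021])."""
    nf_id: str
    slice_id: str
    nf_type: str
    plmn: str
    use_case: str


@dataclass(frozen=True)
class SecurityPolicy:
    """Operator-defined policy received from the OSS/BSS. A match field left
    as None is a wildcard (an assumption of this example, not the disclosure)."""
    policy_id: str
    slice_id: Optional[str] = None
    nf_type: Optional[str] = None
    plmn: Optional[str] = None
    use_case: Optional[str] = None
    # Constructed thresholds that real-time NF data is compared against.
    max_rate_mbps: float = float("inf")
    max_failed_auth: int = 0
    allowed_peers: FrozenSet[str] = frozenset()

    def applies_to(self, nf: NetworkFunction) -> bool:
        pairs = ((self.slice_id, nf.slice_id), (self.nf_type, nf.nf_type),
                 (self.plmn, nf.plmn), (self.use_case, nf.use_case))
        return all(want is None or want == got for want, got in pairs)

    def specificity(self) -> int:
        # Number of non-wildcard match fields; the most specific policy wins.
        return sum(f is not None for f in
                   (self.slice_id, self.nf_type, self.plmn, self.use_case))


class NSMEF:
    """Network security monitoring and enforcement function unit (210/302)."""
    def __init__(self) -> None:
        self.policies: List[SecurityPolicy] = []          # step 502
        self.registered: Dict[str, NetworkFunction] = {}  # step 506
        self.applied: Dict[str, SecurityPolicy] = {}      # step 510

    def receive_policies(self, policies: List[SecurityPolicy]) -> None:
        self.policies.extend(policies)

    def register(self, nf: NetworkFunction) -> SecurityPolicy:
        """Steps 504-510: register the NF, pick the most specific policy that
        its parameters satisfy, and record that policy as applied."""
        candidates = [p for p in self.policies if p.applies_to(nf)]
        if not candidates:
            # Fail closed: an NF with no applicable policy is not registered.
            raise LookupError(f"no security policy applies to {nf.nf_id}")
        self.registered[nf.nf_id] = nf
        self.applied[nf.nf_id] = max(candidates, key=SecurityPolicy.specificity)
        return self.applied[nf.nf_id]

    def analyze(self, nf_id: str, sample: Dict) -> List[Tuple[str, object]]:
        """Steps 512-514: compare one real-time sample from a registered NF
        with its applied policy; each breach is reported as an anomaly."""
        if nf_id not in self.applied:
            raise PermissionError(f"data from unregistered NF {nf_id} rejected")
        policy = self.applied[nf_id]
        anomalies: List[Tuple[str, object]] = []
        if sample["rate_mbps"] > policy.max_rate_mbps:
            anomalies.append(("traffic_spike", sample["rate_mbps"]))
        if sample["failed_auth"] > policy.max_failed_auth:
            anomalies.append(("unauthorized_access_attempts", sample["failed_auth"]))
        unexpected = sorted(set(sample["peers"]) - policy.allowed_peers)
        if unexpected:
            anomalies.append(("unusual_traffic_pattern", unexpected))
        return anomalies

    def report(self, nf_id: str, anomalies: List) -> Dict[str, Dict]:
        """[0019]: hand the anomalies to the NWDAF and the NSSF, tagged by slice."""
        nf = self.registered[nf_id]
        payload = {"nf_id": nf_id, "slice_id": nf.slice_id,
                   "policy_id": self.applied[nf_id].policy_id,
                   "anomalies": anomalies}
        return {"NWDAF": payload, "NSSF": payload}


def build_demo_unit() -> NSMEF:
    """Constructed OSS/BSS policies: a PLMN-wide default and a stricter one
    scoped to a URLLC slice and an industrial IoT use case."""
    unit = NSMEF()
    unit.receive_policies([
        SecurityPolicy("pol-default", plmn="00101", max_rate_mbps=500.0,
                       max_failed_auth=20,
                       allowed_peers=frozenset({"amf-1", "smf-1", "upf-1"})),
        SecurityPolicy("pol-urllc", slice_id="slice-urllc", plmn="00101",
                       use_case="industrial-iot", max_rate_mbps=100.0,
                       max_failed_auth=3, allowed_peers=frozenset({"amf-1"})),
    ])
    return unit
```

Registering an NF whose parameters match no policy is rejected rather than left unprotected, and data from an NF that never registered is refused, which keeps enforcement tied to the registration step the disclosure describes.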
[0034] In another exemplary embodiment, a user equipment (UE) is described. The UE is communicatively coupled with a network, wherein the coupling comprises the steps of receiving, by the network, a connection request from the UE, sending, by the network, an acknowledgment of the connection request to the UE, and transmitting a plurality of signals in response to the connection request, and wherein the network is configured to perform a method for managing network security. The method includes receiving, by a network security function unit, one or more security policies from at least one network source. In addition, the method includes receiving, by the network security function unit, a registration request to register a network function (NF). The method also includes registering, by the network security function unit, the NF with a network security function unit based on the registration request. The method further includes processing, by the network security function unit, the one or more security policies to identify at least one security policy among the one or more security policies applicable to the NF based on one or more parameters associated with the NF. The method also includes applying, by the network security function unit, the identified at least one security policy to the NF. The method further includes receiving, by the network security function unit, real-time network data from the NF. The method includes analyzing, by the network security function unit, the received real-time network data based on the applied at least one security policy to identify one or more anomalies associated with the registered NF.
[0035] .
[0036] In an exemplary embodiment, the present invention discloses a computer program product comprising a non-transitory computer-readable medium comprising instructions that, when executed by one or more processors, cause the one or more processors to perform a method for managing network security in a network.
[0037] The method includes receiving, by a network security function unit, one or more security policies from at least one network source. In addition, the method includes receiving, by the network security function unit, a registration request to register a network function (NF). The method also includes registering, by the network security function unit, the NF with a network security function unit based on the registration request. The method further includes processing, by the network security function unit, the one or more security policies to identify at least one security policy among the one or more security policies applicable to the NF based on one or more parameters associated with the NF. The method also includes applying, by the network security function unit, the identified at least one security policy to the NF. The method further includes receiving, by the network security function unit, real-time network data from the NF. The method includes analyzing, by the network security function unit, the received real-time network data based on the applied at least one security policy to identify one or more anomalies associated with the registered NF.
[0038] .
[0039] The foregoing general description of the illustrative embodiments and the following detailed description thereof are merely exemplary aspects of the teachings of this disclosure and are not restrictive.
OBJECTS OF THE PRESENT DISCLOSURE
[0040] Some of the objects of the present disclosure, which at least one embodiment herein satisfies, are as follows:
[0041] An object of the present disclosure is to provide a system and a method for managing network security in a network.
[0042] Another object of the present disclosure is to provide a system and a method for network security monitoring and enforcement.
[0043] Another object of the present disclosure is to provide a network security function unit that ensures an overall security of the network by providing operator-defined security policies to one or more network functions (NFs) deployed in the network. The network security function unit is configured to perform real-time data exchange with the one or more NFs. The network security function unit handles the security of the NFs.
[0044] Another object of the present disclosure is to provide a system and a method that cater to the disjoint and distinct security requirements of heterogeneous use cases in the network.
[0045] Another object of the present disclosure is to create a standardized interface between the network security function unit and the NFs. The standardized interface facilitates reporting of real-time data to the network security function unit.
[0046] Another object of the present disclosure is to enable the network security function unit to translate the security policies and segregate an application of the security policies based on the network slices, use cases, NF type, and public land mobile network (PLMN).
[0047] Other objects and advantages of the present disclosure will be more apparent from the following description, which is not intended to limit the scope of the present disclosure.
BRIEF DESCRIPTION OF THE ACCOMPANYING DRAWING
[0048] The accompanying drawings, which are incorporated herein, and constitute a part of this disclosure, illustrate exemplary embodiments of the disclosed methods and systems in which like reference numerals refer to the same parts throughout the different drawings. Components in the drawings are not necessarily to scale, emphasis instead being placed upon clearly illustrating the principles of the present disclosure. Some drawings may indicate the components using block diagrams and may not represent the internal circuitry of each component. It will be appreciated by those skilled in the art that disclosure of such drawings includes disclosure of electrical components, electronic components or circuitry commonly used to implement such components.
[0049] FIG. 1 illustrates an exemplary network architecture for implementing a system for managing network security in a network, in accordance with an embodiment of the present disclosure.
[0050] FIG. 2 illustrates an exemplary block diagram of the system, in accordance with an embodiment of the present disclosure.
[0051] FIG. 3 illustrates an exemplary system architecture for managing network security in the network, in accordance with an embodiment of the present disclosure.
[0052] FIG. 4 illustrates an exemplary sequence diagram representing a process for managing network security in the network, in accordance with embodiments of the present disclosure.
[0053] FIG. 5 illustrates an exemplary flow diagram of a method for managing network security in the network, in accordance with an embodiment of the present disclosure.
[0054] FIG. 6 illustrates an exemplary computer system in which or with which embodiments of the present disclosure may be implemented.
[0055] The foregoing shall be more apparent from the following more detailed description of the disclosure.
LIST OF REFERENCE NUMERALS
100 – Network architecture
102 – User
104 – User Equipment (UE)
106 – Network
108 – System
200 – Block diagram
202 – Processor
204 – Memory
206 – Interface(s)
208 – Processing engine
210 – Network Security Function unit
212 – Registering unit
214 – Analyzing unit
216 – Database
300 – System architecture
302 – Network security monitoring and enforcement function (NSMEF) unit
304 – Operations support system (OSS)/Business support system (BSS)
306 – Network data analytics function (NWDAF)
308 – Network slice selection function (NSSF)
310-1, 310-2, … 310-4 – One or more Network Functions (NFs)
312-1 and 312-2 – One or more network slices
400 – Process Flow
500 – Flow diagram
600 – Computing system
610 – External Storage Device
620 – Bus
630 – Main Memory
640 – Read Only Memory
650 – Mass Storage Device
660 – Communication Port
670 – Processor
DETAILED DESCRIPTION
[0056] In the following description, for the purposes of explanation, various specific details are set forth in order to provide a thorough understanding of embodiments of the present disclosure. It will be apparent, however, that embodiments of the present disclosure may be practiced without these specific details. Several features described hereafter can each be used independently of one another or with any combination of other features. An individual feature may not address any of the problems discussed above or might address only some of the problems discussed above. Some of the problems discussed above might not be fully addressed by any of the features described herein. Example embodiments of the present disclosure are described below, as illustrated in various drawings in which like reference numerals refer to the same parts throughout the different drawings.
[0057] The ensuing description provides exemplary embodiments only, and is not intended to limit the scope, applicability, or configuration of the disclosure. Rather, the ensuing description of the exemplary embodiments will provide those skilled in the art with an enabling description for implementing an exemplary embodiment. It should be understood that various changes may be made in the function and arrangement of elements without departing from the spirit and scope of the disclosure as set forth.
[0058] Specific details are given in the following description to provide a thorough understanding of the embodiments. However, it will be understood by one of ordinary skill in the art that the embodiments may be practiced without these specific details. For example, circuits, systems, networks, processes, and other components may be shown as components in block diagram form in order not to obscure the embodiments in unnecessary detail. In other instances, well-known circuits, processes, algorithms, structures, and techniques may be shown without unnecessary detail in order to avoid obscuring the embodiments.
[0059] Also, it is noted that individual embodiments may be described as a process that is depicted as a flowchart, a flow diagram, a data flow diagram, a structure diagram, or a block diagram. Although a flowchart may describe the operations as a sequential process, many of the operations can be performed in parallel or concurrently. In addition, the order of the operations may be re-arranged. A process is terminated when its operations are completed but could have additional steps not included in a figure. A process may correspond to a method, a function, a procedure, a subroutine, a subprogram, etc. When a process corresponds to a function, its termination can correspond to a return of the function to the calling function or the main function.
[0060] The word “exemplary” and/or “demonstrative” is used herein to mean serving as an example, instance, or illustration. For the avoidance of doubt, the subject matter disclosed herein is not limited by such examples. In addition, any aspect or design described herein as “exemplary” and/or “demonstrative” is not necessarily to be construed as preferred or advantageous over other aspects or designs, nor is it meant to preclude equivalent exemplary structures and techniques known to those of ordinary skill in the art. Furthermore, to the extent that the terms “includes,” “has,” “contains,” and other similar words are used in either the detailed description or the claims, such terms are intended to be inclusive like the term “comprising” as an open transition word without precluding any additional or other elements.
[0061] Reference throughout this specification to “one embodiment” or “an embodiment” or “an instance” or “one instance” means that a particular feature, structure, or characteristic described in connection with the embodiment is included in at least one embodiment of the present disclosure. Thus, the appearances of the phrases “in one embodiment” or “in an embodiment” in various places throughout this specification are not necessarily all referring to the same embodiment. Furthermore, the particular features, structures, or characteristics may be combined in any suitable manner in one or more embodiments.
[0062] The terminology used herein is to describe particular embodiments only and is not intended to be limiting the disclosure. As used herein, the singular forms “a”, “an”, and “the” are intended to include the plural forms as well, unless the context indicates otherwise. It will be further understood that the terms “comprises” and/or “comprising,” when used in this specification, specify the presence of stated features, integers, steps, operations, elements, and/or components, but do not preclude the presence or addition of one or more other features, integers, steps, operations, elements, components, and/or groups thereof. As used herein, the term “and/or” includes any combinations of one or more of the associated listed items. It should be noted that the terms “mobile device”, “user equipment”, “user device”, “communication device”, “device” and similar terms are used interchangeably for the purpose of describing the invention. These terms are not intended to limit the scope of the invention or imply any specific functionality or limitations on the described embodiments. The use of these terms is solely for convenience and clarity of description. The invention is not limited to any particular type of device or equipment, and it should be understood that other equivalent terms or variations thereof may be used interchangeably without departing from the scope of the invention as defined herein.
[0063] While considerable emphasis has been placed herein on the components and component parts of the preferred embodiments, it will be appreciated that many embodiments can be made and that many changes can be made in the preferred embodiments without departing from the principles of the disclosure. These and other changes in the preferred embodiment as well as other embodiments of the disclosure will be apparent to those skilled in the art from the disclosure herein, whereby it is to be distinctly understood that the foregoing descriptive matter is to be interpreted merely as illustrative of the disclosure and not as a limitation.
[0064] Network slicing is performed within the network to divide (or slice) a single physical network into multiple logical and independent networks, each configured to effectively meet various service requirements. As network slicing splits a network into isolated slices, each network slice is allocated its own resources (bandwidth, service quality, and so on) and has unique security policies. Each network slice is customized for different applications, services, or customers, supporting a wide range of use cases. Furthermore, one or more network functions (NFs) may be deployed in each network slice. A network function may be a software application or a service that performs specific tasks, such as routing, intrusion detection, and load balancing. Currently, there are no unified, centralized network functions that would continuously assess and implement security policies for all network functions in real-time.
[0065] Accordingly, there is a need for a system and a method for managing network security in a telecommunication network.
[0066] The present disclosure aims to overcome the above-mentioned and other existing problems in this field of technology by providing a system and a method for managing the network security. In an aspect, the present disclosure provides a centralized network security function unit (interchangeably referred to as a network security monitoring and enforcement function (NSMEF) unit) that is configured to interface with all the NFs to exchange operator-defined security policies and real-time data, thereby handling the overall security of the NFs.
[0067] Hereinafter, exemplary embodiments of the present disclosure will be described with reference to the accompanying drawings.
[0068] FIG. 1 illustrates an example of network architecture (100) for implementing a system (108) for managing network security in a network, in accordance with an embodiment of the present disclosure.
[0069] As illustrated in FIG. 1, the network architecture (100) may include one or more user equipments (UEs) (104-1, 104-2…104-N) associated with one or more users (102-1, 102-2…102-N) in an environment. A person of ordinary skill in the art will understand that the one or more users (102-1, 102-2…102-N) may be collectively referred to as the users (102). Similarly, a person of ordinary skill in the art will understand that the one or more UEs (104-1, 104-2…104-N) may be collectively referred to as the UE (104). Although only three UEs (104) are depicted in FIG. 1, any number of UEs (104) may be included without departing from the scope of the ongoing description.
[0070] In an embodiment, the UE (104) may include smart devices operating in a smart environment, for example, an Internet of Things (IoT) system. In such an embodiment, the UE (104) may include, but is not limited to, smartphones, smart watches, smart sensors (e.g., mechanical, thermal, electrical, magnetic, etc.), networked appliances, networked peripheral devices, networked lighting systems, communication devices, networked vehicle accessories, networked vehicular devices, smart accessories, tablets, smart televisions (TVs), computers, smart security systems, smart home systems, other devices for monitoring or interacting with or for the users (102) and/or entities, or any combination thereof. A person of ordinary skill in the art will appreciate that the UE (104) may include, but is not limited to, intelligent, multi-sensing, network-connected devices that may integrate seamlessly with each other and/or with a central server, a cloud-computing system, or any other device that is network-connected.
[0071] Additionally, in some embodiments, the UE (104) may include, but is not limited to, a handheld wireless communication device (e.g., a mobile phone, a smartphone, a phablet device, and so on), a wearable computer device (e.g., a head-mounted display computer device, a head-mounted camera device, a wristwatch computer device, and so on), a Global Positioning System (GPS) device, a laptop computer, a tablet computer, or another type of portable computer, a media playing device, a portable gaming system, and/or any other type of computer device with wireless communication capabilities, and the like. In an embodiment, the UE (104) may include, but is not limited to, any electrical, electronic, or electromechanical equipment, or a combination of one or more of the above devices, such as virtual reality (VR) devices, augmented reality (AR) devices, a laptop, a general-purpose computer, a desktop, a personal digital assistant, a tablet computer, a mainframe computer, or any other computing device, wherein the UE (104) may include one or more in-built or externally coupled accessories including, but not limited to, a visual aid device such as a camera, an audio aid, a microphone, a keyboard, and input devices for receiving input from the user (102) or the entity, such as a touchpad, a touch-enabled screen, an electronic pen, and the like. A person of ordinary skill in the art will appreciate that the UE (104) is not restricted to the mentioned devices and that various other devices may be used.
[0072] Referring to FIG. 1, the UE (104) may communicate with a system (108) through a network (106) for sending or receiving various types of data. In an embodiment, the network (106) may include at least one of a 5G network, 6G network, or any other next generation network. The network (106) may enable the UE (104) to communicate with other devices in the network architecture (100) and/or with the system (108). The network (106) may include a wireless card or some other transceiver connection to facilitate this communication. In another embodiment, the network (106) may be implemented as, or include any of a variety of different communication technologies such as a wide area network (WAN), a local area network (LAN), a wireless network, a mobile network, a Virtual Private Network (VPN), the Internet, the Public Switched Telephone Network (PSTN), or the like.
[0073] In an embodiment, the network (106) may include, by way of example but not limitation, at least a portion of one or more networks having one or more nodes that transmit, receive, forward, generate, buffer, store, route, switch, process, or a combination thereof, etc. one or more messages, packets, signals, waves, voltage or current levels, some combination thereof, or so forth. The network (106) may also include, by way of example but not limitation, one or more of a wireless network, a wired network, an internet, an intranet, a public network, a private network, a packet-switched network, a circuit-switched network, an ad hoc network, an infrastructure network, a Public-Switched Telephone Network (PSTN), a cable network, a cellular network, a satellite network, a fiber optic network, or some combination thereof.
[0074] In an embodiment, the UE (104) is communicatively coupled with the network (106). The network (106) may receive a connection request from the UE (104). The network (106) may send an acknowledgment of the connection request to the UE (104). The UE (104) may transmit a plurality of signals in response to the connection request. The network (106) may enable the system (108) to manage the network security in a telecommunication network (e.g., the network (106)).
[0075] Although FIG. 1 shows exemplary components of the network architecture (100), in other embodiments, the network architecture (100) may include fewer components, different components, differently arranged components, or additional functional components than depicted in FIG. 1. Additionally, or alternatively, one or more components of the network architecture (100) may perform functions described as being performed by one or more other components of the network architecture (100).
[0076] FIG. 2 illustrates an exemplary block diagram (200) of the system (108), in accordance with an embodiment of the present disclosure. The system (108) may be configured to manage the network security in the network (106) (e.g., 5G network, 6G network and advanced networks). In particular, the system (108) may be responsible for network security monitoring and enforcement.
[0077] In an embodiment, the system (108) may include one or more processor(s) (202). The one or more processor(s) (202) may be implemented as one or more microprocessors, microcomputers, microcontrollers, digital signal processors, central processing units, logic circuitries, and/or any devices that process data based on operational instructions. Among other capabilities, the one or more processor(s) (202) may be configured to fetch and execute computer-readable instructions stored in a memory (204) of the system (108). The memory (204) may be configured to store one or more computer-readable instructions or routines in a non-transitory computer readable storage medium, which may be fetched and executed to create or share data packets over a network service. The memory (204) may include any non-transitory storage device including, for example, volatile memory such as random-access memory (RAM), or non-volatile memory such as erasable programmable read only memory (EPROM), flash memory, and the like.
[0078] In an embodiment, the system (108) may include an interface(s) (206). The interface(s) (206) may include a variety of interfaces, for example, interfaces for data input and output devices (I/O), storage devices, and the like. The interface(s) (206) may facilitate communication through the system (108). The interface(s) (206) may also provide a communication pathway for one or more components of the system (108). Examples of such components include, but are not limited to, a processing engine (208) and a database (216).
[0079] In an embodiment, the processing engine (208) may be implemented as a combination of hardware and programming (for example, programmable instructions) to implement one or more functionalities of the processing engine (208). In the examples described herein, such combinations of hardware and programming may be implemented in several different ways. For example, the programming for the processing engine (208) may be processor-executable instructions stored on a non-transitory machine-readable storage medium and the hardware for the processing engine (208) may comprise a processing resource (for example, one or more processors), to execute such instructions. In the present examples, the machine-readable storage medium may store instructions that, when executed by the processing resource, implement the processing engine (208). In such examples, the system may comprise the machine-readable storage medium storing the instructions and the processing resource to execute the instructions, or the machine-readable storage medium may be separate but accessible to the system and the processing resource. In other examples, the processing engine (208) may be implemented by electronic circuitry.
[0080] In an embodiment, the database (216) includes data that may be either stored or generated as a result of functionalities implemented by any of the components of the processor (202) or the processing engine (208). In an embodiment, the database (216) may include, but is not limited to, a relational database, a distributed database, a cloud-based database, or the like.
[0081] In an embodiment, the processing engine (208) may include a network security function unit (210), or a network security monitoring and enforcement function (NSMEF) unit. A person of ordinary skill in the art will appreciate that the terms “network security function unit” and “network security monitoring and enforcement function unit” may be used interchangeably throughout the disclosure. In one implementation, the network security function unit (210) may be a part of the system (108). In another implementation, the network security function unit (210) may be the system (108) for managing the network security. The network security function unit (210) may include a plurality of units. The plurality of units may include, but is not limited to, a registering unit (212), and an analyzing unit (214).
[0082] The registering unit (212) within the network security function unit (210) is configured to handle the registration of the network function (NF) with the system (108). To handle the registration, the registering unit (212) may receive a registration request from the NF. Further, the registering unit (212) may validate the registration request. Upon validation, the registering unit (212) may register the NF with the network security function unit (210).
[0083] The network security function unit (210), or the NSMEF unit receives one or more security policies. In examples, the one or more security policies may be input by an operator. In some examples, the one or more security policies may be generated by the processing unit based on historical data and learning from existing policies. In some examples, the network security function unit (210) may include a machine learning (ML) or artificial intelligence module to generate the one or more security policies. In an embodiment, the one or more security policies are provisioned within the network security function unit (210). In an example, the one or more security policies provisioned within the network security function unit are received from at least one network source. The at least one network source includes one of an operations support system (OSS) or business support system (BSS).
[0084] Examples of the one or more security policies include, but are not limited to, access control policies, encryption policies, intrusion detection policies, traffic filtering policies, patch management policies, anomaly detection policies, data integrity policies, compliance policies, incident response policies, and audit and monitoring policies.
[0085] The access control policies define who or what can access the NF and under what conditions. Further, the access control policies may include rules for user authentication, authorization, and permissions. Further, the encryption policies specify the encryption standards and protocols to be used for securing data in transit and at rest within the NF. Further, the intrusion detection policies set the parameters for detecting and responding to unauthorized access attempts, including the use of intrusion detection systems (IDS) and intrusion prevention systems (IPS). Further, the traffic filtering policies establish rules for filtering network traffic to block malicious data packets, manage bandwidth usage, and prioritize certain types of traffic. Further, the patch management policies outline the process for applying software updates and patches to the NF to protect against vulnerabilities and ensure compliance with the latest security standards. Further, the anomaly detection policies define the criteria and methods for detecting anomalies in network behavior, such as unusual data traffic patterns, unauthorized access attempts, and unexpected spikes in network usage. Further, the data integrity policies ensure the accuracy and consistency of data stored and processed by the NF, including checksums and validation procedures. Further, the compliance policies ensure the NF adheres to relevant legal, regulatory, and industry standards for security and data protection. Further, the incident response policies provide procedures and protocols for responding to security incidents, including steps for containment, eradication, recovery, and post-incident analysis. Furthermore, the audit and monitoring policies specify the requirements for logging, monitoring, and auditing NF activities to detect and respond to security threats.
[0086] In some embodiments, the network security function unit (210) may process the one or more security policies to identify at least one security policy among the one or more security policies applicable to the NF based on one or more parameters associated with the NF. The one or more parameters include a network slice, a use case, a NF type, and a public land mobile network (PLMN). Further, the network security function unit (210) may segregate the one or more translated security policies to apply to the registered NF. In examples, the processing includes evaluating, by the network security function unit (210), the one or more parameters associated with the NF. Based on the evaluation, the network security function unit (210) identifies the at least one security policy among the one or more security policies applicable to the NF. For example, an NF may host a slice and may be configured as a network repository function that maintains and provides information about available network functions and their capabilities. The network security function unit (210) may evaluate and identify one or more parameters of the NF described in the examples, including a slice and a type of NF (a network repository function). Based on the evaluation, the network security function unit (210) may identify that an access control policy and an intrusion detection policy are applicable to the NF. Further, the network security function unit (210) may apply the access control policy and the intrusion detection policy to the NF. In other words, processing the security policies involves adjusting the one or more security policies to fit the specific needs and context of the NF. For instance, different network slices may have distinct security requirements based on their intended purposes and the services the network slices support. A network slice dedicated to emergency services may require more stringent security measures than a slice used for regular internet browsing.
[0087] Similarly, use cases play a crucial role in determining the nature of the security policies. For example, a use case involving financial transactions may necessitate higher levels of encryption and stricter access controls than a use case for social media applications. The NF type is another critical parameter: different types of network functions, such as routers, firewalls, and load balancers, have unique security requirements. A firewall NF may need specific intrusion detection policies, while a load balancer NF may require policies focused on traffic management and integrity.
[0088] Furthermore, the PLMN ensures that security policies are compliant with the regulations and standards of the geographic region where the network operates. This includes adherence to local laws regarding data privacy and protection, which can vary significantly from one region to another.
[0089] Once the one or more security policies are processed, the network security function unit (210) segregates the translated policies to apply to the registered NF. Segregation involves categorizing and organizing the processed policies based on their relevance and applicability to the specific NF. The segregation ensures that each NF receives a customized set of security policies that address its unique security challenges and operational requirements.
[0090] Post the application of at least one security policy among the one or more security policies, the network security function unit (210) may receive real-time network data from the registered NF. The real-time network data may include a variety of dynamic information that is continuously generated and updated as the NF operates. Examples of real-time network data may include, but are not limited to, traffic patterns, connection states, security events, system health metrics, anomalous behavior, and configuration changes.
[0091] The traffic patterns may include information on the volume and flow of data packets traversing the network. This includes metrics such as bandwidth usage, packet rates, and latency, which help in understanding the current load and performance of the network. Further, the connection states include data about the status of ongoing connections, including the number of active connections, the duration of each connection, and the endpoints involved. Further, the user activity includes details of user interactions with the network, such as login attempts, resource access logs, and session durations. Further, the security events include logs of security-related occurrences, including successful and failed authentication attempts, firewall alerts, intrusion detection system (IDS) triggers, and any detected malware or phishing attempts. Further, the system health metrics include information on the health and status of network hardware and software components, such as CPU and memory usage, disk space, error rates, and system uptime. Further, the anomalous behavior includes data points that signify deviations from normal network behavior. This includes unusual spikes in traffic, unexpected drops in connection quality, irregular access patterns, and other indicators that may suggest a potential threat or network issue. Furthermore, the configuration changes include real-time updates on any changes made to network configurations, including routing table updates, policy changes, and software upgrades.
[0092] The analyzing unit (214) of the network security function unit (210) may analyze the received real-time network data based on the applied at least one security policy to identify one or more anomalies associated with the NF. In examples, the analysis may include inspecting packet headers, payloads, traffic patterns, IP addresses, protocols used, data volumes, any unusual timing or behavior, unauthorized access attempts, unusual data transfers, suspicious network traffic, attempts to exploit vulnerabilities, etc. The one or more anomalies may include unusual data traffic patterns, unauthorized access attempts, unexpected spikes in network usage, and other activities indicative of security threats. During analysis, the network security function unit (210) compares any events in NFs with the applied at least one security policy to detect a breach of the security policy (for example, violation or deviation from the policy). In examples, the analysis may include signature-based analysis, behavior-based analysis, heuristic analysis, etc. The network security function unit (210) identifies the one or more breaches as one or more anomalies associated with the registered NF. Based on the events, the analyzing unit (214) may classify events as normal (activity or event aligns with the security policy), suspicious (activity or event deviates from the security policy, but does not appear malicious and requires further monitoring or investigation) or a security threat (activity or event violates the security policy requiring immediate action).
[0093] In some embodiments, the real-time data is analyzed using a computing model. The computing model may be an Artificial Intelligence (AI) model. By employing AI techniques such as machine learning algorithms and deep learning algorithms, the AI model may identify complex patterns and correlations within the real-time network data.
[0094] In a more elaborate way, the AI model may be trained on historical network data to recognize normal and anomalous behavior patterns. The AI model continuously learns from the incoming data, adapting its analysis to evolving network conditions and emerging threats. The AI model may detect subtle anomalies in traffic patterns, user behavior, and system performance metrics that may indicate security breaches, performance issues, or potential failures. In some embodiments, the AI model may also prioritize alerts based on the severity and potential impact of detected anomalies, allowing network operators to focus on the most critical issues.
[0095] In some embodiments, to identify the one or more anomalies, the network security function unit (210) may communicate real-time network data metrics with a network data analytics function (NWDAF) and a network slice selection function (NSSF), for further analysis. The NWDAF may be configured to identify network load anomalies, and the NSSF may be configured to identify network slice anomalies.
[0096] The network load anomalies are irregularities in the expected load patterns on the network, such as unexpected spikes in traffic, unusual congestion levels, or uneven distribution of data load across the network. The network security function unit (210) may utilize the NWDAF to analyze these patterns. The NWDAF uses advanced analytics and machine learning techniques to monitor network performance metrics continuously, identify deviations from normal behavior, and provide information for the root causes of these anomalies. By detecting network load anomalies early, the network security function unit (210) may take proactive measures to redistribute load, optimize network resources, and prevent potential service disruptions.
[0097] The network slice level anomalies, on the other hand, are irregularities specific to the individual network slices within the network. Network slicing allows for the creation of multiple virtual networks on a shared physical infrastructure, each designed to meet the specific needs of different services or customer segments. Anomalies at the slice level may include unauthorized access attempts, violations of slice-specific security policies, or performance degradation within a particular slice. The network security function unit (210) may communicate with the NSSF to monitor and manage these anomalies. The NSSF manages the selection of the network slices, ensuring that each slice operates according to its defined parameters. By identifying and addressing slice level anomalies, the network security function unit (210) ensures that each network slice remains secure.
[0098] Although FIG. 2 shows exemplary components of the system (108), in other embodiments, the system (108) may include fewer components, different components, differently arranged components, or additional functional components than depicted in FIG. 2. Additionally, or alternatively, one or more components of the system (108) may perform functions described as being performed by one or more other components of the system (108).
[0099] Referring to FIG. 3, an exemplary system architecture (300) for managing network security in the network is illustrated, in accordance with an embodiment of the present disclosure. The system architecture (300) provides an NSMEF unit (302) to manage security of the NFs, and standardized interfaces between the NFs and the NSMEF unit (302) for implementing one or more security policies from a data source, real-time data exchange to ensure the overall security of the network, triggering functions when there are anomalies, and supply of security metrics for real-time analysis to the NSMEF or other units. With the NSMEF unit (302) and the interface, the system architecture (300) provides a single network function configured to cater to the disjoint and distinct security requirements of heterogeneous use-cases in the network. The system architecture (300) establishes a unified centralized network function configured to continuously assess and implement one or more security policies in real time to the NFs.
[00100] As illustrated in FIG. 3, the system architecture (300) includes the NSMEF unit (302) (analogous to the network security function unit (210)), an operations support system (OSS) and/or a business support system (BSS) (304), a network data analytics function (NWDAF) (306), a network slice selection function (NSSF) (308), and one or more network functions (NFs) (e.g., a NF (310-1), a NF (310-2), a NF (310-3), and a NF (310-4)) (collectively referred to as a NF (310)). The system architecture (300) further includes one or more network slices (e.g., a network slice (312-1) and a network slice (312-2)) (collectively referred to as a network slice (312)).
[00101] The NSMEF unit (302) is a unified, centralized network function configured for assessing and implementing one or more security policies for NFs. The NSMEF unit (302) is configured to continuously monitor the NFs to check if the NFs are compliant with the security policies (e.g., whether data is encrypted, whether access control rules are enforced). On detecting a non-compliant NF (e.g., an NF handling sensitive data without encryption), the NSMEF unit (302) automatically implements one or more security policies applicable to the NF by reconfiguring the NF to comply with the security policies. In other words, the NSMEF unit (302) provides centralized control and application of security policies across all NFs. The NSMEF unit (302) also provides real-time or dynamic application of the one or more security policies.
[00102] In an implementation, the NF (310-1) and the NF (310-2) may be deployed in the network slice (312-1). Additionally, the NF (310-2), the NF (310-3) and the NF (310-4) may be deployed in the network slice (312-2). In an implementation, the NSMEF unit (302) may communicate with the OSS/BSS (304), the NWDAF (306), the NSSF (308), the NF (310), and the network slice (312), via the network (106). The network (106) may be, for example, but not limited to, a 5G network, a 6G network, or a next generation network. In an implementation, the network (106) may be a core network of an operator. Accordingly, the network (106) is deployed as the core network of the operator. Additionally, the NF (310) may be a control plane NF and/or a user plane NF.
[00103] In operation, the OSS/BSS (304) may provision one or more security policies into the NSMEF unit (302). In an example, the one or more security policies may be applicable to Layer 2, Layer 3, Layer 4, Layer 5, Layer 6, and/or Layer 7 of the open systems interconnection (OSI) model.
[00104] In an implementation, the NSMEF unit (302) may receive one or more security policies from the OSS/BSS (304). The one or more security policies may be operator-defined policies or automatically generated security policies. The NSMEF unit (302) may further communicate with the NF (310) and ensure the incorporation of applicable one or more security policies. In an implementation, the NSMEF unit (302) may integrate with the NF (310) and manage the overall network security of the NF (310). The NSMEF unit (302) is configured to exchange the one or more security policies and real-time network data with the NF (310). According to an implementation, there may be a standardized interface between the NF (310) and the NSMEF unit (302), such that the NF (310) may receive the one or more security policies from the NSMEF unit (302) and report real-time network data to the NSMEF unit (302) for analysis.
[00105] In an implementation, to identify and apply the one or more security policies to the NFs, the NSMEF unit (302) may process the one or more security policies based on at least one of a network slice, a use case, a NF type, and a public land mobile network (PLMN) and apply the one or more applicable security policies to the NF (310).
[00106] In other words, to process and apply the one or more security policies, the NSMEF unit (302) may, for example, translate the one or more security policies from their original format into a format that is suitable for the NF (310). In some embodiments, apart from the format translation, the translation may also involve adapting or modifying the policies based on various parameters. The parameters include, but are not limited to, the network slice, the specific use case, the type of NF, and the PLMN. This translation process ensures that the security policies are compatible with the specific requirements and capabilities of the NF (310).
[00107] For example, each network slice may have distinct security requirements depending on its purpose and the services it supports. For example, a slice dedicated to emergency services may have more stringent security policies compared to a slice used for general internet access. Thus, the security policies may be adjusted according to the particular network slice (e.g., dedicated for IoT, public safety, or consumer services), which may have unique security needs.
[00108] Further, the security policies may be adjusted based on the application or different use case (e.g., streaming services, or financial transactions) to ensure that the security policies address specific security threats and requirements.
[00109] Further, the security policies may be adjusted based on the type of NF (e.g., firewall, or load balancer) to ensure the security policies are suitable for the role and capabilities of the NF.
[00110] Moreover, the security policies may be adjusted to comply with regional regulations and operator-specific requirements, ensuring alignment with local standards and practices.
[00111] After processing the security policies, the NSMEF unit (302) then segregates the one or more translated security policies for application of these security policies into the NF (310). In one implementation, the segregation may involve classifying the security policies into different groups based on their relevance to specific network slices, use cases, NF types, or the PLMNs. In another implementation, the segregation may involve arranging the security policies according to their importance or urgency, ensuring that critical security policies are applied first. In some examples, the NSMEF unit (302) evaluates the one or more parameters associated with the NF (310). Based on the evaluation, the NSMEF unit (302) identifies and applies the at least one security policy among the one or more security policies applicable to the NF (310).
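The policy processing described in paragraphs [0086]-[0089] and again in [00105]-[00111] (evaluate the NF's slice, use case, NF type and PLMN; translate the matching policies to the NF; segregate them by category and urgency) can be written down as a small pipeline. The following Python is an added example, not code from the patent or from Jio Platforms: the policy catalog, the category and setting names, the priority scheme and the sample PLMN and slice identifiers are all constructed for illustration.

```python
"""Policy selection, translation and segregation for a registered NF (added example)."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List


@dataclass(frozen=True)
class NFProfile:
    nf_id: str
    nf_type: str      # e.g. "NRF", "FIREWALL", "LOAD_BALANCER"
    slice_id: str     # e.g. "emergency", "embb"
    use_case: str     # e.g. "public-safety", "browsing", "payments"
    plmn: str         # MCC-MNC string; the sample values below are constructed


@dataclass(frozen=True)
class SecurityPolicy:
    name: str
    category: str
    priority: int                 # lower number = more urgent, applied earlier
    # Applicability constraints; an empty set means "matches any value".
    nf_types: FrozenSet[str] = frozenset()
    slices: FrozenSet[str] = frozenset()
    use_cases: FrozenSet[str] = frozenset()
    plmns: FrozenSet[str] = frozenset()
    settings: Dict[str, object] = field(default_factory=dict)
    # Per-slice adjustments merged into the settings during translation.
    slice_overrides: Dict[str, Dict[str, object]] = field(default_factory=dict)

    def applies_to(self, nf: NFProfile) -> bool:
        """Evaluate the NF's parameters against this policy's constraints."""
        def ok(allowed: FrozenSet[str], value: str) -> bool:
            return not allowed or value in allowed
        return (ok(self.nf_types, nf.nf_type) and ok(self.slices, nf.slice_id)
                and ok(self.use_cases, nf.use_case) and ok(self.plmns, nf.plmn))


# Constructed catalog standing in for what an operator would provision via OSS/BSS.
POLICY_CATALOG: List[SecurityPolicy] = [
    SecurityPolicy("access-control-baseline", "access_control", 10,
                   settings={"mfa_required": False, "session_timeout_s": 3600},
                   slice_overrides={"emergency": {"mfa_required": True, "session_timeout_s": 600}}),
    SecurityPolicy("ids-core", "intrusion_detection", 20,
                   nf_types=frozenset({"NRF", "FIREWALL"}),
                   settings={"mode": "detect", "alert_threshold": 5}),
    SecurityPolicy("traffic-mgmt", "traffic_filtering", 30,
                   nf_types=frozenset({"LOAD_BALANCER"}),
                   settings={"rate_limit_pps": 20000}),
    SecurityPolicy("encrypt-financial", "encryption", 5,
                   use_cases=frozenset({"payments"}),
                   settings={"min_tls": "1.3", "at_rest": "aes-256-gcm"}),
    SecurityPolicy("plmn-data-residency", "compliance", 15,
                   plmns=frozenset({"404-01"}),
                   settings={"log_retention_days": 180, "export_allowed": False}),
]


def select_policies(catalog: List[SecurityPolicy], nf: NFProfile) -> List[SecurityPolicy]:
    """Keep only the policies whose constraints the NF's parameters satisfy."""
    return [p for p in catalog if p.applies_to(nf)]


def translate_for_nf(policy: SecurityPolicy, nf: NFProfile) -> Dict[str, object]:
    """Adapt a policy to the NF: merge slice-specific overrides into the settings and
    emit a flat record in an NF-consumable shape (the record format is constructed)."""
    settings = dict(policy.settings)
    settings.update(policy.slice_overrides.get(nf.slice_id, {}))
    return {"target_nf": nf.nf_id, "policy": policy.name, "category": policy.category,
            "priority": policy.priority, "settings": settings}


def segregate(translated: List[Dict[str, object]]) -> Dict[str, List[Dict[str, object]]]:
    """Group translated policies by category, each group ordered by urgency."""
    groups: Dict[str, List[Dict[str, object]]] = {}
    for rec in translated:
        groups.setdefault(str(rec["category"]), []).append(rec)
    for recs in groups.values():
        recs.sort(key=lambda r: (int(r["priority"]), str(r["policy"])))
    return groups


def application_order(groups: Dict[str, List[Dict[str, object]]]) -> List[str]:
    """Flatten the groups so the most urgent policy is applied to the NF first."""
    flat = [r for recs in groups.values() for r in recs]
    flat.sort(key=lambda r: (int(r["priority"]), str(r["policy"])))
    return [str(r["policy"]) for r in flat]


def plan_for(nf: NFProfile, catalog: List[SecurityPolicy] = POLICY_CATALOG):
    """Full pipeline: select -> translate -> segregate -> ordered application plan."""
    translated = [translate_for_nf(p, nf) for p in select_policies(catalog, nf)]
    groups = segregate(translated)
    return groups, application_order(groups)


if __name__ == "__main__":
    # The paragraph's own example: an NRF hosting a slice gets access control + IDS.
    nrf = NFProfile("nrf-1", "NRF", "embb", "browsing", "404-02")
    groups, order = plan_for(nrf)
    print(sorted(groups), order)
```

The constraint sets are deliberately "empty means any", so a baseline policy with no constraints reaches every NF while slice-, use-case-, type- and PLMN-scoped policies only reach the NFs they were provisioned for; the slice override is where the "emergency slice needs stricter settings" adjustment from the text lands.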
[00112] In examples, the NSMEF unit (302) may process the real-time network data by comparing the real-time network data corresponding to the applied at least one security policy to determine one or more breaches of the applied at least one security policy. The NSMEF unit (302) may identify the one or more breaches as one or more anomalies associated with the registered NF (310). In an implementation, an event may be triggered when an anomaly or any anomalous behavior is detected in the NF (310) based on the analysis. In an example, there may be a continuous transmission of real-time network data or security events data for real-time analysis at the NSMEF unit (302). The one or more anomalies may include unusual data traffic patterns, unauthorized access attempts, unexpected spikes in network usage, and other activities indicative of security threats.
[00113] In an implementation, in order to detect one or more network load anomalies or network slice level anomalies, the NSMEF unit (302) may process the real-time network data by communicating with a network data analytics function (NWDAF) and a network slice selection function (NSSF), respectively.
[00114] FIG. 4 illustrates an exemplary sequence diagram representing a process (400) for managing network security in the network, in accordance with embodiments of the present disclosure. The sequence diagram includes the NSMEF unit (302), the operations support system (OSS) and/or business support system (BSS) (304), the NF (310), the NWDAF (306), and the NSSF (308).
[00115] In order to manage the network security, the NSMEF unit (302) may receive one or more security policies from the OSS/BSS (304), at step 402. On receiving the one or more security policies from the OSS/BSS (304), the NSMEF unit (302) may send an acknowledgement response to the OSS/BSS (304), at step 404.
[00116] At step 406, the NF (310) may send a request for registration to the NSMEF unit (302). In response to receiving the request for registration, the NSMEF unit (302) may perform registration of the NF (310). Upon registration, the NSMEF unit (302) may download the one or more security policies to the NF (310), at step 408.
[00117] Further, the NSMEF unit (302) may apply the downloaded one or more security policies at the NFs (310), at step 410. At step (412-1), step (412-2), and step (412-3), the NF (310) may communicate with the NSMEF unit (302) for continuously transmitting real-time network data or other security events for real-time data analysis.
[00118] On receiving the real-time network data and other security events from the NF (310), the NSMEF unit (302) may send an acknowledgment response to the NF (310), at step 414. In an implementation, the NSMEF unit (302) may analyze the real-time network data or other security events to detect one or more anomalies in the received real-time network data and other security events.
[00119] In order to detect a network load anomaly, the NSMEF unit (302) may forward the received real-time network data to the NWDAF (306), at step 416. On receiving the real-time network data or other security events, the NWDAF (306) may send an acknowledgement response to the NSMEF unit (302), at step 418.
[00120] Additionally, in order to detect a network slice level anomaly, the NSMEF unit (302) may forward the received real-time network data or other security events to the NSSF (308), at step 420. On receiving the real-time network data or other security events, the NSSF (308) may send an acknowledgement response to the NSMEF unit (302), at step 422. In an event of identifying one or more anomalies, the NSMEF unit (302) may trigger an alert to a network administrator indicating actions such as blocking or isolating the NFs where the one or more anomalies are found, storing the security events, logs, the anomalies, etc., for analysis and auditing, and providing corrective actions to invalidate any security threat caused by the anomalies, for example, by patching vulnerabilities, applying firewall rules, etc.
[00121] The process (400) achieves a network security functionality implemented using the architecture of FIG. 3, and continuously assesses and implements security policies in real time to the NFs (310). The process (400) causes detection of any anomalies in the NFs, leading to triggering of an event to alert the network administration for corrective actions.
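The exchange of FIG. 4 (steps 402 to 422 in paragraphs [00115]-[00120]) is easier to reason about when both sides of every message are written out. The Python below is an added example, not code from the patent or from Jio Platforms: the message kinds, acknowledgement contents, the registration validation (known NF type, no duplicate registration) and the two analytics rules inside the NWDAF and NSSF stand-ins are constructed so that the sequence can be executed offline; none of them is defined by the patent or by a 3GPP interface.

```python
"""The FIG. 4 exchange as an offline simulation (added example)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Message:
    step: str                  # FIG. 4 step label, e.g. "402"
    src: str
    dst: str
    kind: str                  # constructed kinds: POLICY_PROVISION, ACK, REGISTER, ...
    body: dict = field(default_factory=dict)


class Transcript:
    """Ordered record of every message, so the exchange can be inspected or audited."""
    def __init__(self) -> None:
        self.messages: List[Message] = []

    def send(self, msg: Message) -> Message:
        self.messages.append(msg)
        return msg

    def steps(self) -> List[str]:
        return [m.step for m in self.messages]


class NWDAF:
    """Load analytics stand-in: a load anomaly is a packet rate far above expected (constructed rule)."""
    def __init__(self, expected_pps: int) -> None:
        self.expected_pps = expected_pps

    def analyze(self, data: dict) -> dict:
        return {"load_anomaly": data.get("packet_rate_pps", 0) > 2 * self.expected_pps}


class NSSF:
    """Slice analytics stand-in: a slice anomaly is an NF serving a slice it is not deployed in."""
    def __init__(self, members: Dict[str, Set[str]]) -> None:
        self.members = members     # nf_id -> slices the NF is deployed in

    def analyze(self, nf_id: str, data: dict) -> dict:
        return {"slice_anomaly": data.get("serving_slice") not in self.members.get(nf_id, set())}


class NSMEF:
    def __init__(self, t: Transcript, nwdaf: NWDAF, nssf: NSSF, allowed_nf_types: Set[str]) -> None:
        self.t, self.nwdaf, self.nssf, self.allowed_nf_types = t, nwdaf, nssf, allowed_nf_types
        self.policies: List[str] = []
        self.registered: Dict[str, dict] = {}
        self.alerts: List[dict] = []

    def provision(self, policies: List[str], src: str = "OSS/BSS") -> None:
        """Steps 402/404: receive the policies and acknowledge them."""
        self.t.send(Message("402", src, "NSMEF", "POLICY_PROVISION", {"policies": policies}))
        self.policies = list(policies)
        self.t.send(Message("404", "NSMEF", src, "ACK", {"accepted": len(policies)}))

    def register(self, nf_id: str, nf_type: str) -> bool:
        """Steps 406-410: validate the request, register the NF, download and apply policies."""
        self.t.send(Message("406", nf_id, "NSMEF", "REGISTER", {"nf_type": nf_type}))
        if nf_type not in self.allowed_nf_types or nf_id in self.registered:
            self.t.send(Message("406", "NSMEF", nf_id, "REJECT", {"reason": "invalid registration"}))
            return False
        self.registered[nf_id] = {"nf_type": nf_type}
        self.t.send(Message("408", "NSMEF", nf_id, "POLICY_DOWNLOAD", {"policies": self.policies}))
        self.t.send(Message("410", "NSMEF", nf_id, "POLICY_APPLY", {}))
        return True

    def report(self, nf_id: str, data: dict) -> Optional[dict]:
        """Steps 412-422: accept real-time data, ack, consult NWDAF and NSSF, alert on anomalies."""
        self.t.send(Message("412", nf_id, "NSMEF", "REALTIME_DATA", data))
        if nf_id not in self.registered:            # only registered NFs are analysed
            self.t.send(Message("412", "NSMEF", nf_id, "REJECT", {"reason": "not registered"}))
            return None
        self.t.send(Message("414", "NSMEF", nf_id, "ACK", {}))
        self.t.send(Message("416", "NSMEF", "NWDAF", "ANALYZE_LOAD", data))
        load = self.nwdaf.analyze(data)
        self.t.send(Message("418", "NWDAF", "NSMEF", "ACK", load))
        self.t.send(Message("420", "NSMEF", "NSSF", "ANALYZE_SLICE", data))
        slice_res = self.nssf.analyze(nf_id, data)
        self.t.send(Message("422", "NSSF", "NSMEF", "ACK", slice_res))
        findings = {**load, **slice_res}
        if not any(findings.values()):
            return None
        # Alert record for the administrator; stored for auditing, the action is a recommendation.
        alert = {"nf_id": nf_id, "findings": findings, "recommended_action": "isolate_nf", "evidence": data}
        self.alerts.append(alert)
        return alert


def run_demo():
    """Constructed scenario: one normal report, then one that trips both analytics functions."""
    t = Transcript()
    nsmef = NSMEF(t, NWDAF(expected_pps=1000),
                  NSSF({"nf-310-1": {"312-1"}, "nf-310-2": {"312-1", "312-2"}}),
                  allowed_nf_types={"AMF", "UPF", "NRF"})
    nsmef.provision(["access-control-baseline", "ids-core"])
    nsmef.register("nf-310-1", "AMF")
    first = nsmef.report("nf-310-1", {"packet_rate_pps": 800, "serving_slice": "312-1"})
    second = nsmef.report("nf-310-1", {"packet_rate_pps": 5000, "serving_slice": "312-2"})
    return nsmef, t, first, second


if __name__ == "__main__":
    nsmef, t, _, alert = run_demo()
    print(t.steps(), alert)
```

Two details matter for a defender reading the sequence: real-time data from an NF that never completed step 406 is rejected rather than analysed, and every message (including the rejections and the NWDAF/NSSF acknowledgements carrying their verdicts) lands in the transcript, which is what the "storing the security events, logs, the anomalies" step of [00120] needs for later auditing.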
[00122] FIG. 5 illustrates an exemplary flow diagram of a method (500) for managing network security in the network, in accordance with an embodiment of the present disclosure.
[00123] At step (502), the method (500) includes receiving, by the network security function unit (210), one or more security policies from at least one network source.
[00124] At step (504), the method (500) includes receiving, by the network security function unit (210), a registration request to register a network function (NF) (310).
[00125] At step (506), the method (500) includes registering, by the network security function unit (210), the NF (310) with a network security function unit (210) based on the registration request.
[00126] At step (508), the method (500) includes processing, by the network security function unit (210), the one or more security policies to identify at least one security policy among the one or more security policies applicable to the NF (310) based on one or more parameters associated with the NF (310). The processing includes evaluating, by the network security function unit (210), the one or more parameters associated with the NF (310). Based on the evaluation, the network security function unit (210) identifies the at least one security policy among the one or more security policies applicable to the NF (310). The one or more parameters include at least one of a slice associated with the NF (310), the type of the NF (310), the public land mobile network (PLMN) associated with the NF (310), and the use case of the NF (310).
[00127] At step (510), the method (500) includes applying, by the network security function unit (210), the identified at least one security policy to the NF (310). At step (512), the method (500) includes receiving, by the network security function unit (210), real-time network data from the NF (310).
[00128] At step (514), the method (500) includes analyzing, by the network security function unit (210), the received real-time network data to identify one or more anomalies associated with the registered NF (310). The identification of the one or more anomalies includes processing, by the network security function unit (210), the real-time network data by comparing the real-time network data against the applied at least one security policy to determine one or more breaches of the applied at least one security policy. The one or more breaches are identified as one or more anomalies associated with the registered NF (310) by the network security function unit (210). In some embodiments, the one or more anomalies include unusual data traffic patterns, unauthorized access attempts, unexpected spikes in network usage, and other activities indicative of security threats.
[00129] In some embodiments, the real-time data is analyzed using a computing model. In order to identify the one or more anomalies, the method (500) includes processing, by the network security function unit (210), the real-time network data to detect at least one of a network load anomaly and a network slice level anomaly by communicating with the NWDAF (306) and the NSSF (308), respectively.
[00130] In an event of identifying one or more anomalies, the network security function unit (210) may trigger an alert to the network administrator indicating actions such as blocking or isolating the NFs where the one or more anomalies are found, storing the security events, logs, the anomalies, etc., for analysis and auditing, and providing corrective actions to invalidate any security threat caused by the anomalies, for example by patching vulnerabilities, applying firewall rules, etc.
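The following is an added illustration of steps (508) through (514), written for this description and not code of the present disclosure: a policy is selected for a registered NF by matching its slice, NF type, PLMN and use case against policy selectors (the most specific match wins), and real-time data is then compared against the applied policy to flag breaches as anomalies. All class and field names, the policy constraints (a request-rate ceiling and an allowed-consumer list) and the sample values are assumptions constructed for the example.

```python
"""Added example, not the disclosure's own code: NSMEF-style policy
selection (step 508/510) and breach detection (step 514).
All names, fields and sample values below are constructed assumptions."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class SecurityPolicy:
    name: str
    # Selectors drawn from the NF parameters; None acts as a wildcard.
    slice_id: Optional[str] = None
    nf_type: Optional[str] = None
    plmn: Optional[str] = None
    use_case: Optional[str] = None
    # Constraints the real-time data is checked against (assumed shape).
    max_req_per_sec: int = 1000
    allowed_consumer_types: frozenset = frozenset()

    def specificity(self, nf: dict) -> int:
        """-1 if the policy does not apply; otherwise the number of
        selectors that matched, so more specific policies rank higher."""
        pairs = [(self.slice_id, nf["slice_id"]), (self.nf_type, nf["nf_type"]),
                 (self.plmn, nf["plmn"]), (self.use_case, nf["use_case"])]
        if any(want is not None and want != have for want, have in pairs):
            return -1
        return sum(want is not None for want, _ in pairs)


class NSMEF:
    def __init__(self, policies):
        self.policies = list(policies)  # step 502: policies from OSS/BSS
        self.registry = {}              # step 506: registered NFs
        self.applied = {}               # step 510: policy applied per NF

    def register(self, nf_id: str, **params) -> str:
        """Steps 504-510: register the NF and apply the best matching policy."""
        self.registry[nf_id] = params
        best = max(self.policies, key=lambda p: p.specificity(params))
        if best.specificity(params) < 0:
            raise LookupError(f"no security policy applicable to {nf_id}")
        self.applied[nf_id] = best
        return best.name

    def analyze(self, nf_id: str, sample: dict) -> list:
        """Step 514: compare one real-time sample against the applied
        policy; each breach is reported as an anomaly (kind, evidence)."""
        policy = self.applied[nf_id]
        breaches = []
        if sample["req_per_sec"] > policy.max_req_per_sec:
            breaches.append(("unexpected_spike", sample["req_per_sec"]))
        for consumer in sample["consumers"]:
            if consumer not in policy.allowed_consumer_types:
                breaches.append(("unauthorized_access", consumer))
        return breaches


# Constructed sample policies: a network-wide default and a slice/NF-type
# specific override for UDM instances serving the eMBB slice.
POLICIES = [
    SecurityPolicy("default", max_req_per_sec=500,
                   allowed_consumer_types=frozenset({"AMF", "SMF"})),
    SecurityPolicy("embb-udm", slice_id="eMBB", nf_type="UDM",
                   max_req_per_sec=2000,
                   allowed_consumer_types=frozenset({"AMF", "AUSF"})),
]
```

Registering a UDM on the eMBB slice selects "embb-udm" over "default"; a sample with 2500 requests per second from AMF and PCF then yields a spike anomaly and an unauthorized-access anomaly for PCF.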
[00131] FIG. 6 illustrates an example computer system (600) in which or with which the embodiments of the present disclosure may be implemented.
[00132] As shown in FIG. 6, the computer system (600) may include an external storage device (610), a bus (620), a main memory (630), a read-only memory (640), a mass storage device (650), a communication port(s) (660), and a processor (670). A person skilled in the art will appreciate that the computer system (300) may include more than one processor and communication ports. The processor (670) may include various modules associated with embodiments of the present disclosure. The communication port(s) (660) may be any of an RS-232 port for use with a modem-based dialup connection, a 10/100 Ethernet port, a Gigabit or 10 Gigabit port using copper or fiber, a serial port, a parallel port, or other existing or future ports. The communication port(s) (660) may be chosen depending on a network, such as a Local Area Network (LAN), Wide Area Network (WAN), or any network to which the computer system (600) connects.
[00133] In an embodiment, the main memory (630) may be Random Access Memory (RAM), or any other dynamic storage device commonly known in the art. The read-only memory (640) may be any static storage device(s) e.g., but not limited to, a Programmable Read Only Memory (PROM) chip for storing static information e.g., start-up or basic input/output system (BIOS) instructions for the processor (670). The mass storage device (650) may be any current or future mass storage solution, which can be used to store information and/or instructions. Exemplary mass storage solutions include, but are not limited to, Parallel Advanced Technology Attachment (PATA) or Serial Advanced Technology Attachment (SATA) hard disk drives or solid-state drives (internal or external, e.g., having Universal Serial Bus (USB) and/or Firewire interfaces).
[00134] In an embodiment, the bus (620) may communicatively couple the processor(s) (670) with the other memory, storage, and communication blocks. The bus (620) may be, e.g., a Peripheral Component Interconnect (PCI) / PCI Extended (PCI-X) bus, Small Computer System Interface (SCSI), Universal Serial Bus (USB), or the like, for connecting expansion cards, drives, and other subsystems as well as other buses, such as a front side bus (FSB), which connects the processor (670) to the computer system (600).
[00135] In another embodiment, operator, and administrative interfaces, e.g., a display, keyboard, and cursor control device may also be coupled to the bus (620) to support direct operator interaction with the computer system (600). Other operator and administrative interfaces can be provided through network connections connected through the communication port(s) (660). Components described above are meant only to exemplify various possibilities. In no way should the aforementioned exemplary computer system (600) limit the scope of the present disclosure.
[00136] The method and system of the present disclosure may be implemented in a number of ways. For example, the methods and systems of the present disclosure may be implemented by software, hardware, firmware, or any combination of software, hardware, and firmware. The above-described order for the steps of the method is for illustration only, and the steps of the method of the present disclosure are not limited to the order specifically described above unless specifically stated otherwise. Further, in some embodiments, the present disclosure may also be embodied as programs recorded in a recording medium, the programs including machine-readable instructions for implementing the methods according to the present disclosure. Thus, the present disclosure also covers a recording medium storing a program for executing the method according to the present disclosure.
[00137] While considerable emphasis has been placed herein on the preferred embodiments, it will be appreciated that many embodiments can be made and that many changes can be made in the preferred embodiments without departing from the principles of the disclosure. These and other changes in the preferred embodiments of the disclosure will be apparent to those skilled in the art from the disclosure herein, whereby it is to be distinctly understood that the foregoing descriptive matter is to be interpreted merely as illustrative of the disclosure and not as a limitation.
[00138] The present disclosure provides technical advancement related to network security management in the telecommunications network. This advancement addresses the limitations of existing solutions by introducing a centralized network security function unit that continuously assesses and implements security policies in real-time across all network functions. The disclosure involves a new network security function unit (e.g., the NSMEF unit) and a standardized interface for real-time data exchange and policy application, which offer significant improvements in security monitoring, anomaly detection, and compliance enforcement. By implementing the centralized security function unit, the present disclosure enhances the overall security and reliability of the network, resulting in improved protection against attacks, anomaly detection, and efficient compliance with the security policies.
ADVANTAGES OF THE PRESENT DISCLOSURE
[00139] The present disclosure provides a system and a method for managing network security in a telecommunication network.
[00140] The present disclosure provides a centralized network security function unit (e.g., the NSMEF) that establishes a consistent security baseline across the network, reducing vulnerabilities and enhancing overall network integrity.
[00141] The present disclosure enables a real-time monitoring and detection of the security threats, allowing for immediate responses to potential intrusions and attacks.
[00142] The present disclosure enables the NSMEF unit to continuously monitor the NFs for compliance with the latest security patch updates, ensuring that all components adhere to the latest security standards.
[00143] The present disclosure actively monitors distributed denial-of-service (DDoS) attacks, helping to mitigate and respond to such threats effectively.
[00144] The present disclosure utilizes the computing models (e.g., AI-based techniques) to detect anomalies (such as unusual signaling and data traffic behavior). The utilization of the computing models enhances the detection of network load anomalies and network slice level anomalies, enabling more accurate and efficient identification of issues.
[00145] The present disclosure enables the NSMEF unit to apply one or more security policies to the NFs based on various parameters such as network slice, use-case, NF type, and geographical area, ensuring effective security measures.
[00146] The present disclosure provides real-time compliance status of individual NFs, thereby enhancing the reliability and robustness of the network.
CLAIMS
We Claim:
1. A method (500) for managing network security in a network, the method (500) comprising:
receiving (502), by a network security function unit (210), one or more security policies from at least one network source;
receiving (504), by the network security function unit (210), a registration request to register a network function (NF) (310);
registering (506), by the network security function unit (210), the NF (310) with a network security function unit (210) based on the registration request;
processing (508), by the network security function unit (210), the one or more security policies to identify at least one security policy among the one or more security policies applicable to the NF (310) based on one or more parameters associated with the NF (310);
applying (510), by the network security function unit (210), the identified at least one security policy to the NF (310);
receiving (512), by the network security function unit (210), real-time network data from the NF (310); and
analyzing (510), by the network security function unit (210), the received real-time network data based on the applied at least one security policy to identify one or more anomalies associated with the registered NF (310).
2. The method (500) as claimed in claim 1, wherein identifying the one or more anomalies comprises:
processing, by the network security function unit (210), the real-time network data by determining whether the real-time network data complies with the applied at least one security policy, to identify one or more breaches of the applied at least one security policy; and
identifying, by the network security function unit (210), the one or more breaches as the one or more anomalies associated with the registered NF (310).
3. The method (500) as claimed in claim 2, further comprising
communicating, by the network security function unit (210), the one or more anomalies to a network data analytics function (NWDAF) (306) and notifying a network slice selection function (NSSF) (308).
4. The method (500) as claimed in claim 1, wherein the at least one network source comprises one of an operations support system (OSS) or business support system (BSS) (304).
5. The method (500) as claimed in claim 1, wherein the one or more parameters comprises at least one of a slice associated with the NF (310), type of the NF (310), public land mobile network (PLMN) associated with the NF (310) and use case of the NF (310).
6. The method (500) as claimed in claim 1, wherein the processing comprises:
evaluating, by the network security function unit (210), the one or more parameters associated with the NF (310); and
based on the evaluation, identifying, by the network security function unit (210), the at least one security policy among the one or more security policies applicable to the NF (310).
7. The method (500) as claimed in claim 1, wherein the real-time network data is analyzed using a computing model.
8. The method (500) as claimed in claim 1, wherein the one or more anomalies comprise unusual data traffic patterns, unauthorized access attempts, unexpected spikes in network usage, and other activities indicative of security threats.
9. A system (108) for managing network security in a network, the system (108) comprising:
a memory (204); and
a processing engine (208) communicatively coupled with the memory (204), the processing engine (208) comprising a network security function unit (210) configured to:
receive one or more security policies from at least one network source;
receive a registration request to register a network function (NF (310));
register the NF (310) based on the registration request;
process the one or more security policies to identify at least one security policy among the one or more security policies applicable to the NF (310) based on one or more parameters associated with the NF (310);
apply the identified at least one security policy to the NF (310);
receive real-time network data from the registered NF (310); and
analyze the received real-time network data to identify one or more anomalies associated with the registered NF (310).
10. The system (108) as claimed in claim 9, wherein to identify the one or more anomalies, the network security function unit (210) is further configured to:
process the real-time network data by determining whether the real-time network data complies with the applied at least one security policy, to identify one or more breaches of the applied at least one security policy; and
identify the one or more breaches as the one or more anomalies associated with the NF (310).
11. The system (108) as claimed in claim 9, the network security function unit (210) is further configured to:
communicate the one or more anomalies to at least one of a network data analytics function (NWDAF) (306) and notify a network slice selection function (NSSF) (308).
12. The system (108) as claimed in claim 9, wherein the at least one network source comprises one of an operations support system (OSS) or business support system (BSS) (304).
13. The system (108) as claimed in claim 9, wherein the one or more parameters comprises at least one of a slice associated with the NF (310), type of the NF (310), public land mobile network (PLMN) associated with the NF (310) and use case of the NF (310).
14. The system (108) as claimed in claim 9, wherein the real-time network data is analyzed using a computing model.
15. The system (108) as claimed in claim 9, wherein the one or more anomalies comprise unusual data traffic patterns, unauthorized access attempts, unexpected spikes in network usage, and other activities indicative of security threats.
16. A user equipment (UE) (104) communicatively coupled with a network (106), the coupling comprises steps of:
receiving, by the network (106), a connection request from the UE (104);
sending, by the network (106), an acknowledgment of the connection request to the UE (104); and
transmitting a plurality of signals in response to the connection request, wherein the network is configured to execute a method (500) for managing network security in a network as claimed in claim 1.
| # | Name | Date |
|---|---|---|
| 1 | 202321066641-STATEMENT OF UNDERTAKING (FORM 3) [04-10-2023(online)].pdf | 2023-10-04 |
| 2 | 202321066641-PROVISIONAL SPECIFICATION [04-10-2023(online)].pdf | 2023-10-04 |
| 3 | 202321066641-POWER OF AUTHORITY [04-10-2023(online)].pdf | 2023-10-04 |
| 4 | 202321066641-FORM 1 [04-10-2023(online)].pdf | 2023-10-04 |
| 5 | 202321066641-FIGURE OF ABSTRACT [04-10-2023(online)].pdf | 2023-10-04 |
| 6 | 202321066641-DRAWINGS [04-10-2023(online)].pdf | 2023-10-04 |
| 7 | 202321066641-DECLARATION OF INVENTORSHIP (FORM 5) [04-10-2023(online)].pdf | 2023-10-04 |
| 8 | 202321066641-FORM-26 [28-11-2023(online)].pdf | 2023-11-28 |
| 9 | 202321066641-DRAWING [25-09-2024(online)].pdf | 2024-09-25 |
| 10 | 202321066641-COMPLETE SPECIFICATION [25-09-2024(online)].pdf | 2024-09-25 |
| 11 | 202321066641-FORM-9 [24-10-2024(online)].pdf | 2024-10-24 |
| 12 | Abstract 1.jpg | 2024-11-21 |
| 13 | 202321066641-FORM 18A [12-01-2025(online)].pdf | 2025-01-12 |
| 14 | 202321066641-Power of Attorney [23-01-2025(online)].pdf | 2025-01-23 |
| 15 | 202321066641-Form 1 (Submitted on date of filing) [23-01-2025(online)].pdf | 2025-01-23 |
| 16 | 202321066641-Covering Letter [23-01-2025(online)].pdf | 2025-01-23 |
| 17 | 202321066641-CERTIFIED COPIES TRANSMISSION TO IB [23-01-2025(online)].pdf | 2025-01-23 |
| 18 | 202321066641-Proof of Right [31-01-2025(online)].pdf | 2025-01-31 |
| 19 | 202321066641-FER.pdf | 2025-01-31 |
| 20 | 202321066641-FORM 3 [24-02-2025(online)].pdf | 2025-02-24 |
| 21 | 202321066641-OTHERS [05-03-2025(online)].pdf | 2025-03-05 |
| 22 | 202321066641-Information under section 8(2) [05-03-2025(online)].pdf | 2025-03-05 |
| 23 | 202321066641-FER_SER_REPLY [05-03-2025(online)].pdf | 2025-03-05 |
| 24 | 202321066641-US(14)-HearingNotice-(HearingDate-12-08-2025).pdf | 2025-07-14 |
| 25 | 202321066641-Correspondence to notify the Controller [15-07-2025(online)].pdf | 2025-07-15 |
| 26 | 202321066641-Written submissions and relevant documents [25-08-2025(online)].pdf | 2025-08-25 |
| 27 | 202321066641-PETITION UNDER RULE 137 [25-08-2025(online)].pdf | 2025-08-25 |
| 1 | 202321066641_SearchStrategyNew_E_SearchstrategyE_27-01-2025.pdf | |