Service-based security per user location in mobile networks

US 10,477,391 B1
Filed: 03/28/2019
Issued: 11/12/2019
Est. Priority Date: 09/27/2018
Status: Active Grant

First Claim

Patent Images

1. A system, comprising:

a processor configured to;

monitor network traffic on a service provider network at a security platform to identify a new session, wherein the service provider network includes a 5G network or a converged 5G network, wherein the monitoring of the network traffic comprises to;

identify a data type SmContextCreateData or a data type PduSessionCreateData in the network traffic;

extract user location information for user traffic associated with the new session at the security platform, comprising to;

extract EutraLocation or NRLocation from the data type SmContextCreateData or the data type PduSessionCreateData of the network traffic, wherein the EutraLocation comprises Tracking Area Identity (TAI) and ECGI (EUTRA Cell Identity), wherein the NRLocation comprises Tracking Area Identity (TAI) and NR Cell Identity (NCGI); and

determine a security policy to apply at the security platform to the new session based on the user location information; and

a memory coupled to the processor and configured to provide the processor with instructions.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques for providing service-based security per user location in mobile networks (e.g., service provider networks for mobile subscribers) are disclosed. In some embodiments, a system/process/computer program product for service-based security per user location in mobile networks in accordance with some embodiments includes monitoring network traffic on a service provider network at a security platform to identify a new session, wherein the service provider network includes a 5G network or a converged 5G network; extracting user location information for user traffic associated with the new session at the security platform; and determining a security policy to apply at the security platform to the new session based on the user location information.

28 Citations

View as Search Results

17 Claims

1. A system, comprising:
- a processor configured to;
  
  monitor network traffic on a service provider network at a security platform to identify a new session, wherein the service provider network includes a 5G network or a converged 5G network, wherein the monitoring of the network traffic comprises to;
  
  identify a data type SmContextCreateData or a data type PduSessionCreateData in the network traffic;
  
  extract user location information for user traffic associated with the new session at the security platform, comprising to;
  
  extract EutraLocation or NRLocation from the data type SmContextCreateData or the data type PduSessionCreateData of the network traffic, wherein the EutraLocation comprises Tracking Area Identity (TAI) and ECGI (EUTRA Cell Identity), wherein the NRLocation comprises Tracking Area Identity (TAI) and NR Cell Identity (NCGI); and
  
  determine a security policy to apply at the security platform to the new session based on the user location information; and
  
  a memory coupled to the processor and configured to provide the processor with instructions.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The system recited in claim 1, wherein the security platform parses HTTP/2 messages to extract the user location information.
  - 3. The system recited in claim 1, wherein the security platform monitors wireless interfaces including a plurality of interfaces for a control protocol and user data traffic in a mobile core network for a 4G and/or 5G network.
  - 4. The system recited in claim 1, wherein the security platform monitors wireless interfaces including a plurality of interfaces for a control protocol and user data traffic in a mobile core network for a 4G and/or 5G network to provide user location information based security to subscribers and subscriber devices that connect to the service provider network using 5G radio access technology and handover from/to 5G radio access technologies to non-5G radio access technologies.
  - 5. The system recited in claim 1, wherein the security platform is configured to perform a firewall service using the user location information.
  - 6. The system recited in claim 1, wherein the security platform is configured to perform threat detection for known threats using the user location information.
  - 7. The system recited in claim 1, wherein the security platform is configured to perform advanced threat detection for unknown threats using the user location information.
  - 8. The system recited in claim 1, wherein the security platform is configured to perform Uniform Resource Link (URL) filtering using the user location information.
  - 9. The system recited in claim 1, wherein the security platform is configured to perform application Denial of Service (DoS) detection using the user location information.
  - 10. The system recited in claim 1, wherein the security platform is configured to perform application Denial of Service (DoS) prevention using the user location information.
  - 11. The system recited in claim 1, wherein the processor is further configured to:
    - extract user location information for user traffic associated with the new session at the security platform; and
      
      determine a security policy to apply at the security platform to the new session based on the user location information.
  - 12. The system recited in claim 1, wherein the processor is further configured to:
    - block the new session from accessing a resource based on the security policy.

13. A method, comprising:
- monitoring network traffic on a service provider network at a security platform to identify a new session, wherein the service provider network includes a 5G network or a converged 5G network, wherein the monitoring of the network traffic comprises;
  
  identifying a data type SmContextCreateData or a data type PduSessionCreateData in the network traffic;
  
  extracting user location information for user traffic associated with the new session at the security platform, comprising;
  
  extracting EutraLocation or NRLocation from the data type SmContextCreateData or the data type PduSessionCreateData of the network traffic, wherein the EutraLocation comprises Tracking Area Identity (TAI) and ECGI (EUTRA Cell Identity), wherein the NRLocation comprises Tracking Area Identity (TAI) and NR Cell Identity (NCGI); and
  
  determining a security policy to apply at the security platform to the new session based on the user location information.
- View Dependent Claims (14, 15)
- - 14. The method of claim 13, wherein the security platform parses HTTP/2 messages to extract the user location information.
  - 15. The method of claim 13, wherein the security platform monitors wireless interfaces including a plurality of interfaces for a control protocol and user data traffic in a mobile core network for a 4G and/or 5G network to provide user location information based security to subscribers and subscriber devices that connect to the service provider network using 5G radio access technology and handover from/to 5G radio access technologies to non-5G radio access technologies.

16. A computer program product, the computer program product being embodied in a tangible computer readable storage medium and comprising computer instructions for:
- monitoring network traffic on a service provider network at a security platform to identify a new session, wherein the service provider network includes a 5G network or a converged 5G network, wherein the monitoring of the network traffic comprises;
  
  identifying a data type SmContextCreateData or a data type PduSessionCreateData in the network traffic;
  
  extracting user location information for user traffic associated with the new session at the security platform, comprising;
  
  extracting EutraLocation or NRLocation from the data type SmContextCreateData or the data type PduSessionCreateData of the network traffic, wherein the EutraLocation comprises Tracking Area Identity (TAI) and ECGI (EUTRA Cell Identity), wherein the NRLocation comprises Tracking Area Identity (TAI) and NR Cell Identity (NCGI); and
  
  determining a security policy to apply at the security platform to the new session based on the user location information.
- View Dependent Claims (17)
- - 17. The computer program product recited in claim 16, wherein the security platform parses HTTP/2 messages to extract the user location information.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Palo Alto Networks Incorporated
Original Assignee
Palo Alto Networks Incorporated
Inventors
Verma, Sachin, Burakovsky, Leonid
Primary Examiner(s)
Milord, Marceau

Application Number

US16/368,762
Time in Patent Office

229 Days
Field of Search

455410
US Class Current
CPC Class Codes

H04L 63/1458   Denial of Service

H04L 63/20   for managing network securi...

H04W 12/037   of the control plane, e.g. ...

H04W 12/088   using filters or firewalls

H04W 12/104   Location integrity, e.g. se...

H04W 12/121   Wireless intrusion detectio...

H04W 12/37   Managing security policies ...

H04W 12/63   Location-dependent; Proximi...

H04W 8/12   between location registers ...

H04W 8/18   Processing of user or subsc...

Service-based security per user location in mobile networks

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

28 Citations

17 Claims

Specification

Use Cases

Quick Links

Others

Service-based security per user location in mobile networks

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

28 Citations

17 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others