Multi-access distributed edge security in mobile networks

US 10,574,670 B1
Filed: 03/28/2019
Issued: 02/25/2020
Est. Priority Date: 09/27/2018
Status: Active Grant

First Claim

Patent Images

1. A system, comprising:

a processor configured to;

monitor network traffic on a service provider network at a security platform to identify a new session, wherein the security platform monitors wireless interfaces including a plurality of interfaces for a control protocol and user data traffic in a mobile core network for a 5G network to provide multi-access distributed edge security for the 5G network, and wherein the service provider network includes the 5G network or a converged 5G network, wherein the monitoring of the network traffic comprises to;

identify data type SmContextCreateData and/or data type PduSessionCreateData in the network traffic;

extract subscription and/or equipment identifier information for user traffic associated with the new session at the security platform, wherein the subscription and/or equipment identifier information is identified by a Subscription Permanent Identifier (SUPI), a General Public Subscription Identifier (GPSI), and/or a Permanent Equipment Identifier (PEI), wherein the extracting of the subscription and/or equipment identifier information comprises to;

extract the subscription and/or equipment identifier information from the data type SmContextCreateData and/or data type PduSessionCreateData;

determine a security policy to apply at the security platform to the new session based on the subscription and/or equipment identifier information; and

block the new session from accessing a resource based on the security policy; and

a memory coupled to the processor and configured to provide the processor with instructions.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques for providing multi-access distributed edge security in mobile networks (e.g., service provider networks for mobile subscribers, such as for 5G networks) are disclosed. In some embodiments, a system/process/computer program product for multi-access distributed edge security in mobile networks in accordance with some embodiments includes monitoring network traffic on a service provider network at a security platform to identify a new session, wherein the service provider network includes a 5G network or a converged 5G network; extracting subscription and/or equipment identifier information for user traffic associated with the new session at the security platform; and determining a security policy to apply at the security platform to the new session based on the subscription and/or equipment identifier information.

47 Citations

View as Search Results

16 Claims

1. A system, comprising:
- a processor configured to;
  
  monitor network traffic on a service provider network at a security platform to identify a new session, wherein the security platform monitors wireless interfaces including a plurality of interfaces for a control protocol and user data traffic in a mobile core network for a 5G network to provide multi-access distributed edge security for the 5G network, and wherein the service provider network includes the 5G network or a converged 5G network, wherein the monitoring of the network traffic comprises to;
  
  identify data type SmContextCreateData and/or data type PduSessionCreateData in the network traffic;
  
  extract subscription and/or equipment identifier information for user traffic associated with the new session at the security platform, wherein the subscription and/or equipment identifier information is identified by a Subscription Permanent Identifier (SUPI), a General Public Subscription Identifier (GPSI), and/or a Permanent Equipment Identifier (PEI), wherein the extracting of the subscription and/or equipment identifier information comprises to;
  
  extract the subscription and/or equipment identifier information from the data type SmContextCreateData and/or data type PduSessionCreateData;
  
  determine a security policy to apply at the security platform to the new session based on the subscription and/or equipment identifier information; and
  
  block the new session from accessing a resource based on the security policy; and
  
  a memory coupled to the processor and configured to provide the processor with instructions.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The system recited in claim 1, wherein the security platform is configured with a plurality of security policies based on the subscription and/or equipment identifier information.
  - 3. The system recited in claim 1, wherein the subscription and/or equipment identifier information is identified by an International Mobile Subscription Identity (IMSI), International Mobile Equipment Identifier (IMEI), and/or Mobile Subscriber ISDN (MSISDN) related information.
  - 4. The system recited in claim 1, wherein the security platform parses Packet Forwarding Control Protocol (PFCP) Session Establishment Request and PFCP Session Establishment Response messages to extract the subscription and/or equipment identifier information, and wherein the subscription and/or equipment identifier information is identified by an International Mobile Subscription Identity (IMSI), International Mobile Equipment Identifier (IMEI), and/or Mobile Subscriber ISDN (MSISDN) related information.
  - 5. The system recited in claim 1, wherein the security platform monitors wireless interfaces including a plurality of interfaces for a control protocol and user data traffic in a mobile core network for a 5G network.
  - 6. The system recited in claim 1, wherein the security platform is configured to perform a firewall service using the subscription and/or equipment identifier information.
  - 7. The system recited in claim 1, wherein the security platform is configured to perform threat detection for known threats using the subscription and/or equipment identifier information.
  - 8. The system recited in claim 1, wherein the security platform is configured to perform advanced threat detection for unknown threats using the subscription and/or equipment identifier information.
  - 9. The system recited in claim 1, wherein the security platform is configured to perform Uniform Resource Link (URL) filtering using the subscription and/or equipment identifier information.
  - 10. The system recited in claim 1, wherein the processor is further configured to:
    - extract network slice information for the user traffic associated with the new session at the security platform; and
      
      determine a security policy to apply at the security platform to the new session based on the network slice information.

11. A method, comprising:
- monitoring network traffic on a service provider network at a security platform to identify a new session, wherein the security platform monitors wireless interfaces including a plurality of interfaces for a control protocol and user data traffic in a mobile core network for a 5G network to provide multi-access distributed edge security for the 5G network, and wherein the service provider network includes the 5G network or a converged 5G network, wherein the monitoring of the network traffic comprises;
  
  identifying data type SmContextCreateData and/or data type PduSessionCreateData in the network traffic;
  
  extracting subscription and/or equipment identifier information for user traffic associated with the new session at the security platform, wherein the subscription and/or equipment identifier information is identified by a Subscription Permanent Identifier (SUPI), a General Public Subscription Identifier (GPSI), and/or a Permanent Equipment Identifier (PEI), wherein the extracting of the subscription and/or equipment identifier information comprises;
  
  extracting the subscription and/or equipment identifier information from the data type SmContextCreateData and/or data type PduSessionCreateData;
  
  determining a security policy to apply at the security platform to the new session based on the subscription and/or equipment identifier information; and
  
  blocking the new session from accessing a resource based on the security policy.
- View Dependent Claims (12, 13)
- - 12. The method of claim 11, wherein the subscription and/or equipment identifier information is identified by an International Mobile Subscription Identity (IMSI), International Mobile Equipment Identifier (IMEI), and/or Mobile Subscriber ISDN (MSISDN) related information.
  - 13. The method of claim 11, wherein the security platform parses Packet Forwarding Control Protocol (PFCP) Session Establishment Request and PFCP Session Establishment Response messages to extract the subscription and/or equipment identifier information, and wherein the subscription and/or equipment identifier information is identified by an International Mobile Subscription Identity (IMSI), International Mobile Equipment Identifier (IMEI), and/or Mobile Subscriber ISDN (MSISDN) related information.

14. A computer program product, the computer program product being embodied in a tangible non-transitory computer readable storage medium and comprising computer instructions for:
- monitoring network traffic on a service provider network at a security platform to identify a new session, wherein the security platform monitors wireless interfaces including a plurality of interfaces for a control protocol and user data traffic in a mobile core network for a 5G network to provide multi-access distributed edge security for the 5G network, and wherein the service provider network includes the 5G network or a converged 5G network, wherein the monitoring of the network traffic comprises;
  
  identifying data type SmContextCreateData and/or data type PduSessionCreateData in the network traffic;
  
  extracting subscription and/or equipment identifier information for user traffic associated with the new session at the security platform, wherein the subscription and/or equipment identifier information is identified by a Subscription Permanent Identifier (SUPI), a General Public Subscription Identifier (GPSI), and/or a Permanent Equipment Identifier (PEI), wherein the extracting of the subscription and/or equipment identifier information comprises;
  
  extracting the subscription and/or equipment identifier information from the data type SmContextCreateData and/or data type PduSessionCreateData;
  
  determining a security policy to apply at the security platform to the new session based on the subscription and/or equipment identifier information; and
  
  blocking the new session from accessing a resource based on the security policy.
- View Dependent Claims (15)
- - 15. The computer program product recited in claim 14, wherein the subscription and/or equipment identifier information is identified by an International Mobile Subscription Identity (IMSI), International Mobile Equipment Identifier (IMEI), and/or Mobile Subscriber ISDN (MSISDN) related information.

16. A system, comprising:
- a processor configured to;
  
  monitor network traffic on a service provider network at a security platform to identify a new session, wherein the security platform monitors wireless interfaces including a plurality of interfaces for a control protocol and user data traffic in a mobile core network for a 5G network to provide multi-access distributed edge security for the 5G network, and wherein the service provider network includes the 5G network or a converged 5G network, wherein the monitoring of the network traffic comprises to;
  
  identify data type SmContextCreateData and/or data type PduSessionCreateData in the network traffic;
  
  extract network access identifier information for user traffic associated with the new session at the security platform, wherein the network access identifier information is identified by a Network Access Identifier (NAI) related information, wherein the NAI is associated with a user identity submitted by a client during a network access authentication, wherein the extracting of the network access identifier information comprises to;
  
  extract the network access identifier information from the data type SmContextCreateData and/or data type PduSessionCreateData;
  
  determine a security policy to apply at the security platform to the new session based on the network access identifier information; and
  
  block the new session from accessing a resource based on the security policy; and
  
  a memory coupled to the processor and configured to provide the processor with instructions.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Palo Alto Networks Incorporated
Original Assignee
Palo Alto Networks Incorporated
Inventors
Verma, Sachin, Burakovsky, Leonid
Primary Examiner(s)
Le, Khoi V

Application Number

US16/368,759
Time in Patent Office

334 Days
Field of Search
US Class Current
CPC Class Codes

H04L 43/028   by filtering

H04L 63/0236   Filtering by address, proto...

H04L 63/1408   by monitoring network traff...

H04L 63/205   involving negotiation or de...

H04W 12/06   Authentication

H04W 12/08   Access security

H04W 12/088   using filters or firewalls

H04W 12/72   Subscriber identity

H04W 24/08   Testing, supervising or mon...

H04W 76/11   Allocation or use of connec...

H04W 76/12   Setup of transport tunnels

H04W 80/10   adapted for application ses...

Multi-access distributed edge security in mobile networks

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

47 Citations

16 Claims

Specification

Solutions

Use Cases

Quick Links

Multi-access distributed edge security in mobile networks

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

47 Citations

16 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links