EP-4531342-B1 - METHODS FOR PROTECTING 5G CORE NETWORKS FROM ATTACKS
Inventors
- MANTHA, RAVI SANKAR
- DASGUPTA, SANDEEP
Dates
- Publication Date
- 20260513
- Application Date
- 20240924
Claims (8)
- A method implemented by a network traffic management system comprising one or more network traffic management devices and network functions, NFs, the method comprising: receiving a user plane status from a network repository function indicating whether a user plane restarted; determining whether an amount of error messages flowing from the user plane to a gNodeB for a source exceeds a predetermined threshold; in response to determining the amount of error messages exceeds a predetermined threshold and determining that the user plane was not restarted, blocking all messages flowing to the gNodeB for the source, wherein the messages comprise error messages and legitimate messages; determining an amount of echo messages flowing from the user plane to a gNodeB and whether the user plane restarted; and in response to determining the amount of echo messages from the user plane to the gNodeB is below a second predetermined threshold and that the user plane did not restart, storing the source as a bad actor.
- The method of claim 1, wherein the messages are not blocked from flowing to the gNodeB for the source in response to determining that the amount of error messages does not exceed a predetermined threshold or determining that the user plane was restarted.
- The method of claim 1, further comprising: in response to determining the amount of echo messages from the user plane to the gNodeB is above the second predetermined threshold, determining whether an updated amount of error messages flowing from the user plane to the gNodeB for a source is less than a previous amount of error messages, wherein the previous amount of error messages is the amount of error messages; and in response to determining that the updated amount of error messages flowing from the user plane to the gNodeB for the source is less than the previous amount of error messages, unblocking all the messages from flowing to the gNodeB for the source.
- The method of claim 3, wherein all the messages flowing to the gNodeB for the source continue to be blocked in response to determining that the updated amount of error messages flowing from the user plane to the gNodeB for the source is equal to or greater than the previous amount of error messages.
- The method of claim 1, wherein when the amount of error messages exceeds the predetermined threshold, the source is stored as a grey list actor, and wherein the messages to the source continue to be blocked until the source is not stored as the grey list actor.
- A network traffic management device, comprising memory comprising programmed instructions stored thereon and one or more processors configured to be capable of executing the stored programmed instructions to carry out the steps of the method according to one or more of claims 1 to 5.
- A non-transitory computer readable medium having stored thereon instructions comprising executable code that, when executed by one or more processors, causes the one or more processors to carry out the steps of the method according to one or more of claims 1 to 5.
- A network traffic management system, comprising one or more network traffic management devices and network functions, NFs, with memory comprising programmed instructions stored thereon and one or more processors configured to be capable of executing the stored programmed instructions to carry out the steps of the method according to one or more of claims 1 to 5.
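The decision logic of claims 1 to 5 above, as an added worked example in Python (not the patent's own code). It assumes the "error messages" are GTP-U Error Indications that the user plane sends back toward the gNodeB when traffic arrives for an unknown TEID, the "echo messages" are GTP-U Echo Request/Response traffic on the same path, and that the echo-based steps (bad-actor storage, unblocking) apply only to a source that is currently grey-listed; the two thresholds, the `GtpScanDetector` and `Window` names, and the sample windows are all constructed for illustration:

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Both thresholds are "predetermined" in the claims; these values are assumed.
ERROR_THRESHOLD = 5   # error messages per window, user plane -> gNB, per source
ECHO_THRESHOLD = 2    # echo messages per window, user plane -> gNB


@dataclass
class SourceState:
    """Per-source state kept by the traffic manager (hypothetical structure)."""
    blocked: bool = False              # every message to the gNB for this source is dropped
    grey_listed: bool = False          # claim 5: entry exists while the block is in force
    bad_actor: bool = False            # claim 1, final step: stored as a bad actor
    prev_errors: Optional[int] = None  # error count from the previous window (claims 3, 4)


@dataclass
class Window:
    """One observation window for one source (constructed sample input)."""
    source: str         # identifier of the sending source the counters are attributed to
    up_restarted: bool  # user plane status received from the NRF
    errors: int         # error messages from the user plane toward the gNB
    echoes: int         # echo messages from the user plane toward the gNB


class GtpScanDetector:
    def __init__(self, error_threshold: int = ERROR_THRESHOLD,
                 echo_threshold: int = ECHO_THRESHOLD) -> None:
        self.error_threshold = error_threshold
        self.echo_threshold = echo_threshold
        self.sources: Dict[str, SourceState] = {}

    def evaluate(self, w: Window) -> str:
        """Apply claims 1 to 5 to one window; returns the action taken."""
        st = self.sources.setdefault(w.source, SourceState())
        action = "allow"

        # Claims 1, 2 and 5: an error burst that is NOT explained by a user-plane
        # restart blocks all messages (error and legitimate) for the source and
        # grey-lists it. After a restart the user plane has lost its tunnel
        # state, so a burst of errors is expected and no block is applied.
        if w.errors > self.error_threshold and not w.up_restarted:
            st.blocked = True
            st.grey_listed = True
            action = "block"

        # Echo-based steps are applied only to a grey-listed source (assumption:
        # claim 3's unblock step only makes sense for a currently blocked source).
        if st.grey_listed:
            if w.echoes < self.echo_threshold and not w.up_restarted:
                # Claim 1: blocked AND silent on the echo path -> store as bad actor.
                # The claims do not say how the stored list is consumed later;
                # here it is only recorded.
                st.bad_actor = True
                action = "block+bad_actor"
            elif w.echoes > self.echo_threshold:
                # Claims 3 and 4: the path is alive; unblock only when the error
                # count is lower than in the previous window, otherwise keep blocking.
                if st.prev_errors is not None and w.errors < st.prev_errors:
                    st.blocked = False
                    st.grey_listed = False
                    action = "unblock"
                else:
                    action = "block"

        st.prev_errors = w.errors
        return action


# Constructed sample windows: a healthy gNB, a TEID scanner, a gNB seen right
# after a user-plane restart, and a source whose error rate rises and recedes.
SAMPLE_WINDOWS: List[Window] = [
    Window("gnb-1", up_restarted=False, errors=1, echoes=4),
    Window("scanner", up_restarted=False, errors=40, echoes=0),
    Window("gnb-2", up_restarted=True, errors=30, echoes=4),
    Window("gnb-3", up_restarted=False, errors=12, echoes=3),
    Window("gnb-3", up_restarted=False, errors=4, echoes=3),
    Window("gnb-3", up_restarted=False, errors=9, echoes=3),
]


def run_sample(windows: List[Window] = SAMPLE_WINDOWS) -> List[Tuple[str, str]]:
    """Feed the windows through one detector and return (source, action) per window."""
    det = GtpScanDetector()
    return [(w.source, det.evaluate(w)) for w in windows]


if __name__ == "__main__":
    for source, action in run_sample():
        print(f"{source:8s} {action}")
```

Note the two caveats the example makes visible: a block drops the source's legitimate traffic along with its errors, so the restart signal from the NRF is what keeps a post-restart error burst from a genuine gNodeB from being treated as a scan, and the unblock path requires the error count to actually fall between windows, so a source that keeps scanning at a steady rate stays blocked even while its echo path is alive.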
Description
This technology relates to methods and systems for protecting a 5G core network from scanning attacks. WO 2023/078970 A1, CN 116 419 235 A, CN 113 452 707 A and CN 112 801 157 A disclose prior art methods for detecting network attacks on mobile networks.
BACKGROUND
In previous generations, mobile networks were closed and secure. However, since mobile network architecture advanced to 4G, mobile networks have become vulnerable to new threat vectors and attacks. Prominent attacks on mobile networks include the insertion of rogue evolved/next-generation Node Bs (e(g)NBs) into mobile networks for TEID (tunnel endpoint identifier) scanning attacks. Once an attacker discovers valid TEIDs, more sophisticated attacks can be launched that consume network resources and user plane function resources and gain access to the data network behind the mobile network. GTP firewalls are evolving to protect mobile core networks from such attacks, but because of the new architecture introduced in 4G and 5G networks, these solutions remain insufficient. As a result, a new method to detect and prevent TEID scanning attacks on mobile core networks is needed.
SUMMARY
A method implemented by a network traffic management system includes receiving a user plane status from a network repository function indicating whether a user plane restarted. The system then determines whether the amount of error messages flowing from the user plane to a gNodeB for a source exceeds a predetermined threshold. In response to determining that the amount of error messages exceeds the predetermined threshold and that the user plane was not restarted, all messages flowing to the gNodeB for the source are blocked. Lastly, in response to determining that the amount of echo messages from the user plane to the gNodeB is below a second predetermined threshold and that the user plane did not restart, the source is stored as a bad actor.
A network traffic management device includes a memory with programmed instructions stored thereon and one or more processors configured to be capable of executing the stored programmed instructions to receive a user plane status from a network repository function indicating whether a user plane restarted. The device then determines whether the amount of error messages flowing from the user plane to a gNodeB for a source exceeds a predetermined threshold. In response to determining that the amount of error messages exceeds the predetermined threshold and that the user plane was not restarted, all messages flowing to the gNodeB for the source are blocked. Lastly, in response to determining that the amount of echo messages from the user plane to the gNodeB is below a second predetermined threshold and that the user plane did not restart, the source is stored as a bad actor.
A non-transitory computer readable medium has stored thereon instructions comprising executable code that, when executed by one or more processors, causes the processors to receive a user plane status from a network repository function indicating whether a user plane restarted. The processors then determine whether the amount of error messages flowing from the user plane to a gNodeB for a source exceeds a predetermined threshold. In response to determining that the amount of error messages exceeds the predetermined threshold and that the user plane was not restarted, all messages flowing to the gNodeB for the source are blocked. Lastly, in response to determining that the amount of echo messages from the user plane to the gNodeB is below a second predetermined threshold and that the user plane did not restart, the source is stored as a bad actor.
A network traffic management system includes memory with programmed instructions stored thereon and one or more processors configured to be capable of executing the stored programmed instructions to receive a user plane status from a network repository function indicating whether a user plane restarted. The system then determines whether the amount of error messages flowing from the user plane to a gNodeB for a source exceeds a predetermined threshold. In response to determining that the amount of error messages exceeds the predetermined threshold and that the user plane was not restarted, all messages flowing to the gNodeB for the source are blocked. Lastly, in response to determining that the amount of echo messages from the user plane to the gNodeB is below a second predetermined threshold and that the user plane did not restart, the source is stored as a bad actor.
This technology provides a number of advantages, including methods, non-transitory computer readable media, network traffic management devices, and network traffic management systems that protect a 5G core network by detecting and preventing scanning attacks on mobile core networks. By blocking error messages to a malicious source, the malicious source is prevented from