US-12627984-B2 - Identifying and disrupting data sessions in telecommunications networks
Abstract
Aspects herein provide systems, devices, methods, and media for terminating malicious data sessions within a telecommunication network. In aspects, various mechanisms are deployed to identify malware infected devices by monitoring and identifying malicious communications.
Inventors
- Geoffrey Todd Gibson
- Jeffrey Scott SIMON, Jr.
Assignees
- T-MOBILE INNOVATIONS LLC
Dates
- Publication Date
- 20260512
- Application Date
- 20241029
Claims (20)
- 1. A computerized method comprising: identifying a first network entity for a first data session for a user equipment (UE); identifying a second network entity for a second data session for the UE; determining that the first network entity for the first data session is a malicious network entity; terminating the first data session with the UE while simultaneously maintaining the second data session with the UE.
- 2. The computerized method of claim 1, wherein determining that the first network entity for the first data session is a malicious network entity comprises, based on a domain name service response policy zone (DNS RPZ), determining that an IP address of the malicious network entity is associated with malicious activity, wherein the DNS RPZ specifies a plurality of IP addresses that are associated with malicious activity as determined using data traffic from a telecommunications network.
- 3. The computerized method of claim 1, wherein determining that the first network entity is a malicious network entity comprises determining whether an IP address of the first network entity is associated with a threshold-exceeding volume of data traffic within a particular time period.
- 4. The computerized method of claim 1, wherein determining whether the first network entity is a malicious network entity comprises: querying a database that is updated in near real-time using data traffic from the telecommunications network, wherein the database stores a plurality of network entity identities that are associated with malicious activity; and determining that the first network entity is associated with malicious activity when there is a match in the database with the first network entity and a first network entity identifier in the database.
- 5. The computerized method of claim 1, further comprising: identifying one or more patterns in data traffic from the telecommunications network that are indicators of malicious activity; updating a database to store the one or more patterns identified for subsequent malicious activity determinations; and determining the first network entity is associated with malicious activity when the first network entity is associated with the one or more patterns.
- 6. The computerized method of claim 1, wherein the first network entity is a Command and Control (C2) server.
- 7. The computerized method of claim 1, further comprising: receiving a packet data unit (PDU) session request; identifying a network entity associated with the PDU request as a Command and Control (C2) server; and denying the PDU session request.
- 8. The computerized method of claim 1, further comprising, when an IP address for the second network entity is determined to not be associated with malicious activity, communicating the IP address for the second network entity to the UE.
- 9. The computerized method of claim 1, further comprising communicating a notification to the UE that indicates the first network entity is associated with malicious activity.
- 10. One or more non-transitory computer-readable media storing instructions that when executed via one or more processors perform a computerized method, the instructions stored on the non-transitory computer-readable media comprising: via the one or more processors: identifying a first network entity for a first data session for a user equipment (UE); identifying a second network entity for a second data session for the UE; determining that the first network entity for the first data session is a malicious network entity; terminating the first data session with the UE while simultaneously maintaining the second data session with the UE.
- 11. The media of claim 10, further comprising receiving a packet data unit (PDU) session request.
- 12. The media of claim 11, wherein the PDU session request identifies a third network entity for a third data session, wherein the third network entity is a Command and Control (C2) server.
- 13. The media of claim 12, further comprising denying the PDU session request, such that the PDU session for the third network entity is not established.
- 14. The media of claim 10, wherein the first network entity for the first data session is a Command and Control (C2) server.
- 15. A system comprising: one or more processors; and computer memory storing computer-usable instructions that, when executed by the one or more processors, perform operations comprising: identifying a first network entity for a first data session for a user equipment (UE); identifying a second network entity for a second data session for the UE; determining that the first network entity for the first data session is a malicious network entity; terminating the first data session with the UE while simultaneously maintaining the second data session with the UE.
- 16. The system of claim 15, wherein the first network entity for the first data session is a Command and Control (C2) server.
- 17. The system of claim 15, wherein the operations further comprise: identifying one or more patterns in telecommunications network data that are indicators of malicious activity; updating a database to store the one or more patterns identified for subsequent malicious activity determinations; and determining the first network entity is associated with malicious activity when an IP address of the first network entity is associated with the one or more patterns.
- 18. The system of claim 15, wherein the operations further comprise, when the first network entity is determined to be associated with malicious activity: selecting a plurality of user devices that are associated with one or more of: a particular geographic area, a particular device type, or a particular user demographic; and communicating a notification to the plurality of user devices, the notification specifying that a domain name of the first network entity is associated with malicious activity.
- 19. The system of claim 15, wherein the operations further comprise: receiving a packet data unit (PDU) session request subsequent to terminating the first data session with the first network entity; identifying that an IP address for the PDU session request is associated with the first network entity; and denying the PDU session request.
- 20. The system of claim 19, wherein the operations further comprise blocking subsequent traffic for the IP address on the network.
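As an added illustration (not code from the patent or its assignee), the following Python sketch applies claims 1 to 3, 7, 19 and 20: a store of known-bad endpoints fed by an RPZ-style list together with a traffic-volume threshold over a time window, a controller that tears down only the PDU session bound to a malicious endpoint while the UE's other sessions stay up, and denial of later PDU session requests for that endpoint. The class and method names and the documentation-range IP addresses are my own constructions.

```python
from collections import defaultdict
from dataclasses import dataclass
import ipaddress

@dataclass
class PduSession:
    session_id: int
    ue_id: str
    remote_ip: str  # the "network entity" this session is bound to

class MaliciousEntityDb:
    """Known-bad endpoints (e.g. fed from a DNS RPZ) plus a per-endpoint volume check (claims 2, 3)."""
    def __init__(self, rpz_ips, byte_threshold, window_s):
        self.rpz = {ipaddress.ip_address(ip) for ip in rpz_ips}
        self.byte_threshold, self.window_s = byte_threshold, window_s
        self._traffic = defaultdict(list)  # ip -> [(timestamp, bytes), ...]

    def record_traffic(self, ip, nbytes, ts):
        self._traffic[ipaddress.ip_address(ip)].append((ts, nbytes))

    def is_malicious(self, ip, now):
        addr = ipaddress.ip_address(ip)
        if addr in self.rpz:  # listed by the RPZ feed
            return True
        # threshold-exceeding volume within the trailing time window
        volume = sum(n for ts, n in self._traffic[addr] if now - self.window_s < ts <= now)
        return volume > self.byte_threshold

class SessionController:
    def __init__(self, db):
        self.db = db
        self.sessions = {}    # session_id -> PduSession
        self.blocked = set()  # endpoints whose later PDU requests are denied (claims 19, 20)

    def request_session(self, session, now):
        """Claim 7: deny a PDU session request whose endpoint is a known C2 server."""
        if session.remote_ip in self.blocked or self.db.is_malicious(session.remote_ip, now):
            self.blocked.add(session.remote_ip)
            return False
        self.sessions[session.session_id] = session
        return True

    def sweep(self, ue_id, now):
        """Claim 1: tear down only the UE's malicious sessions; its other sessions stay up."""
        bad = [s for s in self.sessions.values()
               if s.ue_id == ue_id and self.db.is_malicious(s.remote_ip, now)]
        for s in bad:
            del self.sessions[s.session_id]
            self.blocked.add(s.remote_ip)
        return sorted(s.session_id for s in bad)
```

A production implementation would drive `sweep` from the near-real-time database updates of claim 4 rather than polling, and the remaining sessions in `sessions` are the ones the UE keeps.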
Description
SUMMARY
A high-level overview of various aspects of the disclosure is provided here to offer an overview of the disclosure and to introduce a selection of concepts that are further described below in the detailed description section. This summary is not intended to identify key features or essential features of the claimed subject matter, nor is it intended to be used as an aid in isolation to determine the scope of the claimed subject matter.
Various aspects herein protect user devices and a telecommunications network from malware infected user equipment (UE). In aspects, malicious activity can be identified within the telecommunications network, and further, a packet data unit (PDU) session associated with the malicious activity can be terminated while simultaneously maintaining the other existing PDU sessions for the UE determined to be infected with malware.
BRIEF DESCRIPTION OF THE DRAWINGS
Aspects are described in detail below with reference to the attached drawing figures, wherein:
- FIG. 1 depicts an example of a system environment, in accordance with one or more aspects;
- FIG. 2 depicts a flowchart of a method in accordance with one or more aspects; and
- FIG. 3 depicts a simplified block diagram of an example device that is suitable for implementing one or more aspects discussed herein.
DETAILED DESCRIPTION
The subject matter of the present disclosure is being described with specificity herein to meet statutory requirements. However, the description itself is not intended to limit the scope of this patent. Rather, the inventors have contemplated that the claimed subject matter might also be embodied in other ways to include different steps or combinations of steps similar to the ones described in this document, in conjunction with other present or future technologies.
Terms should not be interpreted as implying any particular order among or between various steps herein disclosed unless and except when the order of individual steps is explicitly described. As such, although the terms “step” and/or “block” may be used herein to connote different elements of systems and/or methods, the terms should not be interpreted as implying any particular order and/or dependencies among or between various components and/or steps herein disclosed unless and except when the order of individual steps is explicitly described. The present disclosure will now be described more fully herein with reference to the accompanying drawings, which may not be drawn to scale and which are not to be construed as limiting. Indeed, the present disclosure can be embodied in many different forms and should not be construed as limited to the embodiments and aspects set forth herein. Throughout this disclosure, several acronyms and shorthand notations are used to aid the understanding of certain concepts pertaining to the associated system and services. These acronyms and shorthand notations are intended to help provide an easy methodology of communicating the ideas expressed herein and are not meant to limit the scope of the present disclosure. 
The following is a list of these acronyms:
- 3G: Third-Generation Wireless Access Technology
- 4G: Fourth-Generation Wireless Access Technology
- 5G/5G NR: Fifth-Generation Wireless Access Technology/New Radio
- 5GC: Fifth-Generation Wireless Access Technology Core Network
- AAU: Active Antenna Unit
- BRS: Broadband Radio Service
- CD-ROM: Compact Disk Read-Only Memory
- CDMA: Code Division Multiple Access
- CU: Central Unit
- DU: Distribution Unit
- EIRP: Equivalent Isotropically Radiated Power
- eNodeB: Evolved Node B
- EVDO: Evolution-Data Optimized
- GIS: Geographic/Geographical/Geospatial Information System
- gNodeB/gNB: Next Generation Node B
- gNB CU: Next Generation Node B Central Unit
- gNB DU: Next Generation Node B Distribution Unit
- GPRS: General Packet Radio Service
- GSM: Global System for Mobile Communication
- iDEN: Integrated Digital Enhanced Network
- DVD: Digital Versatile Disc
- EEPROM: Electrically Erasable Programmable Read-Only Memory
- FD-MIMO: Full Dimension Multiple-Input Multiple-Output
- IOT: Internet of Things
- IIOT: Industry Internet of Things
- IP: Internet Protocol
- LED: Light Emitting Diode
- LTE: Long Term Evolution
- MEC: Mobile Far Edge Computer
- MD: Mobile Device
- MIMO: Multiple-Input Multiple-Output
- mMIMO: Massive Multiple-Input Multiple-Output
- MMU: Massive Multiple-Input Multiple-Output Unit
- mm Wave: Millimeter Wave
- NEXRAD: Next-Generation Radar
- NR: New Radio
- OOBE: Out-of-Band-Emission
- OTN: Optical Transport Network
- PC: Personal Computer
- PCS: Personal Communications Service
- PDA: Personal Digital Assistant
- PLMN: Public Land Mobile Network
- PRB: Physical Resource Block
- vPRB: Virtualized Physical Resource Block
- RAN: Radio Access Network
- RAM: Random Access Memory
- RET: Remote Electrical Tilt
- RF: Radio-Frequency
- RF: Radio-Frequency Interference
- RIC: Radio Intelligent Controller
- RLF: Radio Link Failure
- R/N: Relay Node
- RNR: Reverse Noise Rise
- ROM: Read-Only Memory
- RRU: Remote Radio Unit
- RSRP: Reference Signal Receive Power
- RSRQ: Reference Signal Receive Quality
- RSSI: Received Signal Strength Indicator
- RU: Radio Unit
- SINR: Signa