full Contents for  TS 23.288  Word version:   16.3.0


6.7.5  Abnormal behaviour related network data analytics
6.7.5.1  General
This clause defines how to identify a group of UEs or a specific UE with abnormal behaviour, e.g. being misused or hijacked, with the help of NWDAF.
NOTE 1: The misused or hijacked UEs are UEs in which there are malicious applications running or UEs which have been stolen.
The consumer of this analytics could be a 5GC NF. The 5GC NF subscribes to analytics on abnormal behaviour from an NWDAF based on the UE subscription, network configuration or application layer request.
The NWDAF performs data analytics on abnormal behaviour if there is a related subscription.
The consumer of this analytics shall indicate in the request:
  • Analytics ID set to "Abnormal behaviour";
  • The Target of Analytics Reporting can be one UE, any UE or an Internal Group Identifier;
  • An Analytics target period indicates the time period over which the statistics or predictions are requested;
  • Analytics Filter Information optionally including:
    • expected UE behaviour;
    • expected analytics type or list of Exception IDs with associated thresholds, where the expected analytics type can be mobility related, communication related or both;
    • Area of interest;
    • maximum number of objects;
    • maximum number of SUPIs;
    • Application ID;
    • DNN;
    • S-NSSAI.
    NOTE 2: The expected analytics type generally indicates whether mobility or communication related abnormal behaviour analytics or both are expected by the consumer, and the list of exception IDs indicates what specific analytics are expected by the consumer. Either the expected analytics type or the list of Exception IDs needs to be indicated, but they are not presented simultaneously. When the expected analytics type is indicated, the NWDAF performs corresponding abnormal behaviour analytics which are supported by the NWDAF. The relation between the expected analytics type and Exception IDs is defined in Table 6.7.5.1-1.
  • In a subscription, the Notification Correlation Id and the Notification Target Address are included.

| Expected analytics type | Exception IDs matching the expected analytics type |
|---|---|
| mobility related | Unexpected UE location, Ping-ponging across neighbouring cells. |
| communication related | Unexpected long-live/large rate flows, Unexpected wakeup, Suspicion of DDoS attack, Wrong destination address, Too frequent Service Access/Abnormal traffic volume, Unexpected radio link failures. |

When the NWDAF detects those UEs that deviate from the expected UE behaviour, e.g. unexpected UE location, abnormal traffic pattern, wrong destination address etc., the NWDAF shall notify the result of the analytics to the consumer as specified in clause 6.7.5.3.
6.7.5.2  Input Data
The Exceptions information from AF is as specified in Table 6.7.5.2-1.
On request of the service consumer, the NWDAF shall collect and analyse UE behavioural information and/or expected UE behavioural parameters from the 5GC NFs (SMF, AMF, AF), or OAM.
The UE behavioural information collected from 5GC NFs is as specified in clauses 6.7.2.2 and 6.7.3.2.
The expected UE behavioural parameters provided to the NWDAF are defined in clause 4.15.6.3 of TS 23.502.

| Information | Description |
|---|---|
| IP address 5-tuple | To identify a data flow of a UE via the AF (such as the Firewall or a Threat Intelligence Sharing platform) |
| Exceptions (1..max) (NOTE) | |
| > Exception ID | Indicating the Exception ID (such as Unexpected long-live/large rate flows and Suspicion of DDoS attack as defined in Table 6.7.5.3-2) of the data flow. |
| > Exception Level | Measured level, compared to the threshold |
| > Exception trend | Measured trend (up/down/unknown/stable) |

NOTE: The Exceptions information and the UE behavioural information as defined in clauses 6.7.2.2 and 6.7.3.2 could help the NWDAF to train an Abnormal classifier, which could be used to classify UE behaviour data into Normal behaviour or Exception.

6.7.5.3  Output Analytics
The NWDAF services as defined in the clauses 7.2 and 7.3 are invoked to notify consumer NFs. A new Analytics ID named "Abnormal behaviour" is defined.
Corresponding to the Analytics ID, the analytics result provided by the NWDAF is defined in Table 6.7.5.3-1 and Table 6.7.5.3-2. When the level of an exception crosses the threshold, whether above or below, the NWDAF shall notify the consumer with the exception ID associated with the exception if the exception ID is within the list of exception IDs indicated by the consumer or matches the expected analytics type indicated by the consumer. The NWDAF shall provide the Exception Level and determine which of the other information elements to provide, depending on the observed exception.
Abnormal behaviour statistics information is defined in Table 6.7.5.3-1.

| Information | Description |
|---|---|
| Exceptions (1..max) | List of observed exceptions |
| > Exception ID | The risk detected by NWDAF |
| > Exception Level | Measured level, compared to the threshold |
| > Exception trend | Measured trend (up/down/unknown/stable) |
| > UE characteristics | Internal Group Identifier, TAC |
| > SUPI list (1..SUPImax) | SUPI(s) of the UE(s) affected with the Exception |
| > Ratio | Estimated percentage of UEs affected by the Exception within the Target of Analytics Reporting |
| > Amount | Estimated number of UEs affected by the Exception (applicable when the Target of Analytics Reporting = "any UE") |
| > Additional measurement | Specific information for each risk |

Abnormal behaviour predictions information is defined in Table 6.7.5.3-2.

| Information | Description |
|---|---|
| Exceptions (1..max) | List of predicted exceptions |
| > Exception ID | The risk detected by NWDAF |
| > Exception Level | Measured level, compared to the threshold |
| > Exception trend | Measured trend (up/down/unknown/stable) |
| > UE characteristics | Internal Group Identifier, TAC |
| > SUPI list (1..SUPImax) | SUPI(s) of the UE(s) affected with the Exception |
| > Ratio | Estimated percentage of UEs affected by the Exception within the Target of Analytics Reporting |
| > Amount | Estimated number of UEs affected by the Exception (applicable when the Target of Analytics Reporting = "any UE") |
| > Additional measurement | Specific information for each risk |
| > Confidence | Confidence of this prediction |

The UE characteristics may provide a set of features common to all UEs affected with the exception.
The number of exceptions and the length of the SUPI list shall respectively be lower than the parameters maximum number of objects and maximum number of SUPIs provided as input parameters.
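
The following Python sketch is an added example, not part of TS 23.288: it models the request rule of NOTE 2 in clause 6.7.5.1 (expected analytics type or Exception ID list, exactly one of them), the mapping of Table 6.7.5.1-1 and the threshold-crossing notification rule of this clause. The function names, dictionary keys, integer level scale, default threshold and sample observations are assumptions made for illustration.

```python
# Added illustration of clauses 6.7.5.1 and 6.7.5.3; every Python name here is
# hypothetical. The strings are the Exception IDs of Table 6.7.5.1-1.
EXCEPTION_IDS_BY_TYPE = {
    "mobility related": {"Unexpected UE location",
                         "Ping-ponging across neighbouring cells"},
    "communication related": {
        "Unexpected long-live/large rate flows", "Unexpected wakeup",
        "Suspicion of DDoS attack", "Wrong destination address",
        "Too frequent Service Access/Abnormal traffic volume",
        "Unexpected radio link failures"},
}
ALL_IDS = set().union(*EXCEPTION_IDS_BY_TYPE.values())

def requested_exceptions(expected_types=None, thresholds=None, default_threshold=5):
    """Return {Exception ID: threshold} for one request (NOTE 2 of 6.7.5.1).

    default_threshold is an assumed NWDAF-local value, used when the consumer
    names only an analytics type and so supplies no thresholds of its own.
    """
    if bool(expected_types) == bool(thresholds):
        raise ValueError("indicate exactly one of: analytics type, Exception ID list")
    if thresholds:
        unknown = set(thresholds) - ALL_IDS
        if unknown:
            raise ValueError(f"unknown Exception ID(s): {sorted(unknown)}")
        return dict(thresholds)
    ids = set().union(*(EXCEPTION_IDS_BY_TYPE[t] for t in expected_types))
    return {eid: default_threshold for eid in ids}

def exceptions_to_notify(requested, observations):
    """Keep requested exceptions whose level crossed the threshold either way."""
    out = []
    for obs in observations:
        thr = requested.get(obs["exception_id"])
        if thr is None:
            continue  # this consumer did not ask for that Exception ID
        if (obs["previous_level"] > thr) != (obs["level"] > thr):
            trend = "up" if obs["level"] > obs["previous_level"] else "down"
            out.append({"exception_id": obs["exception_id"],
                        "exception_level": obs["level"],
                        "exception_trend": trend, "supi_list": obs["supis"]})
    return out

# Constructed sample observations (levels and SUPIs are made up).
SAMPLE = [dict(zip(("exception_id", "previous_level", "level", "supis"), row)) for row in [
    ("Suspicion of DDoS attack", 3, 8, ["imsi-001010000000001"]),
    ("Unexpected UE location", 7, 9, ["imsi-001010000000002"]),
    ("Unexpected wakeup", 6, 2, ["imsi-001010000000003"]),
]]
for e in exceptions_to_notify(requested_exceptions(["communication related"]), SAMPLE):
    print(e)
```

With the "communication related" type requested, the mobility exception in the sample is never reported even though its level rose, and the wakeup exception is reported because its level fell back through the threshold.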
If the PCF subscribes to notifications on "Abnormal behaviour", the NWDAF shall send the PCF notifications about the risk, which may trigger the PCF to update the AM/SM policies.
The NWDAF also sends the notification directly to the AMF or SMF, if the AMF or SMF subscribes to the notification, so that the AMF or SMF may, based on operator local policies defined on a per S-NSSAI or per (DNN, S-NSSAI) basis, take actions to resolve the risk. The following Table 6.7.5.3-2 gives examples of additional measurement, AM/SM policies and corresponding actions for solving each risk.

| Exception ID and description | Additional measurement | AM/SM policy | Actions of NFs |
|---|---|---|---|
| Unexpected UE location | Unexpected UE location (TA or cells which the UE stays) | Add the area of current UE location into mobility restriction | PCF may extend the Service Area Restrictions. AMF may extend the mobility restriction |
| Ping-ponging across neighbouring cells | Numbers, frequency, time and location information, assumption about the possible circumstances of the ping-ponging | NWDAF notifies the AMF or AF (Service Provider) | If the amount of ping-ponging across neighbouring cells is above the thresholds set by the service provider, the service provider may adjust and improve the antenna tilts of the neighbouring cells or the overlapping coverage conditions in the affected location. If the ping-ponging are per UE, then: 1. the AMF may adjust the UE (e.g. a stationary UE) registration area. 2. the AMF and/or the AF may allow the use of Coverage Enhancement for the affected UE. |
| Unexpected long-live/large rate flows | Unexpected flow template (IP address 5 tuple) | Decrease the MBR for the related QoS flow | SMF updates the QoS rule. PCF, if dynamic PCC applies for corresponding DNN, S-NSSAI, updates PCC Rules that triggers SMF updates the QoS rule. |
| Unexpected wakeup | Time of unexpected wake-up | Apply MM back-off timer to the UE | AMF applies MM back-off timer to the UE |
| Suspicion of DDoS attack | Victim's address (target IP address list) | Release the PDU session and Apply SM back-off timer | PCF may request SMF to release the PDU session. SMF may release the PDU session and applies SM back-off timer |
| Wrong destination address | Wrong destination address (target IP address list) | Update the packet filter of the related QoS flow to block the wrong SDF | PCF updates the packet filter in the PCC Rules that triggers the SMF to update the related QoS flow and configures the UPF |
| Too frequent Service Access/Abnormal traffic volume | Volume, frequency, time, assumptions about the possible circumstances | NWDAF notifies AF (Service Provider) | |
| Unexpected radio link failures | Numbers, frequency, time and location, assumptions about the possible circumstances | Not applicable | If the unexpected radio link failures are per UE location bases, the AMF may allow the use of CE (Coverage Enhancement) in the affected location. Also, the Operator may improve the coverage conditions in the affected location. If the unexpected radio link failures are per UE bases, then the AMF and/or the AF may allow the use of CE for the affected UE. |

6.7.5.4  Procedure
Step 1a.
A consumer NF subscribes to/requests NWDAF using Nnwdaf_AnalyticsSubscription_Subscribe/Nnwdaf_AnalyticsInfo_Request (Analytics ID set to "Abnormal behaviour", Target of Analytics Reporting = Internal-Group-Identifier or SUPI).
A consumer NF may subscribe to/request abnormal behaviour notification/response from NWDAF for a group of UEs or a specific UE. The Analytics ID indicates to the NWDAF that it is to identify misused or hijacked UEs through abnormal behaviour analytics.
Step 1b.
AF to NWDAF: Nnwdaf_AnalyticsSubscription_Subscribe or Nnwdaf_AnalyticsInfo_Request (Analytics ID, Target of Analytics Reporting = External-group identifier or External UE ID).
For untrusted AFs, the AF sends the subscription via a NEF, where the AF invokes NEF service Nnef_AnalyticsExposure_Subscribe or Nnef_AnalyticsExposure_Fetch (Analytics ID, Target of Analytics Reporting = External-group-identifier or External UE ID).
An AF may also subscribe to/request abnormal behaviour notification/response from NWDAF for a group of UEs or a specific UE, where the subscription/request message may contain expected UE behaviour parameters identified on the application layer. If an External-Group-Identifier is provided by the AF, the NEF interrogates UDM to map the External-Group-Identifier to the Internal-Group-Identifier and obtain SUPI list corresponding to the Internal-Group-Identifier.
Step 2.
NWDAF to AMF (Conditional): Namf_EventExposure_Subscribe (Event ID(s), Event Filter(s), Internal-Group-Identifier or SUPI).
The NWDAF sends subscription requests to the related AMF to collect UE behavioural information if it has not already subscribed to such data.
NOTE 1: The NWDAF determines the AMF serving the UE as described in clause 6.2.2.1.
The AMF sends event reports to the NWDAF based on the report requirements contained in the subscription request received from the NWDAF.
If requested by NWDAF via Event Filter(s), the AMF checks whether the UE's behaviour matches its expected UE behavioural information. In this case, the AMF sends event reports to the NWDAF only when it detects that the UE's behaviour deviated from its expected UE behaviour.
Step 3.
NWDAF to SMF (Conditional): Nsmf_EventExposure_Subscribe (Event ID(s), Event Filter(s), Internal-Group-Identifier or SUPI).
The NWDAF sends subscription requests to the related SMF if it has not already subscribed to such data.
NOTE 2: The NWDAF determines the SMF serving the UE as described in clause 6.2.2.1.
The SMF sends event reports to the NWDAF based on the report requirements contained in the subscription request received from the NWDAF.
If requested by NWDAF via Event Filter(s), the SMF checks whether the UE's behaviour matches its expected UE behavioural information. In this case, the SMF sends event reports to the NWDAF only when it detects that the UE's behaviour deviated from its expected UE behaviour.
Step 4.
The NWDAF performs data analytics for misused or hijacked UEs identification. Based on the analytics and operator's policies the NWDAF determines whether to send a notification to 5GC NFs or the AF.
Step 5a.
NWDAF to consumer NF (AMF or PCF or SMF depending on the subscription) (Conditional): Nnwdaf_AnalyticsSubscription_Notify or Nnwdaf_AnalyticsInfo_Response (Analytics ID, (Exception ID, Internal-Group-Identifier or SUPI, Exception level)) (which is used depending on the service used in step 1a).
If the NWDAF determines to send a notification/response to the consumer 5GC NFs, the NWDAF invokes Nnwdaf_EventSubscription_Notify or Nnwdaf_AnalyticsInfo_Response services. Based on the notification/response, the 5G NFs adopt configured actions to resolve/mitigate/avoid the risks as described in the Table 6.7.5.3-1.
Step 5b.
NWDAF to AF (Conditional): Nnwdaf_AnalyticsSubscription_Notify or Nnwdaf_AnalyticsInfo_Response (Analytics ID, (Exception ID, External UE ID)) (which is used depending on the service used in step 1b).
If the NWDAF determines to send a notification/response to the consumer AF, the NWDAF needs to include external UE ID of the identified UE into the notification/response message.
NOTE 3: Based on the notification, the AF can adopt corresponding actions, e.g. adjusting recommended TCP Window Size, adjusting recommended Service Start and End.
NOTE 4: The call flow only shows a subscribe-notify model for the interaction of NWDAF and consumer NF for simplicity instead of both request-response model and subscription-notification model.