This clause defines how to identify a group of UEs or a specific UE with abnormal behaviour, e.g. being misused or hijacked, with the help of NWDAF.
The consumer of this analytics could be a 5GC NF. The 5GC NF subscribes analytics on abnormal behaviour from a NWDAF based on the UE subscription, network configuration or application layer request.
The NWDAF performs data analytics on abnormal behaviour if there is a related subscription and returns exception reports that result from the analysis of the correlations between behavioural variables. The exception reports contain an Exception Level expressed in the form of a scalar value, possibly supplemented by additional measurements.
The consumer of this analytics shall indicate in the request:
Analytics ID = "Abnormal behaviour";
Target of Analytics Reporting: a single UE, any UE or an Internal Group Identifier;
An Analytics target period indicates the time period over which the statistics or predictions are requested;
Analytics Filter Information optionally including:
expected UE behaviour parameters;
expected analytics type or list of Exception IDs with associated thresholds for the Exception Level, where the expected analytics type can be mobility related, communication related or both;
Area of interest;
Optionally, maximum number of objects and maximum number of SUPIs;
In a subscription, the Notification Correlation Id and the Notification Target Address are included.
Exception IDs matching the expected analytics type
Unexpected UE location, Ping-ponging across neighbouring cells, Unexpected wakeup, Unexpected radio link failures.
Unexpected long-live/large rate flows, Unexpected wakeup, Suspicion of DDoS attack, Wrong destination address, Too frequent Service Access.
If the Target of Analytics Reporting is any UE, then the Analytics Filter should at least include:
Area of Interest or S-NSSAI, if the expected analytics type or the list of Exception IDs is mobility related.
Area of Interest, application ID, DNN or S-NSSAI, if the expected analytics type or the list of Exception IDs is communication related.
If the Target of Analytics Reporting is any UE, the consumer of this analytics shall request either mobility related only or communication related only abnormal behaviour analytics, but not both at the same time.
The expected UE behaviour parameters that the consumer can indicate in the request when known depend on the Exception ID that the consumer expects. They may encompass UE behaviour parameters as defined in clause 220.127.116.11 of TS 23.502 and other parameters. Table 18.104.22.168-2 shows the mapping between each Exception ID and UE behaviour parameters.
When the NWDAF detects those UEs that deviate from the expected UE behaviour, e.g. unexpected UE location, abnormal traffic pattern, unexpected transaction dispersion amount, wrong destination address, etc. the NWDAF shall notify the result of the analytics to the consumer as specified in clause 22.214.171.124.
The Exceptions information from AF is as specified in Table 126.96.36.199-1.
On request of the service consumer, the NWDAF shall collect and analyse UE behavioural information from the 5GC NFs (SMF, AMF, AF), or OAM as specified in clauses 188.8.131.52 and 184.108.40.206 and/or expected UE behavioural parameters from UDM as defined in clause 220.127.116.11 of TS 23.502, depending on Exception IDs.
To identify a data flow of a UE via the AF (such as the Firewall or a Threat Intelligence Sharing platform)
Exceptions (1..max) (NOTE 1)
Indicating the Exception ID (such as Unexpected long-live/large rate flows and Suspicion of DDoS attack as defined in Table 18.104.22.168-2) of the data flow.
Scalar value indicating the severity of the abnormal behaviour.
Measured trend (up/down/unknown/stable)
The Exceptions information and the UE behavioural information as defined in clauses 22.214.171.124 and 126.96.36.199 could help NWDAF to train an Abnormal classifier, which could be used to classify a UE behaviour data into Normal behaviour or Exception.
Corresponding to the "abnormal behaviour" Analytics ID, the analytics result provided by the NWDAF is defined in Table 188.8.131.52-1 and Table 184.108.40.206-2. When the level of an exception trespasses above or below the threshold, the NWDAF shall notify the consumer with the exception ID associated with the exception if the exception ID is within the list of exception IDs indicated by the consumer or matches the expected analytics type indicated by the consumer. The NWDAF shall provide the Exception Level and determine which of the other information elements to provide, depending on the observed exception.
Abnormal behaviour statistics information is defined in Table 220.127.116.11-1.
The predictions are provided with a Validity Period, as defined in clause 6.1.3.
The UE characteristics may provide a set of features common to all UEs affected with the exception.
The number of exceptions and the length of the SUPI list shall respectively be lower than the parameters maximum number of objects and Maximum number of SUPIs provided as part of Analytics Reporting Information.
If PCF subscribes to notifications on "Abnormal behaviour", the NWDAF shall send the PCF notifications about the risk, which may trigger the PCF to update the AM/SM policies.
The NWDAF also sends the notification directly to the AMF or SMF, if the AMF or SMF subscribes to the notification, so that the AMF or SMF may, based on operator local policies defined on a per S-NSSAI basis (for AMF) or on a per S-NSSAI, per DNN, or per (DNN,S-NSSAI) basis (for SMF), take actions for risk solving.
If the AF subscribes to notifications on "Abnormal behaviour", the NWDAF sends the notifications to the AF so that the AF may take actions for risk solving.
The following Table 18.104.22.168-3 gives examples of additional measurement provided by the NWDAF and examples of NF actions for solving each risk.
Unexpected UE location (TA or cells which the UE stays)
PCF may extend the Service Area Restrictions with current UE location. AMF may extend the mobility restriction with current UE location.
Ping-ponging across neighbouring cells
Numbers, frequency, time and location information, assumption about the possible circumstances of the ping-ponging
If the ping-ponging are per UE, then:
1. the AMF may adjust the UE (e.g. a stationary UE) registration area.
2. the AMF and/or the AF may allow the use of Coverage Enhancement for the affected UE.
Unexpected long-live/large rate flows
Unexpected flow template (IP address 5 tuple)
SMF updates the QoS rule, e.g. decrease the MBR for the related QoS flow.
PCF, if dynamic PCC applies for corresponding DNN, S-NSSAI, updates PCC Rules that triggers SMF updates the QoS rule, e.g. decrease the MBR for the related QoS flow.
Time of unexpected wake-up
AMF applies MM back-off timer to the UE.
Suspicion of DDoS attack
Victim's address (target IP address list)
PCF may request SMF to release the PDU session.
SMF may release the PDU session and apply SM back-off timer.
Wrong destination address
Wrong destination address (target IP address list)
PCF updates the packet filter in the PCC Rules that triggers the SMF to update the related QoS flow and configures the UPF.
Too frequent Service Access
Volume, frequency, time, assumptions about the possible circumstances
AF may release the AF session.
PCF may request SMF to release the PDU session.
SMF may release the PDU session and apply SM back-off timer.
Unexpected radio link failures
Numbers, frequency, time and location, assumptions about the possible circumstances
If the unexpected radio link failures are per UE location bases, the AMF may allow the use of CE (Coverage Enhancement) in the affected location. Also, the Operator may improve the coverage conditions in the affected location.
If the unexpected radio link failures are per UE bases, then the AMF and/or the AF may allow the use of CE for the affected UE.
A consumer NF subscribes to/requests NWDAF using Nnwdaf_AnalyticsSubscription_Subscribe/ Nnwdaf_AnalyticsInfo_Request (Analytics ID = Abnormal behaviour, Target of Analytics Reporting = Internal-Group-Identifier, any UE or SUPI, Analytics Filter Information).
A consumer NF may subscribe to/request abnormal behaviour notification/response from NWDAF for a group of UEs, any UE or a specific UE. The Analytics ID indicates the NWDAF to identify misused or hijacked UEs through abnormal behaviour analytic.
AF to NWDAF: Nnwdaf_AnalyticsSubscription_Subscribe or Nnwdaf_AnalyticsInfo_Request (Analytics ID, Target of Analytics Reporting = External-group identifier, any UE or External UE ID, Analytics Filter Information).
For untrusted AFs, the AF sends the subscription via a NEF, where the AF invokes NEF service Nnef_AnalyticsExposure_Subscribe or Nnef_AnalyticsExposure_Fetch (Analytics ID, Target of Analytics Reporting = External-group-identifier, any UE or External UE ID, Analytics Filter Information).
An AF may also subscribe to/request abnormal behaviour notification/response from NWDAF for a group of UEs, a specific UE or any UE, where the subscription/request message may contain expected UE behaviour parameters identified on the application layer. If an External-Group-Identifier is provided by the AF, the NEF interrogates UDM to map the External-Group-Identifier to the Internal-Group-Identifier and obtain SUPI list corresponding to the Internal-Group-Identifier.
[Conditional] NWDAF to AMF: Namf_EventExposure_Subscribe (Event ID(s), Event Filter(s), Internal-Group-Identifier, any UE or SUPI).
The NWDAF sends subscription requests to the related AMF to collect UE behavioural information if it has not subscribed such data.
The AMF sends event reports to the NWDAF based on the report requirements contained in the subscription request received from the NWDAF.
If requested by NWDAF via Event Filter(s), the AMF checks whether the UE's behaviour matches its expected UE behavioural information. In this case, the AMF sends event reports to the NWDAF only when it detects that the UE's behaviour deviated from its expected UE behaviour.
Depending on the Exception ID, the NWDAF may in addition perform data collection from OAM as specified in clause 22.214.171.124.
[Conditional] NWDAF to SMF: Nsmf_EventExposure_Subscribe (Event ID(s), Event Filter(s), Internal-Group-Identifier, any UE or SUPI).
The NWDAF sends subscription requests to the related SMF(s) if it has not subscribed to such data.
The SMF sends event reports to the NWDAF based on the report requirements contained in the subscription request received from the NWDAF.
If requested by NWDAF via Event Filter(s), the SMF checks whether the UE's behaviour matches its expected UE behavioural information. In this case, the SMF sends event reports to the NWDAF only when it detects that the UE's behaviour deviated from its expected UE behaviour.
The NWDAF performs data analytics for misused or hijacked UEs identification. Based on the analytics and operator's policies the NWDAF determines whether to send a notification to the consumer NF or AF.
[Conditional] NWDAF to consumer NF (AMF or PCF or SMF depending on the subscription): Nnwdaf_AnalyticsSubscription_Notify or Nnwdaf_AnalyticsInfo_Request response (Analytics ID, Exception ID, Internal-Group-Identifier or SUPI, Exception level) (which is used depending on the service used in step 1a).
If the NWDAF determines to send a notification/response to the consumer 5GC NFs, the NWDAF invokes Nnwdaf_AnalyticsSubscription_Notify or Nnwdaf_AnalyticsInfo_Request response service operations. Based on the notification/response, the 5G NFs adopt configured actions to resolve/mitigate/avoid the risks as described in the Table 126.96.36.199-1.
[Conditional] NWDAF to AF: Nnwdaf_AnalyticsSubscription_Notify or Nnwdaf_AnalyticsInfo_Request response (Analytics ID, Exception ID, External UE ID, Exception level) (which is used depending on the service used in step 1b).
If the NWDAF determines to send a notification/response to the consumer AF, the NWDAF needs to include external UE ID of the identified UE into the notification/response message.