+

WO2016184505A1 - Identifying a misbehaving ue initiating a random access procedure - Google Patents

Identifying a misbehaving ue initiating a random access procedure Download PDF

Info

Publication number
WO2016184505A1
WO2016184505A1 PCT/EP2015/061021 EP2015061021W WO2016184505A1 WO 2016184505 A1 WO2016184505 A1 WO 2016184505A1 EP 2015061021 W EP2015061021 W EP 2015061021W WO 2016184505 A1 WO2016184505 A1 WO 2016184505A1
Authority
WO
WIPO (PCT)
Prior art keywords
procedure
random access
enb
identifying
determining
Prior art date
Application number
PCT/EP2015/061021
Other languages
French (fr)
Inventor
Prajwol Kumar NAKARMI
Johnny KAROUT
Michael Liljenstam
Johan Rune
Original Assignee
Telefonaktiebolaget Lm Ericsson (Publ)
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Telefonaktiebolaget Lm Ericsson (Publ) filed Critical Telefonaktiebolaget Lm Ericsson (Publ)
Priority to PCT/EP2015/061021 priority Critical patent/WO2016184505A1/en
Publication of WO2016184505A1 publication Critical patent/WO2016184505A1/en

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W74/00Wireless channel access
    • H04W74/002Transmission of channel access control information
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W74/00Wireless channel access
    • H04W74/08Non-scheduled access, e.g. ALOHA
    • H04W74/0833Random access procedures, e.g. with 4-step access
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/08Access security
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/60Context-dependent security
    • H04W12/69Identity-dependent
    • H04W12/75Temporary identity

Definitions

  • This application relates to methods and apparatus of identifying a misbehaving UE that is initiating random access procedure at least twice so as to access a radio access network.
  • LTE Long term Evolution
  • UE user equipment
  • RA Random Access Procedure
  • eNB E-UTRAN Node B
  • MME mobility management entity
  • NAS non-access stratum
  • inadvertently misbehaving UEs that are already in a RRC_CONNECTED state may misbehave in that they repeatedly initiate random access procedure although they are already connected to the network. This also overloads the network such that fewer resources are available for other legitimate UEs who are genuinely trying to connect to the network.
  • US20140206343 It is known from US20140206343 to provide a method for dealing with malicious devices sending jamming signals that include bogus RACH signals, thus causing the random access procedure to fail because the eNB does not receive further messages in response to the random access response.
  • the method proposed in US20140206343 to deal with these malicious devices includes using a Jammer Detection and Location server which determines the presence of a jamming signal and prompts the wireless network to reconfigure to avoid and prevent disruption from the jamming signal.
  • disadvantages of this method include that after the network is reconfigured the same device can resend jamming signals so as to further disrupt the network. Furthermore, it does not prevent devices that are in an RCC_Connected state that continue to send jamming signals.
  • a method, performed by an E-UTRAN, eNB, of identifying a misbehaving UE that is initiating random access procedure at least twice so as to access a radio access network comprises, receiving a random access request from a UE, identifying the UE based on transmission information and then determining if the UE has previously initiated random access procedure; and determining if the UE has used at least one resource block that it has previously been allocated as a result of an earlier random access procedure.
  • the step of determining if the UE has used at least one resource block previously allocated comprises determining if any further messages were received from the UE after the earlier random access procedure.
  • the method comprises the step of determining if the UE has used at least one resource block previously allocated comprises identifying a cell radio network temporary identity, C-RNTI, or temporary cell radio network temporary identity, TC-RNTI, received in the earlier random access procedure and thereafter determining if C-RNTI or TC-RNTI was used in any subsequent messages received from the UE.
  • the method may further comprise determining if the radio access network is overloaded.
  • the method may comprise determining if the availability of a radio access resource is below a predetermined level so as to determine if the radio access network is overloaded.
  • the method may further comprise performing protection procedure. If a misbehaving UE is identified and if the radio access network is overloaded, then the method may further comprise performing a protection procedure.
  • the protection procedure comprises nulling the random access procedure by the eNB being configured to not receive any further messages from the UE and/or not acting on any further messages received from the UE.
  • the protection procedure comprises nulling the random access request for a predetermined period of time.
  • the protection procedure may comprise delaying transmission of a message to the UE.
  • the method may further comprise informing an operator of the UE and receiving instructions from the operator on whether to execute the protection procedure.
  • the method further comprises sending a message to a server and then receiving instructions from the server on whether to execute the protection procedure.
  • the method comprises receiving a message from a mobility management entity, MME, the message comprising instructions to execute the protection procedure.
  • the transmission information comprises Angle of Arrival, Signal to noise ratio, transmission power, timing accuracy or pattern of random identifiers.
  • an apparatus of identifying a misbehaving UE that is initiating random access procedure at least twice so as to access a radio access network
  • the apparatus comprises, a receiving module for receiving a random access request from a UE, an identifying module for identifying the UE based on transmission information and then determining if the UE has previously initiated random access procedure; and a determination module for determining if the UE has used at least one resource block that it has previously been allocated as a result of an earlier random access procedure.
  • the determination module may further comprises mean for determining if any further messages were received from the UE after the earlier random access procedure.
  • the determination module further comprises means for determining if the UE has used at least one resource block previously allocated by identifying a cell radio network temporary identity, C-RNTI, or temporary cell radio network temporary identity, TC-RNTI, received in the earlier random access procedure and thereafter determining if C-RNTI or TC-RNTI was used in any subsequent messages received from the UE.
  • the apparatus comprises a detection module for determining if the radio access network is overloaded.
  • the detection module may further comprise means for determining if the availability of a radio access resource is below a predetermined level so as to determine if the radio access network is overloaded.
  • the apparatus may further comprise a protection module for performing a protection procedure should such a UE be identified.
  • the apparatus further comprises a protection module for performing a protection procedure.
  • the protection module comprises means for nulling the random access procedure by the eNB being configured to not receive any further messages from the UE and/or not acting on any further messages received from the UE. In another embodiment, the protection module further comprises means for nulling the random access request for a predetermined period of time.
  • the protection module may further comprise means for delaying transmission of a message to the UE.
  • the apparatus may further comprise an information module for informing an operator of the UE and receiving instructions from the operator on whether to execute the protection procedure.
  • the apparatus may further comprise a transmission module for sending a message to a server and then receiving instructions from the server on whether to execute the protection procedure.
  • the transmission module is for receiving a message from a mobility management entity, MME, the message comprising instructions to execute the protection process.
  • an E-UTRAN Node B comprising an apparatus as described above.
  • an apparatus comprising a processor and a memory, the memory containing instructions executable by the processor, such that the apparatus is operable to carry out a method according to any one of claims 1 to 13 appended hereto.
  • a method, performed by a Mobility Management Entity, MME, of identifying a misbehaving UE that is initiating random access procedure at least twice comprises, receiving a S1AP message from an E-UTRAN Node B, eNB, and identifying the UE, and establishing if the UE is already registered with the MME, and if so, initiating a protection procedure.
  • MME Mobility Management Entity
  • establishing if the UE is already registered with the MME comprises identifying an identifier of the UE included in the S1AP message.
  • the method comprises identifying SAE-Temporary Mobile Subscriber Identity, S-TMSI, included in the S1AP message and determining if a connection is already established for a UE with said S-TMSI.
  • the method comprises identifying the UE initiating random access procedure by its International Mobile Subscriber Identity, IMSI, and determining if a connection is already established for a UE with said IMSI.
  • the method may comprise determining if the Evolved Packet Core, EPC is overloaded and if so initiating the protection procedure.
  • the method may comprise determining if the availability of a control plane resource is below a predetermined level so as to determine if the EPC is overloaded.
  • initiating the protection procedure comprises informing the eNB if the UE is already registered with the MME.
  • the protection procedure further comprises instructing the eNB to execute a protection procedure comprising any of the features as claimed in claims 8 to 1 1 appended hereto.
  • initiating the protection procedure comprises ignoring the SA1 P message by not sending a S1AP Downlink NAS Transport message to the UE.
  • an apparatus of identifying a misbehaving UE that is initiating random access procedure at least twice, the apparatus comprises, a receiving module for receiving a S1AP message from an E- UTRAN Node B, eNB, an identification module for identifying a UE, a determination module for establishing if the UE is already registered with the MME, and a protection module for initiating a protection procedure if the UE is already registered with the MME.
  • the determination module further comprises means for identifying an identifier of the UE included in the S1 AP message so as to establish if the UE is already registered with the MME.
  • the determination module further comprises means for identifying SAE-Temporary Mobile Subscriber Identity, S-TMSI, included in the S1AP message so as to determine if a connection is already established for the UE with said S-TMSI.
  • the determination module further comprises means for identifying the UE initiating random access procedure by its International Mobile Subscriber Identity, I MSI, so as to determine if a connection is already established for the UE with said IMSI.
  • the apparatus may comprise an EPC module for determining if the Evolved Packet Core, EPC is overloaded and if so sending a message to the protection module to initiate the protection procedure.
  • the EPC module may further comprise means for determining if the availability of a control plane resource is below a predetermined level so as to determine if the EPC is overloaded.
  • the protection module for initiating the protection procedure further comprises an instruction module for informing the eNB if the UE is already registered with the MME.
  • the instruction module is for instructing the eNB to execute a protection procedure comprising any of the features as claimed in claims 9 to 13 appended hereto.
  • the protection module may be for ignoring the SA1 P message by not sending a S1AP Downlink NAS Transport message to the UE.
  • MME Mobility Management Entity
  • an apparatus comprising a processor and a memory, the memory containing instructions executable by the processor, such that the apparatus is operable to carry out a method according to any one of claims 16 to 24 appended hereto.
  • a computer program configured, when run on a computer, to carry out a method according to any one of claims 1 to 13 or 16 to 24 appended hereto.
  • a computer program product comprising computer readable medium and a computer program as previously described stored on the computer readable medium
  • Figure 1 illustrates an example of a random access procedure
  • Figure 2 illustrates an example of a flow chart according to an embodiment of the present invention
  • Figure 3 illustrates an example of an embodiment of the present invention
  • Figure 4 illustrates a format of a MAC PDU sent in a RAR message
  • Figure 5 illustrates a format of a MAC RAR message
  • Figure 6 illustrates an example of a flow chart according to another embodiment of the present invention.
  • Figure 7 illustrates another example of a message flow according to an embodiment of the present invention.
  • Figure 8 illustrates a flow chart according to an embodiment of the present invention
  • Figure 9a illustrates a flow chart according to another embodiment of the present invention
  • Figure 9b illustrates the optional features of the flow chart in figure 9a
  • Figure 10 illustrates a flow chart according to another embodiment of the present invention.
  • Figure 1 1 illustrates a flow chart according to yet another embodiment of the present invention
  • Figure 12 illustrates a box diagram of an apparatus such as an eNB
  • Figure 13 illustrates a box diagram of an apparatus such as an MME
  • Figure 14 illustrates a box diagram of an apparatus such as an eNB
  • Figure 15 illustrates a box diagram of an apparatus such as an eNB
  • Figure 16 illustrates a box diagram of an apparatus such as an eNB
  • Figure 17 illustrates a box diagram of an apparatus such as an MME
  • Figure 18 illustrates a box diagram of an apparatus such as an MME.
  • Figure 19 illustrates a box diagram of an apparatus such as an MME. DETAILED DESCRIPTION
  • the aspects of the present invention relates to a method performed, by an eNB of a Long-Term Evolution (LTE) network, of identifying a user equipment (UE) that is initiating random access procedure at least twice, or repeatedly, so as to access a radio access network.
  • the method performed by the eNB can identify maliciously or inadvertently misbehaving UEs including UEs that are already in a RRC_CONNECTED state and/or ECM_CONNECTED state.
  • the method can identify any kind of UE including, but not limited to, a user-operated portable communications device, such as smartphones, laptop computers or the like, or other portable devices, such as tracking devices or the like, and devices that are primarily intended to remain stationary in use, such as sensors, smart meters or the like.
  • the UE may not necessarily have to be enabled with a universal subscriber identity module (USIM) in order to initiate random access procedure and so aspects of the method includes identifying both UEs that are not provided with a USIM as well as UEs that are provided with a USIM that may or may not already be connected to the LTE network.
  • USIM universal subscriber identity module
  • misbehaving UE used herein is to include malicious UEs whose intentions are to cause harm or damage, as well as inadvertently misbehaving UEs that are malfunctioning or defective but authorized to perform a particular function.
  • the random access procedure (RA procedure) will now be described with reference to figure 1.
  • the network will learn for the first time that some UE 1 10 is trying to gain access and so prior to the RA procedure, the UE 1 10 does not yet have any resources or channels available to inform the network of its desire to connect. Therefore, to initiate RA procedure in LTE the UE 1 10 transmits a message 101 to an eNB 1 12 on Physical Random Access Channel (PRACH).
  • the message 101 comprises a preamble which is a specific pattern or signature.
  • the preamble differentiates requests coming in from different UEs. There are a total of 64 such patterns or signatures in LTE available to UEs and the UE 1 10 may decide any one of them randomly for contention-based random access procedure.
  • the eNB 1 12 then sends a random access response 102 (RAR) to the UE 1 10 using a broadcast identifier (random access radio network temporary identifier, RA-RNTI).
  • RAR random access radio network temporary identifier
  • RA-RNTI random access radio network temporary identifier
  • the RAR 102 carries information such as temporary cell radio network temporary identity (TC-RNTI) for further communication which gives another identity to the UE 1 10.
  • TC-RNTI temporary cell radio network temporary identity
  • the RAR 102 further carries a timing advance command, an uplink grant (UL Grant) and a reserved bit R.
  • the UE 1 10 thereafter sends a radio resource control (RRC) connection request message (RRCConnectionRequest) 103 to the eNB 1 12.
  • RRC radio resource control
  • the UE 1 10 is identified by TC-RNTI assigned in the previous RAR 102 sent by eNB 1 12, however the RRCConnectionRequest message 103 uses yet another UE identity S- TMSI (SAE-Temporary Mobile Subscriber Identity) or a random value.
  • S-TMSI is used if the UE 1 10 has previously connected to the same network. With S-TMSI, the UE 1 10 is identified in the core network. Alternatively, the random value may be used if the UE 1 10 is connecting to the network for the very first time.
  • the S-TMSI or random value is needed as there is a possibility that TC-RNTI has been assigned to more than one UE in the previous steps due to multiple requests coming in at the same time.
  • the eNB 1 12 responds to the UE 1 10 by sending an RRCConnectionSetup message 104 to the UE 1 10.
  • RRCConnectionSetup message 104 concludes contention resolution, meaning it resolves possible preamble collisions.
  • the contention resolution serves to resolve a situation wherein two or more UEs have used the same random access preamble in the initial message 101 and being assigned the same TC-RNTI. These two UEs would both assume that they are intended recipient of RAR 102 and send
  • RRCConnectionRequest message 103 to the eNB 1 12.
  • the eNB 1 12 will at best correctly receive one of these messages and by including the received UE identity (S- TMSI or random value) in the response message 104 to the UE 1 10 the eNB 1 12 indicates which of the UEs it is responding to.
  • the TC-RNTI is then promoted to C- RNTI (cell radio network temporary identity) and will be used to address the UE 1 10 in further communications.
  • the UE to which the RRCConnectionSetup 104 was not addressed will repeat the RA procedure.
  • the UE sends an RRCConnectionSetupComplete message to the eNB which then in turn sends a S1AP Initial UE Message to a Mobility
  • MME Management Entity
  • the method is performed by an eNB and the eNB identifies a maliciously or inadvertently misbehaving UE during the RA procedure and thereafter takes appropriate action in order to minimise overloading the network.
  • the eNB is configured to minimise disruption of legitimate UEs that are genuinely attempting to access the network.
  • the eNB awaits a random access message as represented by step 201 in figure 2.
  • the eNB receives a RA message from a UE, step 202. This message corresponds to message 101 or 103 described with reference to figure 1.
  • the eNB Upon receiving such a RA message from a UE, the eNB records transmission information 203 comprising features specific to the UE. Transmission information is any information identifying the UE transmitted from said UE to the eNB. Examples of this include angle of arrival (AoA), signal to noise ratio (SNR), transmission power of the signal or accuracy in timing.
  • AoA angle of arrival
  • SNR signal to noise ratio
  • Angle of arrival is measured by the eNB by determining the direction of propagation of the radio frequency wave sent by the UE incident on an antenna of the eNB. It may be that the eNB is configured to measure the angle of arrival with a greater or a lower level of accuracy. For example, it may be that the cell of an eNB is divided into several predetermined regions and the eNB records the AoA as it falls within one of these said regions. The number of predetermined regions can vary depending on the level of accuracy required. Alternatively, the eNB can be configured to measure the angle of arrival using of multi-input multi-output (MIMO) antennas.
  • MIMO multi-input multi-output
  • Signal to noise ratio (SNR) of any available channel can be measured, for example, the PRACH or the Physical Uplink Shared Channel (PUSCH).
  • SNR can be specific to a UE
  • the eNB can identify the UE by the SNR.
  • the level of transmission power of the signal sent by the UE can also be measured by the eNB in order to identify said UE.
  • accuracy in timing of receiving messages or signals from UE may also be measured as a feature to identify a UE.
  • the eNB may rely on any other transmission information and so it should be understood that the present invention is not limited to AoA, SNR, level of transmission power or timing accuracy.
  • the eNB may use other transmission information, for example, the eNB may be configured to establish a pattern of random identifiers that a UE is sending to the eNB. Random identifiers may include the preamble chosen by UE in message 101 , and/or the random value or S-TMSI in message 103. Furthermore, it should be understood that the eNB may use only one of the transmission information mentioned above, or a combination thereof.
  • step 204 determines if the transmission information or those features are associated with a maliciously or inadvertently misbehaving UE, step 204.
  • This step comprises the eNB determining if the transmission information recorded in step 203 has previously been recorded and if so, if the transmission information has been associated with a misbehaving UE.
  • the eNB determines that the identified UE is a legitimate UE that is not misbehaving then the eNB monitors the usage of resource blocks allocated in the RA procedure step 206. The eNB then determines if the resource blocks allocated during the RA procedure are being used, step 207. Unused resource blocks can be indicative of the UE being maliciously or inadvertently misbehaving as will be explained in more detail below.
  • the eNB determining if the UE has used at least one resource block allocated in the RA procedure will now be described.
  • a resource block in LTE is a unit of a carrier in a frequency and time domain.
  • a resource block consists of 12 consecutive subcarriers in the frequency domain and one 0.5ms slot in the time domain as is known to the skilled person in the art.
  • the eNB determines if the UE has used at least one resource block allocated as a result of the RA procedure by determining if any further messages, Mn 305, has been received from the UE after said RA procedure M1 to M4, 301 , 302, 303, 304 as seen in figure 3. If a further message, Mn 305, has been received from the UE, then the UE must have used at least one resource block in order to send said message.
  • a further message, Mn 305 may be a message relating to authentication of the UE, configuration of the connection or other uplink data.
  • the MAC PDU comprises a MAC header 402 and MAC RARs 403.
  • the MAC header 402 comprises amongst other things, the preamble initially sent by the UE.
  • the MAC RARs 403 comprises actual response information for the UE.
  • the format of a MAC RAR 501 is shown in figure 5, where it can be seen that it comprises an Uplink Grant (UL Grant) 502.
  • the UL Grant 502 comprises a resource block allocation which is resource blocks allocated by the eNB for the UE to send information to the eNB.
  • the method of determining if the UE has used at least one resource block allocated during the RA procedure may therefore comprise determining if the resource blocks sent in the UL Grant in the RA procedure has been used.
  • the eNB determines that the resource blocks allocated during the RA procedure are being used then it is determined that the UE is not a maliciously or inadvertently misbehaving UE and the eNB and the UE proceed as normal, step 208. On the other hand, if the eNB determines that the resource blocks are not being used, then the detection counter of unused resource blocks are increased, step 209.
  • step 210 the eNB records the UE and its transmission information as a potential malicious or advertent misbehaving UE 21 1 so that should the UE perform RA procedure again it would be identified as a misbehaving UE (step 205) and necessary protection procedural steps will be taken as is described in more detail below. Additionally or alternatively, the necessary protection procedural steps may also be instantly implemented so as to null the UE.
  • step 210 if the detection counter does not exceed a threshold, then the eNB and the UE proceed as normal, step 208.
  • the eNB determines that the transmission information or the features of the UE is associated with malicious or inadvertent behaviour then the eNB knows that the identified UE has previously initiated RA procedure without using at least one resource block allocated during said previous RA procedure.
  • the eNB may execute a protection procedure or preventative action, step 205.
  • the preventative action may comprise nulling by blocking or ignoring the RA request such that the eNB no longer acts upon any further received messages. Nulling may be achieved by beamforming, advanced signal processing or antenna techniques.
  • the protection procedure may alternatively comprise nulling including blocking, ignoring or cancelling the RA procedure for a pre-determined period of time, such as 30 seconds. This would eliminate a maliciously or inadvertently misbehaving UE from overloading or harming the network, whilst at the same time limiting disruption of legitimate UEs that are genuinely trying to access to the network.
  • the protection procedure may comprise the eNB delaying transmitting any response messages to the UE by for example delaying transmitting the RAR 102 or the RRCConnectionSetup message 104 (see figure 1 ) to the UE.
  • This method reduces the overloading impact such a UE may have on the network whilst causing minimal disruption to a legitimate UE trying to gain access to the network.
  • the protection procedure may comprise informing an Operation and Maintenance centre (O&M) such as a Network Operation Centre (NOC).
  • O&M Operation and Maintenance centre
  • NOC Network Operation Centre
  • the information may be handled by a person or by a software. For example, a person may assess whether the UE is malicious, malfunctioning or legitimate, and thereafter decide on the most appropriate action and inform the eNB accordingly.
  • the information may be handled by a software which analyses the information and by applying an algorithm determines the status of the UE and which, if any, protection procedure needs to be performed by the eNB.
  • the software may have information at a larger scale, for example information from several eNBs, such that the software can discover a large scale attack of malicious or misbehaving UEs.
  • step 601 a The eNB determines whether the radio access network is overloaded by directly measuring the availability of a radio access resource such as number of resource blocks available, or the processing capacity of the eNB. These are just examples of network access resources and it should be understood that any appropriate radio access resource may be used. When the level of one of these radio access resources is below a predetermined level the eNB determines that the radio access network is overloaded and that its resources are at or near depletion. The eNB then decides to implement method 200, such that number of maliciously or
  • the steps 601 to 61 1 correspond to the method steps 201 to 21 1 in figure 2 and so will not be described in any detail.
  • the eNB may determine the load of the network by using key performance indicator, KPI, and when the KPI reaches a certain level, the eNB determines that the network is overloaded.
  • KPI key performance indicator
  • the advantage of the preliminary step 601 a is that it determines when steps 601 to 61 1 are required. For example, when the network is not overloaded, malicious or inadvertently misbehaving UEs do not affect the operation of the network or legitimate UEs and so there is no need to execute steps 601 to 61 1 . Furthermore, by only executing steps 601 to 61 1 when required, the risk of legitimate UEs being
  • the preliminary step 601 a can continuously run in the background such that the loading of the network is constantly monitored. Alternatively, the preliminary step 601 a may be initiated periodically.
  • the preliminary step 601 a may be introduced as an intermediary step, for example after step 604 when a UE has been identified as maliciously or inadvertently misbehaving.
  • the eNB can then determine if the network is overloaded and thereafter decided whether to execute the preventative action in step 605.
  • Advantages of the embodiments described above include that the eNB can identify or discern UEs that are legitimate from UEs that are maliciously or inadvertently misbehaving as the UEs initiate RA procedure. The eNB can then prevent these identified misbehaving UEs from repeatedly performing RA procedure and overloading the network with RA messages. Thus, eNB can maintain Quality of Service.
  • a method 700 according to another embodiment is shown.
  • an eNB 701 and an MME 703 are cooperating so as to determine if a UE that is repeatedly performing RA procedure is maliciously or inadvertently misbehaving.
  • Advantages of this method include that several eNBs can cooperate with the same MME 703 such that the MME can establish a comprehensive picture of resource availability across the radio access network and the core network.
  • method 700 also identifies UEs that are enabled with a Universal subscriber identity module (USIM) and are already connected to the network but are maliciously or defectively initiating RA procedure. These UEs may deceive the eNB by transitioning to a
  • USIM Universal subscriber identity module
  • RRC_CONNECTED state and/or ECM_CONNECTED state during normal connection set up and thereafter sending pseudo-data using the allocated resource blocks such that an eNB may not identify UEs repeatedly initiating RA procedure, or RRCJDLE to RRC_CONNECTED state transition procedure, thereby overloading the network.
  • the method 700 comprises a UE 701 initiating a RA procedure with eNB 702.
  • the RA procedure comprises steps 704, 705, 706, 707 which correspond to the exchange of messages 101 , 102, 103, 104, respectively described above with reference to figure 1 .
  • the eNB may initiate recordal of transmission information after the first RA message 704 and/or the RRCConnectionRequest message 706, similar to that described in method 200 and 600.
  • the UE After the RA procedure is completed, the UE sends an RRCConnectionSetupComplete 708 message to eNB. The eNB then sends a S1AP initial UE message 709 to the MME 703. The MME 703 determines if a S1 connection already exists for the UE 710. The MME does so by detecting if the S-TMSI provided by the UE in the
  • RRCConnectionRequest message 706 and forwarded by the eNB to the MME in the S1AP message belongs to a UE for which there is already an S1 connection established. If an S1 connection already exists, then the MME informs the eNB 71 1 , using a new or a modified S1AP message, that the RA procedure is from a potentially maliciously or inadvertently misbehaving UE. The eNB then stores the recorded transmission information and the information received from the MME so that the eNB can null future attacks from the same UE. Alternatively, the eNB may also execute a protection procedure as in methods 200 and 600.
  • the eNB may run a miss-behaviour detection algorithm 712 in order to determine which action of the protection procedure to perform.
  • the protection procedure may be any of those described above with reference to method 200 and 600. However, it may be that the UE is not malicious but that there has been a loss of state synchronization between the UE and the network. In these cases, the MME may accept a predetermined number of requests from the UE before nulling the UE.
  • the MME may simply ignore the UE and discard the Initial UE Message. This provides the advantage that the S1 AP protocol is not impacted and hence proprietary implementations would be possible.
  • the UE 701 may try to avoid detection by the MME 703 by using a random value, rather than the S-TMSI, sent in RRCConnectionRequest message 706 to eNB such that the MME to which the eNB sends the SA1 P
  • Initial UE Message may be a MME different to the MME which is already aware of the UEs presence.
  • the UE may go undetected for a number of RRCJDLE to RRC_CONNECTED state procedures.
  • the number of MMEs in a pool is typically small and so the UE will eventually connect to an MME where it is already known.
  • the method 700 may comprise a preliminary step similar to preliminary step 601 a as described above with reference to figure 6.
  • the MME will only perform step 710 if the evolved packet core (EPC) is overloaded.
  • the MME determines if the EPS is overloaded before executing step 710.
  • the MME may determine, as an intermediary step, if the EPC is overloaded after it has identified a malicious or misbehaving UE, step 710, but before informing the eNB 71 1 of its findings.
  • the MME may establish if the EPC is overloaded by determining if the availability of a control plane resource is below a predetermined level.
  • a control plane resource may be number of messages that the MME is able to send or receive, or the processing capacity of the MME.
  • the control plane resource may be MME available/idle CPU time. It should be understood that these are only examples of control plane resources and that it may include other parameters.
  • a Key Performance Indicator, KPI of the EPS is determined. If the KPI is above or below a predetermined level then the MME determines that the EPS is overloaded.
  • the preliminary and intermediary steps provide the advantage that the MME does not ignore a UE or inform the eNB of a malicious or misbehaving UE unless the core network is overloaded, or control plane resources are at or near depletion. Thus, the chances of genuine UEs (for example, where state synchronization between the UE and the network has been lost) being disrupted is reduced.
  • the above methods provide the advantage of identifying a UE that is initiating RA procedure more than once. If the identified UE is identified and determined as being a maliciously or inadvertently misbehaving UE, then the eNB or the MME can initiate protection procedure to reduce the network resources that are used on the
  • the above methods enable UEs to be identified and tracked such that a UE initiating RA procedure more than once can be identified already after the initial RA message and thereafter nulled before the eNB sends a RAR message to the UE.
  • a method performed by an eNB is shown.
  • the method is for identifying a maliciously or inadvertently misbehaving UE that is initiating random access procedure at least twice so as to access a radio access network.
  • the method comprises receiving a random access request from a UE 801 , and identifying the UE based on transmission information 802 and then determining if the UE has previously initiated random access procedure 803. If so, the method further comprises determining if the UE has used at least one resource block that it has previously been allocated as a result of an earlier random access procedure.
  • This embodiment comprises corresponding steps to steps 801 , 802, 803 and 804 that are denoted 901 , 902, 903 and 904.
  • the method further comprises determining if the UE has used at least one resource block previously allocated by determining if any further messages were received from the UE after the earlier random access procedure. In one embodiment, this is achieved by identifying a cell radio network temporary identity, C-RNTI, or temporary cell radio network temporary identity, TC- RNTI, received in the earlier random access procedure and thereafter determining if C- RNTI or TC-RNTI was used in any subsequent messages received from the UE 906.
  • the method 900 further comprises determining if the radio access network is overloaded 907. This may be achieved by determining if the availability of a radio access resource is below a predetermined level so as to determine if the radio access network is overloaded 908. If the radio access network is overloaded and a UE is identified as initiating random access procedure at least twice, then the method further comprises performing a protection procedure 909.
  • the method comprises performing the protection procedure if a UE is identified as initiating random access procedure at least twice, regardless of whether the network is overloaded or not, 909.
  • One step in figure 9b shows the protection procedure 910 comprising nulling the random access procedure by the eNB being configured to not receive any further messages from the UE and/or not acting on any further messages received from the UE 910a.
  • the nulling of the random access request may occur for a predetermined period of time so as not to disrupt genuine UEs trying to access the network.
  • the protection procedure may comprise delaying transmission of a message to the UE 910b.
  • the method may further comprise step 91 1 of informing an operator of the identified UE and receiving instructions from the operator on whether to execute the protection procedure in steps 910a, 910b.
  • the method comprises sending a message to a server and then receiving instructions from the server on whether to execute the protection procedure 912.
  • the eNB receives a message from a mobility management entity, MME, 913 the message comprising instructions to execute the protection procedure as described in steps 910a and 910b.
  • transmission information used to identify a UE may comprise Angle of Arrival, Signal to noise ratio, transmission power, timing accuracy or pattern of random identifiers as described previously.
  • the eNB may be configured to establish a pattern of random identifiers that a UE is sending to the eNB so as to identify the UE. Random identifiers may include the preamble chosen by UE in message 101 , and/or the random value or S-TMSI in message 103 as described in figure 1 .
  • the eNB may use only one of the transmission information mentioned above, or a combination thereof.
  • a method 1000 performed by an MME will now be described with reference to figure 10.
  • the method is for identifying a maliciously or inadvertently misbehaving UE that is initiating random access procedure at least twice.
  • the method comprises, receiving a S1 AP message from an eNB 1001 , identifying the UE 1002, and establishing if the UE is already registered with the MME 1003, and if so, initiating a protection procedure 1004.
  • This method identifies maliciously or inadvertently misbehaving UEs that have not been identified by eNBs. This may happen when a UE transitions to a
  • RRC_CONNECTED state and/or ECM_CONNECTED state during normal connection set up and thereafter sends pseudo-data to the eNB using the allocated resource blocks such that an eNB may not identify UEs repeatedly initiating RA procedure, thereby overloading the network.
  • method 1 100 Another embodiment of a method 1 100 performed by an MME will now be described with reference to figure 1 1.
  • This method 1 100 is similar to that of method 1000 and steps 1 101 , 1 102, 1 103 and 1 108 correspond to steps 1001 , 1002, 1003 and 1004.
  • method 1 100 comprises a few optional alternative steps as indicated by dashed lines.
  • the MME may establish if the UE is already registered with the MME by identifying an identifier of the UE included or embedded in the S1 AP message 1 104.
  • Such an identifier may be S-TMSI included in the S1AP message 1 105.
  • other identifiers may be used that is included in the NAS embedded in the S1AP message, for example, Globally Unique Temporary ID (GUTI) or
  • the method may further comprise determining if the Evolved Packet Core, EPC is overloaded and if so initiating the protection procedure 1 106. Determining if the EPC is overloaded may be achieved by determining if the availability of a control plane resource is below a predetermined level 1 107.
  • the protection procedure may comprise informing the eNB if the UE is already registered with the MME 1 109.
  • the protection procedure may further comprise instructing the eNB to execute a protection procedure comprising any of the features as described with reference to figures 8, 9a and 9b, 1 1 10.
  • the protection procedure comprises ignoring the SA1 P message by not sending a S1 AP Downlink NAS Transport message to the UE 1 1 1 1 .
  • method 1 100 is shown in figure 1 1 as steps in a specific order, it should be understood that the method 1 100 is not limited to the shown order.
  • the step of determining if the EPC is overloaded may occur before step 1 101 .
  • Methods 800, 900, 1000 and 1 100 described above provide the same advantages as those described above with reference to methods 200, 600, 700.
  • the methods 200, 600, 800 and 900 described above may be conducted by an eNB or an apparatus forming part of an eNB.
  • the methods may be conducted on receipt of suitable computer readable instructions, which may be embodied within a computer program running on the apparatus or the eNB.
  • Figure 12 illustrate an example of an apparatus forming part of an eNB, or an eNB, 1200, which may execute the methods 200, 600, 800 and 900 of the present invention, for example on receipt of suitable instructions from a computer program.
  • the apparatus or eNB comprises a processor and a memory.
  • the memory containing instructions executable by the processor, such that the apparatus or eNB is operable to carry out any of the embodiments of methods 200, 600, 800 and 900.
  • the methods 700, 1000 and 1 100 described above may be conducted by an MME or an apparatus forming part of an MME.
  • the methods may be conducted on receipt of suitable computer readable instructions, which may be embodied within a computer program running on the apparatus or the MME.
  • Figure 13 illustrate an example of an apparatus forming part of an MME, or an MME, 1300, which may execute the methods 700, 1000, 1 100 of the present invention, for example on receipt of suitable instructions from a computer program.
  • the apparatus or MME comprises a processor and a memory.
  • the memory containing instructions executable by the processor, such that the apparatus or MME is operable to carry out any of the embodiments of methods 700, 1000, 1 100.
  • FIG 14 illustrates functional modules in another embodiment of an apparatus which may form part of an eNB.
  • the apparatus is for identifying a misbehaving UE that is initiating random access procedure at least twice so as to access a radio access network and may execute any of methods 200, 600, 800 and 900 described herein, for example, according to computer readable instructions received from a computer program.
  • the modules illustrated in figure 14 are software implemented functional modules, and may be realised in any appropriate combination of software modules.
  • the apparatus comprises a receiving module 1401 for receiving a random access request from a UE, an identifying module 1402 for identifying the UE based on transmission information and then determining if the UE has previously initiated random access procedure.
  • the apparatus further comprises a determination module 1403 for determining if the UE has used at least one resource block that it has previously been allocated as a result of an earlier random access procedure.
  • the apparatus also comprises a processor for executing the software or modules and a memory for storing the different modules.
  • a processor for executing the software or modules
  • a memory for storing the different modules.
  • the apparatus 1500 comprises a receiving module 1501 , identifying module 1502 and a determination module 1503.
  • the determination module 1503 may further comprise means for determining if any further messages were received from the UE after the earlier random access procedure.
  • the determination module 1503 further comprises means for determining if the UE has used at least one resource block previously allocated by identifying a cell radio network temporary identity, C-RNTI, or temporary cell radio network temporary identity, TC-RNTI, received in the earlier random access procedure and thereafter determining if C-RNTI or TC-RNTI was used in any subsequent messages received from the UE.
  • the apparatus 1500 further comprising a detection module 1504 for determining if the radio access network is overloaded.
  • the detection module 1504 may further comprise means for determining if the availability of a radio access resource is below a predetermined level so as to determine if the radio access network is overloaded.
  • the apparatus further comprises a protection module 1505 for performing a protection procedure should such a UE be identified.
  • the protection module 1505 may alternatively perform a protection procedure once the misbehaving UE has been identified and the detection module 1504 has determined that the radio access network is overloaded.
  • the protection module 1505 comprises means for nulling the random access procedure by the eNB being configured to not receive any further messages from the UE and/or not acting on any further messages received from the UE.
  • the protection module 1505 further comprises means for nulling the random access request for a predetermined period of time, or means for delaying transmission of a message to the UE by a predetermined time such as 30 seconds.
  • the apparatus further comprises an information module 1506 for informing an operator of the UE and receiving instructions from the operator on whether to execute the protection procedure.
  • the apparatus 1500 may also comprise a transmission module 1507 for sending a message to a server and then receiving instructions from the server on whether to execute the protection procedure.
  • the transmission module may additionally and/or alternatively be for receiving a message from a mobility management entity, MME, the message comprising instructions to execute the protection process.
  • apparatus in figure 15 may be an eNB or form part of an eNB and that it provides the same advantages as method 200, 600, 800 and 900.
  • an apparatus may form part or be an eNB.
  • the apparatus comprises a processor 1601 and a memory 1602, and an input/out (I/O) interface 1603 for receiving and sending messages to a UE and an MME.
  • the apparatus is configured so as to identify a misbehaving UE that is initiating random access procedure at least twice so as to access a radio access network.
  • the apparatus is further configured to receive a random access request from a UE, identify the UE based on transmission information and then determine if the UE has previously initiated random access procedure; and determine if the UE has used at least one resource block that it has previously been allocated as a result of an earlier random access procedure.
  • the apparatus may be further configured to perform any of methods 200, 600, 800 and 900.
  • FIG 17 illustrates functional modules in another embodiment of an apparatus which may form part of an MME.
  • the apparatus is for identifying a misbehaving UE that is initiating random access procedure at least twice and may execute any of methods 700, 1000 and 1 100 described herein, for example, according to computer readable instructions received from a computer program.
  • the modules illustrated in figure 16 are software implemented functional modules, and may be realised in any appropriate combination of software modules.
  • the apparatus comprises, a receiving module 1701 for receiving a S1AP message from an E-UTRAN Node B, eNB, and an identification module 1702 for identifying the UE, a determination module1703 for establishing if the UE is already registered with the MME, and a protection module 1704 for initiating a protection procedure if the UE is already registered with the MME.
  • the apparatus also comprises a processor for executing the software or modules and a memory for storing the different modules.
  • Figure 18 shows another embodiment of functional modules of an apparatus 1800 that may form part of an MME.
  • the apparatus 1800 is similar to that shown in figure 17 and comprises functional modules; receiving module, 1801 , identification module 1802, determination module 1803 and protection module 1804 corresponding to modules 1701 , 1702, 1703 and 1704.
  • determination module 1803 may further comprise means for identifying an identifier of the UE included in the S1 AP message so as to establish if the UE is already registered with the MME.
  • the determination module 1803 may for example identify SAE-Temporary Mobile Subscriber Identity, S-TMSI, included in the S1AP message so as to determine if a connection is already established for the UE with said S-TMSI.
  • the determination module 1803 may identify GUTI or IMEI included in the NAS embedded in the S1AP message.
  • the determination module 1803 may further comprise means for identifying the UE initiating random access procedure by its International Mobile Subscriber Identity, I MSI, so as to determine if a connection is already established for the UE with said IMSI.
  • I MSI International Mobile Subscriber Identity
  • the apparatus may comprise an EPC module 1805 for determining if the Evolved Packet Core, EPC is overloaded and if so sending a message to the protection module to initiate the protection procedure.
  • the EPC module 1805 may further comprise means for determining if the availability of a control plane resource is below a predetermined level so as to determine if the EPC is overloaded.
  • the protection module 1804 may comprise an instruction module 1806 for informing the eNB if the UE is already registered with the MME. Alternatively, the instruction module 1806 may be for instructing the eNB to execute a protection procedure comprising any of the features as described in methods 200, 600, 800 and 900.
  • the protection module 1804 comprises means for ignoring the SA1 P message by not sending a S1 AP Downlink NAS Transport message to the UE.
  • the apparatus 1700 and 1800 shown in figures 17 and 18 may form part of or be an MME.
  • an apparatus 1900 is shown that may form part or be an MME.
  • the apparatus comprises a processor 1901 and a memory 1902, and an input/out (I/O) interface 1903 for receiving and sending messages to an eNB.
  • the apparatus 1900 is configured to identify a misbehaving UE that is initiating random access procedure at least twice.
  • the apparatus is further configured to receive a S1 AP message from an eNB, identify a UE, establish if the UE is already registered with the MME, and initiate a protection procedure if the UE is already registered with the MME.
  • the apparatus may also be configured to carry out any of methods 700, 1000 and 1 100. Aspects of the present invention thus provide methods, apparatus and computer programs enabling an apparatus of an eNB and an MME, or an eNB or MME, to prevent or reduce the number of random access procedures initiated by maliciously or inadvertently misbehaving UEs.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

A method, performed by an E-UTRAN, eNB, of identifying a misbehaving UE that is initiating random access procedure at least twice so as to access a radio access network is provided. The method comprises receiving a random access request from a UE, identifying the UE based on transmission information and then determining if the UE has previously initiated random access procedure; and determining if the UE has used at least one resource block that it has previously been allocated as a result of an earlier random access procedure.

Description

Identifying A Misbehaving UE Initiating A Random Access Procedure TECHNICAL FIELD
This application relates to methods and apparatus of identifying a misbehaving UE that is initiating random access procedure at least twice so as to access a radio access network.
BACKGROUND
Long term Evolution (LTE) is a wireless communication of high-speed data for user equipment (UE) such as mobile communication devices and other data terminals. For a UE to transmit and receive information it first needs to connect to a network. When a UE is switched on for the very first time, it will connect to a network by first searching for its network with which it has a subscription. Once it has identified its network, the UE initiates a Random Access Procedure (RA procedure) for synchronizing with the network and for gaining initial access. Once initial access is gained, further procedures can be performed including authentication of the UE, configuration of the connection, and establishing appropriate states on higher layers, through for example, S1 AP signalling between an E-UTRAN Node B (eNB) and mobility management entity (MME), or non-access stratum (NAS) signalling between the UE and the MME.
During random access procedure, there is no way for the network to be made aware of the identity of the UE which is trying to access the network. The identity of the UE is first established at a later stage during successful authentication or when the UE has proven to be in possession of a previously agreed integrity protection key. Thus, maliciously misbehaving or inadvertently misbehaving UEs can overload the network and deplete resources by repeatedly initiating random access procedures.
In addition, inadvertently misbehaving UEs that are already in a RRC_CONNECTED state may misbehave in that they repeatedly initiate random access procedure although they are already connected to the network. This also overloads the network such that fewer resources are available for other legitimate UEs who are genuinely trying to connect to the network.
It is known from US20140206343 to provide a method for dealing with malicious devices sending jamming signals that include bogus RACH signals, thus causing the random access procedure to fail because the eNB does not receive further messages in response to the random access response. The method proposed in US20140206343 to deal with these malicious devices includes using a Jammer Detection and Location server which determines the presence of a jamming signal and prompts the wireless network to reconfigure to avoid and prevent disruption from the jamming signal.
However, disadvantages of this method include that after the network is reconfigured the same device can resend jamming signals so as to further disrupt the network. Furthermore, it does not prevent devices that are in an RCC_Connected state that continue to send jamming signals. SUMMARY
According to an aspect of the invention, there is provided a method, performed by an E-UTRAN, eNB, of identifying a misbehaving UE that is initiating random access procedure at least twice so as to access a radio access network, the method comprises, receiving a random access request from a UE, identifying the UE based on transmission information and then determining if the UE has previously initiated random access procedure; and determining if the UE has used at least one resource block that it has previously been allocated as a result of an earlier random access procedure. In one embodiment, the step of determining if the UE has used at least one resource block previously allocated comprises determining if any further messages were received from the UE after the earlier random access procedure.
In another embodiment, the method comprises the step of determining if the UE has used at least one resource block previously allocated comprises identifying a cell radio network temporary identity, C-RNTI, or temporary cell radio network temporary identity, TC-RNTI, received in the earlier random access procedure and thereafter determining if C-RNTI or TC-RNTI was used in any subsequent messages received from the UE. The method may further comprise determining if the radio access network is overloaded. The method may comprise determining if the availability of a radio access resource is below a predetermined level so as to determine if the radio access network is overloaded.
If a misbehaving UE is identified, then the method may further comprise performing protection procedure. If a misbehaving UE is identified and if the radio access network is overloaded, then the method may further comprise performing a protection procedure. In one embodiment, the protection procedure comprises nulling the random access procedure by the eNB being configured to not receive any further messages from the UE and/or not acting on any further messages received from the UE.
In another embodiment, the protection procedure comprises nulling the random access request for a predetermined period of time.
The protection procedure may comprise delaying transmission of a message to the UE.
In one embodiment, the method may further comprise informing an operator of the UE and receiving instructions from the operator on whether to execute the protection procedure.
In another embodiment, the method further comprises sending a message to a server and then receiving instructions from the server on whether to execute the protection procedure.
In one embodiment, the method comprises receiving a message from a mobility management entity, MME, the message comprising instructions to execute the protection procedure.
In one embodiment, the transmission information comprises Angle of Arrival, Signal to noise ratio, transmission power, timing accuracy or pattern of random identifiers.
According to another aspect of the invention, there is provided an apparatus of identifying a misbehaving UE that is initiating random access procedure at least twice so as to access a radio access network, the apparatus comprises, a receiving module for receiving a random access request from a UE, an identifying module for identifying the UE based on transmission information and then determining if the UE has previously initiated random access procedure; and a determination module for determining if the UE has used at least one resource block that it has previously been allocated as a result of an earlier random access procedure. The determination module may further comprises mean for determining if any further messages were received from the UE after the earlier random access procedure. In one embodiment, the determination module further comprises means for determining if the UE has used at least one resource block previously allocated by identifying a cell radio network temporary identity, C-RNTI, or temporary cell radio network temporary identity, TC-RNTI, received in the earlier random access procedure and thereafter determining if C-RNTI or TC-RNTI was used in any subsequent messages received from the UE..
In another embodiment, the apparatus comprises a detection module for determining if the radio access network is overloaded. The detection module may further comprise means for determining if the availability of a radio access resource is below a predetermined level so as to determine if the radio access network is overloaded.
The apparatus may further comprise a protection module for performing a protection procedure should such a UE be identified.
In an alternative embodiment, if a misbehaving UE is identified and the radio access network is overloaded, then the apparatus further comprises a protection module for performing a protection procedure.
In one embodiment, the protection module comprises means for nulling the random access procedure by the eNB being configured to not receive any further messages from the UE and/or not acting on any further messages received from the UE. In another embodiment, the protection module further comprises means for nulling the random access request for a predetermined period of time.
The protection module may further comprise means for delaying transmission of a message to the UE. The apparatus may further comprise an information module for informing an operator of the UE and receiving instructions from the operator on whether to execute the protection procedure. The apparatus may further comprise a transmission module for sending a message to a server and then receiving instructions from the server on whether to execute the protection procedure.
In one embodiment, the transmission module is for receiving a message from a mobility management entity, MME, the message comprising instructions to execute the protection process.
In another aspect of the invention, there is provided an E-UTRAN Node B comprising an apparatus as described above.
In yet another aspect of the invention, there is provided an apparatus comprising a processor and a memory, the memory containing instructions executable by the processor, such that the apparatus is operable to carry out a method according to any one of claims 1 to 13 appended hereto.
In a further aspect of the invention, there is provided a method, performed by a Mobility Management Entity, MME, of identifying a misbehaving UE that is initiating random access procedure at least twice, the method comprises, receiving a S1AP message from an E-UTRAN Node B, eNB, and identifying the UE, and establishing if the UE is already registered with the MME, and if so, initiating a protection procedure.
In one embodiment, establishing if the UE is already registered with the MME comprises identifying an identifier of the UE included in the S1AP message. In another embodiment, the method comprises identifying SAE-Temporary Mobile Subscriber Identity, S-TMSI, included in the S1AP message and determining if a connection is already established for a UE with said S-TMSI.
In yet another embodiment, the method comprises identifying the UE initiating random access procedure by its International Mobile Subscriber Identity, IMSI, and determining if a connection is already established for a UE with said IMSI. The method may comprise determining if the Evolved Packet Core, EPC is overloaded and if so initiating the protection procedure. The method may comprise determining if the availability of a control plane resource is below a predetermined level so as to determine if the EPC is overloaded.
In one embodiment, initiating the protection procedure comprises informing the eNB if the UE is already registered with the MME.
In another embodiment, the protection procedure further comprises instructing the eNB to execute a protection procedure comprising any of the features as claimed in claims 8 to 1 1 appended hereto. In one embodiment, initiating the protection procedure comprises ignoring the SA1 P message by not sending a S1AP Downlink NAS Transport message to the UE.
In another aspect of the present invention, there is provided an apparatus of identifying a misbehaving UE that is initiating random access procedure at least twice, the apparatus comprises, a receiving module for receiving a S1AP message from an E- UTRAN Node B, eNB, an identification module for identifying a UE, a determination module for establishing if the UE is already registered with the MME, and a protection module for initiating a protection procedure if the UE is already registered with the MME.
In one embodiment, the determination module further comprises means for identifying an identifier of the UE included in the S1 AP message so as to establish if the UE is already registered with the MME. In another embodiment, the determination module further comprises means for identifying SAE-Temporary Mobile Subscriber Identity, S-TMSI, included in the S1AP message so as to determine if a connection is already established for the UE with said S-TMSI. In yet another embodiment, the determination module further comprises means for identifying the UE initiating random access procedure by its International Mobile Subscriber Identity, I MSI, so as to determine if a connection is already established for the UE with said IMSI.
The apparatus may comprise an EPC module for determining if the Evolved Packet Core, EPC is overloaded and if so sending a message to the protection module to initiate the protection procedure.
The EPC module may further comprise means for determining if the availability of a control plane resource is below a predetermined level so as to determine if the EPC is overloaded.
In one embodiment, the protection module for initiating the protection procedure further comprises an instruction module for informing the eNB if the UE is already registered with the MME.
In another embodiment, the instruction module is for instructing the eNB to execute a protection procedure comprising any of the features as claimed in claims 9 to 13 appended hereto. Alternatively, the protection module may be for ignoring the SA1 P message by not sending a S1AP Downlink NAS Transport message to the UE.
According to another aspect of the invention, there is provided a Mobility Management Entity, MME, comprising an apparatus as described above.
According to yet another aspect of the invention, there is provided an apparatus comprising a processor and a memory, the memory containing instructions executable by the processor, such that the apparatus is operable to carry out a method according to any one of claims 16 to 24 appended hereto.
According to a further aspect of the invention, there is provided a computer program configured, when run on a computer, to carry out a method according to any one of claims 1 to 13 or 16 to 24 appended hereto. According to another aspect of the invention, there is provided a computer program product comprising computer readable medium and a computer program as previously described stored on the computer readable medium
BRIEF DESCRIPTION OF THE DRAWINGS
Embodiments will now be described by way of example only in relation to the enclosed drawings, in which:
Figure 1 illustrates an example of a random access procedure;
Figure 2 illustrates an example of a flow chart according to an embodiment of the present invention;
Figure 3 illustrates an example of an embodiment of the present invention;
Figure 4 illustrates a format of a MAC PDU sent in a RAR message;
Figure 5 illustrates a format of a MAC RAR message;
Figure 6 illustrates an example of a flow chart according to another embodiment of the present invention;
Figure 7 illustrates another example of a message flow according to an embodiment of the present invention;
Figure 8 illustrates a flow chart according to an embodiment of the present invention; Figure 9a illustrates a flow chart according to another embodiment of the present invention;
Figure 9b illustrates the optional features of the flow chart in figure 9a;
Figure 10 illustrates a flow chart according to another embodiment of the present invention;
Figure 1 1 illustrates a flow chart according to yet another embodiment of the present invention;
Figure 12 illustrates a box diagram of an apparatus such as an eNB;
Figure 13 illustrates a box diagram of an apparatus such as an MME;
Figure 14 illustrates a box diagram of an apparatus such as an eNB;
Figure 15 illustrates a box diagram of an apparatus such as an eNB;
Figure 16 illustrates a box diagram of an apparatus such as an eNB;
Figure 17 illustrates a box diagram of an apparatus such as an MME;
Figure 18 illustrates a box diagram of an apparatus such as an MME; and
Figure 19 illustrates a box diagram of an apparatus such as an MME. DETAILED DESCRIPTION
The aspects of the present invention relates to a method performed, by an eNB of a Long-Term Evolution (LTE) network, of identifying a user equipment (UE) that is initiating random access procedure at least twice, or repeatedly, so as to access a radio access network. The method performed by the eNB can identify maliciously or inadvertently misbehaving UEs including UEs that are already in a RRC_CONNECTED state and/or ECM_CONNECTED state.
It should also be understood that the method can identify any kind of UE including, but not limited to, a user-operated portable communications device, such as smartphones, laptop computers or the like, or other portable devices, such as tracking devices or the like, and devices that are primarily intended to remain stationary in use, such as sensors, smart meters or the like. The UE may not necessarily have to be enabled with a universal subscriber identity module (USIM) in order to initiate random access procedure and so aspects of the method includes identifying both UEs that are not provided with a USIM as well as UEs that are provided with a USIM that may or may not already be connected to the LTE network.
It should also be understood that the term misbehaving UE used herein is to include malicious UEs whose intentions are to cause harm or damage, as well as inadvertently misbehaving UEs that are malfunctioning or defective but authorized to perform a particular function.
The random access procedure (RA procedure) will now be described with reference to figure 1.
During the RA procedure the network will learn for the first time that some UE 1 10 is trying to gain access and so prior to the RA procedure, the UE 1 10 does not yet have any resources or channels available to inform the network of its desire to connect. Therefore, to initiate RA procedure in LTE the UE 1 10 transmits a message 101 to an eNB 1 12 on Physical Random Access Channel (PRACH). The message 101 comprises a preamble which is a specific pattern or signature. The preamble differentiates requests coming in from different UEs. There are a total of 64 such patterns or signatures in LTE available to UEs and the UE 1 10 may decide any one of them randomly for contention-based random access procedure. However, it may be that two UEs use the same preamble at the same time which would result in a collision. The eNB 1 12 then sends a random access response 102 (RAR) to the UE 1 10 using a broadcast identifier (random access radio network temporary identifier, RA-RNTI). The RA-RNTI identifies the UE 1 10 and it is determined from the time slot number in which the preamble was sent.
The RAR 102 carries information such as temporary cell radio network temporary identity (TC-RNTI) for further communication which gives another identity to the UE 1 10. The RAR 102 further carries a timing advance command, an uplink grant (UL Grant) and a reserved bit R.
The UE 1 10 thereafter sends a radio resource control (RRC) connection request message (RRCConnectionRequest) 103 to the eNB 1 12. As mentioned above, the UE 1 10 is identified by TC-RNTI assigned in the previous RAR 102 sent by eNB 1 12, however the RRCConnectionRequest message 103 uses yet another UE identity S- TMSI (SAE-Temporary Mobile Subscriber Identity) or a random value. S-TMSI is used if the UE 1 10 has previously connected to the same network. With S-TMSI, the UE 1 10 is identified in the core network. Alternatively, the random value may be used if the UE 1 10 is connecting to the network for the very first time. The S-TMSI or random value is needed as there is a possibility that TC-RNTI has been assigned to more than one UE in the previous steps due to multiple requests coming in at the same time.
In the last message 104 of the RA procedure, the eNB 1 12 responds to the UE 1 10 by sending an RRCConnectionSetup message 104 to the UE 1 10. The
RRCConnectionSetup message 104 concludes contention resolution, meaning it resolves possible preamble collisions. The contention resolution serves to resolve a situation wherein two or more UEs have used the same random access preamble in the initial message 101 and being assigned the same TC-RNTI. These two UEs would both assume that they are intended recipient of RAR 102 and send
RRCConnectionRequest message 103 to the eNB 1 12. The eNB 1 12 will at best correctly receive one of these messages and by including the received UE identity (S- TMSI or random value) in the response message 104 to the UE 1 10 the eNB 1 12 indicates which of the UEs it is responding to. The TC-RNTI is then promoted to C- RNTI (cell radio network temporary identity) and will be used to address the UE 1 10 in further communications. The UE to which the RRCConnectionSetup 104 was not addressed will repeat the RA procedure. After the RA procedure, the UE sends an RRCConnectionSetupComplete message to the eNB which then in turn sends a S1AP Initial UE Message to a Mobility
Management Entity (MME). Thereafter, further messages are exchanged, however these will not be described herein.
A method according to an embodiment of the present invention will now be described with reference to the flow chart shown in figure 2. In this embodiment, the method is performed by an eNB and the eNB identifies a maliciously or inadvertently misbehaving UE during the RA procedure and thereafter takes appropriate action in order to minimise overloading the network. However, when taking such action, the eNB is configured to minimise disruption of legitimate UEs that are genuinely attempting to access the network. At first, the eNB awaits a random access message as represented by step 201 in figure 2. The eNB then receives a RA message from a UE, step 202. This message corresponds to message 101 or 103 described with reference to figure 1. Upon receiving such a RA message from a UE, the eNB records transmission information 203 comprising features specific to the UE. Transmission information is any information identifying the UE transmitted from said UE to the eNB. Examples of this include angle of arrival (AoA), signal to noise ratio (SNR), transmission power of the signal or accuracy in timing.
Angle of arrival is measured by the eNB by determining the direction of propagation of the radio frequency wave sent by the UE incident on an antenna of the eNB. It may be that the eNB is configured to measure the angle of arrival with a greater or a lower level of accuracy. For example, it may be that the cell of an eNB is divided into several predetermined regions and the eNB records the AoA as it falls within one of these said regions. The number of predetermined regions can vary depending on the level of accuracy required. Alternatively, the eNB can be configured to measure the angle of arrival using of multi-input multi-output (MIMO) antennas.
Signal to noise ratio (SNR) of any available channel can be measured, for example, the PRACH or the Physical Uplink Shared Channel (PUSCH). As the SNR can be specific to a UE, the eNB can identify the UE by the SNR. The level of transmission power of the signal sent by the UE can also be measured by the eNB in order to identify said UE. As mentioned above accuracy in timing of receiving messages or signals from UE may also be measured as a feature to identify a UE.
The eNB may rely on any other transmission information and so it should be understood that the present invention is not limited to AoA, SNR, level of transmission power or timing accuracy. The eNB may use other transmission information, for example, the eNB may be configured to establish a pattern of random identifiers that a UE is sending to the eNB. Random identifiers may include the preamble chosen by UE in message 101 , and/or the random value or S-TMSI in message 103. Furthermore, it should be understood that the eNB may use only one of the transmission information mentioned above, or a combination thereof. Referring now again to figure 2, once the transmission information has been recorded, the eNB determines if the transmission information or those features are associated with a maliciously or inadvertently misbehaving UE, step 204. This step comprises the eNB determining if the transmission information recorded in step 203 has previously been recorded and if so, if the transmission information has been associated with a misbehaving UE.
If the eNB determines that the identified UE is a legitimate UE that is not misbehaving then the eNB monitors the usage of resource blocks allocated in the RA procedure step 206. The eNB then determines if the resource blocks allocated during the RA procedure are being used, step 207. Unused resource blocks can be indicative of the UE being maliciously or inadvertently misbehaving as will be explained in more detail below.
The eNB determining if the UE has used at least one resource block allocated in the RA procedure will now be described.
A resource block in LTE is a unit of a carrier in a frequency and time domain. A resource block consists of 12 consecutive subcarriers in the frequency domain and one 0.5ms slot in the time domain as is known to the skilled person in the art. The eNB determines if the UE has used at least one resource block allocated as a result of the RA procedure by determining if any further messages, Mn 305, has been received from the UE after said RA procedure M1 to M4, 301 , 302, 303, 304 as seen in figure 3. If a further message, Mn 305, has been received from the UE, then the UE must have used at least one resource block in order to send said message. A further message, Mn 305, may be a message relating to authentication of the UE, configuration of the connection or other uplink data.
Referring now to figure 4, a Media Access Control Protocol Data Unit (MAC PDU) 401 for a Random Access Response RAR 102 is shown. The MAC PDU comprises a MAC header 402 and MAC RARs 403. The MAC header 402 comprises amongst other things, the preamble initially sent by the UE. The MAC RARs 403 comprises actual response information for the UE.
The format of a MAC RAR 501 is shown in figure 5, where it can be seen that it comprises an Uplink Grant (UL Grant) 502. The UL Grant 502 comprises a resource block allocation which is resource blocks allocated by the eNB for the UE to send information to the eNB.
The method of determining if the UE has used at least one resource block allocated during the RA procedure may therefore comprise determining if the resource blocks sent in the UL Grant in the RA procedure has been used.
Referring again to figure 2, if the eNB determines that the resource blocks allocated during the RA procedure are being used then it is determined that the UE is not a maliciously or inadvertently misbehaving UE and the eNB and the UE proceed as normal, step 208. On the other hand, if the eNB determines that the resource blocks are not being used, then the detection counter of unused resource blocks are increased, step 209. If the detection counter exceeds a threshold, step 210, then the eNB records the UE and its transmission information as a potential malicious or advertent misbehaving UE 21 1 so that should the UE perform RA procedure again it would be identified as a misbehaving UE (step 205) and necessary protection procedural steps will be taken as is described in more detail below. Additionally or alternatively, the necessary protection procedural steps may also be instantly implemented so as to null the UE.
Referring again to step 210, if the detection counter does not exceed a threshold, then the eNB and the UE proceed as normal, step 208. Referring now again to step 204 in figure 2, if the eNB determines that the transmission information or the features of the UE is associated with malicious or inadvertent behaviour then the eNB knows that the identified UE has previously initiated RA procedure without using at least one resource block allocated during said previous RA procedure. As a result, the eNB may execute a protection procedure or preventative action, step 205. The preventative action may comprise nulling by blocking or ignoring the RA request such that the eNB no longer acts upon any further received messages. Nulling may be achieved by beamforming, advanced signal processing or antenna techniques.
The protection procedure may alternatively comprise nulling including blocking, ignoring or cancelling the RA procedure for a pre-determined period of time, such as 30 seconds. This would eliminate a maliciously or inadvertently misbehaving UE from overloading or harming the network, whilst at the same time limiting disruption of legitimate UEs that are genuinely trying to access to the network.
Alternatively, the protection procedure may comprise the eNB delaying transmitting any response messages to the UE by for example delaying transmitting the RAR 102 or the RRCConnectionSetup message 104 (see figure 1 ) to the UE. This method reduces the overloading impact such a UE may have on the network whilst causing minimal disruption to a legitimate UE trying to gain access to the network.
In yet another embodiment, the protection procedure may comprise informing an Operation and Maintenance centre (O&M) such as a Network Operation Centre (NOC). At the O&M the information may be handled by a person or by a software. For example, a person may assess whether the UE is malicious, malfunctioning or legitimate, and thereafter decide on the most appropriate action and inform the eNB accordingly. Alternatively, the information may be handled by a software which analyses the information and by applying an algorithm determines the status of the UE and which, if any, protection procedure needs to be performed by the eNB. The software may have information at a larger scale, for example information from several eNBs, such that the software can discover a large scale attack of malicious or misbehaving UEs. An alternative embodiment of a method 600 will now be described with reference to figure 6. This embodiment differs from the method 200 in that it further comprises a preliminary step wherein the eNB determines whether the radio access resources are near depletion, or in other words whether the radio access network is overloaded. This is shown as step 601 a. The eNB determines whether the radio access network is overloaded by directly measuring the availability of a radio access resource such as number of resource blocks available, or the processing capacity of the eNB. These are just examples of network access resources and it should be understood that any appropriate radio access resource may be used. When the level of one of these radio access resources is below a predetermined level the eNB determines that the radio access network is overloaded and that its resources are at or near depletion. The eNB then decides to implement method 200, such that number of maliciously or
inadvertently misbehaving UEs repeatedly initiating RA procedure is reduced. The steps 601 to 61 1 correspond to the method steps 201 to 21 1 in figure 2 and so will not be described in any detail.
As an alternative to directly measuring the availability of resources, the eNB may determine the load of the network by using key performance indicator, KPI, and when the KPI reaches a certain level, the eNB determines that the network is overloaded.
The advantage of the preliminary step 601 a is that it determines when steps 601 to 61 1 are required. For example, when the network is not overloaded, malicious or inadvertently misbehaving UEs do not affect the operation of the network or legitimate UEs and so there is no need to execute steps 601 to 61 1 . Furthermore, by only executing steps 601 to 61 1 when required, the risk of legitimate UEs being
unintentionally nulled by the eNB is reduced.
The preliminary step 601 a can continuously run in the background such that the loading of the network is constantly monitored. Alternatively, the preliminary step 601 a may be initiated periodically.
In yet another embodiment, the preliminary step 601 a may be introduced as an intermediary step, for example after step 604 when a UE has been identified as maliciously or inadvertently misbehaving. The eNB can then determine if the network is overloaded and thereafter decided whether to execute the preventative action in step 605. Advantages of the embodiments described above include that the eNB can identify or discern UEs that are legitimate from UEs that are maliciously or inadvertently misbehaving as the UEs initiate RA procedure. The eNB can then prevent these identified misbehaving UEs from repeatedly performing RA procedure and overloading the network with RA messages. Thus, eNB can maintain Quality of Service.
In figure 7, a method 700 according to another embodiment is shown. In this method an eNB 701 and an MME 703 are cooperating so as to determine if a UE that is repeatedly performing RA procedure is maliciously or inadvertently misbehaving. Advantages of this method include that several eNBs can cooperate with the same MME 703 such that the MME can establish a comprehensive picture of resource availability across the radio access network and the core network. Additionally, method 700 also identifies UEs that are enabled with a Universal subscriber identity module (USIM) and are already connected to the network but are maliciously or defectively initiating RA procedure. These UEs may deceive the eNB by transitioning to a
RRC_CONNECTED state and/or ECM_CONNECTED state during normal connection set up, and thereafter sending pseudo-data using the allocated resource blocks such that an eNB may not identify UEs repeatedly initiating RA procedure, or RRCJDLE to RRC_CONNECTED state transition procedure, thereby overloading the network.
The method 700 comprises a UE 701 initiating a RA procedure with eNB 702. The RA procedure comprises steps 704, 705, 706, 707 which correspond to the exchange of messages 101 , 102, 103, 104, respectively described above with reference to figure 1 . The eNB may initiate recordal of transmission information after the first RA message 704 and/or the RRCConnectionRequest message 706, similar to that described in method 200 and 600.
After the RA procedure is completed, the UE sends an RRCConnectionSetupComplete 708 message to eNB. The eNB then sends a S1AP initial UE message 709 to the MME 703. The MME 703 determines if a S1 connection already exists for the UE 710. The MME does so by detecting if the S-TMSI provided by the UE in the
RRCConnectionRequest message 706 and forwarded by the eNB to the MME in the S1AP message belongs to a UE for which there is already an S1 connection established. If an S1 connection already exists, then the MME informs the eNB 71 1 , using a new or a modified S1AP message, that the RA procedure is from a potentially maliciously or inadvertently misbehaving UE. The eNB then stores the recorded transmission information and the information received from the MME so that the eNB can null future attacks from the same UE. Alternatively, the eNB may also execute a protection procedure as in methods 200 and 600. The eNB may run a miss-behaviour detection algorithm 712 in order to determine which action of the protection procedure to perform. The protection procedure may be any of those described above with reference to method 200 and 600. However, it may be that the UE is not malicious but that there has been a loss of state synchronization between the UE and the network. In these cases, the MME may accept a predetermined number of requests from the UE before nulling the UE.
As an optional alternative to informing the eNB, step 71 1 , the MME may simply ignore the UE and discard the Initial UE Message. This provides the advantage that the S1 AP protocol is not impacted and hence proprietary implementations would be possible.
The UE 701 may try to avoid detection by the MME 703 by using a random value, rather than the S-TMSI, sent in RRCConnectionRequest message 706 to eNB such that the MME to which the eNB sends the SA1 P Initial UE Message may be a MME different to the MME which is already aware of the UEs presence. Depending on the number of MMEs forming an MME pool to which the eNB is connected, the UE may go undetected for a number of RRCJDLE to RRC_CONNECTED state procedures. However, the number of MMEs in a pool is typically small and so the UE will eventually connect to an MME where it is already known. It shall be understood that the method 700 may comprise a preliminary step similar to preliminary step 601 a as described above with reference to figure 6. In such an embodiment, the MME will only perform step 710 if the evolved packet core (EPC) is overloaded. Thus, the MME determines if the EPS is overloaded before executing step 710. Alternatively, the MME may determine, as an intermediary step, if the EPC is overloaded after it has identified a malicious or misbehaving UE, step 710, but before informing the eNB 71 1 of its findings.
The MME may establish if the EPC is overloaded by determining if the availability of a control plane resource is below a predetermined level. A control plane resource may be number of messages that the MME is able to send or receive, or the processing capacity of the MME. For example, in one embodiment, the control plane resource may be MME available/idle CPU time. It should be understood that these are only examples of control plane resources and that it may include other parameters.
In one embodiment, a Key Performance Indicator, KPI, of the EPS is determined. If the KPI is above or below a predetermined level then the MME determines that the EPS is overloaded.
The preliminary and intermediary steps provide the advantage that the MME does not ignore a UE or inform the eNB of a malicious or misbehaving UE unless the core network is overloaded, or control plane resources are at or near depletion. Thus, the chances of genuine UEs (for example, where state synchronization between the UE and the network has been lost) being disrupted is reduced.
The above methods provide the advantage of identifying a UE that is initiating RA procedure more than once. If the identified UE is identified and determined as being a maliciously or inadvertently misbehaving UE, then the eNB or the MME can initiate protection procedure to reduce the network resources that are used on the
misbehaving UE. Advantageously, the above methods enable UEs to be identified and tracked such that a UE initiating RA procedure more than once can be identified already after the initial RA message and thereafter nulled before the eNB sends a RAR message to the UE.
Alternative embodiments will now be described with reference to figures 8 to 19.
In figure 8, a method performed by an eNB is shown. The method is for identifying a maliciously or inadvertently misbehaving UE that is initiating random access procedure at least twice so as to access a radio access network. The method comprises receiving a random access request from a UE 801 , and identifying the UE based on transmission information 802 and then determining if the UE has previously initiated random access procedure 803. If so, the method further comprises determining if the UE has used at least one resource block that it has previously been allocated as a result of an earlier random access procedure. Another embodiment of a method will now be described with reference to figure 9. This embodiment comprises corresponding steps to steps 801 , 802, 803 and 804 that are denoted 901 , 902, 903 and 904. In addition, the method further comprises determining if the UE has used at least one resource block previously allocated by determining if any further messages were received from the UE after the earlier random access procedure. In one embodiment, this is achieved by identifying a cell radio network temporary identity, C-RNTI, or temporary cell radio network temporary identity, TC- RNTI, received in the earlier random access procedure and thereafter determining if C- RNTI or TC-RNTI was used in any subsequent messages received from the UE 906.
The method 900 further comprises determining if the radio access network is overloaded 907. This may be achieved by determining if the availability of a radio access resource is below a predetermined level so as to determine if the radio access network is overloaded 908. If the radio access network is overloaded and a UE is identified as initiating random access procedure at least twice, then the method further comprises performing a protection procedure 909.
Alternatively, the method comprises performing the protection procedure if a UE is identified as initiating random access procedure at least twice, regardless of whether the network is overloaded or not, 909.
Further alternative steps of the method 900 will now be described with reference to figure 9b. The method steps described in this figure show what an eNB may do if a misbehaving UE is identified as initiating random access procedure at least twice. The steps are shown in dashed lined boxes indicative of them being optional. Furthermore, as these steps may be alternative to one another and do not necessarily follow a specific order, the different steps are not shown with preceding and succeeding arrows.
One step in figure 9b shows the protection procedure 910 comprising nulling the random access procedure by the eNB being configured to not receive any further messages from the UE and/or not acting on any further messages received from the UE 910a. The nulling of the random access request may occur for a predetermined period of time so as not to disrupt genuine UEs trying to access the network.
Alternatively, the protection procedure may comprise delaying transmission of a message to the UE 910b. The method may further comprise step 91 1 of informing an operator of the identified UE and receiving instructions from the operator on whether to execute the protection procedure in steps 910a, 910b. In yet another embodiment, the method comprises sending a message to a server and then receiving instructions from the server on whether to execute the protection procedure 912.
In another embodiment, the eNB receives a message from a mobility management entity, MME, 913 the message comprising instructions to execute the protection procedure as described in steps 910a and 910b.
It should be understood that transmission information used to identify a UE may comprise Angle of Arrival, Signal to noise ratio, transmission power, timing accuracy or pattern of random identifiers as described previously. Regarding random identifiers, the eNB may be configured to establish a pattern of random identifiers that a UE is sending to the eNB so as to identify the UE. Random identifiers may include the preamble chosen by UE in message 101 , and/or the random value or S-TMSI in message 103 as described in figure 1 . Furthermore, it should be understood that the eNB may use only one of the transmission information mentioned above, or a combination thereof.
A method 1000 performed by an MME will now be described with reference to figure 10. The method is for identifying a maliciously or inadvertently misbehaving UE that is initiating random access procedure at least twice. The method comprises, receiving a S1 AP message from an eNB 1001 , identifying the UE 1002, and establishing if the UE is already registered with the MME 1003, and if so, initiating a protection procedure 1004. This method identifies maliciously or inadvertently misbehaving UEs that have not been identified by eNBs. This may happen when a UE transitions to a
RRC_CONNECTED state and/or ECM_CONNECTED state during normal connection set up, and thereafter sends pseudo-data to the eNB using the allocated resource blocks such that an eNB may not identify UEs repeatedly initiating RA procedure, thereby overloading the network.
Another embodiment of a method 1 100 performed by an MME will now be described with reference to figure 1 1. This method 1 100 is similar to that of method 1000 and steps 1 101 , 1 102, 1 103 and 1 108 correspond to steps 1001 , 1002, 1003 and 1004. In addition, method 1 100 comprises a few optional alternative steps as indicated by dashed lines. For example, the MME may establish if the UE is already registered with the MME by identifying an identifier of the UE included or embedded in the S1 AP message 1 104. Such an identifier may be S-TMSI included in the S1AP message 1 105. Alternatively, other identifiers may be used that is included in the NAS embedded in the S1AP message, for example, Globally Unique Temporary ID (GUTI) or
International Mobile Station Equipment Identify (IMEI). The method may further comprise determining if the Evolved Packet Core, EPC is overloaded and if so initiating the protection procedure 1 106. Determining if the EPC is overloaded may be achieved by determining if the availability of a control plane resource is below a predetermined level 1 107.
In one embodiment, the protection procedure may comprise informing the eNB if the UE is already registered with the MME 1 109. The protection procedure may further comprise instructing the eNB to execute a protection procedure comprising any of the features as described with reference to figures 8, 9a and 9b, 1 1 10.
In an alternative embodiment, the protection procedure comprises ignoring the SA1 P message by not sending a S1 AP Downlink NAS Transport message to the UE 1 1 1 1 .
Although method 1 100 is shown in figure 1 1 as steps in a specific order, it should be understood that the method 1 100 is not limited to the shown order. For example, the step of determining if the EPC is overloaded, may occur before step 1 101 . Methods 800, 900, 1000 and 1 100 described above provide the same advantages as those described above with reference to methods 200, 600, 700.
The methods 200, 600, 800 and 900 described above may be conducted by an eNB or an apparatus forming part of an eNB. The methods may be conducted on receipt of suitable computer readable instructions, which may be embodied within a computer program running on the apparatus or the eNB. Figure 12 illustrate an example of an apparatus forming part of an eNB, or an eNB, 1200, which may execute the methods 200, 600, 800 and 900 of the present invention, for example on receipt of suitable instructions from a computer program. Referring to figure 12 the apparatus or eNB comprises a processor and a memory. The memory containing instructions executable by the processor, such that the apparatus or eNB is operable to carry out any of the embodiments of methods 200, 600, 800 and 900.
Similarly, the methods 700, 1000 and 1 100 described above may be conducted by an MME or an apparatus forming part of an MME. The methods may be conducted on receipt of suitable computer readable instructions, which may be embodied within a computer program running on the apparatus or the MME. Figure 13 illustrate an example of an apparatus forming part of an MME, or an MME, 1300, which may execute the methods 700, 1000, 1 100 of the present invention, for example on receipt of suitable instructions from a computer program. Referring to figure 13 the apparatus or MME comprises a processor and a memory. The memory containing instructions executable by the processor, such that the apparatus or MME is operable to carry out any of the embodiments of methods 700, 1000, 1 100. Figure 14, illustrates functional modules in another embodiment of an apparatus which may form part of an eNB. The apparatus is for identifying a misbehaving UE that is initiating random access procedure at least twice so as to access a radio access network and may execute any of methods 200, 600, 800 and 900 described herein, for example, according to computer readable instructions received from a computer program. It will be understood that the modules illustrated in figure 14 are software implemented functional modules, and may be realised in any appropriate combination of software modules.
Referring again to figure 14, the apparatus comprises a receiving module 1401 for receiving a random access request from a UE, an identifying module 1402 for identifying the UE based on transmission information and then determining if the UE has previously initiated random access procedure. The apparatus further comprises a determination module 1403 for determining if the UE has used at least one resource block that it has previously been allocated as a result of an earlier random access procedure.
The apparatus also comprises a processor for executing the software or modules and a memory for storing the different modules. In figure 15, another embodiment of functional modules is shown. Similarly to figure 14, the apparatus 1500 comprises a receiving module 1501 , identifying module 1502 and a determination module 1503. The determination module 1503 may further comprise means for determining if any further messages were received from the UE after the earlier random access procedure.
In one embodiment, the determination module 1503 further comprises means for determining if the UE has used at least one resource block previously allocated by identifying a cell radio network temporary identity, C-RNTI, or temporary cell radio network temporary identity, TC-RNTI, received in the earlier random access procedure and thereafter determining if C-RNTI or TC-RNTI was used in any subsequent messages received from the UE..
In another embodiment, the apparatus 1500 further comprising a detection module 1504 for determining if the radio access network is overloaded. The detection module 1504 may further comprise means for determining if the availability of a radio access resource is below a predetermined level so as to determine if the radio access network is overloaded.
In yet another embodiment, the apparatus further comprises a protection module 1505 for performing a protection procedure should such a UE be identified. The protection module 1505 may alternatively perform a protection procedure once the misbehaving UE has been identified and the detection module 1504 has determined that the radio access network is overloaded.
The protection module 1505 comprises means for nulling the random access procedure by the eNB being configured to not receive any further messages from the UE and/or not acting on any further messages received from the UE.
Alternatively, the protection module 1505 further comprises means for nulling the random access request for a predetermined period of time, or means for delaying transmission of a message to the UE by a predetermined time such as 30 seconds. In one embodiment, the apparatus further comprises an information module 1506 for informing an operator of the UE and receiving instructions from the operator on whether to execute the protection procedure. The apparatus 1500 may also comprise a transmission module 1507 for sending a message to a server and then receiving instructions from the server on whether to execute the protection procedure. The transmission module may additionally and/or alternatively be for receiving a message from a mobility management entity, MME, the message comprising instructions to execute the protection process.
It should be understood that the apparatus in figure 15 may be an eNB or form part of an eNB and that it provides the same advantages as method 200, 600, 800 and 900.
In figure 16, an apparatus is shown that may form part or be an eNB. In this embodiment, the apparatus comprises a processor 1601 and a memory 1602, and an input/out (I/O) interface 1603 for receiving and sending messages to a UE and an MME. The apparatus is configured so as to identify a misbehaving UE that is initiating random access procedure at least twice so as to access a radio access network. The apparatus is further configured to receive a random access request from a UE, identify the UE based on transmission information and then determine if the UE has previously initiated random access procedure; and determine if the UE has used at least one resource block that it has previously been allocated as a result of an earlier random access procedure. The apparatus may be further configured to perform any of methods 200, 600, 800 and 900.
Figure 17, illustrates functional modules in another embodiment of an apparatus which may form part of an MME. The apparatus is for identifying a misbehaving UE that is initiating random access procedure at least twice and may execute any of methods 700, 1000 and 1 100 described herein, for example, according to computer readable instructions received from a computer program. It will be understood that the modules illustrated in figure 16 are software implemented functional modules, and may be realised in any appropriate combination of software modules.
Referring again to figure 17, the apparatus comprises, a receiving module 1701 for receiving a S1AP message from an E-UTRAN Node B, eNB, and an identification module 1702 for identifying the UE, a determination module1703 for establishing if the UE is already registered with the MME, and a protection module 1704 for initiating a protection procedure if the UE is already registered with the MME.
The apparatus also comprises a processor for executing the software or modules and a memory for storing the different modules.
Figure 18 shows another embodiment of functional modules of an apparatus 1800 that may form part of an MME. The apparatus 1800 is similar to that shown in figure 17 and comprises functional modules; receiving module, 1801 , identification module 1802, determination module 1803 and protection module 1804 corresponding to modules 1701 , 1702, 1703 and 1704.
In addition, determination module 1803 may further comprise means for identifying an identifier of the UE included in the S1 AP message so as to establish if the UE is already registered with the MME. The determination module 1803 may for example identify SAE-Temporary Mobile Subscriber Identity, S-TMSI, included in the S1AP message so as to determine if a connection is already established for the UE with said S-TMSI. Alternatively, the determination module 1803 may identify GUTI or IMEI included in the NAS embedded in the S1AP message. Additionally and/or alternatively, the determination module 1803 may further comprise means for identifying the UE initiating random access procedure by its International Mobile Subscriber Identity, I MSI, so as to determine if a connection is already established for the UE with said IMSI.
The apparatus may comprise an EPC module 1805 for determining if the Evolved Packet Core, EPC is overloaded and if so sending a message to the protection module to initiate the protection procedure. The EPC module 1805 may further comprise means for determining if the availability of a control plane resource is below a predetermined level so as to determine if the EPC is overloaded. The protection module 1804 may comprise an instruction module 1806 for informing the eNB if the UE is already registered with the MME. Alternatively, the instruction module 1806 may be for instructing the eNB to execute a protection procedure comprising any of the features as described in methods 200, 600, 800 and 900.
In an alternative embodiment, the protection module 1804 comprises means for ignoring the SA1 P message by not sending a S1 AP Downlink NAS Transport message to the UE. It should be understood that the apparatus 1700 and 1800 shown in figures 17 and 18 may form part of or be an MME. In figure 19, an apparatus 1900 is shown that may form part or be an MME. In this embodiment, the apparatus comprises a processor 1901 and a memory 1902, and an input/out (I/O) interface 1903 for receiving and sending messages to an eNB. The apparatus 1900 is configured to identify a misbehaving UE that is initiating random access procedure at least twice. The apparatus is further configured to receive a S1 AP message from an eNB, identify a UE, establish if the UE is already registered with the MME, and initiate a protection procedure if the UE is already registered with the MME. The apparatus may also be configured to carry out any of methods 700, 1000 and 1 100. Aspects of the present invention thus provide methods, apparatus and computer programs enabling an apparatus of an eNB and an MME, or an eNB or MME, to prevent or reduce the number of random access procedures initiated by maliciously or inadvertently misbehaving UEs. It should be noted that the above-mentioned embodiments illustrate rather than limit the invention, and that those skilled in the art will be able to design many alternative embodiments without departing from the scope of the appended claims. The word "comprising" does not exclude the presence of elements or steps other than those listed in a claim, "a" or "an" does not exclude a plurality, and a single feature or other unit may fulfil the functions of several units recited in the claims. Any reference signs in the claims shall not be construed so as to limit their scope.

Claims

1 . A method, performed by an E-UTRAN, eNB, of identifying a misbehaving UE that is initiating random access procedure at least twice so as to access a radio access network, the method comprises,
receiving a random access request from a UE,
identifying the UE based on transmission information and then determining if the UE has previously initiated random access procedure; and
determining if the UE has used at least one resource block that it has previously been allocated as a result of an earlier random access procedure.
2. A method according to claim 1 , wherein the step of determining if the UE has used at least one resource block previously allocated comprises determining if any further messages were received from the UE after the earlier random access procedure.
3. A method according to any preceding claims, wherein the step of determining if the UE has used at least one resource block previously allocated comprises identifying a cell radio network temporary identity, C-RNTI, or temporary cell radio network temporary identity, TC-RNTI, received in the earlier random access procedure and thereafter determining if C-RNTI or TC-RNTI was used in any subsequent messages received from the UE.
4. A method according to any of claims 1 to 3, wherein the method further comprises determining if the radio access network is overloaded.
5. A method according to claim 4, wherein the method further comprises
determining if the availability of a radio access resource is below a predetermined level so as to determine if the radio access network is overloaded.
6. A method according to any of claims 1 to 5, wherein, if such a UE is identified, then the method further comprises performing a protection procedure.
7. A method according to any of claims 4 or 5, wherein, if such a UE is identified and if the radio access network is overloaded, then the method further comprises performing a protection procedure.
8. A method according to claims 6 or 7, wherein the protection procedure comprises nulling the random access procedure by the eNB being configured to not receive any further messages from the UE and/or not acting on any further messages received from the UE.
9. A method according to claim 8, wherein the protection procedure comprises nulling the random access request for a predetermined period of time.
10. A method according to any of claims 6 to 9, wherein the method further comprises informing an operator of the UE and receiving instructions from the operator on whether to execute the protection procedure.
1 1 . A method according to any of claims 6 to 9, wherein the method further comprises sending a message to a server and then receiving instructions from the server on whether to execute the protection procedure.
12. A method according to any of claims 6 to 9, further comprising receiving a message from a mobility management entity, MME, the message comprising instructions to execute the protection procedure.
13. A method according to any preceding claim, wherein transmission information comprises Angle of Arrival, Signal to noise ratio, transmission power, timing accuracy or pattern of random identifiers.
14. An apparatus of identifying a misbehaving UE that is initiating random access procedure at least twice so as to access a radio access network, the apparatus comprises,
a receiving module for receiving a random access request from a UE, an identifying module for identifying the UE based on transmission information and then determining if the UE has previously initiated random access procedure; and a determination module for determining if the UE has used at least one resource block that it has previously been allocated as a result of an earlier random access procedure.
15. An apparatus comprising a processor and a memory, the memory containing instructions executable by the processor, such that the apparatus is operable to carry out a method according to any one of claims 1 to 13.
16. A method, performed by a Mobility Management Entity, MME, of identifying a misbehaving UE that is initiating random access procedure at least twice, the method comprises,
receiving a S1 AP message from an E-UTRAN Node B, eNB, and identifying the UE, and
establishing if the UE is already registered with the MME, and if so, initiating a protection procedure.
17. A method according to claim 16, wherein establishing if the UE is already registered with the MME comprises identifying an identifier of the UE included in the S1AP message.
18. A method according to claims 16 or 17, wherein the method comprises identifying SAE-Temporary Mobile Subscriber Identity, S-TMSI, included in the S1AP message and determining if a connection is already established for a UE with said S-TMSI.
19. A method according to claim 16 or 17, wherein the method comprises identifying the UE initiating random access procedure by its International Mobile Subscriber Identity, IMSI, and determining if a connection is already established for a UE with said IMSI.
20. A method according to any of claims 16 to 19, comprising determining if the Evolved Packet Core, EPC is overloaded and if so initiating the protection procedure.
21 . A method according to claim 20, wherein the method comprises determining if the availability of a control plane resource is below a predetermined level so as to determine if the EPC is overloaded.
22. A method according to any of claims 16 to 21 , wherein initiating the protection procedure comprises informing the eNB if the UE is already registered with the MME.
23. A method according to claim 22, wherein the protection procedure further comprises instructing the eNB to execute a protection procedure comprising any of the features as claimed in claims 8 to 1 1 .
24. A method according to any of claims 16 to 21 , wherein initiating the protection procedure comprises ignoring the SA1 P message by not sending a S1 AP Downlink NAS Transport message to the UE.
25. An apparatus of identifying a misbehaving UE that is initiating random access procedure at least twice, the apparatus comprises,
a receiving module for receiving a S1AP message from an E-UTRAN Node B, eNB,
an identification module for identifying a UE,
a determination module for establishing if the UE is already registered with the MME, and
a protection module for initiating a protection procedure if the UE is already registered with the MME.
26. An apparatus comprising a processor and a memory, the memory containing instructions executable by the processor, such that the apparatus is operable to carry out a method according to any one of claims 16 to 24.
27. A computer program configured, when run on a computer, to carry out a method according to any one of claims 1 to 13 or 16 to 24.
28. A computer program product comprising computer readable medium and a computer program according to claim 27 stored on the computer readable medium
PCT/EP2015/061021 2015-05-19 2015-05-19 Identifying a misbehaving ue initiating a random access procedure WO2016184505A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
PCT/EP2015/061021 WO2016184505A1 (en) 2015-05-19 2015-05-19 Identifying a misbehaving ue initiating a random access procedure

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/EP2015/061021 WO2016184505A1 (en) 2015-05-19 2015-05-19 Identifying a misbehaving ue initiating a random access procedure

Publications (1)

Publication Number Publication Date
WO2016184505A1 true WO2016184505A1 (en) 2016-11-24

Family

ID=53276844

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/EP2015/061021 WO2016184505A1 (en) 2015-05-19 2015-05-19 Identifying a misbehaving ue initiating a random access procedure

Country Status (1)

Country Link
WO (1) WO2016184505A1 (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109275145A (en) * 2018-09-21 2019-01-25 腾讯科技(深圳)有限公司 Device behavior detection and blocking processing method, medium and electronic device
WO2023099113A1 (en) * 2021-12-01 2023-06-08 Telefonaktiebolaget Lm Ericsson (Publ) Open radio access network blocking policy

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20030171120A1 (en) * 2002-03-06 2003-09-11 Mustapha Mazlyn Mona Method of setting up a call connection, a method of preventing or alleviating denial of service attacks, a ratio telecommunications network, and a base station
US20120155274A1 (en) * 2010-12-20 2012-06-21 Yi-Pin Eric Wang DENIAL OF SERVICE (DoS) ATTACK PREVENTION THROUGH RANDOM ACCESS CHANNEL RESOURCE REALLOCATION
US20140206343A1 (en) 2013-01-21 2014-07-24 Eden Rock Communications, Llc Method for uplink jammer detection and avoidance in long-term evolution (lte) networks

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20030171120A1 (en) * 2002-03-06 2003-09-11 Mustapha Mazlyn Mona Method of setting up a call connection, a method of preventing or alleviating denial of service attacks, a ratio telecommunications network, and a base station
US20120155274A1 (en) * 2010-12-20 2012-06-21 Yi-Pin Eric Wang DENIAL OF SERVICE (DoS) ATTACK PREVENTION THROUGH RANDOM ACCESS CHANNEL RESOURCE REALLOCATION
US20140206343A1 (en) 2013-01-21 2014-07-24 Eden Rock Communications, Llc Method for uplink jammer detection and avoidance in long-term evolution (lte) networks

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109275145A (en) * 2018-09-21 2019-01-25 腾讯科技(深圳)有限公司 Device behavior detection and blocking processing method, medium and electronic device
EP3780690A4 (en) * 2018-09-21 2022-02-09 Tencent Technology (Shenzhen) Company Limited Device behavior detection method, blocking processing method, medium and electronic device
CN109275145B (en) * 2018-09-21 2022-04-12 腾讯科技(深圳)有限公司 Device behavior detection and barrier processing method, medium and electronic device
US12225381B2 (en) 2018-09-21 2025-02-11 Tencent Technology (Shenzhen) Company Limited Device behavior detection method, blocking processing method, medium, and electronic device
WO2023099113A1 (en) * 2021-12-01 2023-06-08 Telefonaktiebolaget Lm Ericsson (Publ) Open radio access network blocking policy

Similar Documents

Publication Publication Date Title
JP6743283B2 (en) Network slice selection method, wireless access device, and terminal
US20190045571A1 (en) Method of Handling Radio Link Failure and Related Communication Device
US8498664B2 (en) Method and apparatus for handling barred cell in wireless communication system
CN109962756A (en) Communication method and device
US11218880B2 (en) Control signaling in a wireless communication system
US10143012B2 (en) Random access procedure in wireless device, radio base station and methods therein
EP3777424B1 (en) Methods and system for transmitting a temporary identifier
KR20220082816A (en) Protection of system information in the network function of the core network
US12063558B2 (en) Early data transmission for dual connectivity or carrier aggregation
KR20120046211A (en) Preventing misuse of random access procedure in wireless communication system
CN108696893B (en) Uplink data sending method, device, base station and user equipment
US20240015684A1 (en) Methods and apparatuses for zero trust cell broadcasts
EP3005806A1 (en) Telecommunications apparatus and method relating to a random access procedure
US11659598B2 (en) Method and devices of performing a random access procedure between a user equipment, UE, and a radio access network of a telecommunication network
EP3468283B1 (en) Wireless communication channel scan
US20220256608A1 (en) Contention based random access procedure for mobile communications
WO2017173892A1 (en) Random access channel congestion processing method, device, and storage medium
WO2016184505A1 (en) Identifying a misbehaving ue initiating a random access procedure
EP3120651B1 (en) Methods and apparatus for wireless network access
US10986663B2 (en) Uplink signal transmission based on timing advance value
KR101502140B1 (en) Method for processing random access, and digital signal processing apparatus
EP3282801B1 (en) Signal transmission method and network device
EP4297341B1 (en) Apparatus and method for detecting prach storm attacks
US20150334572A1 (en) Radio access network apparatus, mobile communication system, communication method, and non-transitory computer readable medium storing program
WO2018226129A1 (en) Handling access to a wireless communications network

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 15726559

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 15726559

Country of ref document: EP

Kind code of ref document: A1

点击 这是indexloc提供的php浏览器服务,不要输入任何密码和下载