Title:
BLOCKCHAIN-ENABLED TRUSTED DATA LAYER FOR ARTIFICIAL INTELLIGENCE (AI) APPLICATIONS
Document Type and Number:
WIPO Patent Application WO/2023/151829
Kind Code:
A1
Abstract:
Embodiments include methods for a customer-domain agent to manage access to resources in the customer domain of a communication network. Such methods include registering one or more of the following resources with a vendor-domain gateway: one or more datasets available in the customer domain, and computing resources available in the customer domain. Such methods include subsequently receiving, from the vendor-domain gateway, one or more of the following: a first request for the customer domain to perform a computing job based on registered resources, according to a default mode of operation; and a second request to provide at least a portion of a registered dataset to a user via the vendor-domain gateway, according to an exception mode of operation. Other embodiments include complementary methods for vendor-domain gateways and secure clients, as well as customer-domain agents, vendor-domain gateways, and secure clients configured to perform such methods.

Inventors:
YADAV-RANJAN RANI (US)
FORGEAT JULIEN (US)
Application Number:
PCT/EP2022/062619
Publication Date:
August 17, 2023
Filing Date:
May 10, 2022
Assignee:
ERICSSON TELEFON AB L M (SE)
International Classes:
G06F21/60; G06F21/62; G06N20/00; H04L9/00; H04W12/02
Domestic Patent References:
WO2022031553A1 (2022-02-10)
Foreign References:
US20200327969A1 (2020-10-15)
US20200285978A1 (2020-09-10)
Attorney, Agent or Firm:
ERICSSON (SE)
Claims:
CLAIMS

1. A method for a customer-domain agent to manage access to resources in the customer domain of a communication network, the method comprising: registering one or more of the following resources with a vendor-domain gateway: one or more datasets available in the customer domain, and computing resources available in the customer domain; and subsequently receiving, from the vendor-domain gateway, one or more of the following: a first request for the customer domain to perform a computing job based on registered resources, according to a default mode of operation; and a second request to provide at least a portion of a registered dataset to a user via the vendor-domain gateway, according to an exception mode of operation.

2. The method of claim 1, wherein in the default mode of operation, the customer-domain agent does not provide any of the registered datasets to the vendor domain.

3. The method of any of claims 1-2, further comprising: in response to the first request, causing computing infrastructure of the customer domain to perform the computing job; and sending to the vendor-domain gateway an indication of results for the computing job.

4. The method of any of claims 1-3, wherein: the first request includes a parameterized artificial intelligence/machine learning, AI/ML, model and an indication of a registered dataset; and the computing job includes training the parameterized AI/ML model using the indicated registered dataset.

5. The method of any of claims 1-4, wherein registering (1210) the one or more datasets comprises sending (1211), to the vendor-domain gateway, metadata that is representative or descriptive of the one or more datasets to be registered.

6. The method of any of claims 1-5, wherein the second request includes a tuple comprising: an identifier of the requested data, an identifier of a user who will access the requested data, and a validity period during which the user will be allowed to access the requested data.

7. The method of claim 6, further comprising: in response to the second request, determining whether the tuple matches at least one configured exception; and when the tuple matches at least one configured exception, encrypting the requested data using a key associated with the user and sending the encrypted data to the vendor-domain gateway.

8. The method of claim 7, further comprising logging the match between the tuple and the at least one configured exception in a distributed trustworthy audit trail.

9. The method of any of claims 1-8, wherein: the resources registered with the vendor-domain gateway also include software code that is available in the customer domain; and the method further comprises modifying the software code after registering the resources with the vendor-domain gateway.

10. The method of claim 9, wherein one or more of the following applies: the customer-domain agent maintains ownership of the modified software code; and the method further comprises storing the modified software code in a vendor-domain repository.

11. The method of any of claims 9-10, wherein the software code is usable to create artificial intelligence/machine learning, AI/ML, models.

12. A method for a vendor-domain gateway to manage user access to data and/or resources in a customer domain of a communication network, the method comprising: registering (1310) one or more of the following resources in a repository in the vendor domain: one or more datasets available in the customer domain, computing resources available in the customer domain, and software code available in the customer domain; and subsequently sending (1350), to a customer-domain agent, one or more of the following: a first request for the customer domain to perform a computing job based on registered customer-domain resources, according to a default mode of operation; and a second request to provide at least a portion of a registered dataset to a user via the vendor-domain gateway, according to an exception mode of operation.

13. The method of claim 12, wherein in the default mode of operation, the customer-domain agent does not provide any of the registered datasets to the vendor domain.

14. The method of any of claims 12-13, wherein registering (1310) the one or more datasets comprises: receiving (1311), from the customer-domain agent, metadata that is representative or descriptive of the one or more datasets to be registered; and storing (1312) the received metadata in the repository.

15. The method of any of claims 12-14, further comprising: receiving (1320), from a secure client associated with the user, a request for information about available datasets, computing resources, and AI/ML models; retrieving (1325) information about the registered resources from the repository; and sending (1330) the retrieved information to the secure client in a form that can be rendered on a user interface, UI.

16. The method of claim 15, wherein the information sent to the secure client includes metadata that is representative or descriptive of one or more registered datasets.

17. The method of any of claims 15-16, further comprising receiving (1335) from the secure client a job request that identifies a registered dataset and an AI/ML model that were indicated in the retrieved information sent to the secure client.

18. The method of claim 17, wherein: the job request from the secure client also includes parameters associated with the identified AI/ML model; the first request includes the parameterized AI/ML model and an indication of the registered dataset; and the computing job includes training the parameterized AI/ML model using the indicated registered dataset.

19. The method of any of claims 12-18, further comprising in response to the first request, receiving (1360) from the customer-domain agent an indication of results for the computing job.

20. The method of any of claims 12-19, further comprising receiving (1340), from a secure client associated with the user, a request for user access to at least a portion of a registered dataset, wherein the second request is sent in response to the request for user access.

21. The method of claim 20, wherein: the request for user access includes an identifier of the requested data; and the second request includes a tuple comprising: an identifier of the requested data, an identifier of the user, and a validity period during which the user will be allowed to access the requested data.

22. The method of claim 21, further comprising: based on the tuple matching at least one configured exception, receiving (1370) from the customer-domain agent the requested data encrypted based on a key associated with the user; notifying (1380) the secure client about the availability of the requested data; and providing (1390) the encrypted data to the secure client upon request.

23. The method of any of claims 12-22, wherein the software code is usable to create artificial intelligence/machine learning, AI/ML, models.

24. A method for a secure client to access data and/or resources in a customer domain of a communication network, the method comprising: sending (1410) one or more of the following to a vendor-domain gateway: a first request for information about datasets, computing resources, and artificial intelligence/machine learning, AI/ML, models that are registered with the vendor-domain gateway, the first request being associated with a default mode of operation; and a second request for user access to at least a portion of a registered dataset, the second request being associated with an exception mode of operation; and receiving (1420) one or more of the following from the vendor-domain gateway: a first response indicating registered resources in accordance with the first request, the first response being in a form that can be rendered on a user interface, UI; and a second response notifying the secure client about the availability of the data for which user access was requested in the second request.

25. The method of claim 24, wherein: the registered datasets are associated with the customer domain; and in the default mode of operation, the customer domain does not provide any registered datasets to the secure client.

26. The method of claim 25, wherein the first response includes metadata that is representative or descriptive of one or more registered datasets.

27. The method of any of claims 24-26, further comprising: selecting (1430) a dataset and an AI/ML model that are among the registered resources indicated by the first response; and sending (1440) to the vendor-domain gateway a job request that identifies the selected dataset and AI/ML model.

28. The method of claim 27, wherein: the job request also includes parameters associated with the selected AI/ML model; the requested job includes training the parameterized AI/ML model using the selected dataset.

29. The method of any of claims 24-28, further comprising, based on the second response, obtaining (1450) the data from the vendor-domain gateway and decrypting the obtained data based on a key associated with the user.

30. The method of any of claims 24-29, wherein the second request for user access includes an identifier of the data for which user access is requested.

31. A customer-domain agent (310, 410, 610, 710, 910, 1010, 1516, 1800, 1902) configured to manage access to data and/or resources (350, 650, 750, 950) in the customer domain of a communication network (198, 200, 1502), wherein: the customer-domain agent is implemented by communication interface circuitry (1808, 1904) and processing circuitry (1802, 1904) that are operably coupled; and the processing circuitry and interface circuitry are configured to: register one or more of the following resources with a vendor-domain gateway (320, 420, 620, 720, 820, 920, 1020, 1120, 1516, 1800, 1902): one or more datasets available in the customer domain, and computing resources available in the customer domain; and subsequently receive, from the vendor-domain gateway, one or more of the following: a first request for the customer domain to perform a computing job based on registered resources, according to a default mode of operation; and a second request to provide at least a portion of a registered dataset to a user via the vendor-domain gateway, according to an exception mode of operation.

32. The customer-domain agent of claim 31, wherein the processing circuitry and interface circuitry are further configured to perform operations corresponding to any of the methods of claims 2-11.

33. A customer-domain agent (310, 410, 610, 710, 910, 1010, 1516, 1800, 1902) configured to manage access to data and/or resources (350, 650, 750, 950) in the customer domain of a communication network (198, 200, 1502), the customer-domain agent being further configured to: register one or more of the following resources with a vendor domain gateway (320, 420, 620, 720, 820, 920, 1020, 1120, 1516, 1800, 1902): one or more datasets available in the customer domain, and computing resources available in the customer domain; and subsequently receive, from the vendor-domain gateway, one or more of the following: a first request for the customer domain to perform a computing job based on registered resources, according to a default mode of operation; and a second request to provide at least a portion of a registered dataset to a user via the vendor-domain gateway, according to an exception mode of operation.

34. The customer-domain agent of claim 33, being further configured to perform operations corresponding to any of the methods of claims 2-11.

35. A non-transitory, computer-readable medium (1812, 1904) storing computer-executable instructions that, when executed by processing circuitry associated with a customer-domain agent (310, 410, 610, 710, 910, 1010, 1516, 1800, 1902) configured to manage access to data and/or resources (350, 650, 750, 950) in the customer domain of a communication network (198, 200, 1502), configure the customer-domain agent to perform operations corresponding to any of the methods of claims 1-11.

36. A computer program product (1814, 1904a) comprising computer-executable instructions that, when executed by processing circuitry associated with a customer-domain agent (310, 410, 610, 710, 910, 1010, 1516, 1800, 1902) configured to manage access to data and/or resources (350, 650, 750, 950) in the customer domain of a communication network (198, 200, 1502), configure the customer-domain agent to perform operations corresponding to any of the methods of claims 1-11.

37. A vendor-domain gateway (320, 420, 620, 720, 820, 920, 1020, 1120, 1516, 1800, 1902) configured to manage user access to data and/or resources (350, 650, 750, 950) in the customer domain of a communication network (198, 200, 1502), wherein: the vendor-domain gateway is implemented by communication interface circuitry (1808, 1904) and processing circuitry (1802, 1904) that are operably coupled; and the processing circuitry and interface circuitry are configured to: register one or more of the following resources in a repository in the vendor domain: one or more datasets available in the customer domain, computing resources available in the customer domain, and software code available in the customer domain; and subsequently send, to a customer-domain agent (310, 410, 610, 710, 910, 1010, 1516, 1800, 1902), one or more of the following: a first request for the customer domain to perform a computing job based on registered customer-domain resources, according to a default mode of operation; and a second request to provide at least a portion of a registered dataset to a user via the vendor-domain gateway, according to an exception mode of operation.

38. The vendor-domain gateway of claim 37, wherein the processing circuitry and interface circuitry are further configured to perform operations corresponding to any of the methods of claims 13-23.

39. A vendor-domain gateway (320, 420, 620, 720, 820, 920, 1020, 1120, 1516, 1800, 1902) configured to manage user access to data and/or resources (350, 650, 750, 950) in the customer domain of a communication network (198, 200, 1502), the vendor-domain gateway being further configured to: register one or more of the following resources in a repository in the vendor domain: one or more datasets available in the customer domain, computing resources available in the customer domain, and software code available in the customer domain; and subsequently send, to a customer-domain agent (310, 410, 610, 710, 910, 1010, 1516, 1800, 1902), one or more of the following: a first request for the customer domain to perform a computing job based on registered customer-domain resources, according to a default mode of operation; and a second request to provide at least a portion of a registered dataset to a user via the vendor-domain gateway, according to an exception mode of operation.

40. The vendor-domain gateway of claim 39, being further configured to perform operations corresponding to any of the methods of claims 13-23.

41. A non-transitory, computer-readable medium (1812, 1904) storing computer-executable instructions that, when executed by processing circuitry (1802, 1904) associated with a vendor-domain gateway (320, 420, 620, 720, 820, 920, 1020, 1120, 1516, 1800, 1902) configured to manage user access to data and/or resources (350, 650, 750, 950) in the customer domain of a communication network (198, 200, 1502), configure the vendor-domain gateway to perform operations corresponding to any of the methods of claims 12-23.

42. A computer program product (1814, 1904a) comprising computer-executable instructions that, when executed by processing circuitry (1802, 1904) associated with a vendor-domain gateway (320, 420, 620, 720, 820, 920, 1020, 1120, 1516, 1800, 1902) configured to manage user access to data and/or resources (350, 650, 750, 950) in the customer domain of a communication network (198, 200, 1502), configure the vendor-domain gateway to perform operations corresponding to any of the methods of claims 12-23.

43. A secure client (330, 430, 830, 1030, 1130, 1516, 1800, 1902) configured to access data and/or resources (350, 650, 750, 950) in a customer domain of a communication network (198, 200, 1502), wherein: the secure client is implemented by communication interface circuitry (1808, 1904) and processing circuitry (1802, 1904) that are operably coupled; and the processing circuitry and interface circuitry are configured to: send one or more of the following to a vendor-domain gateway (320, 420, 620, 720, 820, 920, 1020, 1120, 1516, 1800, 1902): a first request for information about datasets, computing resources, and artificial intelligence/machine learning, AI/ML, models that are registered with the vendor-domain gateway, the first request being associated with a default mode of operation; and a second request for user access to at least a portion of a registered dataset, the second request being associated with an exception mode of operation; and receive one or more of the following from the vendor-domain gateway: a first response indicating registered resources in accordance with the first request, the first response being in a form that can be rendered on a user interface, UI; and a second response notifying the secure client about the availability of the data for which user access was requested in the second request.

44. The secure client of claim 43, wherein the processing circuitry and interface circuitry are further configured to perform operations corresponding to any of the methods of claims 25-30.

45. A secure client (330, 430, 830, 1030, 1130, 1516, 1800, 1902) configured to access data and/or resources (350, 650, 750, 950) in a customer domain of a communication network (198, 200, 1502), the secure client being further configured to: send one or more of the following to a vendor-domain gateway (320, 420, 620, 720, 820, 920, 1020, 1120, 1516, 1800, 1902): a first request for information about datasets, computing resources, and artificial intelligence/machine learning, AI/ML, models that are registered with the vendor-domain gateway, the first request being associated with a default mode of operation; and a second request for user access to at least a portion of a registered dataset, the second request being associated with an exception mode of operation; and receive one or more of the following from the vendor-domain gateway: a first response indicating registered resources in accordance with the first request, the first response being in a form that can be rendered on a user interface, UI; and a second response notifying the secure client about the availability of the data for which user access was requested in the second request.

46. The secure client of claim 45, being further configured to perform operations corresponding to any of the methods of claims 25-30.

47. A non-transitory, computer-readable medium (1812, 1904) storing computer-executable instructions that, when executed by processing circuitry (1802, 1904) associated with a secure client (330, 430, 830, 1030, 1130, 1516, 1800, 1902) configured to access data and/or resources (350, 650, 750, 950) in a customer domain of a communication network (198, 200, 1502), configure the secure client to perform operations corresponding to any of the methods of claims 24-30.

48. A computer program product (1814, 1904a) comprising computer-executable instructions that, when executed by processing circuitry (1802, 1904) associated with a secure client (330, 430, 830, 1030, 1130, 1516, 1800, 1902) configured to access data and/or resources (350, 650, 750, 950) in a customer domain of a communication network (198, 200, 1502), configure the secure client to perform operations corresponding to any of the methods of claims 24-30.

Description:
BLOCKCHAIN-ENABLED TRUSTED DATA LAYER FOR ARTIFICIAL INTELLIGENCE (AI) APPLICATIONS

TECHNICAL FIELD

The present application relates generally to the field of communication networks, and more specifically to techniques for secure access to customer-domain data that can be used in conjunction with various artificial intelligence (AI) applications, such as model training.

INTRODUCTION

Machine learning (ML) is a type of artificial intelligence (AI) that focuses on the use of data and algorithms to imitate the way that humans learn, gradually improving its accuracy. ML algorithms build models based on sample (or "training") data, with the models being used subsequently to make predictions or decisions. ML algorithms can be used in a wide variety of applications (e.g., medicine, email filtering, speech recognition, etc.) in which it is difficult or unfeasible to develop conventional algorithms to perform the needed tasks.

Communication network operators are now turning to AI/ML to support and/or achieve essential business objectives. Previously, there were only two options for deploying and/or changing core systems or technologies such as AI/ML in networks: 1) buy the latest commercial off-the-shelf (COTS) software and modify it, or 2) upgrade and rebuild legacy systems in-house using traditional software coding techniques. Both methods are expensive, time-consuming, and require skilled people, and the results are usually built in technology silos, raising the risk of inconsistency with business needs.

A modern method used for core system change is known as low-code/no-code (LCNC), which refers to any activity that eliminates a need to manually write or rewrite a piece of code. LCNC is intended to reduce software development time, since it facilitates constructing business processes and logic in enterprise beans, generating reusable code, and/or designing user interfaces. Enterprises use LCNC platforms to upskill their workforce, beat traditional development times, and obtain measurable results more quickly. LCNC platforms allow enterprises to outsmart their competition by quickly modifying how they provide services to customers via their preferred channels, such as mobile applications and self-service portals. LCNC provides the tools that employees need to do their jobs more efficiently and effectively.

Even so, many enterprises - including network operators - must comply with regulations regarding use of customer data. These regulations cover various data such as biometric data, geo-location data, call identification data, cell site data, and other data that can identify a user (or user equipment, UE). Due to these concerns, network operators are hesitant to share customer data with telecom equipment vendors and their internal teams. As a result, there is no assurance that any deployed AI/ML model will provide the desired results, because there is a lack of data with which to train the model. As such, AI/ML models often lie dormant, become stale, or provide undesired and/or inaccurate results.

SUMMARY

Existing data access layers in AI/ML solutions have various problems, issues, and/or difficulties. For example, they typically require that the data owner grants full access to the data to the vendor (or the vendor's employees) who is implementing an AI/ML model. Moreover, once full data access has been granted, there is little or no visibility and traceability regarding which parts of the data (e.g., columns, rows, or arbitrary sections) were accessed and for what purpose(s). In many cases, the shared data is not encrypted, at least not in a way that restricts access to some small group of engineers. Furthermore, even if some traceability/visibility into access is available, it is often provided by the vendor who is implementing the AI/ML model, which reduces the trust in such information.

These and other reasons lead to a lack of trust from data owners in existing data access layers and consequently limit the deployment of AI/ML solutions, e.g., for communication networks. Embodiments of the present disclosure address these and other problems, issues, and/or difficulties, thereby facilitating the otherwise-advantageous deployment of AI/ML solutions in communication networks (e.g., 5G networks).

Some embodiments include exemplary methods (e.g., procedures) for a customer-domain agent to manage access to data and/or resources in the customer domain of a communication network (e.g., 5G network).

These exemplary methods can include registering one or more of the following resources with a gateway in a vendor domain: one or more datasets available in the customer domain, and computing resources available in the customer domain. These exemplary methods can also include subsequently receiving, from the vendor-domain gateway, one or more of the following:

• a first request for the customer domain to perform a computing job based on registered resources, according to a default mode of operation; and

• a second request to provide at least a portion of a registered dataset to a user via the vendor-domain gateway, according to an exception mode of operation.

In some embodiments, in the default mode of operation, the customer-domain agent does not provide any of the registered datasets to the vendor domain.

In some embodiments, these exemplary methods can also include, in response to the first request, causing computing infrastructure of the customer domain to perform the computing job and sending to the vendor-domain gateway an indication of results for the computing job. In some embodiments, the first request includes a parameterized AI/ML model and an indication of a registered dataset, and the computing job includes training the parameterized AI/ML model using the indicated registered dataset.

In some embodiments, registering the one or more datasets can include sending, to the vendor-domain gateway, metadata that is representative or descriptive of the one or more datasets to be registered.

In some embodiments, the second request includes a tuple comprising: an identifier of the requested data, an identifier of a user who will access the requested data, and a validity period during which the user will be allowed to access the requested data. In some of these embodiments, these exemplary methods can also include, in response to the second request, determining whether the tuple matches at least one configured exception and, when the tuple matches at least one configured exception, encrypting the requested data using a key associated with the user and sending the encrypted data to the vendor-domain gateway. In some variants, these exemplary methods can also include logging the match between the tuple and the at least one configured exception in a distributed trustworthy audit trail.

In some embodiments, the resources registered with the vendor-domain gateway also include software code that is available in the customer domain. In such case, these exemplary methods can also include modifying the software code after registering the resources with the vendor-domain gateway. In some variants, the customer-domain agent maintains ownership of the modified software code and these exemplary methods also include storing the modified software code in a vendor-domain repository. In some further variants, the software code is usable to create AI/ML models.

Other embodiments include methods (e.g., procedures) for a vendor-domain gateway to manage user access to data and/or resources in a customer domain of a communication network (e.g., 5G network).

These exemplary methods can include registering one or more of the following resources in a repository in the vendor domain:

• one or more datasets available in the customer domain,

• computing resources available in the customer domain, and

• software code available in the customer domain.

These exemplary methods can also include subsequently sending, to a customer-domain agent, one or more of the following:

• a first request for the customer domain to perform a computing job based on registered customer-domain resources, according to a default mode of operation; and

• a second request to provide at least a portion of a registered dataset to a user via the vendor-domain gateway, according to an exception mode of operation.

In some embodiments, in the default mode of operation, the customer-domain agent does not provide any of the registered datasets to the vendor domain. In some embodiments, these exemplary methods can also include, in response to the first request, receiving from the customer-domain agent an indication of results for the computing job.

In some embodiments, the (registered) software code is usable to create AI/ML models. In some embodiments, registering the one or more datasets can include receiving, from the customer-domain agent, metadata that is representative or descriptive of the one or more datasets to be registered, and storing the received metadata in the repository.

In some embodiments, these exemplary methods can also include receiving, from a secure client associated with the user, a request for information about available datasets, computing resources, and AI/ML models; retrieving information about the registered resources from the repository; and sending the retrieved information to the secure client in a form that can be rendered on a UI.

In some of these embodiments, the information sent to the secure client includes metadata that is representative or descriptive of one or more registered datasets. In some of these embodiments, these exemplary methods can also include receiving from the secure client a job request that identifies a registered dataset and an AI/ML model that were indicated in the retrieved information sent to the secure client. In some of these embodiments, the job request from the secure client also includes parameters associated with the identified AI/ML model, the first request includes the parameterized AI/ML model and an indication of the registered dataset, and the computing job includes training the parameterized AI/ML model using the indicated registered dataset.

In some embodiments, these exemplary methods can also include receiving, from the secure client, a request for user access to at least a portion of a registered dataset. The second request is sent in response to the request for user access. In some of these embodiments, the request for user access includes an identifier of the requested data and the second request includes a tuple comprising an identifier of the requested data, an identifier of the user (i.e., who will access the requested data), and a validity period during which the user will be allowed to access the requested data.

In some of these embodiments, these exemplary methods can also include the following: based on the tuple matching at least one configured exception, receiving from the customer-domain agent the requested data encrypted based on a key associated with the user; notifying the secure client about the availability of the requested data; and providing the encrypted data to the secure client upon request.

Other embodiments include methods (e.g., procedures) for a secure client to access data and/or resources in a customer domain of a communication network (e.g., 5G network).

These exemplary methods can include sending one or more of the following to a vendor-domain gateway:

• a first request for information about datasets, computing resources, and AI/ML models that are registered with the vendor-domain gateway, the first request being associated with a default mode of operation; and

• a second request for user access to at least a portion of a registered dataset, the second request being associated with an exception mode of operation.

These exemplary methods can also include receiving one or more of the following from the vendor-domain gateway:

• a first response indicating registered resources in accordance with the first request, the first response being in a form that can be rendered on a UI; and

• a second response notifying the secure client about the availability of the data for which user access was requested in the second request.

In some embodiments, the registered datasets are associated with the customer domain and, in the default mode of operation, the customer domain does not provide any registered datasets to the secure client. In some of these embodiments, the first response includes metadata that is representative or descriptive of one or more registered datasets.

In some embodiments, these exemplary methods can also include selecting a dataset and an AI/ML model that are among the registered resources indicated by the first response and sending to the vendor-domain gateway a job request that identifies the selected dataset and AI/ML model. In some of these embodiments, the job request also includes parameters associated with the selected AI/ML model and the requested job includes training the parameterized AI/ML model using the selected dataset.

In some embodiments, these exemplary methods can also include, based on the second response, obtaining the data from the vendor-domain gateway and decrypting the obtained data based on a key associated with the user. In some embodiments, the second request for user access includes an identifier of the data for which user access is requested.

Other embodiments include customer-domain agents and vendor-domain gateways (or network nodes and/or computing infrastructure hosting the same) and secure clients (or UEs/computing devices hosting the same) that are configured to perform the operations corresponding to any of the exemplary methods described herein. Other embodiments also include non-transitory, computer-readable media storing computer-executable instructions that, when executed by processing circuitry associated with such customer-domain agents, vendor-domain gateways, and secure clients, configure the same to perform operations corresponding to any of the exemplary methods described herein.

These and other disclosed embodiments can enable data scientists to train AI/ML models or perform other related activities without having full, unconditional access to raw data. Moreover, when raw data is conditionally shared with a data scientist, there is a trusted audit trail that records all these accesses along with their associated reasons. Embodiments also promote reuse and facilitate upskilling of data scientists or non-data scientists (so-called “data citizens”) across organizations. Humans are not required to write AI/ML models to test them on real data; ML can generate the models and apply them to data sets while setting a few difficult or tricky parameters.

These and other objects, features, and advantages of the present disclosure will become apparent upon reading the following Detailed Description in view of the Drawings briefly described below.

BRIEF DESCRIPTION OF THE DRAWINGS

Figures 1-2 illustrate various aspects of an exemplary 5G network architecture.

Figure 3 shows a block diagram of a system architecture according to some embodiments of the present disclosure.

Figure 4 shows a block diagram of a snapcode.ai trusted data layer architecture based on blockchain, according to various embodiments of the present disclosure.

Figure 5 shows an example of blockchain generation for the trusted data layer according to some embodiments of the present disclosure.

Figure 6 shows a signal flow diagram for an exemplary customer resources on-boarding procedure, according to some embodiments of the present disclosure.

Figure 7 shows an operational sequence under a default mode of operation, according to some embodiments of the present disclosure.

Figures 8-9 show signal flow diagrams of operational sequences for the default mode of operation, according to some embodiments of the present disclosure.

Figure 10 shows an operational sequence under an exception mode of operation, according to some embodiments of the present disclosure.

Figure 11 shows a signal flow diagram for an exemplary exception procedure, according to some embodiments of the present disclosure.

Figure 12 shows an exemplary method (e.g., procedure) for a customer-domain agent, according to various embodiments of the present disclosure.

Figure 13 shows an exemplary method (e.g., procedure) for a vendor-domain gateway, according to various embodiments of the present disclosure.

Figure 14 shows an exemplary method (e.g., procedure) for a secure client, according to various embodiments of the present disclosure.

Figure 15 shows a communication system according to various embodiments of the present disclosure.

Figure 16 shows a UE according to various embodiments of the present disclosure.

Figure 17 shows a network node according to various embodiments of the present disclosure.

Figure 18 shows a host computing system according to various embodiments of the present disclosure.

Figure 19 is a block diagram of a virtualization environment in which functions implemented by some embodiments of the present disclosure may be virtualized.

Figure 20 illustrates communication between a host computing system, a network node, and a UE via multiple connections, according to various embodiments of the present disclosure.

DETAILED DESCRIPTION

Embodiments briefly summarized above will now be described more fully with reference to the accompanying drawings. These descriptions are provided by way of example to explain the subject matter to those skilled in the art and should not be construed as limiting the scope of the subject matter to only the embodiments described herein. More specifically, examples are provided below that illustrate the operation of various embodiments according to the advantages discussed above.

Generally, all terms used herein are to be interpreted according to their ordinary meaning in the relevant technical field, unless a different meaning is clearly given and/or is implied from the context in which it is used. All references to a/an/the element, apparatus, component, means, step, etc. are to be interpreted openly as referring to at least one instance of the element, apparatus, component, means, step, etc., unless explicitly stated otherwise. The steps of any methods and/or procedures disclosed herein do not have to be performed in the exact order disclosed, unless a step is explicitly described as following or preceding another step and/or where it is implicit that a step must follow or precede another step. Any feature of any of the embodiments disclosed herein can be applied to any other embodiment, wherever appropriate. Likewise, any advantage of any of the embodiments can apply to any other embodiments, and vice versa. Other objects, features and advantages of the disclosed embodiments will be apparent from the following description.

As briefly mentioned above, the present disclosure relates to deployment of AI/ML models in or with communication networks, particularly in relation to establishing and/or maintaining trust of data used with such AI/ML models. An example communication network in which embodiments of the present disclosure can be used is a fifth-generation (5G) wireless network, which is described in more detail below.

Currently the fifth generation (“5G”) of cellular systems, also referred to as New Radio (NR), is being standardized within the Third-Generation Partnership Project (3GPP). NR is developed for maximum flexibility to support multiple and substantially different use cases. These include enhanced mobile broadband (eMBB), machine type communications (MTC), ultra-reliable low latency communications (URLLC), side-link device-to-device (D2D), and several other use cases.

At a high level, the 5G System (5GS) consists of an Access Network (AN) and a Core Network (CN). The AN provides UEs connectivity to the CN, e.g., via base stations such as gNBs or ng-eNBs described below. The CN includes a variety of Network Functions (NF) that provide a wide range of different functionalities such as session management, connection management, charging, authentication, etc.

Figure 1 illustrates a high-level view of an exemplary 5G network architecture, consisting of a Next Generation Radio Access Network (NG-RAN) 199 and a 5G Core (5GC) 198. NG-RAN 199 can include one or more gNodeB’s (gNBs) connected to the 5GC via one or more NG interfaces, such as gNBs 100, 150 connected via interfaces 102, 152, respectively. More specifically, gNBs 100, 150 can be connected to one or more Access and Mobility Management Functions (AMFs) in the 5GC 198 via respective NG-C interfaces. Similarly, gNBs 100, 150 can be connected to one or more User Plane Functions (UPFs) in 5GC 198 via respective NG-U interfaces. Various other network functions (NFs) can be included in the 5GC 198, as described in more detail below.

In addition, the gNBs can be connected to each other via one or more Xn interfaces, such as Xn interface 140 between gNBs 100 and 150. The radio technology for the NG-RAN is often referred to as “New Radio” (NR). With respect to the NR interface to UEs, each of the gNBs can support frequency division duplexing (FDD), time division duplexing (TDD), or a combination thereof. Each of the gNBs can serve a geographic coverage area including one or more cells and, in some cases, can also use various directional beams to provide coverage in the respective cells.

NG-RAN 199 is layered into a Radio Network Layer (RNL) and a Transport Network Layer (TNL). The NG-RAN architecture, i.e., the NG-RAN logical nodes and interfaces between them, is defined as part of the RNL. For each NG-RAN interface (NG, Xn, F1) the related TNL protocol and the functionality are specified. The TNL provides services for user plane transport and signaling transport. In some exemplary configurations, each gNB is connected to all 5GC nodes within an “AMF Region” with the term “AMF” referring to an access and mobility management function in the 5GC.

The NG RAN logical nodes shown in Figure 1 include a Central Unit (CU or gNB-CU) and one or more Distributed Units (DU or gNB-DU). For example, gNB 100 includes gNB-CU 110 and gNB-DUs 120 and 130. CUs (e.g., gNB-CU 110) are logical nodes that host higher-layer protocols and perform various gNB functions such as controlling the operation of DUs. A DU (e.g., gNB-DUs 120, 130) is a decentralized logical node that hosts lower layer protocols and can include, depending on the functional split option, various subsets of the gNB functions. As such, each of the CUs and DUs can include various circuitry needed to perform their respective functions, including processing circuitry, transceiver circuitry (e.g., for communication), and power supply circuitry.

A gNB-CU connects to one or more gNB-DUs over respective F1 logical interfaces, such as interfaces 122 and 132 shown in Figure 1. However, a gNB-DU can be connected to only a single gNB-CU. The gNB-CU and connected gNB-DU(s) are only visible to other gNBs and the 5GC as a gNB. In other words, the F1 interface is not visible beyond gNB-CU.

Another change in 5G networks (e.g., in 5GC) is that traditional peer-to-peer interfaces and protocols found in earlier-generation networks are modified and/or replaced by a Service Based Architecture (SBA) in which Network Functions (NFs) provide one or more services to one or more service consumers. This can be done, for example, by Hyper Text Transfer Protocol/Representational State Transfer (HTTP/REST) application programming interfaces (APIs). In general, the various services are self-contained functionalities that can be changed and modified in an isolated manner without affecting other services.

Furthermore, the services are composed of various “service operations”, which are more granular divisions of the overall service functionality. The interactions between service consumers and producers can be of the type “request/response” or “subscribe/notify”. In the 5G SBA, network repository functions (NRF) allow every network function to discover the services offered by other network functions, and Data Storage Functions (DSF) allow every network function to store its context. This 5G SBA model is based on principles including modularity, reusability and self-containment of NFs, which can enable network deployments to take advantage of the latest virtualization and software technologies. Figure 2 shows an exemplary non-roaming 5G reference architecture with service-based interfaces and various 3GPP-defined NFs within the Control Plane (CP). These include the following NFs, with additional details provided for those most relevant to the present disclosure:

• Application Function (AF, with Naf interface) interacts with the 5GC to provision information to the network operator and to subscribe to certain events happening in the operator's network. An AF offers applications for which service is delivered in a different layer (i.e., transport layer) than the one in which the service has been requested (i.e., signaling layer), as well as the control of flow resources according to what has been negotiated with the network. An AF communicates dynamic session information to the PCF (via N5 interface), including a description of the media to be delivered by the transport layer.

• Policy Control Function (PCF, with Npcf interface) supports unified policy framework to govern the network behavior, via providing PCC rules (e.g., on the treatment of each service data flow that is under PCC control) to the SMF via the N7 reference point. PCF provides policy control decisions and flow based charging control, including service data flow detection, gating, QoS, and flow-based charging (except credit management) towards the SMF. The PCF receives session and media related information from the AF and informs the AF of traffic (or user) plane events.

• User Plane Function (UPF) supports handling of user plane traffic based on the rules received from the SMF, including packet inspection and different enforcement actions (e.g., event detection and reporting). UPFs communicate with the RAN (e.g., NG-RAN) via the N3 reference point, with SMFs (discussed below) via the N4 reference point, and with an external packet data network (PDN) via the N6 reference point. The N9 reference point is for communication between two UPFs.

• Session Management Function (SMF, with Nsmf interface) interacts with the decoupled traffic (or user) plane, including creating, updating, and removing Protocol Data Unit (PDU) sessions and managing session context with the User Plane Function (UPF), e.g., for event reporting. For example, SMF performs data flow detection (based on filter definitions included in PCC rules), online and offline charging interactions, and policy enforcement.

• Charging Function (CHF, with Nchf interface) is responsible for converged online charging and offline charging functionalities. It provides quota management (for online charging), re-authorization triggers, rating conditions, etc. and is notified about usage reports from the SMF. Quota management involves granting a specific number of units (e.g., bytes, seconds) for a service. CHF also interacts with billing systems.

• Access and Mobility Management Function (AMF, with Namf interface) terminates the RAN CP interface and handles all mobility and connection management of UEs (similar to MME in EPC). AMFs communicate with UEs via the N1 reference point and with the RAN (e.g., NG-RAN) via the N2 reference point.

• Network Exposure Function (NEF) with Nnef interface - acts as the entry point into operator's network, by securely exposing to AFs the network capabilities and events provided by 3GPP NFs and by providing ways for the AF to securely provide information to 3GPP network. For example, NEF provides a service that allows an AF to provision specific subscription data (e.g., expected UE behavior) for various UEs.

• Network Repository Function (NRF) with Nnrf interface - provides service registration and discovery, enabling NFs to identify appropriate services available from other NFs.

• Network Slice Selection Function (NSSF) with Nnssf interface - a “network slice” is a logical partition of a 5G network that provides specific network capabilities and characteristics, e.g., in support of a particular service. A network slice instance is a set of NF instances and the required network resources (e.g., compute, storage, communication) that provide the capabilities and characteristics of the network slice. The NSSF enables other NFs (e.g., AMF) to identify a network slice instance that is appropriate for a UE’s desired service.

• Authentication Server Function (AUSF) with Nausf interface - based in a user’s home network (HPLMN), it performs user authentication and computes security key materials for various purposes.

• Network Data Analytics Function (NWDAF) with Nnwdaf interface, described in more detail above and below.

• Location Management Function (LMF) with Nlmf interface - supports various functions related to determination of UE locations, including location determination for a UE and obtaining any of the following: DL location measurements or a location estimate from the UE; UL location measurements from the NG RAN; and non-UE associated assistance data from the NG RAN.

The Unified Data Management (UDM) function supports generation of 3GPP authentication credentials, user identification handling, access authorization based on subscription data, and other subscriber-related functions. To provide this functionality, the UDM uses subscription data (including authentication data) stored in the 5GC unified data repository (UDR). In addition to the UDM, the UDR supports storage and retrieval of policy data by the PCF, as well as storage and retrieval of application data by the NEF. The NRF allows every NF to discover the services offered by other NFs, and Data Storage Functions (DSF) allow every NF to store its context. In addition, the NEF provides exposure of capabilities and events of the 5GC to AFs within and outside of the 5GC. For example, NEF provides a service that allows an AF to provision specific subscription data (e.g., expected UE behavior) for various UEs.

Communication links between the UE and a 5G network (AN and CN) can be grouped in two different strata. The UE communicates with the CN over the Non-Access Stratum (NAS), and with the AN over the Access Stratum (AS). All the NAS communication takes place between the UE and the AMF via the NAS protocol (N1 interface in Figure 2). Security for the communications over these strata is provided by the NAS protocol (for NAS) and the PDCP protocol (for AS).

As briefly mentioned above, there is a need for network operators to trust the AI/ML model developers with their proprietary data, such as in federated and secure data repositories. One way to assure data integrity and/or compliance is to establish a trusted data layer, which can give data providers (e.g., network operators) a secure audit trail with transparency and adherence to privacy regulations. One solution is a blockchain.

A blockchain is a sequence of records (or “blocks”) that are linked together using cryptography. Each block contains a cryptographic hash (or hash value) of the previous block, a timestamp, and transaction data of some type. The timestamp proves that the transaction data existed when the block was published, as it will be included in the block’s hash for the next block. The blocks are said to form a blockchain since each block contains information (i.e., hash) about the previous block. A blockchain is resistant to modification of the transaction data in the blocks because once recorded, the data in any given block cannot be altered retroactively without altering all subsequent blocks.

A hash function is used to compress the relatively large amount of data comprising a block into a much smaller hash value. A hash value is a substantially unique representation of the data comprising the block, such that any change to the data will result (with very high probability) in a corresponding change to the resulting hash value. Hash functions can be made with asymmetric cryptography, which means only certain private keys can break them. In other words, hashes can facilitate keeping transaction data on the blockchain private and secure from tampering.

Transactions are added to a blockchain by a large, distributed, and disinterested network of computers (nodes). This has two significant advantages. First, the blockchain functions as a private, permission-based “shared ledger” that provides trust through immutability. Any change to a record from the past will affect how all future data logs are logged in the blockchain (i.e., the hashes of the AI/ML model inference). This makes the change very noticeable. Due to the decentralized nature, it is also impossible to change all copies of the blockchain at once. Second, the blockchain is very durable and reliable because it does not rely on one computer, but on a network of computers that can be monitored and managed by an alliance.

As 5G services mature and new infrastructure and platforms emerge, network operators and other enterprises need to rethink their AI/ML application architecture. It must be portable and secure, database or platform agnostic, and able to run on-premises or in the cloud. And to meet all security, privacy, and regulatory requirements, the enterprise AI/ML architecture must have a trusted data access layer.

Existing data access layers for AI/ML solutions have various problems, issues, and/or difficulties. For example, they typically require the data owner to grant full data access to the vendor (or the vendor’s employees) who is implementing an AI/ML model. Moreover, once full data access has been granted, there is little or no visibility and traceability regarding which parts of the data (e.g., columns, rows, or arbitrary sections) were accessed and for what purpose(s). In many cases, the shared data is not encrypted, at least not in a way that restricts access to some small group of engineers. Furthermore, even if some traceability/visibility into access is available, it is often provided by the vendor who is implementing the AI/ML model, which reduces the trust in such information. These and other reasons lead to a general lack of trust from data owners in existing data access layers and consequently limit the deployment of AI/ML solutions, e.g., for communication networks.

Accordingly, embodiments of the present disclosure address these and other problems, issues, and/or difficulties by providing a new and/or improved architecture for a trusted data layer for AI/ML applications and other applications that utilize, consume, and/or produce sensitive user data. These techniques provide various benefits and/or advantages. The architecture supports a solution with two modes of operation: default and exception.

The default mode enables engineers and data scientists to train AI/ML models or perform other data-driven tasks without any access to the customer's raw data. In the default mode, the solution is split into administrator and customer domains. The administration domain is used by data scientists and other developers to interact with the solution. It includes three modules: 1) a gateway that handles interactions with other components and stores references to data available in the customer domain; 2) a code recipe repository which stores software artifacts that can readily apply transformations to datasets, e.g., to produce an AI/ML model from raw data; and 3) a low code user interface where references to datasets and/or code recipes can be associated and parameterized to form a job.

The customer domain runs on customer premises and is not accessible by data scientists or other developers. It includes a software agent that handles two types of tasks: 1) probing the customer infrastructure and keeping track of references to available datasets and compute resources that can be used to run jobs; and 2) probing the administration domain gateway for new jobs to be scheduled and run on the customer infrastructure. Each discovered job is pulled and executed, with results pushed back to the gateway.
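The default-mode split described above, as an added illustration that is not the patent's or any product's code: the agent registers metadata only, the gateway queues a job composed from a dataset reference and a code recipe, and the agent runs it on raw data that stays on customer premises, pushing back only the result. The recipe, class names and the sample dataset are constructed for this example.

```python
import statistics
from dataclasses import dataclass, field
from typing import Callable, Dict, List

# Constructed illustration (not the patent's or any product's code) of the default
# mode: the agent registers metadata only, the gateway schedules jobs built from a
# dataset reference plus a code recipe, and the agent runs them on the raw data
# that never leaves the customer domain, pushing back only the result.

Rows = List[dict]
Recipe = Callable[[Rows, dict], dict]


@dataclass
class VendorGateway:
    dataset_refs: Dict[str, dict] = field(default_factory=dict)  # metadata only, no rows
    recipes: Dict[str, Recipe] = field(default_factory=dict)     # code recipe repository
    pending_jobs: List[dict] = field(default_factory=list)
    results: Dict[str, dict] = field(default_factory=dict)

    def register_dataset(self, dataset_id: str, metadata: dict) -> None:
        self.dataset_refs[dataset_id] = metadata

    def register_recipe(self, name: str, fn: Recipe) -> None:
        self.recipes[name] = fn

    def submit_job(self, job_id: str, dataset_id: str, recipe: str, params: dict) -> None:
        # Low-code UI step: a dataset reference and a recipe are associated and parameterized.
        if dataset_id not in self.dataset_refs:
            raise KeyError(f"unknown dataset reference {dataset_id}")
        if recipe not in self.recipes:
            raise KeyError(f"unknown recipe {recipe}")
        self.pending_jobs.append(
            {"job_id": job_id, "dataset_id": dataset_id, "recipe": recipe, "params": params})

    def pull_jobs(self) -> List[dict]:
        jobs, self.pending_jobs = self.pending_jobs, []
        return jobs

    def push_result(self, job_id: str, result: dict) -> None:
        self.results[job_id] = result


class CustomerAgent:
    def __init__(self, gateway: VendorGateway, datasets: Dict[str, Rows]):
        self.gateway = gateway
        self.datasets = datasets  # raw data, held on customer premises only

    def probe_and_register(self) -> None:
        # Task 1: probe the infrastructure and register references/metadata, not content.
        for dataset_id, rows in self.datasets.items():
            columns = sorted(rows[0].keys()) if rows else []
            self.gateway.register_dataset(dataset_id, {"rows": len(rows), "columns": columns})

    def poll_and_run(self) -> int:
        # Task 2: probe the gateway for new jobs, run each locally, push the result back.
        jobs = self.gateway.pull_jobs()
        for job in jobs:
            recipe = self.gateway.recipes[job["recipe"]]
            result = recipe(self.datasets[job["dataset_id"]], job["params"])
            self.gateway.push_result(job["job_id"], result)
        return len(jobs)


def zscore_anomaly_recipe(rows: Rows, params: dict) -> dict:
    # A minimal constructed "recipe": flags values more than z standard deviations
    # from the mean and returns aggregate results only, never the rows themselves.
    col, z = params["column"], params.get("z", 2.0)
    values = [float(r[col]) for r in rows]
    mean, sd = statistics.fmean(values), statistics.pstdev(values)
    flagged = sum(1 for v in values if sd > 0 and abs(v - mean) / sd > z)
    return {"rows": len(values), "anomalies": flagged, "mean": round(mean, 3)}


def run_default_mode_demo() -> VendorGateway:
    gateway = VendorGateway()
    gateway.register_recipe("zscore_anomaly", zscore_anomaly_recipe)
    # Constructed sample dataset: per-cell throughput measurements.
    raw = {"cell-throughput-2022q1": [
        {"cell": f"c{i}", "throughput_mbps": v} for i, v in enumerate([10, 11, 9, 10, 12, 50])]}
    agent = CustomerAgent(gateway, raw)
    agent.probe_and_register()
    gateway.submit_job("job-1", "cell-throughput-2022q1", "zscore_anomaly",
                       {"column": "throughput_mbps", "z": 2.0})
    agent.poll_and_run()
    return gateway


if __name__ == "__main__":
    gw = run_default_mode_demo()
    print(gw.dataset_refs)   # metadata only: row count and column names
    print(gw.results)        # {'job-1': {'rows': 6, 'anomalies': 1, 'mean': 17.0}}
```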

In the exception mode of operation, encrypted raw data can be temporarily and contextually shared with engineers and data scientists. This mode involves a Snapcode alliance domain, which is a distributed trusted logging system implemented using blockchain. In the exception mode, exceptions can be defined by one or more of the following:

• a condition, e.g., a training task yields a result lower than a given accuracy threshold (e.g., < 90%);

• a duration after the condition is met during which the exception applies;

• selection criteria for data to be shared, e.g., 50 rows of misclassified data from the raw data; and

• one or more associated users (e.g., engineers or data scientists) who are allowed to decrypt and see the shared data.

When an exception is met or triggered, the Snapcode agent will select data as per the selection criteria, encrypt it using the users' personal keys, and send the encrypted data to the Snapcode gateway on the administration domain where the encrypted data will be made available to users associated with the exception. The user(s) will then be notified and allowed to download the encrypted data to their clients from which the data can be decrypted and visualized. In some embodiments, all of these operations can be securely appended onto the distributed trusted logging system from the Snapcode Alliance domain.
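The exception definition above (condition, duration, selection criteria, associated users) and the access tuple of data identifier, user identifier and validity period from the summary, as an added example that is not the patent's or any product's code. The class names, the audit record layout and the sample rows are constructed; the per-user encryption of the selected rows is assumed to follow selection and is not shown.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed illustration (not the patent's or any product's code) of the exception
# mode: an exception defined by condition, duration, selection criteria and allowed
# users, triggered by a training result, and the agent's check of the access tuple
# (data id, user id, validity period) forwarded by the gateway. Encryption of the
# selected rows with the user's personal key is assumed to happen after selection.


@dataclass(frozen=True)
class ExceptionRule:
    dataset_id: str
    accuracy_threshold: float   # condition: training accuracy below this value
    duration_s: int             # how long the exception applies after being met
    max_rows: int               # selection criteria: number of misclassified rows
    allowed_users: tuple        # users allowed to decrypt and see the shared data


@dataclass
class ActiveException:
    rule: ExceptionRule
    triggered_at: float
    reason: str

    @property
    def expires_at(self) -> float:
        return self.triggered_at + self.rule.duration_s


class CustomerAgent:
    def __init__(self, rules: List[ExceptionRule]):
        self.rules: Dict[str, ExceptionRule] = {r.dataset_id: r for r in rules}
        self.active: Dict[str, ActiveException] = {}
        self.audit: List[dict] = []   # records to be appended to the trusted logging system

    def report_training_result(self, dataset_id: str, accuracy: float, now: float) -> bool:
        """Evaluate the exception condition against a finished training job."""
        rule = self.rules.get(dataset_id)
        if rule is None or accuracy >= rule.accuracy_threshold:
            return False
        reason = f"accuracy {accuracy:.3f} below threshold {rule.accuracy_threshold}"
        self.active[dataset_id] = ActiveException(rule, now, reason)
        self.audit.append({"event": "exception_triggered", "dataset": dataset_id,
                           "at": now, "reason": reason})
        return True

    def handle_access_tuple(self, data_id: str, user_id: str, valid_from: float,
                            valid_until: float, raw_rows: List[dict], now: float
                            ) -> Optional[List[dict]]:
        """Return the rows to be encrypted for the user, or None when the tuple does
        not match a configured and currently active exception."""
        active = self.active.get(data_id)
        if active is None:
            return self._deny(data_id, user_id, now, "no active exception for dataset")
        if user_id not in active.rule.allowed_users:
            return self._deny(data_id, user_id, now, "user not associated with exception")
        if now > active.expires_at:
            self.active.pop(data_id)
            return self._deny(data_id, user_id, now, "exception duration elapsed")
        if valid_from < active.triggered_at or valid_until > active.expires_at:
            return self._deny(data_id, user_id, now, "validity period outside exception window")
        # Selection criteria: only misclassified rows, capped at max_rows.
        selected = [r for r in raw_rows if r["label"] != r["predicted"]][: active.rule.max_rows]
        self.audit.append({"event": "access_granted", "dataset": data_id, "user": user_id,
                           "at": now, "rows": len(selected), "reason": active.reason,
                           "valid_until": valid_until})
        return selected

    def _deny(self, data_id: str, user_id: str, now: float, why: str) -> None:
        self.audit.append({"event": "access_denied", "dataset": data_id, "user": user_id,
                           "at": now, "reason": why})
        return None


# Constructed sample: five raw rows held in the customer domain, three misclassified.
SAMPLE_ROWS = [
    {"id": 1, "label": "normal", "predicted": "normal"},
    {"id": 2, "label": "anomaly", "predicted": "normal"},
    {"id": 3, "label": "normal", "predicted": "anomaly"},
    {"id": 4, "label": "normal", "predicted": "normal"},
    {"id": 5, "label": "anomaly", "predicted": "normal"},
]


def run_exception_demo() -> CustomerAgent:
    # Exception: accuracy < 90% on "cell-kpi" shares up to 2 misclassified rows
    # with alice for one hour. Times are constructed epoch-style seconds.
    agent = CustomerAgent([ExceptionRule("cell-kpi", 0.90, 3600, 2, ("alice",))])
    agent.report_training_result("cell-kpi", 0.85, now=1000.0)      # condition met
    agent.handle_access_tuple("cell-kpi", "alice", 1000.0, 2000.0, SAMPLE_ROWS, now=1010.0)
    agent.handle_access_tuple("cell-kpi", "bob", 1000.0, 2000.0, SAMPLE_ROWS, now=1020.0)
    agent.handle_access_tuple("cell-kpi", "alice", 1000.0, 9999.0, SAMPLE_ROWS, now=1030.0)
    agent.handle_access_tuple("cell-kpi", "alice", 5000.0, 5100.0, SAMPLE_ROWS, now=5000.0)
    return agent
```

Only the first access request in the demo is granted; the others are refused for a non-associated user, a validity period beyond the exception window, and an elapsed duration, and every decision lands in the audit list with its reason.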

Embodiments facilitate generation of AI/ML models by anyone regardless of their competence level in AI/ML programming. Embodiments include a model repository that can store the following:

• Software code for basic AI/ML functions such as anomaly detection, deep neural networks, reinforcement learning, natural language processing, cognitive OSS, KPI prediction, recommender solutions, machine reasoning, root cause detection and analysis, sleeping cell, predictive mobility, connected car, traffic identification, computer vision, virtual assistant, radio, etc.;

• Shared models which have been developed on the customer side; and

• AI/ML models which have been previously trained, plus the inference learned.

Using Snapcode, data scientists and non-scientists alike can use the local interface to write AI/ML models and then try them out on real data. In some cases, ML can be used to write AI/ML models that can be applied to a data set by simply setting up a few high-level parameters, e.g., using a slider value that can be readjusted. The interface facilitates matching a data set with AI/ML model code having a few parameters, without even knowing how to write code.

Using blockchain technology to securely store this information provides certain advantages. For example, it facilitates data scientists to train AI/ML models or perform other data extraction activities without providing them full, unconditional access to the raw data. As another example, whenever raw data is conditionally shared with a data scientist, there is a trusted audit trail that records all of these accesses along with their associated reasons.

Embodiments can provide various benefits, advantages, and/or solutions to problems described herein. For example, embodiments promote reuse and facilitate upskilling of data scientists or non-data scientists (so-called “data citizens”) across organizations. Humans are not required to write AI/ML models to test them on real data; ML can generate the models and apply them to data sets while setting a few difficult or tricky parameters. The local interface facilitates matching a data set to an AI/ML model with a few parameters, without knowing how to code the AI/ML model itself.

Furthermore, having the AI/ML models on a blockchain managed and hosted by a non-participating third party circumvents the need for thousands of computers to host the distributed ledgers assuring the blockchain security. For example, this third party could be a university, a non-profit, a specialized non-governmental organization (NGO), etc. This blockchain can be made available to an alliance of organizations, such as equipment vendors and their network operator customers.

Figure 3 shows a block diagram of a system architecture according to some embodiments of the present disclosure. As mentioned above, the system architecture includes a vendor domain (which can be proprietary) and a customer domain (which can be an open implementation). The vendor domain includes a gateway (e.g., snapcode.ai gateway 320), a low-code interface, a model repository, and a secure client (i.e., per authorized user). The customer domain includes an agent (310, e.g., snapcode.ai agent) which interfaces to customer network infrastructure (350, e.g., 5G network). The customer and vendor domains interface with each other and with a domain managed by Snapcode alliance (also referred to as “snapcode.ai alliance”), which hosts a distributed trustworthy audit trail.

Figure 4 shows a block diagram of a snapcode.ai trusted data layer architecture based on blockchain, according to various embodiments of the present disclosure. The architecture includes various nodes that perform blockchain-related functions such as replication, hashing, digital signatures, node consensus protocol, smart contract execution, etc. The architecture also includes respective storage vaults (e.g., SQL databases) that contain instances of the distributed ledger holding the AI/ML models and related content. The architecture also includes a snapcode.ai gateway (420), snapcode.ai agent (or instance, 410), and secure client (430), which can correspond to respective entities shown in Figure 3.

Figure 5 shows an example of blockchain generation for the trusted data layer according to some embodiments of the present disclosure. A user (e.g., data scientist) can provide a model and related datafile to be included as transaction data in a block. This information can be encrypted with the user’s private key. A validator node validates this information based on the user’s public key, and then provides it to the block generator nodes, which combine the information along with other transaction data (e.g., other AI/ML models and datasets from other users) to form a new block. Each block generator combines the transaction data with a current timestamp and a hash of the previous block, then computes a hash of this combined information (“block hash”). Note that this block hash will be added to the next subsequent block, i.e., as the hash of the previous block. The validator node will also perform a consensus protocol on the respective results from the block generator nodes for each block.
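The block generation step just described, and the tamper resistance claimed for the chain earlier in this description, as an added example that is not the patent's or any product's code. The block layout, the SHA-256 choice and the transaction records are constructed; signature validation with the user's public key and the consensus protocol between generators are assumed to happen outside this block.

```python
import hashlib
import json
import time
from dataclasses import dataclass
from typing import List, Optional

# Constructed illustration (not the patent's or any product's code) of the block
# generation step: a block generator combines the submitted transaction data with a
# timestamp and the previous block's hash, then hashes the result. Validation of the
# submitter's signature and the consensus protocol are assumed to happen elsewhere.

GENESIS_PREV_HASH = "0" * 64


@dataclass
class Block:
    index: int
    timestamp: float
    transactions: List[dict]   # e.g. model and dataset references submitted by users
    prev_hash: str
    block_hash: str = ""

    def compute_hash(self) -> str:
        # Canonical JSON so the same content always produces the same digest.
        payload = json.dumps(
            {"index": self.index, "timestamp": self.timestamp,
             "transactions": self.transactions, "prev_hash": self.prev_hash},
            sort_keys=True, separators=(",", ":"))
        return hashlib.sha256(payload.encode("utf-8")).hexdigest()


def generate_block(chain: List[Block], transactions: List[dict],
                   timestamp: Optional[float] = None) -> Block:
    """Block generator role: append a block linked to the current chain head."""
    prev_hash = chain[-1].block_hash if chain else GENESIS_PREV_HASH
    block = Block(index=len(chain),
                  timestamp=time.time() if timestamp is None else timestamp,
                  transactions=transactions, prev_hash=prev_hash)
    block.block_hash = block.compute_hash()
    chain.append(block)
    return block


def first_invalid_block(chain: List[Block]) -> Optional[int]:
    """Auditor check: index of the first block whose stored hash or link to its
    predecessor no longer holds, or None if the chain is intact."""
    for i, block in enumerate(chain):
        expected_prev = chain[i - 1].block_hash if i else GENESIS_PREV_HASH
        if block.prev_hash != expected_prev or block.block_hash != block.compute_hash():
            return i
    return None


def tamper_demo() -> tuple:
    """Why a retroactive edit is noticeable. Returns the indices reported after
    (a) editing block 1's transaction data and (b) also recomputing block 1's own
    hash, which still breaks the previous-hash link stored in block 2."""
    chain: List[Block] = []
    # Constructed transaction data with fixed timestamps for reproducibility.
    generate_block(chain, [{"user": "alice", "model": "kpi-forecast-v1",
                            "dataset": "cell-kpi-2022q1"}], timestamp=1.0)
    generate_block(chain, [{"user": "bob", "model": "anomaly-v3",
                            "dataset": "pm-counters"}], timestamp=2.0)
    generate_block(chain, [{"user": "alice", "model": "kpi-forecast-v2",
                            "dataset": "cell-kpi-2022q1"}], timestamp=3.0)
    assert first_invalid_block(chain) is None
    chain[1].transactions[0]["dataset"] = "pm-counters-edited"
    after_edit = first_invalid_block(chain)      # block 1: stored hash mismatch
    chain[1].block_hash = chain[1].compute_hash()
    after_rehash = first_invalid_block(chain)    # block 2: prev_hash mismatch
    return after_edit, after_rehash


if __name__ == "__main__":
    print(tamper_demo())   # (1, 2)
```

Rewriting block 1 without also rewriting every later block (and every replica held by the alliance nodes) leaves a detectable break, which is the property the audit trail relies on.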

Figure 6 shows a signal flow diagram for an exemplary customer resources on-boarding procedure, according to some embodiments of the present disclosure. This procedure is between a customer administration function, a customer-domain agent (610, e.g., snapcode.ai agent), customer infrastructure (650), and a vendor-domain gateway (620, e.g., snapcode.ai gateway). Figures 3-4 show examples of the latter three of these entities. In particular, the customer admin provides the customer-domain agent (i.e., in the customer domain) with information about each customer dataset and compute resource to be registered in the trusted data layer. The customer-domain agent then interfaces with the vendor-domain gateway (i.e., in the vendor domain) to perform this registration using, e.g., metadata about the customer dataset(s) and compute resource(s).

Figure 7 shows an operational sequence under the default mode of operation, according to some embodiments of the present disclosure. Although the operations in Figure 7 are given numerical labels, this is intended to facilitate explanation rather than to imply or require any sequential ordering, unless expressly stated to the contrary.

In operation 1, a vendor data scientist registers model “recipes” in the model repository (e.g., in Figure 3) in the vendor domain using the blockchain techniques described above (e.g., Figure 5). Note that a “recipe” in this context refers to code, etc. needed to build a model, not the model itself. Alternately or additionally, customer data scientists can register model recipes in the model repository in the same manner. In operation 2, a low-code agent (e.g., a snapcode.ai agent such as in Figure 3) in the customer domain registers available datasets to the low-code gateway (metadata only), such as illustrated in Figure 6. In operation 3, a user selects a parameterized model and target data for training the model, via the low-code GUI in the vendor domain. This selection constitutes a “low-code job.” In operation 4, the low-code job is scheduled to be run on the low-code gateway in the vendor domain (e.g., snapcode.ai gateway such as in Figure 3).

In operation 5, the low-code agent in the customer domain polls the low-code gateway in the vendor domain for new jobs to be run on the customer infrastructure, and obtains the new low-code job scheduled in operation 4. In operation 6, the new low-code job is executed on the associated computing and data resources in the customer infrastructure. In operation 7, the low-code agent publishes the results of the job on the low-code gateway in the vendor domain. The user can obtain these results via the low-code GUI.

Figure 8 shows a signal flow diagram of an operational sequence for the default mode of operation, according to some embodiments of the present disclosure. Although the operations in Figure 8 are given numerical labels, this is intended to facilitate explanation rather than to imply or require any sequential ordering, unless expressly stated to the contrary.

In Figure 8, the user starts a session via the secure client (830), which communicates with the low-code interface and model repository in the vendor domain to fetch available models and datasets and render a UI that displays these available models and datasets to the user. The low-code interface communicates with the model repository to obtain the available models and with the vendor-domain gateway (820, e.g., snapcode.ai gateway) to obtain metadata representative of the available datasets.

Subsequently, by interacting with the secure client via the UI, the user selects a dataset, a model, and parameters for a job based on the dataset and model. The user then schedules the job via the low-code interface, which stores the new job in the job store in the vendor-domain gateway.

Figure 9 shows a signal flow diagram of another operational sequence for the default mode of operation, according to some embodiments of the present disclosure. Although the operations in Figure 9 are given numerical labels, this is intended to facilitate explanation rather than to imply or require any sequential ordering, unless expressly stated to the contrary.

In Figure 9, the customer-domain agent (910, e.g., snapcode.ai agent) probes the vendor-domain gateway (920, e.g., snapcode.ai gateway) for new jobs associated with a customer ID. The vendor-domain gateway obtains the new jobs associated with the customer ID from the job store and returns those to the customer-domain agent, which launches the new jobs on the customer infrastructure (e.g., 5G network). Each new job is associated with a reference identifier. For example, one or more of the new jobs obtained from the job store can be job(s) added to the job store by the operations shown in Figure 8 and discussed above.

Subsequently, the customer-domain agent queries the customer infrastructure for completed jobs, and receives indication that the previously submitted new jobs have been completed. The customer-domain agent publishes the job results to the vendor-domain gateway, which stores these results in the job store for later retrieval by the user(s) who submitted them.

According to the default mode of operation illustrated in Figures 7-9, the raw data used to train AI/ML models never leaves customer premises. Communication between the customer domain (agent) and vendor domain (gateway) is always initiated by the customer side via polling. Users have direct access only to the vendor domain, and indirectly to the customer domain via the vendor domain. Moreover, users never have access to the raw data.
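The default-mode flow of Figures 7-9, as an added example in Python that is not part of the patent. JobStore plays the vendor-domain gateway's job store and Agent the customer-domain agent; every exchange (registration, polling, publishing) is initiated by the agent, the agent registers metadata only, trains the requested model on rows that stay local, and publishes only fitted parameters and metrics. The polling also shows the customer-ID scoping from Figure 9: an agent never receives another customer's jobs. The model "recipe" (a closed-form univariate least-squares fit), the customer IDs, dataset and column names are constructed for the example.

```python
"""Added example, not part of the patent: default-mode job flow (Figures 7-9)
with a vendor-domain job store and a customer-domain agent that polls it.
Customer IDs, dataset and the least-squares "recipe" are constructed."""


class JobStore:
    """Vendor-domain gateway: registrations, scheduled jobs and published results."""

    def __init__(self):
        self.registry = {}   # customer_id -> dataset metadata (never rows)
        self._jobs = {}      # job_ref -> job
        self._results = {}   # job_ref -> result

    def register(self, customer_id: str, metadata: dict) -> None:
        self.registry[customer_id] = metadata

    def schedule(self, customer_id: str, dataset_id: str, model: str, params: dict) -> str:
        """Called on behalf of a user from the low-code interface (Figure 8)."""
        if dataset_id not in self.registry.get(customer_id, {}):
            raise KeyError(f"dataset {dataset_id!r} not registered for {customer_id!r}")
        ref = f"job-{len(self._jobs) + 1}"
        self._jobs[ref] = {"ref": ref, "customer_id": customer_id, "dataset_id": dataset_id,
                           "model": model, "params": params, "status": "new"}
        return ref

    def poll(self, customer_id: str) -> list:
        """Return this customer's new jobs only, and mark them dispatched (Figure 9)."""
        jobs = [j for j in self._jobs.values()
                if j["customer_id"] == customer_id and j["status"] == "new"]
        for j in jobs:
            j["status"] = "dispatched"
        return jobs

    def publish(self, ref: str, result: dict) -> None:
        self._jobs[ref]["status"] = "done"
        self._results[ref] = result

    def result(self, ref: str):
        return self._results.get(ref)


def fit_linear(rows: list, x_key: str, y_key: str) -> dict:
    """Constructed recipe: y = slope * x + intercept by least squares, plus training MSE."""
    xs = [float(r[x_key]) for r in rows]
    ys = [float(r[y_key]) for r in rows]
    mx, my = sum(xs) / len(xs), sum(ys) / len(ys)
    var = sum((x - mx) ** 2 for x in xs)
    if var == 0:
        raise ValueError("x has no variance; cannot fit")
    slope = sum((x - mx) * (y - my) for x, y in zip(xs, ys)) / var
    intercept = my - slope * mx
    mse = sum((slope * x + intercept - y) ** 2 for x, y in zip(xs, ys)) / len(xs)
    return {"slope": slope, "intercept": intercept, "mse": mse, "n_rows": len(xs)}


class Agent:
    """Customer-domain agent: holds the raw data and initiates every exchange."""

    def __init__(self, customer_id: str, store: JobStore, datasets: dict):
        self.customer_id, self.store, self.datasets = customer_id, store, datasets

    def register(self) -> dict:
        """Figure 6: send dataset metadata (name, row count, columns), never rows."""
        meta = {name: {"rows": len(rows), "columns": sorted(rows[0])}
                for name, rows in self.datasets.items()}
        self.store.register(self.customer_id, meta)
        return meta

    def run_pending(self) -> list:
        """Figure 9: poll, run each job on local data, publish results only."""
        done = []
        for job in self.store.poll(self.customer_id):
            rows = self.datasets[job["dataset_id"]]
            result = fit_linear(rows, job["params"]["x"], job["params"]["y"])
            self.store.publish(job["ref"], {"model": job["model"], **result})
            done.append(job["ref"])
        return done


if __name__ == "__main__":
    store = JobStore()
    agent = Agent("cust-A", store, {"kpi": [{"load": 1, "latency": 3},
                                            {"load": 2, "latency": 5}]})
    agent.register()
    ref = store.schedule("cust-A", "kpi", "linreg-v1", {"x": "load", "y": "latency"})
    agent.run_pending()
    print(store.result(ref))
```

The gateway never calls into the customer domain: it only answers polls and accepts published results, which is what lets the agent sit behind an outbound-only firewall rule. The published result carries parameters and metrics, so a review of the job store shows nothing that reconstructs individual rows.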

Even so, not all operations can be performed without (or even with limited) data access. For example, error analysis requires data scientists to look at data entries that are misclassified by a model. As another example, support ticket processing requires support personnel to have temporary access to personal and geographical data. As another example, data cleaning and preparation require engineers to have a full understanding of the data.

In the exception mode of operation, exceptions to the default mode are managed based on encryption, audit trails, and contextual information. In particular, exception management can be based on tuples {data, user, validity period} defined as follows:

• Data: identifies specific data to be shared, e.g., as little as a row or a sample, up to full dataset if required. A unique data identifier can be used/assigned.

• User: identifies specific user(s) whose personal key(s) will decrypt the data (i.e., in the user client). Data will remain encrypted until it is decrypted with the user personal key(s).

• Validity period: identifies the time period during which the user can access the data, defined at the time the exception is created.

All operations performed on the data transmitted through exceptions are logged in an immutable audit trail. In various embodiments, exceptions can be set up automatically or manually. For example, when a service engineer has an assigned service ticket, an exception for the contextual data required to work on the ticket is automatically created. As another example, at the start of a data science project, the customer-owner of the relevant data can manually set up an exception for a set of users involved in the project.

Figure 10 shows an operational sequence under the exception mode of operation, according to some embodiments of the present disclosure. Although the operations in Figure 10 are given numerical labels, this is intended to facilitate explanation rather than to imply or require any sequential ordering, unless expressly stated to the contrary. In operation 1, a customer data owner sets up an exception for {data, user, validity period} or a rule that will automatically create exceptions when needed. In operation 2, the user identified in the exception requests the data subject to the exception via the low-code gateway in the vendor domain. Upon receiving this request via the gateway, in operation 3 the low-code agent in the customer domain encrypts the requested data and sends it to the vendor domain for delivery to the user. In operation 4, the data is decrypted in the user’s secure client (e.g., browser or dedicated application). In operation 5, an immutable audit trail is created in the vendor and customer domains based on logging all the operations associated with the request.

Figure 11 shows a signal flow diagram for an exemplary exception procedure, according to some embodiments of the present disclosure. This procedure involves a user (e.g., data scientist), the user’s secure client (1130), a vendor-domain gateway (1120), and the customer administration function. In this procedure, the user (via the secure client) requests data access under an exception by providing an identifier of the data, a user identifier, and a reason for the access. The vendor-domain gateway passes this request to the customer admin, which approves the exception request and provides the requested data in encrypted form to the vendor-domain gateway. The vendor-domain gateway then notifies the user via the secure client, and the user (via the secure client) fetches the encrypted data from the vendor-domain gateway.

In addition, the customer admin provides the information received in the user request to the distributed trustworthy audit trail logging function hosted by a third party, e.g., snapcode.ai alliance as illustrated in Figure 3. Also, the user (or the secure client) provides an indication to the distributed trustworthy audit trail logging function that the user decrypted and accessed the data. Both of these events are logged.
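The {data, user, validity period} tuples defined above and the exception procedure of Figures 10-11, as an added example in Python that is not part of the patent. The customer-domain agent matches a request against configured exceptions (including the validity window and the granularity of the data identifier), encrypts the selected rows for the named user's key before anything leaves the customer domain, and appends every decision, granted or denied, to a hash-chained audit log whose integrity the secure client or a third party can re-verify. The cipher is a SHA-256 keystream with an HMAC tag, a stand-in for a real AEAD such as AES-GCM so that the example runs on the standard library alone; the dataset, the per-user keys and the identifier scheme "<dataset>/row/<n>" are constructed for the example.

```python
"""Added example, not part of the patent: exception-mode handling on the
customer-domain agent. The cipher is a standard-library stand-in for an AEAD;
dataset, user keys and identifier scheme are constructed."""
from dataclasses import dataclass, asdict
import hashlib
import hmac
import json
import os


@dataclass(frozen=True)
class AccessException:
    data_id: str       # as little as one row, up to a whole dataset
    user_id: str       # the user whose personal key will decrypt the data
    valid_from: int    # unix seconds, inclusive
    valid_until: int   # unix seconds, exclusive


# Constructed customer dataset (never leaves the domain in the default mode).
DATASET = {"cells-5g": [{"cell": "c1", "lat": 59.33, "lon": 18.07, "kpi": 0.91},
                        {"cell": "c2", "lat": 59.34, "lon": 18.05, "kpi": 0.42}]}
USER_KEYS = {"eng-17": b"eng-17-demo-key"}   # constructed per-user keys


def select_data(data_id: str) -> list:
    """Resolve a data identifier ("<dataset>" or "<dataset>/row/<n>") to rows."""
    parts = data_id.split("/")
    rows = DATASET[parts[0]]
    if len(parts) == 3 and parts[1] == "row":
        return [rows[int(parts[2])]]
    return rows


def covers(exception_data_id: str, requested_data_id: str) -> bool:
    """A dataset-level exception covers its rows; a row-level one covers only that row."""
    return (requested_data_id == exception_data_id
            or requested_data_id.startswith(exception_data_id + "/"))


def find_exception(exceptions, data_id, user_id, now):
    """Match the request tuple against configured exceptions, including the validity window."""
    for e in exceptions:
        if (e.user_id == user_id and covers(e.data_id, data_id)
                and e.valid_from <= now < e.valid_until):
            return e
    return None


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]


def encrypt_for_user(user_id: str, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC under the user's key; the gateway only ever sees this blob."""
    key, nonce = USER_KEYS[user_id], os.urandom(16)
    ct = bytes(p ^ s for p, s in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def decrypt_rows(user_id: str, blob: bytes) -> list:
    """Secure-client side: verify the tag, then decrypt with the user's key."""
    key = USER_KEYS[user_id]
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("integrity check failed")
    return json.loads(bytes(c ^ s for c, s in zip(ct, _keystream(key, nonce, len(ct)))))


class AuditLog:
    """Append-only log; each entry commits to the previous entry's hash."""

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(prev: str, event: dict) -> str:
        body = json.dumps({"prev": prev, "event": event}, sort_keys=True).encode()
        return hashlib.sha256(body).hexdigest()

    def append(self, event: dict) -> None:
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        self.entries.append({"prev": prev, "event": event, "hash": self._digest(prev, event)})

    def verify(self) -> bool:
        prev = "0" * 64
        for e in self.entries:
            if e["prev"] != prev or self._digest(e["prev"], e["event"]) != e["hash"]:
                return False
            prev = e["hash"]
        return True


def handle_request(exceptions, log: AuditLog, data_id, user_id, reason, now):
    """Agent: return ciphertext for the user on a match, None otherwise; log either way."""
    event = {"data": data_id, "user": user_id, "reason": reason, "at": now}
    exc = find_exception(exceptions, data_id, user_id, now)
    if exc is None:
        log.append({**event, "decision": "denied"})
        return None
    log.append({**event, "decision": "granted", "exception": asdict(exc)})
    return encrypt_for_user(user_id, json.dumps(select_data(data_id)).encode())
```

Denied requests are logged with the same detail as granted ones, which is what makes the audit trail useful for detecting probing against exceptions that are expired or scoped to a different user or row. The validity check treats the end of the period as exclusive, so a request at exactly `valid_until` is refused.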

The embodiments described above can be further illustrated with reference to Figures 12-14, which depict exemplary methods (e.g., procedures) for a customer-domain agent, a vendor-domain gateway, and a secure client, respectively. Put differently, various features of the operations described below correspond to various embodiments described above. The exemplary methods shown in Figures 12-14 can be used cooperatively (e.g., with each other and with other procedures described herein) to provide benefits, advantages, and/or solutions to problems described herein. Although the exemplary methods are illustrated in Figures 12-14 by specific blocks in particular orders, the operations corresponding to the blocks can be performed in different orders than shown and can be combined and/or divided into blocks and/or operations having different functionality than shown. Optional blocks and/or operations are indicated by dashed lines.

In particular, Figure 12 illustrates an exemplary method (e.g., procedure) for a customer-domain agent to manage access to data and/or resources in the customer domain of a communication network (e.g., 5G network), according to various embodiments of the present disclosure. For example, the exemplary method shown in Figure 12 can be performed by a customer-domain agent (e.g., snapcode.ai agent or computing apparatus hosting the same) such as described elsewhere herein.

The exemplary method can include the operations of block 1210, where the customer-domain agent can register one or more of the following resources with a gateway in a vendor domain: one or more datasets available in the customer domain, and computing resources available in the customer domain. The exemplary method can also include the operations of block 1220, where the customer-domain agent can subsequently receive, from the vendor-domain gateway, one or more of the following:

• a first request for the customer domain to perform a computing job based on registered resources, according to a default mode of operation; and

• a second request to provide at least a portion of a registered dataset to a user via the vendor-domain gateway, according to an exception mode of operation.

In some embodiments, in the default mode of operation, the customer-domain agent does not provide any of the registered datasets to the vendor domain.

In some embodiments, the exemplary method can also include the operations of blocks 1230-1240, where in response to the first request, the customer-domain agent can cause computing infrastructure of the customer domain to perform the computing job and send to the vendor-domain gateway an indication of results for the computing job. In some embodiments, the first request includes a parameterized AI/ML model and an indication of a registered dataset, and the computing job includes training the parameterized AI/ML model using the indicated registered dataset.

In some embodiments, registering the one or more datasets in block 1210 can include the operations of sub-block 1211, where the customer-domain agent can send, to the vendor-domain gateway, metadata that is representative or descriptive of the one or more datasets to be registered.

In some embodiments, the second request includes a tuple comprising: an identifier of the requested data, an identifier of a user who will access the requested data, and a validity period during which the user will be allowed to access the requested data. In some of these embodiments, the exemplary method can also include the operations of blocks 1250-1260, where in response to the second request, the customer-domain agent can determine whether the tuple matches at least one configured exception and, when the tuple matches at least one configured exception, encrypt the requested data using a key associated with the user and send the encrypted data to the vendor-domain gateway. In some variants, the exemplary method can also include the operations of block 1270, where the customer-domain agent can log the match between the tuple and the at least one configured exception in a distributed trustworthy audit trail (e.g., based on blockchain).

In some embodiments, the resources registered with the vendor-domain gateway also include software code that is available in the customer domain. In such case, the exemplary method also includes the operations of block 1280, where the customer-domain agent can modify the software code after registering the resources with the vendor-domain gateway. In some variants, the customer-domain agent maintains ownership of the modified software code and the exemplary method also includes the operations of block 1290, where the customer-domain agent stores the modified software code in a vendor-domain repository. In some further variants, the software code is usable to create AI/ML models.

In addition, Figure 13 illustrates an exemplary method (e.g., procedure) for a vendor-domain gateway to manage user access to data and/or resources in a customer domain of a communication network (e.g., 5G network), according to various embodiments of the present disclosure. For example, the exemplary method shown in Figure 13 can be performed by a vendor-domain gateway (e.g., snapcode.ai gateway or computing apparatus hosting the same) such as described elsewhere herein.

The exemplary method can include the operations of block 1310, where the vendor-domain gateway can register one or more of the following resources in a repository in the vendor domain:

• one or more datasets available in the customer domain,

• computing resources available in the customer domain, and

• software code available in the customer domain.

The exemplary method can also include the operations of block 1350, where the vendor-domain gateway can subsequently send, to a customer-domain agent, one or more of the following:

• a first request for the customer domain to perform a computing job based on registered customer-domain resources, according to a default mode of operation; and

• a second request to provide at least a portion of a registered dataset to a user via the vendor-domain gateway, according to an exception mode of operation.

In some embodiments, in the default mode of operation, the customer-domain agent does not provide any of the registered datasets to the vendor domain. In some embodiments, the exemplary method can also include the operations of block 1360, where in response to the first request, the vendor-domain gateway can receive from the customer-domain agent an indication of results for the computing job.

In some embodiments, the software code (e.g., registered in block 1310) is usable to create AI/ML models. In some embodiments, registering the one or more datasets in block 1310 can include the operations of sub-blocks 1311-1312, where the vendor-domain gateway can receive, from the customer-domain agent, metadata that is representative or descriptive of the one or more datasets to be registered and store the received metadata in the repository.

In some embodiments, the exemplary method can also include the operations of blocks 1320-1330. In block 1320, the vendor-domain gateway can receive, from a secure client associated with the user, a request for information about available datasets, computing resources, and AI/ML models. In blocks 1325-1330, the vendor-domain gateway can retrieve information about the registered resources from the repository and send the retrieved information to the secure client in a form that can be rendered on a UI.

In some of these embodiments, the information sent to the secure client includes metadata that is representative or descriptive of one or more registered datasets. In some of these embodiments, the exemplary method can also include the operations of block 1335, where the vendor-domain gateway can receive from the secure client a job request that identifies a registered dataset and an AI/ML model, both of which were indicated in the retrieved information sent to the secure client. In some of these embodiments, the job request from the secure client also includes parameters associated with the identified AI/ML model, the first request includes the parameterized AI/ML model and an indication of the registered dataset, and the computing job includes training the parameterized AI/ML model using the indicated registered dataset.

In some embodiments, the exemplary method can also include the operations of block 1340, where the vendor-domain gateway can receive, from the secure client, a request for user access to at least a portion of a registered dataset. The second request is sent (e.g., in block 1350) in response to the request for user access. In some of these embodiments, the request for user access includes an identifier of the requested data and the second request includes a tuple comprising an identifier of the requested data, an identifier of the user (i.e., who will access the requested data), and a validity period during which the user will be allowed to access the requested data.

In some of these embodiments, the exemplary method can also include the operations of blocks 1370-1390. In block 1370, the vendor-domain gateway can, based on the tuple matching at least one configured exception, receive from the customer-domain agent the requested data encrypted based on a key associated with the user. In blocks 1380-1390, the vendor-domain gateway can notify the secure client about the availability of the requested data and provide the encrypted data to the secure client upon request.

In addition, Figure 14 illustrates an exemplary method (e.g., procedure) for a secure client, associated with a user, to access data and/or resources in a customer domain of a communication network (e.g., 5G network), according to various embodiments of the present disclosure. For example, the exemplary method shown in Figure 14 can be performed by a secure client (or a UE, computing device, etc. hosting the same) such as described elsewhere herein.

The exemplary method can include the operations of block 1410, where the secure client can send one or more of the following to a vendor-domain gateway:

• a first request for information about datasets, computing resources, and AI/ML models that are registered with the vendor-domain gateway, the first request being associated with a default mode of operation; and

• a second request for user access to at least a portion of a registered dataset, the second request being associated with an exception mode of operation.

The exemplary method can include the operations of block 1420, where the secure client can receive one or more of the following from the vendor-domain gateway:

• a first response indicating registered resources in accordance with the first request, the first response being in a form that can be rendered on a user interface (UI); and

• a second response notifying the secure client about the availability of the data for which user access was requested in the second request.

In some embodiments, the registered datasets are associated with the customer domain and, in the default mode of operation, the customer domain does not provide any registered datasets to the secure client. In some of these embodiments, the first response includes metadata that is representative or descriptive of one or more registered datasets.

In some embodiments, the exemplary method can also include the operations of blocks 1430-1440, where the secure client can select a dataset and an AI/ML model that are among the registered resources indicated by the first response and send to the vendor-domain gateway a job request that identifies the selected dataset and AI/ML model. In some of these embodiments, the job request also includes parameters associated with the selected AI/ML model and the requested job includes training the parameterized AI/ML model using the selected dataset.

In some embodiments, the exemplary method can also include the operations of block 1450, where based on the second response, the secure client can obtain the data from the vendor-domain gateway and decrypt the obtained data based on a key associated with the user. In some embodiments, the second request for user access includes an identifier of the data for which user access is requested.

Although various embodiments are described herein above in terms of methods, apparatus, devices, computer-readable medium and receivers, the person of ordinary skill will readily comprehend that such methods can be embodied by various combinations of hardware and software in various systems, communication devices, computing devices, control devices, apparatuses, non-transitory computer-readable media, etc. Figure 15 shows an example of a communication system 1500 in accordance with some embodiments. In this example, the communication system 1500 includes a telecommunication network 1502 that includes an access network 1504, such as a radio access network (RAN), and a core network 1506, which includes one or more core network nodes 1508. The access network 1504 includes one or more access network nodes, such as network nodes 1510a and 1510b (one or more of which may be generally referred to as network nodes 1510), or any other similar 3GPP access node or non-3GPP access point. The network nodes 1510 facilitate direct or indirect connection of user equipment (UE), such as by connecting UEs 1512a, 1512b, 1512c, and 1512d (one or more of which may be generally referred to as UEs 1512) to the core network 1506 over one or more wireless connections.

Example wireless communications over a wireless connection include transmitting and/or receiving wireless signals using electromagnetic waves, radio waves, infrared waves, and/or other types of signals suitable for conveying information without the use of wires, cables, or other material conductors. Moreover, in different embodiments, the communication system 1500 may include any number of wired or wireless networks, network nodes, UEs, and/or any other components or systems that may facilitate or participate in the communication of data and/or signals whether via wired or wireless connections. The communication system 1500 may include and/or interface with any type of communication, telecommunication, data, cellular, radio network, and/or other similar type of system.

The UEs 1512 may be any of a wide variety of communication devices, including wireless devices arranged, configured, and/or operable to communicate wirelessly with the network nodes 1510 and other communication devices. Similarly, the network nodes 1510 are arranged, capable, configured, and/or operable to communicate directly or indirectly with the UEs 1512 and/or with other network nodes or equipment in the telecommunication network 1502 to enable and/or provide network access, such as wireless network access, and/or to perform other functions, such as administration in the telecommunication network 1502.

In the depicted example, the core network 1506 connects the network nodes 1510 to one or more hosts, such as hosts 1516a-b (which are referred to collectively as host 1516). These connections may be direct or indirect via one or more intermediary networks or devices. In other examples, network nodes may be directly coupled to hosts. The core network 1506 includes one or more core network nodes (e.g., core network node 1508) that are structured with hardware and software components. Features of these components may be substantially similar to those described with respect to the UEs, network nodes, and/or hosts, such that the descriptions thereof are generally applicable to the corresponding components of the core network node 1508. Example core network nodes include functions of one or more of a Mobile Switching Center (MSC), Mobility Management Entity (MME), Home Subscriber Server (HSS), Access and Mobility Management Function (AMF), Session Management Function (SMF), Authentication Server Function (AUSF), Subscription Identifier De-concealing function (SIDF), Unified Data Management (UDM), Security Edge Protection Proxy (SEPP), Network Exposure Function (NEF), and/or a User Plane Function (UPF).

As shown in Figure 15, host 1516 may be internal (e.g., a part of) or external (e.g., not part of) telecommunication network 1502. In some cases, such as when host 1516 is external, host 1516 may be under the ownership or control of a service provider other than an operator or provider of the access network 1504 and/or the telecommunication network 1502 and may be operated by the service provider or on behalf of the service provider. The host 1516 may host a variety of applications to provide one or more service. Examples of such applications include live and pre-recorded audio/video content, data collection services such as retrieving and compiling data on various ambient conditions detected by a plurality of UEs, analytics functionality, social media, functions for controlling or otherwise interacting with remote devices, functions for an alarm and surveillance center, or other functions performed by a server, agent, gateway, etc.

As a whole, the communication system 1500 of Figure 15 enables connectivity between the UEs, network nodes, and hosts. In that sense, the communication system may be configured to operate according to predefined rules or procedures, such as specific standards that include, but are not limited to: Global System for Mobile Communications (GSM); Universal Mobile Telecommunications System (UMTS); Long Term Evolution (LTE), and/or other suitable 2G, 3G, 4G, 5G standards, or any applicable future generation standard (e.g., 6G); wireless local area network (WLAN) standards, such as the Institute of Electrical and Electronics Engineers (IEEE) 802.11 standards (WiFi); and/or any other appropriate wireless communication standard, such as the Worldwide Interoperability for Microwave Access (WiMax), Bluetooth, Z-Wave, Near Field Communication (NFC) ZigBee, LiFi, and/or any low-power wide-area network (LPWAN) standards such as LoRa and Sigfox.

In some examples, the telecommunication network 1502 implements 3GPP standardized features. Accordingly, the telecommunications network 1502 may support network slicing to provide different logical networks to different devices that are connected to the telecommunication network 1502. For example, the telecommunications network 1502 may provide Ultra Reliable Low Latency Communication (URLLC) services to some UEs, while providing Enhanced Mobile Broadband (eMBB) services to other UEs, and/or Massive Machine Type Communication (mMTC)/Massive IoT services to yet further UEs.

In some examples, the UEs 1512 are configured to transmit and/or receive information without direct human interaction. For instance, a UE may be designed to transmit information to the access network 1504 on a predetermined schedule, when triggered by an internal or external event, or in response to requests from the access network 1504. Additionally, a UE may be configured for operating in single- or multi-RAT or multi-standard mode. For example, a UE may operate with any one or combination of Wi-Fi, NR (New Radio) and LTE, i.e., being configured for multi-radio dual connectivity (MR-DC), such as E-UTRAN (Evolved-UMTS Terrestrial Radio Access Network) New Radio - Dual Connectivity (EN-DC).

In the example, the hub 1514 communicates with the access network 1504 to facilitate indirect communication between one or more UEs (e.g., UE 1512c and/or 1512d) and network nodes (e.g., network node 1510b). In some examples, the hub 1514 may be a controller, router, content source and analytics, or any of the other communication devices described herein regarding UEs. For example, the hub 1514 may be a broadband router enabling access to the core network 1506 for the UEs. As another example, the hub 1514 may be a controller that sends commands or instructions to one or more actuators in the UEs. Commands or instructions may be received from the UEs, network nodes 1510, or by executable code, script, process, or other instructions in the hub 1514. As another example, the hub 1514 may be a data collector that acts as temporary storage for UE data and, in some embodiments, may perform analysis or other processing of the data. As another example, the hub 1514 may be a content source. For example, for a UE that is a VR headset, display, loudspeaker or other media delivery device, the hub 1514 may retrieve VR assets, video, audio, or other media or data related to sensory information via a network node, which the hub 1514 then provides to the UE either directly, after performing local processing, and/or after adding additional local content. In still another example, the hub 1514 acts as a proxy server or orchestrator for the UEs, in particular if one or more of the UEs are low energy IoT devices.

The hub 1514 may have a constant/persistent or intermittent connection to the network node 1510b. The hub 1514 may also allow for a different communication scheme and/or schedule between the hub 1514 and UEs (e.g., UE 1512c and/or 1512d), and between the hub 1514 and the core network 1506. In other examples, the hub 1514 is connected to the core network 1506 and/or one or more UEs via a wired connection. Moreover, the hub 1514 may be configured to connect to an M2M service provider over the access network 1504 and/or to another UE over a direct connection. In some scenarios, UEs may establish a wireless connection with the network nodes 1510 while still connected via the hub 1514 via a wired or wireless connection. In some embodiments, the hub 1514 may be a dedicated hub - that is, a hub whose primary function is to route communications to/from the UEs from/to the network node 1510b. In other embodiments, the hub 1514 may be a non-dedicated hub - that is, a device which is capable of operating to route communications between the UEs and network node 1510b, but which is additionally capable of operating as a communication start and/or end point for certain data channels.

Figure 16 shows a UE 1600 in accordance with some embodiments. As used herein, a UE refers to a device capable, configured, arranged and/or operable to communicate wirelessly with network nodes and/or other UEs. Examples of a UE include, but are not limited to, a smart phone, mobile phone, cell phone, voice over IP (VoIP) phone, wireless local loop phone, desktop computer, personal digital assistant (PDA), wireless cameras, gaming console or device, music storage device, playback appliance, wearable terminal device, wireless endpoint, mobile station, tablet, laptop, laptop-embedded equipment (LEE), laptop-mounted equipment (LME), smart device, wireless customer-premise equipment (CPE), vehicle-mounted or vehicle embedded/integrated wireless device, etc. Other examples include any UE identified by the 3GPP, including a narrow band internet of things (NB-IoT) UE, a machine type communication (MTC) UE, and/or an enhanced MTC (eMTC) UE.

A UE may support device-to-device (D2D) communication, for example by implementing a 3GPP standard for sidelink communication, Dedicated Short-Range Communication (DSRC), vehicle-to-vehicle (V2V), vehicle-to-infrastructure (V2I), or vehicle-to-everything (V2X). In other examples, a UE may not necessarily have a user in the sense of a human user who owns and/or operates the relevant device. Instead, a UE may represent a device that is intended for sale to, or operation by, a human user but which may not, or which may not initially, be associated with a specific human user (e.g., a smart sprinkler controller). Alternatively, a UE may represent a device that is not intended for sale to, or operation by, an end user but which may be associated with or operated for the benefit of a user (e.g., a smart power meter).

The UE 1600 includes processing circuitry 1602 that is operatively coupled via a bus 1604 to an input/output interface 1606, a power source 1608, a memory 1610, a communication interface 1612, and/or any other component, or any combination thereof. Certain UEs may utilize all or a subset of the components shown in Figure 16. The level of integration between the components may vary from one UE to another UE. Further, certain UEs may contain multiple instances of a component, such as multiple processors, memories, transceivers, transmitters, receivers, etc.

The processing circuitry 1602 is configured to process instructions and data and may be configured to implement any sequential state machine operative to execute instructions stored as machine-readable computer programs in the memory 1610. The processing circuitry 1602 may be implemented as one or more hardware-implemented state machines (e.g., in discrete logic, field-programmable gate arrays (FPGAs), application specific integrated circuits (ASICs), etc.); programmable logic together with appropriate firmware; one or more stored computer programs, general-purpose processors, such as a microprocessor or digital signal processor (DSP), together with appropriate software; or any combination of the above. For example, the processing circuitry 1602 may include multiple central processing units (CPUs).

In the example, the input/output interface 1606 may be configured to provide an interface or interfaces to an input device, output device, or one or more input and/or output devices. Examples of an output device include a speaker, a sound card, a video card, a display, a monitor, a printer, an actuator, an emitter, a smartcard, another output device, or any combination thereof. An input device may allow a user to capture information into the UE 1600. Examples of an input device include a touch-sensitive or presence-sensitive display, a camera (e.g., a digital camera, a digital video camera, a web camera, etc.), a microphone, a sensor, a mouse, a trackball, a directional pad, a trackpad, a scroll wheel, a smartcard, and the like. The presence-sensitive display may include a capacitive or resistive touch sensor to sense input from a user. A sensor may be, for instance, an accelerometer, a gyroscope, a tilt sensor, a force sensor, a magnetometer, an optical sensor, a proximity sensor, a biometric sensor, etc., or any combination thereof. An output device may use the same type of interface port as an input device. For example, a Universal Serial Bus (USB) port may be used to provide an input device and an output device.

In some embodiments, the power source 1608 is structured as a battery or battery pack. Other types of power sources, such as an external power source (e.g., an electricity outlet), photovoltaic device, or power cell, may be used. The power source 1608 may further include power circuitry for delivering power from the power source 1608 itself, and/or an external power source, to the various parts of the UE 1600 via input circuitry or an interface such as an electrical power cable. Delivering power may be, for example, for charging of the power source 1608. Power circuitry may perform any formatting, converting, or other modification to the power from the power source 1608 to make the power suitable for the respective components of the UE 1600 to which power is supplied.

The memory 1610 may be or be configured to include memory such as random-access memory (RAM), read-only memory (ROM), programmable read-only memory (PROM), erasable programmable read-only memory (EPROM), electrically erasable programmable read-only memory (EEPROM), magnetic disks, optical disks, hard disks, removable cartridges, flash drives, and so forth. In one example, the memory 1610 includes one or more application programs 1614, such as an operating system, web browser application, a widget, gadget engine, or other application, and corresponding data 1616. The memory 1610 may store, for use by the UE 1600, any of a variety of various operating systems or combinations of operating systems.

The memory 1610 may be configured to include a number of physical drive units, such as redundant array of independent disks (RAID), flash memory, USB flash drive, external hard disk drive, thumb drive, pen drive, key drive, high-density digital versatile disc (HD-DVD) optical disc drive, internal hard disk drive, Blu-Ray optical disc drive, holographic digital data storage (HDDS) optical disc drive, external mini-dual in-line memory module (DIMM), synchronous dynamic random access memory (SDRAM), external micro-DIMM SDRAM, smartcard memory such as tamper resistant module in the form of a universal integrated circuit card (UICC) including one or more subscriber identity modules (SIMs), such as a USIM and/or ISIM, other memory, or any combination thereof. The UICC may for example be an embedded UICC (eUICC), integrated UICC (iUICC) or a removable UICC commonly known as ‘SIM card.’ The memory 1610 may allow the UE 1600 to access instructions, application programs and the like, stored on transitory or non-transitory memory media, to off-load data, or to upload data. An article of manufacture, such as one utilizing a communication system may be tangibly embodied as or in the memory 1610, which may be or comprise a device-readable storage medium.

The processing circuitry 1602 may be configured to communicate with an access network or other network using the communication interface 1612. The communication interface 1612 may comprise one or more communication subsystems and may include or be communicatively coupled to an antenna 1622. The communication interface 1612 may include one or more transceivers used to communicate, such as by communicating with one or more remote transceivers of another device capable of wireless communication (e.g., another UE or a network node in an access network). Each transceiver may include a transmitter 1618 and/or a receiver 1620 appropriate to provide network communications (e.g., optical, electrical, frequency allocations, and so forth). Moreover, the transmitter 1618 and receiver 1620 may be coupled to one or more antennas (e.g., antenna 1622) and may share circuit components, software or firmware, or alternatively be implemented separately.

In the illustrated embodiment, communication functions of the communication interface 1612 may include cellular communication, Wi-Fi communication, LPWAN communication, data communication, voice communication, multimedia communication, short-range communications such as Bluetooth, near-field communication, location-based communication such as the use of the global positioning system (GPS) to determine a location, another like communication function, or any combination thereof. Communications may be implemented in accordance with one or more communication protocols and/or standards, such as IEEE 802.11, Code Division Multiple Access (CDMA), Wideband Code Division Multiple Access (WCDMA), GSM, LTE, New Radio (NR), UMTS, WiMax, Ethernet, transmission control protocol/internet protocol (TCP/IP), synchronous optical networking (SONET), Asynchronous Transfer Mode (ATM), QUIC, Hypertext Transfer Protocol (HTTP), and so forth. Regardless of the type of sensor, a UE may provide an output of data captured by its sensors, through its communication interface 1612, via a wireless connection to a network node. Data captured by sensors of a UE can be communicated through a wireless connection to a network node via another UE. The output may be periodic (e.g., once every 15 minutes if it reports the sensed temperature), random (e.g., to even out the load from reporting from several sensors), in response to a triggering event (e.g., an alert is sent when moisture is detected), in response to a request (e.g., a user-initiated request), or a continuous stream (e.g., a live video feed of a patient).

As another example, a UE comprises an actuator, a motor, or a switch, related to a communication interface configured to receive wireless input from a network node via a wireless connection. In response to the received wireless input the states of the actuator, the motor, or the switch may change. For example, the UE may comprise a motor that adjusts the control surfaces or rotors of a drone in flight according to the received input or to a robotic arm performing a medical procedure according to the received input.

A UE, when in the form of an Internet of Things (IoT) device, may be a device for use in one or more application domains, these domains comprising, but not limited to, city wearable technology, extended industrial application and healthcare. Non-limiting examples of such an IoT device are a device which is or which is embedded in: a connected refrigerator or freezer, a TV, a connected lighting device, an electricity meter, a robot vacuum cleaner, a voice controlled smart speaker, a home security camera, a motion detector, a thermostat, a smoke detector, a door/window sensor, a flood/moisture sensor, an electrical door lock, a connected doorbell, an air conditioning system like a heat pump, an autonomous vehicle, a surveillance system, a weather monitoring device, a vehicle parking monitoring device, an electric vehicle charging station, a smart watch, a fitness tracker, a head-mounted display for Augmented Reality (AR) or Virtual Reality (VR), a wearable for tactile augmentation or sensory enhancement, a water sprinkler, an animal- or item-tracking device, a sensor for monitoring a plant or animal, an industrial robot, an Unmanned Aerial Vehicle (UAV), and any kind of medical device, like a heart rate monitor or a remote controlled surgical robot. A UE in the form of an IoT device comprises circuitry and/or software depending on the intended application of the IoT device, in addition to other components as described in relation to the UE 1600 shown in Figure 16.

As yet another specific example, in an IoT scenario, a UE may represent a machine or other device that performs monitoring and/or measurements and transmits the results of such monitoring and/or measurements to another UE and/or a network node. The UE may in this case be an M2M device, which may in a 3GPP context be referred to as an MTC device. As one particular example, the UE may implement the 3GPP NB-IoT standard. In other scenarios, a UE may represent a vehicle, such as a car, a bus, a truck, a ship or an airplane, or other equipment that is capable of monitoring and/or reporting on its operational status or other functions associated with its operation.

In practice, any number of UEs may be used together with respect to a single use case. For example, a first UE might be or be integrated in a drone and provide the drone’s speed information (obtained through a speed sensor) to a second UE that is a remote controller operating the drone. When the user makes changes from the remote controller, the first UE may adjust the throttle on the drone (e.g., by controlling an actuator) to increase or decrease the drone’s speed. The first and/or the second UE can also include more than one of the functionalities described above. For example, a UE might comprise the sensor and the actuator, and handle communication of data for both the speed sensor and the actuators.

In some embodiments, UE 1600 can be configured to perform various operations described above as being performed by a secure client. Put differently, various embodiments of UE 1600 can provide functionality of the secure client described above in relation to other figures.

Figure 17 shows a network node 1700 in accordance with some embodiments. As used herein, network node refers to equipment capable, configured, arranged and/or operable to communicate directly or indirectly with a UE and/or with other network nodes or equipment, in a telecommunication network. Examples of network nodes include, but are not limited to, access points (APs) (e.g., radio access points), base stations (BSs) (e.g., radio base stations, Node Bs, evolved Node Bs (eNBs) and NR NodeBs (gNBs)).

Base stations may be categorized based on the amount of coverage they provide (or, stated differently, their transmit power level) and so, depending on the provided amount of coverage, may be referred to as femto base stations, pico base stations, micro base stations, or macro base stations. A base station may be a relay node or a relay donor node controlling a relay. A network node may also include one or more (or all) parts of a distributed radio base station such as centralized digital units and/or remote radio units (RRUs), sometimes referred to as Remote Radio Heads (RRHs). Such remote radio units may or may not be integrated with an antenna as an antenna integrated radio. Parts of a distributed radio base station may also be referred to as nodes in a distributed antenna system (DAS).

Other examples of network nodes include multiple transmission point (multi-TRP) 5G access nodes, multi-standard radio (MSR) equipment such as MSR BSs, network controllers such as radio network controllers (RNCs) or base station controllers (BSCs), base transceiver stations (BTSs), transmission points, transmission nodes, multi-cell/multicast coordination entities (MCEs), Operation and Maintenance (O&M) nodes, Operations Support System (OSS) nodes, Self-Organizing Network (SON) nodes, positioning nodes (e.g., Evolved Serving Mobile Location Centers (E-SMLCs)), and/or Minimization of Drive Tests (MDTs). The network node 1700 includes a processing circuitry 1702, a memory 1704, a communication interface 1706, and a power source 1708. The network node 1700 may be composed of multiple physically separate components (e.g., a NodeB component and an RNC component, or a BTS component and a BSC component, etc.), which may each have their own respective components. In certain scenarios in which the network node 1700 comprises multiple separate components (e.g., BTS and BSC components), one or more of the separate components may be shared among several network nodes. For example, a single RNC may control multiple NodeBs. In such a scenario, each unique NodeB and RNC pair may in some instances be considered a single separate network node. In some embodiments, the network node 1700 may be configured to support multiple radio access technologies (RATs). In such embodiments, some components may be duplicated (e.g., separate memory 1704 for different RATs) and some components may be reused (e.g., a same antenna 1710 may be shared by different RATs). The network node 1700 may also include multiple sets of the various illustrated components for different wireless technologies integrated into network node 1700, for example GSM, WCDMA, LTE, NR, WiFi, Zigbee, Z-wave, LoRaWAN, Radio Frequency Identification (RFID) or Bluetooth wireless technologies. These wireless technologies may be integrated into the same or different chip or set of chips and other components within network node 1700.

The processing circuitry 1702 may comprise a combination of one or more of a microprocessor, controller, microcontroller, central processing unit, digital signal processor, application-specific integrated circuit, field programmable gate array, or any other suitable computing device, resource, or combination of hardware, software and/or encoded logic operable to provide, either alone or in conjunction with other network node 1700 components such as the memory 1704, network node 1700 functionality.

In some embodiments, the processing circuitry 1702 includes a system on a chip (SOC). In some embodiments, the processing circuitry 1702 includes one or more of radio frequency (RF) transceiver circuitry 1712 and baseband processing circuitry 1714. In some embodiments, the radio frequency (RF) transceiver circuitry 1712 and the baseband processing circuitry 1714 may be on separate chips (or sets of chips), boards, or units, such as radio units and digital units. In alternative embodiments, part or all of RF transceiver circuitry 1712 and baseband processing circuitry 1714 may be on the same chip or set of chips, boards, or units.

The memory 1704 may comprise any form of volatile or non-volatile computer-readable memory including, without limitation, persistent storage, solid-state memory, remotely mounted memory, magnetic media, optical media, random access memory (RAM), read-only memory (ROM), mass storage media (for example, a hard disk), removable storage media (for example, a flash drive, a Compact Disk (CD) or a Digital Video Disk (DVD)), and/or any other volatile or non-volatile, non-transitory device-readable and/or computer-executable memory devices that store information, data, and/or instructions that may be used by the processing circuitry 1702. The memory 1704 may store any suitable instructions, data, or information, including a computer program, software, an application including one or more of logic, rules, code, tables, and/or other instructions capable of being executed by the processing circuitry 1702 and utilized by the network node 1700. The memory 1704 may be used to store any calculations made by the processing circuitry 1702 and/or any data received via the communication interface 1706. In some embodiments, the processing circuitry 1702 and memory 1704 are integrated.

The communication interface 1706 is used in wired or wireless communication of signaling and/or data between a network node, access network, and/or UE. As illustrated, the communication interface 1706 comprises port(s)/terminal(s) 1716 to send and receive data, for example to and from a network over a wired connection. The communication interface 1706 also includes radio front-end circuitry 1718 that may be coupled to, or in certain embodiments a part of, the antenna 1710. Radio front-end circuitry 1718 comprises filters 1720 and amplifiers 1722. The radio front-end circuitry 1718 may be connected to an antenna 1710 and processing circuitry 1702. The radio front-end circuitry may be configured to condition signals communicated between antenna 1710 and processing circuitry 1702. The radio front-end circuitry 1718 may receive digital data that is to be sent out to other network nodes or UEs via a wireless connection. The radio frontend circuitry 1718 may convert the digital data into a radio signal having the appropriate channel and bandwidth parameters using a combination of filters 1720 and/or amplifiers 1722. The radio signal may then be transmitted via the antenna 1710. Similarly, when receiving data, the antenna 1710 may collect radio signals which are then converted into digital data by the radio front-end circuitry 1718. The digital data may be passed to the processing circuitry 1702. In other embodiments, the communication interface may comprise different components and/or different combinations of components.

In certain alternative embodiments, the network node 1700 does not include separate radio front-end circuitry 1718; instead, the processing circuitry 1702 includes radio front-end circuitry and is connected to the antenna 1710. Similarly, in some embodiments, all or some of the RF transceiver circuitry 1712 is part of the communication interface 1706. In still other embodiments, the communication interface 1706 includes one or more ports or terminals 1716, the radio front-end circuitry 1718, and the RF transceiver circuitry 1712, as part of a radio unit (not shown), and the communication interface 1706 communicates with the baseband processing circuitry 1714, which is part of a digital unit (not shown).

The antenna 1710 may include one or more antennas, or antenna arrays, configured to send and/or receive wireless signals. The antenna 1710 may be coupled to the radio front-end circuitry 1718 and may be any type of antenna capable of transmitting and receiving data and/or signals wirelessly. In certain embodiments, the antenna 1710 is separate from the network node 1700 and connectable to the network node 1700 through an interface or port.

The antenna 1710, communication interface 1706, and/or the processing circuitry 1702 may be configured to perform any receiving operations and/or certain obtaining operations described herein as being performed by the network node. Any information, data and/or signals may be received from a UE, another network node and/or any other network equipment. Similarly, the antenna 1710, the communication interface 1706, and/or the processing circuitry 1702 may be configured to perform any transmitting operations described herein as being performed by the network node. Any information, data and/or signals may be transmitted to a UE, another network node and/or any other network equipment.

The power source 1708 provides power to the various components of network node 1700 in a form suitable for the respective components (e.g., at a voltage and current level needed for each respective component). The power source 1708 may further comprise, or be coupled to, power management circuitry to supply the components of the network node 1700 with power for performing the functionality described herein. For example, the network node 1700 may be connectable to an external power source (e.g., the power grid, an electricity outlet) via an input circuitry or interface such as an electrical cable, whereby the external power source supplies power to power circuitry of the power source 1708. As a further example, the power source 1708 may comprise a source of power in the form of a battery or battery pack which is connected to, or integrated in, power circuitry. The battery may provide backup power should the external power source fail.

Embodiments of the network node 1700 may include additional components beyond those shown in Figure 17 for providing certain aspects of the network node’s functionality, including any of the functionality described herein and/or any functionality necessary to support the subject matter described herein. For example, the network node 1700 may include user interface equipment to allow input of information into the network node 1700 and to allow output of information from the network node 1700. This may allow a user to perform diagnostic, maintenance, repair, and other administrative functions for the network node 1700.

Figure 18 is a block diagram of a host 1800, which may be an embodiment of the host 1516 of Figure 15, in accordance with various aspects described herein. As used herein, the host 1800 may be or comprise various combinations of hardware and/or software, including a standalone server, a blade server, a cloud-implemented server, a distributed server, a virtual machine, container, or processing resources in a server farm. The host 1800 may provide one or more services to one or more UEs. The host 1800 includes processing circuitry 1802 that is operatively coupled via a bus 1804 to an input/output interface 1806, a network interface 1808, a power source 1810, and a memory 1812. Other components may be included in other embodiments. Features of these components may be substantially similar to those described with respect to the devices of previous figures, such as Figures 16 and 17, such that the descriptions thereof are generally applicable to the corresponding components of host 1800.

The memory 1812 may include one or more computer programs including one or more host application programs 1814 and data 1816, which may include user data, e.g., data generated by a UE for the host 1800 or data generated by the host 1800 for a UE. Embodiments of the host 1800 may utilize only a subset or all of the components shown. The host application programs 1814 may be implemented in a container-based architecture and may provide support for video codecs (e.g., Versatile Video Coding (VVC), High Efficiency Video Coding (HEVC), Advanced Video Coding (AVC), MPEG, VP9) and audio codecs (e.g., FLAC, Advanced Audio Coding (AAC), MPEG, G.711), including transcoding for multiple different classes, types, or implementations of UEs (e.g., handsets, desktop computers, wearable display systems, heads-up display systems). The host application programs 1814 may also provide for user authentication and licensing checks and may periodically report health, routes, and content availability to a central node, such as a device in or on the edge of a core network. Accordingly, the host 1800 may select and/or indicate a different host for over-the-top services for a UE. The host application programs 1814 may support various protocols, such as the HTTP Live Streaming (HLS) protocol, Real-Time Messaging Protocol (RTMP), Real-Time Streaming Protocol (RTSP), Dynamic Adaptive Streaming over HTTP (MPEG-DASH), etc.

In some embodiments, host 1800 can be configured to perform various operations described above as being performed by a customer-domain agent or by a vendor-domain gateway. Put differently, various embodiments of host 1800 can provide functionality of the customer-domain agent or the vendor-domain gateway described above in relation to other figures.

Figure 19 is a block diagram illustrating a virtualization environment 1900 in which functions implemented by some embodiments may be virtualized. In the present context, virtualizing means creating virtual versions of apparatuses or devices which may include virtualizing hardware platforms, storage devices and networking resources. As used herein, virtualization can be applied to any device described herein, or components thereof, and relates to an implementation in which at least a portion of the functionality is implemented as one or more virtual components. Some or all of the functions described herein may be implemented as virtual components executed by one or more virtual machines (VMs) implemented in one or more virtual environments 1900 hosted by one or more of hardware nodes, such as a hardware computing device that operates as a network node, UE, core network node, or host. Further, in embodiments in which the virtual node does not require radio connectivity (e.g., a core network node or host), then the node may be entirely virtualized.

Applications 1902 (which may alternatively be called software instances, virtual appliances, network functions, virtual nodes, virtual network functions, etc.) are run in the virtualization environment 1900 to implement some of the features, functions, and/or benefits of some of the embodiments disclosed herein. For example, functionality of the customer-domain agent and the vendor-domain gateway, described above in relation to other figures, can be implemented as software instances, virtual appliances, etc. in virtualization environment 1900.

Hardware 1904 includes processing circuitry, memory that stores software and/or instructions executable by hardware processing circuitry, and/or other hardware devices as described herein, such as a network interface, input/output interface, and so forth. Software may be executed by the processing circuitry to instantiate one or more virtualization layers 1906 (also referred to as hypervisors or virtual machine monitors (VMMs)), provide VMs 1908a and 1908b (one or more of which may be generally referred to as VMs 1908), and/or perform any of the functions, features and/or benefits described in relation with some embodiments described herein. The virtualization layer 1906 may present a virtual operating platform that appears like networking hardware to the VMs 1908.

The VMs 1908 comprise virtual processing, virtual memory, virtual networking or interface and virtual storage, and may be run by a corresponding virtualization layer 1906. Different embodiments of the instance of a virtual appliance 1902 may be implemented on one or more of VMs 1908, and the implementations may be made in different ways. Virtualization of the hardware is in some contexts referred to as network function virtualization (NFV). NFV may be used to consolidate many network equipment types onto industry standard high volume server hardware, physical switches, and physical storage, which can be located in data centers, and customer premise equipment.

In the context of NFV, a VM 1908 may be a software implementation of a physical machine that runs programs as if they were executing on a physical, non-virtualized machine. Each of the VMs 1908, together with that part of hardware 1904 that executes that VM, be it hardware dedicated to that VM and/or hardware shared by that VM with others of the VMs, forms a separate virtual network element. Still in the context of NFV, a virtual network function is responsible for handling specific network functions that run in one or more VMs 1908 on top of the hardware 1904 and corresponds to the application 1902.

Hardware 1904 may be implemented in a standalone network node with generic or specific components. Hardware 1904 may implement some functions via virtualization. Alternatively, hardware 1904 may be part of a larger cluster of hardware (e.g., such as in a data center or CPE) where many hardware nodes work together and are managed via management and orchestration 1910, which, among others, oversees lifecycle management of applications 1902. In some embodiments, hardware 1904 is coupled to one or more radio units that each include one or more transmitters and one or more receivers that may be coupled to one or more antennas. Radio units may communicate directly with other hardware nodes via one or more appropriate network interfaces and may be used in combination with the virtual components to provide a virtual node with radio capabilities, such as a radio access node or a base station. In some embodiments, some signaling can be provided with the use of a control system 1912 which may alternatively be used for communication between hardware nodes and radio units.

Figure 20 shows a communication diagram of a host 2002 communicating via a network node 2004 with a UE 2006 over a partially wireless connection in accordance with some embodiments. Example implementations, in accordance with various embodiments, of the UE (such as a UE 1512a of Figure 15 and/or UE 1600 of Figure 16), network node (such as network node 1510a of Figure 15 and/or network node 1700 of Figure 17), and host (such as host 1516 of Figure 15 and/or host 1800 of Figure 18) discussed in the preceding paragraphs will now be described with reference to Figure 20.

Like host 1800, embodiments of host 2002 include hardware, such as a communication interface, processing circuitry, and memory. The host 2002 also includes software, which is stored in or accessible by the host 2002 and executable by the processing circuitry. The software includes a host application that may be operable to provide a service to a remote user, such as the UE 2006 connecting via an over-the-top (OTT) connection 2050 extending between the UE 2006 and host 2002. In providing the service to the remote user, a host application may provide user data which is transmitted using the OTT connection 2050.

The network node 2004 includes hardware enabling it to communicate with the host 2002 and UE 2006. The connection 2060 may be direct or pass through a core network (like core network 1506 of Figure 15) and/or one or more other intermediate networks, such as one or more public, private, or hosted networks. For example, an intermediate network may be a backbone network or the Internet.

The UE 2006 includes hardware and software, which is stored in or accessible by UE 2006 and executable by the UE’s processing circuitry. The software includes a client application, such as a web browser or operator-specific “app” that may be operable to provide a service to a human or non-human user via UE 2006 with the support of the host 2002. In the host 2002, an executing host application may communicate with the executing client application via the OTT connection 2050 terminating at the UE 2006 and host 2002. In providing the service to the user, the UE's client application may receive request data from the host's host application and provide user data in response to the request data. The OTT connection 2050 may transfer both the request data and the user data. The UE's client application may interact with the user to generate the user data that it provides to the host application through the OTT connection 2050.

The OTT connection 2050 may extend via a connection 2060 between the host 2002 and the network node 2004 and via a wireless connection 2070 between the network node 2004 and the UE 2006 to provide the connection between the host 2002 and the UE 2006. The connection 2060 and wireless connection 2070, over which the OTT connection 2050 may be provided, have been drawn abstractly to illustrate the communication between the host 2002 and the UE 2006 via the network node 2004, without explicit reference to any intermediary devices and the precise routing of messages via these devices.

As an example of transmitting data via the OTT connection 2050, in step 2008, the host 2002 provides user data, which may be performed by executing a host application. In some embodiments, the user data is associated with a particular human user interacting with the UE 2006. In other embodiments, the user data is associated with a UE 2006 that shares data with the host 2002 without explicit human interaction. In step 2010, the host 2002 initiates a transmission carrying the user data towards the UE 2006. The host 2002 may initiate the transmission responsive to a request transmitted by the UE 2006. The request may be caused by human interaction with the UE 2006 or by operation of the client application executing on the UE 2006. The transmission may pass via the network node 2004, in accordance with the teachings of the embodiments described throughout this disclosure. Accordingly, in step 2012, the network node 2004 transmits to the UE 2006 the user data that was carried in the transmission that the host 2002 initiated, in accordance with the teachings of the embodiments described throughout this disclosure. In step 2014, the UE 2006 receives the user data carried in the transmission, which may be performed by a client application executed on the UE 2006 associated with the host application executed by the host 2002.

In some examples, the UE 2006 executes a client application which provides user data to the host 2002. The user data may be provided in reaction or response to the data received from the host 2002. Accordingly, in step 2016, the UE 2006 may provide user data, which may be performed by executing the client application. In providing the user data, the client application may further consider user input received from the user via an input/output interface of the UE 2006. Regardless of the specific manner in which the user data was provided, the UE 2006 initiates, in step 2018, transmission of the user data towards the host 2002 via the network node 2004. In step 2020, in accordance with the teachings of the embodiments described throughout this disclosure, the network node 2004 receives user data from the UE 2006 and initiates transmission of the received user data towards the host 2002. In step 2022, the host 2002 receives the user data carried in the transmission initiated by the UE 2006.

One or more of the various embodiments improve the performance of OTT services provided to the UE 2006 using the OTT connection 2050, in which the wireless connection 2070 forms the last segment. More precisely, embodiments can enable data scientists to train AI/ML models or perform other related activities without having full, unconditional access to raw data associated with a communication network (e.g., 5G network). Moreover, when raw data is conditionally shared with a data scientist, there is a trusted audit trail that records all these accesses along with their associated reasons. Embodiments also promote reuse and facilitate upskilling of data scientists or non-data scientists across organizations. Humans are not required to write AI/ML models to test them on real data; ML can generate the models and apply them to data sets while setting a few difficult or tricky parameters. In this manner, embodiments facilitate deployment of AI/ML solutions in communication networks, which can improve network performance. Such improved network performance can increase the value of OTT services delivered via the network to both service providers and end users.

In an example scenario, factory status information may be collected and analyzed by the host 2002. As another example, the host 2002 may process audio and video data which may have been retrieved from a UE for use in creating maps. As another example, the host 2002 may collect and analyze real-time data to assist in controlling vehicle congestion (e.g., controlling traffic lights). As another example, the host 2002 may store surveillance video uploaded by a UE. As another example, the host 2002 may store or control access to media content such as video, audio, VR or AR which it can broadcast, multicast or unicast to UEs. As other examples, the host 2002 may be used for energy pricing, remote control of non-time critical electrical load to balance power generation needs, location services, presentation services (such as compiling diagrams etc. from data collected from remote devices), or any other function of collecting, retrieving, storing, analyzing and/or transmitting data.

In some examples, a measurement procedure may be provided for the purpose of monitoring data rate, latency and other factors on which the one or more embodiments improve. There may further be an optional network functionality for reconfiguring the OTT connection 2050 between the host 2002 and UE 2006, in response to variations in the measurement results. The measurement procedure and/or the network functionality for reconfiguring the OTT connection may be implemented in software and hardware of the host 2002 and/or UE 2006. In some embodiments, sensors (not shown) may be deployed in or in association with other devices through which the OTT connection 2050 passes; the sensors may participate in the measurement procedure by supplying values of the monitored quantities exemplified above or by supplying values of other physical quantities from which software may compute or estimate the monitored quantities. The reconfiguring of the OTT connection 2050 may include message format, retransmission settings, preferred routing etc.; the reconfiguring need not directly alter the operation of the network node 2004. Such procedures and functionalities may be known and practiced in the art. In certain embodiments, measurements may involve proprietary UE signaling that facilitates measurements of throughput, propagation times, latency and the like, by the host 2002. The measurements may be implemented in that software causes messages to be transmitted, in particular empty or ‘dummy’ messages, using the OTT connection 2050 while monitoring propagation times, errors, etc.

As described herein, device and/or apparatus can be represented by a semiconductor chip, a chipset, or a (hardware) module comprising such chip or chipset; this, however, does not exclude the possibility that a functionality of a device or apparatus, instead of being hardware implemented, be implemented as a software module such as a computer program or a computer program product comprising executable software code portions for execution or being run on a processor. Furthermore, functionality of a device or apparatus can be implemented by any combination of hardware and software. A device or apparatus can also be regarded as an assembly of multiple devices and/or apparatuses, whether functionally in cooperation with or independently of each other. Moreover, devices and apparatuses can be implemented in a distributed fashion throughout a system, so long as the functionality of the device or apparatus is preserved. Such and similar principles are considered as known to a skilled person.

Furthermore, functions described herein as being performed by a wireless device or a network node may be distributed over a plurality of wireless devices and/or network nodes. In other words, it is contemplated that the functions of the network node and wireless device described herein are not limited to performance by a single physical device and, in fact, can be distributed among several physical devices.

Unless otherwise defined, all terms (including technical and scientific terms) used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this disclosure belongs. It will be further understood that terms used herein should be interpreted as having a meaning that is consistent with their meaning in the context of this specification and the relevant art and will not be interpreted in an idealized or overly formal sense unless expressly so defined herein.

In addition, certain terms used in the present disclosure, including the specification, drawings and exemplary embodiments thereof, can be used synonymously in certain instances, including, but not limited to, e.g., data and information. It should be understood that, while these words and/or other words that can be synonymous to one another, can be used synonymously herein, that there can be instances when such words can be intended to not be used synonymously. Further, to the extent that the prior art knowledge has not been explicitly incorporated by reference herein above, it is explicitly incorporated herein in its entirety. All publications referenced are incorporated herein by reference in their entireties.

The foregoing merely illustrates the principles of the disclosure. Various modifications and alterations to the described embodiments will be apparent to those skilled in the art in view of the teachings herein. It will thus be appreciated that those skilled in the art will be able to devise numerous systems, arrangements, and procedures that, although not explicitly shown or described herein, embody the principles of the disclosure and can be thus within the spirit and scope of the disclosure. Various exemplary embodiments can be used together with one another, as well as interchangeably therewith, as should be understood by those having ordinary skill in the art.

Example embodiments of the techniques and apparatus described herein include, but are not limited to, the following enumerated embodiments:

A1. A method for a customer-domain agent to manage access to resources in the customer domain of a communication network, the method comprising: registering one or more of the following resources with a gateway in a vendor domain: one or more datasets available in the customer domain, and computing resources available in the customer domain; and subsequently receiving, from the vendor-domain gateway, one or more of the following: a first request for the customer domain to perform a computing job based on registered resources, according to a default mode of operation; and a second request to provide at least a portion of a registered dataset to a user via the vendor-domain gateway, according to an exception mode of operation.

A2. The method of embodiment A1, wherein in the default mode of operation, the customer-domain agent does not provide any of the registered datasets to the vendor domain.

A3. The method of any of embodiments A1-A2, further comprising: in response to the first request, causing computing infrastructure of the customer domain to perform the computing job; and sending to the vendor-domain gateway an indication of results for the computing job.

A4. The method of any of embodiments A1-A3, wherein: the first request includes a parameterized artificial intelligence/machine learning (AI/ML) model and an indication of a registered dataset; and the computing job includes training the parameterized AI/ML model using the indicated registered dataset.

A5. The method of any of embodiments A1-A4, wherein registering the one or more datasets comprises sending, to the vendor-domain gateway, metadata that is representative or descriptive of the one or more datasets to be registered.

A6. The method of any of embodiments A1-A5, wherein the second request includes a tuple comprising: an identifier of the requested data, an identifier of a user who will access the requested data, and a validity period during which the user will be allowed to access the requested data.

A7. The method of embodiment A6, further comprising: in response to the second request, determining whether the tuple matches at least one configured exception; and when the tuple matches at least one configured exception, encrypting the requested data using a key associated with the user and sending the encrypted data to the vendor-domain gateway.

A8. The method of embodiment A7, further comprising logging the match between the tuple and the at least one configured exception in a distributed trustworthy audit trail.

A9. The method of any of embodiments A1-A8, wherein the resources registered with the vendor-domain gateway also include software code that is available in the customer domain and is usable to create artificial intelligence/machine learning (AI/ML) models.

B1. A method for a vendor-domain gateway to manage user access to data and/or resources in a customer domain of a communication network, the method comprising: registering one or more of the following resources in a repository in the vendor domain: one or more datasets available in the customer domain, computing resources available in the customer domain, and software code usable to create artificial intelligence/machine learning (AI/ML) models; and subsequently sending, to a customer-domain agent, one or more of the following: a first request for the customer domain to perform a computing job based on registered customer-domain resources, according to a default mode of operation; and a second request to provide at least a portion of a registered dataset to a user via the vendor-domain gateway, according to an exception mode of operation.

B2. The method of embodiment B1, wherein in the default mode of operation, the customer-domain agent does not provide any of the registered datasets to the vendor domain.

B3. The method of any of embodiments B1-B2, wherein registering the one or more datasets comprises: receiving, from the customer-domain agent, metadata that is representative or descriptive of the one or more datasets to be registered; and storing the received metadata in the repository.

B4. The method of any of embodiments B1-B3, further comprising: receiving, from a secure client associated with the user, a request for information about available datasets, computing resources, and AI/ML models; retrieving information about the registered resources from the repository; and sending the retrieved information to the secure client in a form that can be rendered on a user interface (UI).

B4a. The method of embodiment B4, wherein the information sent to the secure client includes metadata that is representative or descriptive of one or more registered datasets.

B5. The method of any of embodiments B4-B4a, further comprising receiving from the secure client a job request that identifies a registered dataset and an AI/ML model that were indicated in the retrieved information sent to the secure client.

B6. The method of embodiment B5, wherein: the job request from the secure client also includes parameters associated with the identified AI/ML model; the first request includes the parameterized AI/ML model and an indication of the registered dataset; and the computing job includes training the parameterized AI/ML model using the indicated registered dataset.

B7. The method of any of embodiments B1-B6, further comprising in response to the first request, receiving from the customer-domain agent an indication of results for the computing job.

B8. The method of any of embodiments B1-B7, further comprising receiving, from a secure client associated with the user, a request for user access to at least a portion of a registered dataset, wherein the second request is sent in response to the request for user access.

B9. The method of embodiment B8, wherein: the request for user access includes an identifier of the requested data; and the second request includes a tuple comprising: an identifier of the requested data, an identifier of the user, and a validity period during which the user will be allowed to access the requested data.

B10. The method of embodiment B9, further comprising: based on the tuple matching at least one configured exception, receiving from the customer-domain agent the requested data encrypted based on a key associated with the user; notifying the secure client about the availability of the requested data; and providing the encrypted data to the secure client upon request.

C1. A method for a secure client, associated with a user, to access data and/or resources in a customer domain of a communication network, the method comprising: sending one or more of the following to a vendor-domain gateway: a first request for information about datasets, computing resources, and artificial intelligence/machine learning (AI/ML) models that are registered with the vendor-domain gateway, the first request being associated with a default mode of operation; and a second request for user access to at least a portion of a registered dataset, the second request being associated with an exception mode of operation; and receiving one or more of the following from the vendor-domain gateway: a first response indicating registered resources in accordance with the first request, the first response being in a form that can be rendered on a user interface (UI); and a second response notifying the secure client about the availability of the data for which user access was requested in the second request.

C2. The method of embodiment C1, wherein: the registered datasets are associated with the customer domain; and in the default mode of operation, the customer domain does not provide any registered datasets to the secure client.

C2a. The method of embodiment C2, wherein the first response includes metadata that is representative or descriptive of one or more registered datasets.

C3. The method of any of embodiments C1-C2a, further comprising: selecting a registered dataset and an AI/ML model that are among the registered resources indicated by the first response; and sending to the vendor-domain gateway a job request that identifies the registered dataset and the AI/ML model.

C4. The method of embodiment C3, wherein: the job request also includes parameters associated with the identified AI/ML model; and the requested job includes training the parameterized AI/ML model using the indicated registered dataset.

C5. The method of any of embodiments C1-C4, further comprising, based on the second response, obtaining the data from the vendor-domain gateway and decrypting the obtained data based on a key associated with the user.

C6. The method of any of embodiments C1-C5, wherein the second request for user access includes an identifier of the data for which user access is requested.

D1. A customer-domain agent configured to manage access to data and/or resources in the customer domain of a communication network, wherein: the customer-domain agent is implemented by communication interface circuitry and processing circuitry that are operably coupled; and the processing circuitry and interface circuitry are configured to perform operations corresponding to any of the methods of embodiments A1-A9.

D2. A customer-domain agent configured to manage access to data and/or resources in the customer domain of a communication network, the customer-domain agent being further configured to perform operations corresponding to any of the methods of embodiments A1-A9.

D3. A non-transitory, computer-readable medium storing computer-executable instructions that, when executed by processing circuitry associated with a customer-domain agent configured to manage access to data and/or resources in the customer domain of a communication network, configure the customer-domain agent to perform operations corresponding to any of the methods of embodiments A1-A9.

D4. A computer program product comprising computer-executable instructions that, when executed by processing circuitry associated with a customer-domain agent configured to manage access to data and/or resources in the customer domain of a communication network, configure the customer-domain agent to perform operations corresponding to any of the methods of embodiments A1-A9.

E1. A vendor-domain gateway configured to manage user access to data and/or resources in a customer domain of a communication network, wherein: the vendor-domain gateway is implemented by communication interface circuitry and processing circuitry that are operably coupled; and the processing circuitry and interface circuitry are configured to perform operations corresponding to any of the methods of embodiments B1-B10.

E2. A vendor-domain gateway configured to manage user access to data and/or resources in a customer domain of a communication network, the vendor-domain gateway being further configured to perform operations corresponding to any of the methods of embodiments B1-B10.

E3. A non-transitory, computer-readable medium storing computer-executable instructions that, when executed by processing circuitry associated with a vendor-domain gateway configured to manage user access to data and/or resources in a customer domain of a communication network, configure the vendor-domain gateway to perform operations corresponding to any of the methods of embodiments B1-B10.

E4. A computer program product comprising computer-executable instructions that, when executed by processing circuitry associated with a vendor-domain gateway configured to manage user access to data and/or resources in a customer domain of a communication network, configure the vendor-domain gateway to perform operations corresponding to any of the methods of embodiments B1-B10.

F1. A secure client configured to access data and/or resources in a customer domain of a communication network, wherein: the secure client is implemented by communication interface circuitry and processing circuitry that are operably coupled; and the processing circuitry and interface circuitry are configured to perform operations corresponding to any of the methods of embodiments C1-C5.

F2. A secure client configured to access data and/or resources in a customer domain of a communication network, the secure client being further configured to perform operations corresponding to any of the methods of embodiments C1-C5.

F3. A non-transitory, computer-readable medium storing computer-executable instructions that, when executed by processing circuitry associated with a secure client configured to access data and/or resources in a customer domain of a communication network, configure the secure client to perform operations corresponding to any of the methods of embodiments C1-C5.

F4. A computer program product comprising computer-executable instructions that, when executed by processing circuitry associated with a secure client configured to access data and/or resources in a customer domain of a communication network, configure the secure client to perform operations corresponding to any of the methods of embodiments C1-C5.
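Embodiments A6 to A8, B9 to B10 and C5 together describe the exception-mode release: the customer-domain agent checks the (dataset, user, validity period) tuple against its configured exceptions, encrypts the data under a key associated with the user so that the vendor-domain gateway only relays ciphertext, and records the match in a distributed trustworthy audit trail. The Python below is an added example, not code from the application or from its assignee; it assumes a pre-shared symmetric key per user, uses an HMAC-SHA256 counter-mode keystream as a stand-in for a real cipher, uses a hash-chained in-memory log as a stand-in for the distributed trail, and constructs its sample KPI dataset and exception inline.

```python
import hashlib, hmac, json, os
from dataclasses import dataclass, field
from datetime import datetime, timezone

@dataclass(frozen=True)
class ExceptionRule:
    """Configured exception: which user may receive which registered dataset, and when."""
    dataset_id: str
    user_id: str
    not_before: datetime
    not_after: datetime

@dataclass
class AuditTrail:
    """Hash-chained append-only log: a single-node stand-in for the distributed audit trail."""
    entries: list = field(default_factory=list)

    def _digest(self, prev, record):
        body = json.dumps(record, sort_keys=True, default=str)
        return hashlib.sha256((prev + body).encode()).hexdigest()

    def append(self, record):
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        self.entries.append({"prev": prev, "record": record, "hash": self._digest(prev, record)})

    def verify(self):
        """Recompute the chain; an edited or removed entry breaks it."""
        prev = "0" * 64
        for entry in self.entries:
            if entry["prev"] != prev or self._digest(prev, entry["record"]) != entry["hash"]:
                return False
            prev = entry["hash"]
        return True

def keystream_xor(key, nonce, data):
    """HMAC-SHA256 in counter mode as a stand-in stream cipher (assumption: the embodiments
    name no algorithm; a deployment would use an AEAD such as AES-GCM from a real library)."""
    out = bytearray()
    for block, offset in enumerate(range(0, len(data), 32)):
        stream = hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], stream))
    return bytes(out)

class CustomerDomainAgent:
    def __init__(self, datasets, exceptions, user_keys, trail):
        self.datasets = datasets      # dataset_id -> raw bytes; never sent in default mode
        self.exceptions = exceptions  # list[ExceptionRule]
        self.user_keys = user_keys    # user_id -> per-user key (assumed pre-shared)
        self.trail = trail

    def handle_exception_request(self, dataset_id, user_id, valid_from, valid_until):
        """Second request (A6/A7): release only when the whole tuple matches an exception."""
        matched = any(r.dataset_id == dataset_id and r.user_id == user_id
                      and r.not_before <= valid_from and valid_until <= r.not_after
                      for r in self.exceptions)
        self.trail.append({"dataset": dataset_id, "user": user_id, "valid_from": valid_from,
                           "valid_until": valid_until, "outcome": "granted" if matched else "denied"})
        if not matched:  # A8 requires logging matches; denials are logged as well (added here)
            return None
        nonce = os.urandom(16)  # fresh per release; a reused nonce would expose the XOR of two plaintexts
        ciphertext = keystream_xor(self.user_keys[user_id], nonce, self.datasets[dataset_id])
        return {"nonce": nonce, "ciphertext": ciphertext}

def secure_client_decrypt(user_key, package):
    """C5: the user's secure client decrypts with its own key; the gateway only relays ciphertext."""
    return keystream_xor(user_key, package["nonce"], package["ciphertext"])

def run_example():
    """Constructed sample: one KPI dataset, one exception for 'alice' covering May 2022, two requests."""
    raw = b"cell_id,prb_util,drop_rate\n1001,0.73,0.02\n1002,0.41,0.00\n"
    may = (datetime(2022, 5, 1, tzinfo=timezone.utc), datetime(2022, 6, 1, tzinfo=timezone.utc))
    keys = {"alice": os.urandom(32), "bob": os.urandom(32)}
    agent = CustomerDomainAgent({"kpi-2022-05": raw}, [ExceptionRule("kpi-2022-05", "alice", *may)],
                                keys, AuditTrail())
    granted = agent.handle_exception_request("kpi-2022-05", "alice", *may)
    denied = agent.handle_exception_request("kpi-2022-05", "bob", *may)  # no exception configured for bob
    return {"raw": raw, "recovered": secure_client_decrypt(keys["alice"], granted), "denied": denied,
            "trail_ok": agent.trail.verify(), "outcomes": [e["record"]["outcome"] for e in agent.trail.entries]}
```

`run_example()` returns the recovered plaintext, the denied result and the audit outcomes so the three roles can be checked together; in the default mode the agent would never call the release path at all.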