Title:
NETWORK DEVICE AND LAWFUL INTERCEPTION DEVICE IN A COMMUNICATION NETWORK
Document Type and Number:
WIPO Patent Application WO/2023/247011
Kind Code:
A1
Abstract:
A network device that implements an Access and Mobility Function, AMF, (30) in a communication network (10) receives a request (32) to register a communication device (12) with the communication network (10). The network device transmits, to a lawful interception device that implements a Lawful Interception Provisioning Function, LIPF, (22), a message (34) that indicates registration of the communication device (12) with the communication network (10). Responsive to receiving that message (34), the lawful interception device in turn transmits, to a Lawful Interception Control Function, LICF, (18) a message (34) that indicates registration of the communication device (12) with the communication network (10). Based on that received message (34), the LICF (18) selects which one or more network function instances in the communication network (10) are to be provisioned with information (24) for targeting the communication device (12) for lawful interception and controls the LIPF (22) to perform that provisioning.

Inventors:
VITIELLO ANTONIO (IT)
BUONOCORE ALFONSO (IT)
NOVI PAOLO (IT)
DI NOCERA CIRO (IT)
PICA ROSANNA (IT)
Application Number:
PCT/EP2022/066754
Publication Date:
December 28, 2023
Filing Date:
June 20, 2022
Assignee:
ERICSSON TELEFON AB L M (SE)
International Classes:
H04W12/80; H04L9/40
Domestic Patent References:
WO2022033694A1 2022-02-17
WO2020071972A1 2020-04-09
Foreign References:
TR101944A
Other References:
NDRE: "Editorials for 33.127v0.0.6 (pCR)", vol. SA WG3, no. Newport Beach, US; 20181030 - 20181102, 17 October 2018 (2018-10-17), XP051541975, Retrieved from the Internet [retrieved on 20181017]
3GPP TECHNICAL SPECIFICATION (TS) 33.127
3GPP TS 23.502
Attorney, Agent or Firm:
ERICSSON (SE)
Claims:
CLAIMS

What is claimed is:

1. A method performed by a lawful interception device that implements a Lawful Interception Control Function, LICF, (18) in a communication network (10), the method comprising: receiving (400), from a Lawful Interception Provisioning Function, LIPF, (22) in the communication network (10), a message (34) that indicates registration of a communication device (12) with the communication network (10); selecting, based on the received message (34), which one or more network function instances in the communication network (10) are to be provisioned with information (24) for targeting the communication device (12) for lawful interception; and controlling the LIPF (22) to provision the one or more selected network function instances with the information (24).

2. The method of claim 1, wherein said selecting comprises selecting one or more network function instances that are to serve the communication device (12).

3. The method of any one of claims 1-2, wherein the message (34) indicates registration of the communication device (12) with one or more network slices of the communication network (10), wherein the message (34) includes slice information that indicates the one or more network slices, and wherein said selecting comprises selecting one or more network function instances that belong to the one or more network slices.

4. The method of any one of claims 1-3, wherein the message (34) indicates that the communication device (12) has been registered with the communication network (10).

5. The method of any one of claims 1-4, wherein the message (34) indicates one or more identifiers associated with the communication device (12).

6. The method of any one of claims 1-5, wherein the message (34) is received during a procedure for registering the communication device (12) with the communication network (10).

7. The method of any one of claims 1-6, wherein the message (34) indicates registration of the communication device (12) with one or more network slices of the communication network (10), and wherein the message (34) includes slice information that indicates the one or more network slices.

8. A method performed by a network device that implements an Access and Mobility Function, AMF, (30) in a communication network (10), the method comprising: receiving (500) a request (32) to register a communication device (12) with the communication network (10); and transmitting (510), to a lawful interception device that implements a Lawful Interception Provisioning Function, LIPF, (22) in the communication network (10), a message (34) that indicates registration of the communication device (12) with the communication network (10) as requested by the received request (32).

9. The method of claim 8, further comprising performing a procedure for registering the communication device (12) with the communication network (10) as requested by the received request (32), wherein the message (34) is transmitted responsive to the communication device (12) being registered with the communication network (10) as a result of the procedure, and wherein the message (34) indicates that the communication device (12) has been registered with the communication network (10).

10. The method of claim 8, further comprising performing a procedure for registering the communication device (12) with the communication network (10) as requested by the received request (32), wherein the message (34) is transmitted to the lawful interception provisioning device during the procedure.

11. The method of any one of claims 8-10, wherein the message (34) indicates registration of the communication device (12) with one or more network slices of the communication network (10), wherein the message (34) includes slice information that indicates the one or more network slices.

12. The method of any one of claims 8-11, wherein the message (34) indicates one or more identifiers associated with the communication device (12).

13. A method performed by a lawful interception device that implements a Lawful Interception Provisioning Function, LIPF, (22) in a communication network (10), the method comprising: receiving (600), from a network device that implements an Access and Mobility Function, AMF, (30) in the communication network (10), a first message (34) that indicates registration of a communication device (12) with the communication network (10); and responsive to receiving the first message (34), transmitting (610), to a Lawful Interception Control Function, LICF, (18) a second message (38) that indicates registration of the communication device (12) with the communication network (10).

14. The method of claim 13, wherein the first message (34) and the second message (38) each indicates that the communication device (12) has been registered with the communication network (10).

15. The method of any one of claims 13-14, wherein the first message (34) and the second message (38) each indicates one or more identifiers associated with the communication device (12).

16. The method of any one of claims 13-15, wherein the first message (34) is received during a procedure for registering the communication device (12) with the communication network (10) and/or wherein the second message (38) is transmitted during the procedure for registering the communication device (12) with the communication network (10).

17. The method of any one of claims 13-16, wherein the first message (34) and the second message (38) each indicates registration of the communication device (12) with one or more network slices of the communication network (10), and wherein the first message (34) and the second message (38) each includes slice information that indicates the one or more network slices.

18. A lawful interception device configured to implement a Lawful Interception Control Function, LICF, (18) in a communication network (10), the lawful interception device configured to: receive, from a Lawful Interception Provisioning Function, LIPF, (22) in the communication network (10), a message (34) that indicates registration of a communication device (12) with the communication network (10); and select, based on the received message (34), which one or more network function instances in the communication network (10) are to be provisioned with information (24) for targeting the communication device (12) for lawful interception; and control the LIPF (22) to provision the one or more selected network function instances with the information (24).

19. The lawful interception device of claim 18, configured to perform the method of any one of claims 2-7.

20. A network device configured to implement an Access and Mobility Function, AMF, (30) in a communication network (10), the network device configured to: receive a request (32) to register a communication device (12) with the communication network (10); and transmit, to a lawful interception device that implements a Lawful Interception Provisioning Function, LIPF, (22) in the communication network (10), a message (34) that indicates registration of the communication device (12) with the communication network (10) as requested by the received request (32).

21. The network device of claim 20, configured to perform the method of any one of claims 9-12.

22. A lawful interception device configured to implement a Lawful Interception Provisioning Function, LIPF, (22) in a communication network (10), the lawful interception device configured to: receive, from a network device that implements an Access and Mobility Function, AMF, (30) in the communication network (10), a first message (34) that indicates registration of a communication device (12) with the communication network (10); and responsive to receiving the first message (34), transmit, to a Lawful Interception Control Function, LICF, (18) a second message (38) that indicates registration of the communication device (12) with the communication network (10).

23. The lawful interception device of claim 22, configured to perform the method of any one of claims 14-17.

24. A computer program comprising instructions which, when executed by at least one processor of a lawful interception device configured to implement a Lawful Interception Control Function, LICF, (18) in a communication network (10), causes the lawful interception device to perform the method of any one of claims 1-7.

25. A computer program comprising instructions which, when executed by at least one processor of a network device configured to implement an Access and Mobility Function, AMF, (30) in a communication network (10), causes the network device to perform the method of any one of claims 8-12.

26. A computer program comprising instructions which, when executed by at least one processor of a lawful interception device configured to implement a Lawful Interception Provisioning Function, LIPF, (22) in a communication network (10), causes the lawful interception device to perform the method of any one of claims 13-17.

27. A carrier containing the computer program of any of claims 24-26, wherein the carrier is one of an electronic signal, optical signal, radio signal, or computer readable storage medium.

28. A lawful interception device (700) configured to implement a Lawful Interception Control Function, LICF, (18) in a communication network (10), the lawful interception device (700) comprising processing circuitry (710) configured to: receive, from a Lawful Interception Provisioning Function, LIPF, (22) in the communication network (10), a message (34) that indicates registration of a communication device (12) with the communication network (10); and select, based on the received message (34), which one or more network function instances in the communication network (10) are to be provisioned with information (24) for targeting the communication device (12) for lawful interception; and control the LIPF (22) to provision the one or more selected network function instances with the information (24).

29. The lawful interception device of claim 28, wherein the processing circuitry (710) is configured to perform the method of any one of claims 2-7.

30. A network device (800) configured to implement an Access and Mobility Function, AMF, (30) in a communication network (10), the network device (800) comprising processing circuitry (810) configured to: receive a request (32) to register a communication device (12) with the communication network (10); and transmit, to a lawful interception device that implements a Lawful Interception Provisioning Function, LIPF, (22) in the communication network (10), a message (34) that indicates registration of the communication device (12) with the communication network (10) as requested by the received request (32).

31. The network device of claim 30, wherein the processing circuitry (810) is configured to perform the method of any one of claims 9-12.

32. A lawful interception device (900) configured to implement a Lawful Interception Provisioning Function, LIPF, (22) in a communication network (10), the lawful interception device (900) comprising processing circuitry (710) configured to: receive, from a network device that implements an Access and Mobility Function, AMF, (30) in the communication network (10), a first message (34) that indicates registration of a communication device (12) with the communication network (10); and responsive to receiving the first message (34), transmit, to a Lawful Interception Control Function, LICF, (18) a second message (38) that indicates registration of the communication device (12) with the communication network (10).

33. The lawful interception device of claim 32, wherein the processing circuitry (710) is configured to perform the method of any one of claims 14-17.

34. A non-transitory computer-readable storage medium (730) on which is stored instructions that, when executed by a processor of a lawful interception device configured to implement a Lawful Interception Control Function, LICF, (18) in a communication network (10), causes the lawful interception device to: receive, from a Lawful Interception Provisioning Function, LIPF, (22) in the communication network (10), a message (34) that indicates registration of a communication device (12) with the communication network (10); and select, based on the received message (34), which one or more network function instances in the communication network (10) are to be provisioned with information (24) for targeting the communication device (12) for lawful interception; and control the LIPF (22) to provision the one or more selected network function instances with the information (24).

35. A non-transitory computer-readable storage medium (830) on which is stored instructions that, when executed by a processor of a network device configured to implement an Access and Mobility Function, AMF, (30) in a communication network (10), causes the network device to: receive a request (32) to register a communication device (12) with the communication network (10); and transmit, to a lawful interception device that implements a Lawful Interception Provisioning Function, LIPF, (22) in the communication network (10), a message (34) that indicates registration of the communication device (12) with the communication network (10) as requested by the received request (32).

36. A non-transitory computer-readable storage medium (930) on which is stored instructions that, when executed by a processor of a lawful interception device configured to implement a Lawful Interception Provisioning Function, LIPF, (22) in a communication network (10), causes the lawful interception device to: receive, from a network device that implements an Access and Mobility Function, AMF, (30) in the communication network (10), a first message (34) that indicates registration of a communication device (12) with the communication network (10); and responsive to receiving the first message (34), transmit, to a Lawful Interception Control Function, LICF, (18) a second message (38) that indicates registration of the communication device (12) with the communication network (10).

Description:
NETWORK DEVICE AND LAWFUL INTERCEPTION DEVICE IN A COMMUNICATION NETWORK

TECHNICAL FIELD

The present application relates generally to a lawful interception device that implements a Lawful Interception Control Function in a communication network, to a method performed by such a lawful interception device, to a network device that implements an Access and Mobility Function in a communication network, to a method performed by such a network device, to a lawful interception device that implements a Lawful Interception Provisioning Function in a communication network, to a method performed by such a lawful interception device, and to corresponding computer programs and carriers containing those computer programs.

BACKGROUND

Lawful Interception (LI) allows law enforcement agencies (LEAs) to obtain data from a communication network pursuant to lawful authority, for the purpose of analysis or evidence. See, e.g., 3GPP Technical Specification (TS) 33.127 V17.4.0 for LI as specified by 3GPP. According to LI, a Lawful Intercept Control Function (LICF) receives a warrant from an LEA. The warrant is a lawful order (e.g., from a court of law) requiring the communication network to perform LI on a certain LI target. From this warrant, the LICF derives intercept information for targeting a communication device for LI, e.g., where the communication device is associated with a certain subscription identifier or equipment identifier. The LICF provides this intercept information to a LI Provisioning Function (LIPF). The LIPF in turn provisions points of interception (POIs) in the communication network with the intercept information for intercepting data associated with the targeted communication device. After intercepting data, the POI(s) transfer the intercepted data to a network mediation device that relays the data to the LEA.

Across all of the communication devices targeted for LI, the intercept information identifies the targeted communication devices and may be referred to as a target list. Provisioning every POI in the communication network with intercept information for all of the LI targets, so that every POI has the full target list, would advantageously safeguard the communication network against missing LI events that should have been intercepted. However, this approach proves vulnerable to compromising the confidentiality of the target list, since the compromise of any POI would leak the full target list. An alternative approach, then, would be to centralize the full target list in the LICF and have each POI query the LICF as needed to determine whether to intercept data for a communication device. Although this alternative approach better secures the full target list, it introduces a race condition between the POI’s query to the LICF and LI events, risking that some LI events may be missed.

Challenges therefore exist in securing intercept information for LI targets while also minimizing the risk of missing LI events. These challenges mount especially in a communication network that implements network slicing, whereby the communication network is sliced into multiple different logical networks (referred to as network slices) hosted on the same physical network infrastructure, with each network slice being tailored for a specific use case and having independent control and management. Such network slicing spreads intercept information for LI targets across the communication network even more than traditional deployments without network slicing, creating higher risk for security breaches.

SUMMARY

An object is to enable lawful interception in a communication network to be more secure and reliable.

Some embodiments herein provision intercept information for lawful interception (LI) in a communication network on the basis of communication device registration events. Some embodiments exploit this registration-based provisioning in order to limit the network function (NF) instances that are provisioned with intercept information for a target communication device, e.g., to only the NF instance(s) that serve the communication device. As applied to communication network slicing, for instance, some embodiments selectively provision NF instance(s) that belong to the network slice(s) with which the communication device registers, to the exclusion of other NF instance(s) that belong to other network slices with which the communication device is not registered, since those other NF instance(s) will not have any data to intercept for that communication device. This way, compromise of the NF instance(s) belonging to the other network slices will not leak the intercept information.

Some embodiments herein may thereby advantageously better safeguard intercept information for LI against security breaches, as compared to network-wide provisioning of the intercept information. Such selective provisioning also requires a smaller footprint in terms of consumed memory, processing, and/or network resources. Moreover, by actually provisioning NF instance(s) themselves with the intercept information, rather than requiring the NF instance(s) to query another NF instance for the intercept information on an as-needed basis, some embodiments safeguard the intercept information without introducing race conditions that would risk missing LI events.
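The selection described above, as an added sketch that is not part of the patent text: a minimal Python model of an LICF that, on a registration message, has the LIPF provision only the NF instances in the device's slices, compared with network-wide provisioning. All class names, identifiers, slice names and the inventory are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class NFInstance:
    instance_id: str       # constructed identifier
    nf_type: str           # e.g. "AMF", "SMF", "UPF"
    slices: frozenset      # network slices this instance belongs to


@dataclass(frozen=True)
class RegistrationMessage:
    """Registration indication relayed AMF -> LIPF -> LICF (messages 34/38)."""
    identifiers: frozenset  # identifiers associated with the device
    slices: frozenset       # slice information from the registration


class LIPF:
    """Tracks which NF instance was provisioned with which target identifiers."""

    def __init__(self):
        self.provisioned = {}  # instance_id -> set of target identifiers

    def provision(self, instances, target_ids):
        for nf in instances:
            self.provisioned.setdefault(nf.instance_id, set()).update(target_ids)

    def exposure(self, target_id):
        """Instances whose compromise would reveal that target_id is targeted."""
        return sorted(i for i, ids in self.provisioned.items() if target_id in ids)


class LICF:
    """Holds the full target list; no other function sees all of it."""

    def __init__(self, target_list, inventory, lipf):
        self.target_list = frozenset(target_list)
        self.inventory = list(inventory)
        self.lipf = lipf

    def on_registration(self, msg):
        matched = msg.identifiers & self.target_list
        if not matched:
            return []  # not a target: no intercept information leaves the LICF
        # Select only instances sharing a slice with the registration.
        # Assumption of this sketch: a message without slice info selects nothing.
        selected = [nf for nf in self.inventory if nf.slices & msg.slices]
        self.lipf.provision(selected, matched)
        return sorted(nf.instance_id for nf in selected)


# Constructed inventory: one AMF shared by two slices, per-slice SMF/UPF pairs.
INVENTORY = [
    NFInstance("amf-1", "AMF", frozenset({"slice-A", "slice-B"})),
    NFInstance("smf-a", "SMF", frozenset({"slice-A"})),
    NFInstance("upf-a", "UPF", frozenset({"slice-A"})),
    NFInstance("smf-b", "SMF", frozenset({"slice-B"})),
    NFInstance("upf-b", "UPF", frozenset({"slice-B"})),
    NFInstance("smf-c", "SMF", frozenset({"slice-C"})),
    NFInstance("upf-c", "UPF", frozenset({"slice-C"})),
]
TARGET = "sub-0001"  # constructed subscription identifier on the target list


def run_demo():
    # Registration-based, slice-scoped provisioning.
    selective = LIPF()
    licf = LICF({TARGET}, INVENTORY, selective)
    non_target = licf.on_registration(
        RegistrationMessage(frozenset({"sub-0002"}), frozenset({"slice-B"})))
    selected = licf.on_registration(
        RegistrationMessage(frozenset({TARGET, "equip-77"}), frozenset({"slice-A"})))

    # Baseline from the background section: every POI gets the full target list.
    network_wide = LIPF()
    network_wide.provision(INVENTORY, {TARGET})

    return {
        "non_target_selected": non_target,
        "target_selected": selected,
        "selective_exposure": selective.exposure(TARGET),
        "network_wide_exposure": network_wide.exposure(TARGET),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

In this model the instances in slice-B and slice-C never hold the target identifier, so compromising them reveals nothing about the target list, while the instances serving slice-A already hold it when traffic arrives and need no query to the LICF.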

More particularly, embodiments herein include a method performed by a lawful interception device that implements a Lawful Interception Control Function, LICF, in a communication network. The method comprises receiving, from a Lawful Interception Provisioning Function, LIPF, in the communication network, a message that indicates registration of a communication device with the communication network. The method also comprises selecting, based on the received message, which one or more network function instances in the communication network are to be provisioned with information for targeting the communication device for lawful interception. The method further comprises controlling the LIPF to provision the one or more selected network function instances with the information.

In one or more of these embodiments, said selecting comprises selecting one or more network function instances that are to serve the communication device.

In some embodiments, the message indicates registration of the communication device with one or more network slices of the communication network. In some embodiments, the message includes slice information that indicates the one or more network slices, and said selecting comprises selecting one or more network function instances that belong to the one or more network slices.

In some embodiments, the message indicates that the communication device has been registered with the communication network.

In some embodiments, the message indicates one or more identifiers associated with the communication device.

In some embodiments, the message is received during a procedure for registering the communication device with the communication network.

In some embodiments, the message indicates registration of the communication device with one or more network slices of the communication network, and the message includes slice information that indicates the one or more network slices.

Other embodiments herein include a method performed by a network device that implements an Access and Mobility Function, AMF, in a communication network. The method comprises receiving a request to register a communication device with the communication network. The method also comprises transmitting, to a lawful interception device that implements a Lawful Interception Provisioning Function, LIPF, in the communication network, a message that indicates registration of the communication device with the communication network as requested by the received request.

In some embodiments, the method further comprises performing a procedure for registering the communication device with the communication network as requested by the received request. In some embodiments, the message is transmitted responsive to the communication device being registered with the communication network as a result of the procedure, and the message indicates that the communication device has been registered with the communication network.

In other embodiments, the method further comprises performing a procedure for registering the communication device with the communication network as requested by the received request, wherein the message is transmitted to the lawful interception provisioning device during the procedure.

In some embodiments, the message indicates registration of the communication device with one or more network slices of the communication network. In some embodiments, the message includes slice information that indicates the one or more network slices.

In some embodiments, the message indicates one or more identifiers associated with the communication device.

Other embodiments herein include a method performed by a lawful interception device that implements a Lawful Interception Provisioning Function, LIPF, in a communication network. The method comprises receiving, from a network device that implements an Access and Mobility Function, AMF, in the communication network, a first message that indicates registration of a communication device with the communication network. The method comprises, responsive to receiving the first message, transmitting, to a Lawful Interception Control Function, LICF, a second message that indicates registration of the communication device with the communication network.

In some embodiments, the first message and the second message each indicates that the communication device has been registered with the communication network.

In some embodiments, the first message and the second message each indicates one or more identifiers associated with the communication device.

In some embodiments, the first message is received during a procedure for registering the communication device with the communication network and/or the second message is transmitted during the procedure for registering the communication device with the communication network.

In some embodiments, the first message and the second message each indicates registration of the communication device with one or more network slices of the communication network, and the first message and the second message each includes slice information that indicates the one or more network slices.

Other embodiments herein include a lawful interception device configured to implement a Lawful Interception Control Function, LICF, in a communication network. The lawful interception device is configured to receive, from a Lawful Interception Provisioning Function, LIPF, in the communication network, a message that indicates registration of a communication device with the communication network. The lawful interception device is also configured to select, based on the received message, which one or more network function instances in the communication network are to be provisioned with information for targeting the communication device for lawful interception. The lawful interception device is further configured to control the LIPF to provision the one or more selected network function instances with the information.

In some embodiments, the lawful interception device is configured to perform the steps described above for a lawful interception device.

Other embodiments herein include a network device configured to implement an Access and Mobility Function, AMF, in a communication network. The network device is configured to receive a request to register a communication device with the communication network. The network device is also configured to transmit, to a lawful interception device that implements a Lawful Interception Provisioning Function, LIPF, in the communication network, a message that indicates registration of the communication device with the communication network as requested by the received request.

In some embodiments, the network device is configured to perform the steps described above for a network device.

Other embodiments herein include a lawful interception device configured to implement a Lawful Interception Provisioning Function, LIPF, in a communication network. The lawful interception device is configured to receive, from a network device that implements an Access and Mobility Function, AMF, in the communication network, a first message that indicates registration of a communication device with the communication network. The lawful interception device is also configured to, responsive to receiving the first message, transmit, to a Lawful Interception Control Function, LICF, a second message that indicates registration of the communication device with the communication network.

In some embodiments, the lawful interception device is configured to perform the steps described above for a lawful interception device.

Other embodiments herein include a computer program comprising instructions which, when executed by at least one processor of a lawful interception device configured to implement a Lawful Interception Control Function, LICF, in a communication network, causes the lawful interception device to perform the steps described above for a lawful interception device. Other embodiments herein include a computer program comprising instructions which, when executed by at least one processor of a network device configured to implement an Access and Mobility Function, AMF, in a communication network, causes the network device to perform the steps described above for a network device. Other embodiments herein include a computer program comprising instructions which, when executed by at least one processor of a lawful interception device configured to implement a Lawful Interception Provisioning Function, LIPF, in a communication network, causes the lawful interception device to perform the steps described above for a lawful interception device. In one or more of these embodiments, a carrier containing the computer program is one of an electronic signal, optical signal, radio signal, or computer readable storage medium.

Other embodiments herein include a lawful interception device configured to implement a Lawful Interception Control Function, LICF, in a communication network. The lawful interception device comprises processing circuitry configured to receive, from a Lawful Interception Provisioning Function, LIPF, in the communication network, a message that indicates registration of a communication device with the communication network. The processing circuitry is also configured to select, based on the received message, which one or more network function instances in the communication network are to be provisioned with information for targeting the communication device for lawful interception. The processing circuitry is further configured to control the LIPF to provision the one or more selected network function instances with the information.

In some embodiments, the processing circuitry is configured to perform the steps described above for a lawful interception device.

Other embodiments herein include a network device configured to implement an Access and Mobility Function, AMF, in a communication network. The network device comprises processing circuitry configured to receive a request to register a communication device with the communication network. The network device comprises processing circuitry also configured to transmit, to a lawful interception device that implements a Lawful Interception Provisioning Function, LIPF, in the communication network, a message that indicates registration of the communication device with the communication network as requested by the received request.

In some embodiments, the processing circuitry is configured to perform the steps described above for a network device.

Other embodiments herein include a lawful interception device configured to implement a Lawful Interception Provisioning Function, LIPF, in a communication network. The lawful interception device comprises processing circuitry configured to receive, from a network device that implements an Access and Mobility Function, AMF, in the communication network, a first message that indicates registration of a communication device with the communication network. The lawful interception device comprises processing circuitry also configured to, responsive to receiving the first message, transmit, to a Lawful Interception Control Function, LICF, a second message that indicates registration of the communication device with the communication network.

In some embodiments, the processing circuitry is configured to perform the steps described above for a lawful interception device.

Other embodiments herein include a non-transitory computer-readable storage medium on which are stored instructions that, when executed by a processor of a lawful interception device configured to implement a Lawful Interception Control Function, LICF, in a communication network, cause the lawful interception device to receive, from a Lawful Interception Provisioning Function, LIPF, in the communication network, a message that indicates registration of a communication device with the communication network. The stored instructions also cause the lawful interception device to select, based on the received message, which one or more network function instances in the communication network are to be provisioned with information for targeting the communication device for lawful interception. The stored instructions further cause the lawful interception device to control the LIPF to provision the one or more selected network function instances with the information.

Other embodiments herein include a non-transitory computer-readable storage medium on which are stored instructions that, when executed by a processor of a network device configured to implement an Access and Mobility Function, AMF, in a communication network, cause the network device to receive a request to register a communication device with the communication network. The stored instructions also cause the network device to transmit, to a lawful interception device that implements a Lawful Interception Provisioning Function, LIPF, in the communication network, a message that indicates registration of the communication device with the communication network as requested by the received request.

Other embodiments herein include a non-transitory computer-readable storage medium on which are stored instructions that, when executed by a processor of a lawful interception device configured to implement a Lawful Interception Provisioning Function, LIPF, in a communication network, cause the lawful interception device to receive, from a network device that implements an Access and Mobility Function, AMF, in the communication network, a first message that indicates registration of a communication device with the communication network. The stored instructions also cause the lawful interception device to, responsive to receiving the first message, transmit, to a Lawful Interception Control Function, LICF, a second message that indicates registration of the communication device with the communication network.

Of course, the present invention is not limited to the above features and advantages. Indeed, those skilled in the art will recognize additional features and advantages upon reading the following detailed description, and upon viewing the accompanying drawings.

BRIEF DESCRIPTION OF THE DRAWINGS

Figure 1 is a block diagram of a communication network according to some embodiments.

Figure 2 is a call flow diagram for selective LI provisioning according to some embodiments.

Figures 3A-3B are a call flow diagram of a registration procedure according to some embodiments.

Figure 4 is a logic flow diagram of a method performed by a lawful interception device configured to implement an LICF according to some embodiments.

Figure 5 is a logic flow diagram of a method performed by a network device configured to implement an AMF according to some embodiments.

Figure 6 is a logic flow diagram of a method performed by a lawful interception device configured to implement an LIPF according to some embodiments.

Figure 7 is a block diagram of a lawful interception device configured to implement an LICF according to some embodiments.

Figure 8 is a block diagram of a network device configured to implement an AMF according to some embodiments.

Figure 9 is a block diagram of a lawful interception device configured to implement an LIPF according to some embodiments.

DETAILED DESCRIPTION

Figure 1 shows a communication network 10 of a communication service provider (CSP) according to some embodiments. The communication network 10 provides communication service to communication devices, one of which is shown as communication device 12. In some embodiments, the communication network 10 is a wireless communication network, in which case the communication network 10 provides the communication service over a wireless communication interface with communication devices.

The communication network 10 as shown provides a lawful interception (LI) service to a law enforcement agency (LEA) 14. The communication network 10 in this regard intercepts data pursuant to lawful authority, e.g., a warrant, and provides the intercepted data to a law enforcement device associated with the LEA 14, for the purpose of analysis or evidence. The law enforcement device may be, or be comprised in, a law enforcement monitoring facility, where the law enforcement monitoring facility is designated as the transmission destination for the results of interception relating to a particular interception subject, e.g., as specified according to ETSI TS 101 671 V3.15.1 (2018-06).

In some embodiments, the data that the communication network 10 intercepts as part of LI includes copies of the content of communications transmitted to or from targeted communication devices. The content of communications may, for example, include any material or information concerning the substance, purport, or meaning of the communications. Alternatively or additionally, the intercepted data may include material or information related to the interception of communications transmitted to or from targeted communication devices. Such intercepted-related information (IRI) may for example include dialing, signaling, or addressing information that identifies the origin, direction, destination, or termination of each communication generated or received by a subscriber by means of any equipment, facility, or service of a service provider. This may include for instance parameters of the signaling information that can be used as a means to subscribe to or activate features of the service, or establish and control a communication attempt. Generally, then, in some embodiments, the data that the communication network 10 intercepts may include copies of network traffic that contain material related to IRI or material related to IRI and the content of communications.

Figure 1 shows that the communication network 10 includes instances of network functions (NFs) 16 that are interconnected according to a service-based architecture. Where the communication network 10 is a 5G network, for instance, the NF instances 16 may include one or more instances of an Access and Mobility Function (AMF), a Session Management Function (SMF), a User Data Management (UDM) function, and/or any other type of 5G NF. Regardless, at least some of the NF instances 16 may be configured to implement one or more points of interception (POI), e.g., as a sub-function of the NF instance. Each such POI is a physical, logical, or functional point at which data is intercepted according to LI. The POI may for instance be, or be hosted at, an access element, a network connectivity element, or a service element in the communication network 10, e.g., as defined in ETSI TR 101 944.

According to embodiments herein, a Lawful Interception Control Function (LICF) 18 in the communication network 10 controls which one or more of the NF instances 16 are to target any given communication device 12 for LI; that is, which of the NF instances 16 are to intercept data of the target communication device 12 pursuant to LI. The LICF 18 in this regard selects which one or more of the NF instances 16 are to target the communication device 12 for LI. The LICF 18 then sends a provisioning order 20 to a Lawful Interception Provisioning Function (LIPF) 22, ordering the LIPF 22 to provision the selected NF instance(s) as needed to target the communication device 12. So ordered, the LIPF 22 provisions the selected NF instance(s) with intercept information 24, e.g., via provisioning signaling 26, for targeting the communication device 12 for LI. This intercept information 24 may include one or more identifiers that are associated with the target communication device 12. An NF instance provisioned with such intercept information 24 may thereby monitor for and intercept any data that includes the one or more identifiers. Figure 1 shows the NF instance(s) that are selected and provisioned with the intercept information 24 for targeting the communication device 12 as the provisioned NF instance(s) 16A, whereas the NF instance(s) that are not selected or provisioned with the intercept information 24 for targeting the communication device 12 are shown as the non-provisioned NF instance(s) 16B. Embodiments herein thereby selectively provision only some of the NF instances 16 with the intercept information 24 for targeting the communication device 12, as opposed to broadcasting the intercept information 24 to all of the NF instances 16. It is the provisioned NF instance(s) 16A, then, not the non-provisioned NF instance(s) 16B, that intercept data 17 of the target communication device 12 and provide the intercepted data 17 to the LEA 14.

Notably, some embodiments herein control which of the NF instances 16 are provisioned with the intercept information 24 for the target communication device 12 on the basis of registration events for the target communication device 12. The communication device 12 in this regard may need to register with the communication network 10 to get authorized to receive services, to enable mobility tracking, and/or to enable reachability. Registration with the communication network 10 in these and other embodiments thereby enables the communication device 12 to access the communication network 10. When the communication device 12 no longer wants to access the communication network 10, or when the communication device 12 no longer has access to the communication network 10, the communication device 12 is deregistered from the communication network 10. Registration events as used herein, then, refer to events that are associated with the registration of the communication device 12 with the communication network 10 or the deregistration of the communication device 12 from the communication network 10. The LICF 18 in some embodiments exploits such registration events in order to select and/or limit the NF instance(s) 16A that are provisioned with the intercept information 24 for the target communication device 12.

In some embodiments, for example, registration of the target communication device 12 with the communication network 10 reveals a limited subset of NF instance(s) 16A that are to serve the target communication device 12. In cases where the communication network 10 has multiple network slices, for instance, the target communication device 12 registers with one or more of those network slices, rather than with the communication network 10 as a whole, meaning that the limited subset of NF instance(s) 16A that are to serve the target communication device 12 includes the NF instance(s) that belong to the network slice(s) with which the target communication device 12 registers. In these and other embodiments, then, the LICF 18 selects the subset of NF instance(s) 16A that are to serve the target communication device 12 for provisioning with the intercept information 24, to the exclusion of the other NF instance(s) 16B that do not serve the target communication device 12. The LICF 18 thereby avoids needlessly provisioning other NF instance(s) 16B that will not serve the target communication device 12, since those other NF instance(s) 16B will not have any data to intercept for that communication device 12 anyway. This way, compromise of the other NF instance(s) 16B will not leak the intercept information 24 for the target communication device 12.

Some embodiments herein may thereby advantageously better safeguard intercept information for LI against security breaches, as compared to network-wide provisioning of the intercept information 24. Such selective provisioning also requires a smaller footprint in terms of consumed memory, processing, and/or network resources. Moreover, by actually provisioning NF instances themselves with the intercept information, rather than requiring the NF instances to query another NF instance for the intercept information on an as-needed basis, some embodiments safeguard the intercept information 24 without introducing race conditions that would risk missing LI events.

More particularly with regard to registration-based LI provisioning herein, Figure 1 shows that in some embodiments an Access and Mobility Function (AMF) 30 receives a registration request 32. The registration request 32 is a request to register the target communication device 12 with the communication network 10, e.g., with one or more network slices of the communication network 10. In one embodiment, as shown, the AMF 30 receives the registration request 32 from the target communication device 12, e.g., via an access node. In another embodiment not shown, though, the AMF 30 may receive the registration request 32 from another AMF (not shown) as part of the other AMF re-routing the registration request 32 to the AMF 30.

No matter from which entity the AMF 30 receives the registration request 32, the AMF 30 in some embodiments performs a procedure for registering the target communication device 12 with the communication network 10 as requested by the received request 32. Where for instance the registration request 32 requests registration with one or more network slices of the communication network 10, the AMF 30 may perform a procedure to register the target communication device 12 with those one or more network slices.

During, as part of, or after this registration procedure, the AMF 30 as shown transmits a registration information (info) message 34 to the LIPF 22. This registration information message 34 indicates registration of the communication device 12 with the communication network 10, e.g., as requested by the registration request 32. Where the communication network 10 has multiple network slices, for example, the registration information message 34 may indicate registration of the communication device 12 with one or more network slices of the communication network 10. In this case, the registration information message 34 may include slice information that indicates the network slice(s) with which the communication device 12 registers, e.g., in the form of Single Network Slice Selection Assistance Information (S-NSSAI).

In some embodiments, such as where the AMF 30 transmits the registration information message 34 during or as part of the registration procedure, the registration information message 34 indicates that the communication device 12 is being registered with the communication network 10. In other embodiments, such as where the AMF 30 transmits the registration information message 34 responsive to the communication device 12 being registered with the communication network 10 as a result of the registration procedure, the registration information message 34 indicates that the communication device 12 has been registered with the communication network 10.

In some embodiments, the registration information message 34 includes or otherwise indicates one or more identifiers (IDs) 36 associated with the communication device 12. The ID(s) 36 may for instance be propagated from the registration request 32, as asserted by the communication device 12 and/or validated by the AMF 30 as being associated with the communication device 12. The ID(s) 36 may for example be associated with the communication device 12 in the sense that the ID(s) 36 identify the communication device 12 itself or identify a subscription to the communication network 10 based on which the communication device 12 registers with the communication network 10. For example, the ID(s) 36 may include a Subscription Permanent Identifier (SUPI) or a Generic Public Subscription Identifier (GPSI) identifying a subscription to the communication network 10, or may be a Permanent Equipment Identifier (PEI) identifying the communication device 12.

In any event, the LIPF 22 in some embodiments effectively propagates the registration information message 34 (or at least some of the content of the registration information message 34) to the LICF 18. As shown in Figure 1, then, responsive to receiving registration information message 34 from the AMF 30, the LIPF 22 transmits registration information message 38 to the LICF 18. Registration information message 38 likewise indicates registration of the communication device 12 with the communication network 10, e.g., similarly to that as described above for registration information message 34.

In fact, in some embodiments, the registration information message 38 that the LIPF 22 transmits to the LICF 18 is the same message as the registration information message 34 that the LIPF 22 receives from the AMF 30. In this case, the LIPF 22 simply forwards the received registration information message 34 to the LICF 18 as registration information message 38. In other embodiments, the registration information message 38 that the LIPF 22 transmits to the LICF 18 conveys at least some of the same content (e.g., ID(s) 36 and/or network slice information) as that conveyed by the registration information message 34 that the LIPF 22 receives from the AMF 30. In this case, the registration information message 38 that the LIPF 22 transmits to the LICF 18 may convey that content using a format, protocol, and/or set of field(s) that differs from the format, protocol, and/or set of field(s) used by the received registration information message 34 to convey the content. The LIPF 22 in such a scenario may effectively translate at least some of the content from the received registration information message 34 into a form appropriate for transmission to the LICF 18 via the registration information message 38.

No matter the particular nature of the registration information message 38, though, the LICF 18 controls provisioning of the intercept information 24 based on that message 38. For example, in some embodiments, the LICF 18 selects, based on the registration information message 38, which NF instance(s) 16A are to be provisioned with the intercept information 24 for targeting the communication device 12 for LI. The selected NF instance(s) 16A may for instance be the NF instance(s) 16A that are to serve communication device 12, e.g., as indicated by or deduced from the registration information message 38. In embodiments where the registration information message 38 indicates one or more network slices with which the communication device 12 registers, for example, the LICF 18 may select NF instance(s) 16A that belong to those network slice(s), to the exclusion of other NF instance(s) 16B that belong to other network slice(s).

Regardless, the LICF 18 then controls the LIPF 22 to provision the selected NF instance(s) 16A with the intercept information 24. The LICF 18 for example transmits the provisioning order 20 to the LIPF 22. The provisioning order 20 may indicate one or more of the ID(s) 36 that are associated with the communication device 12 and that are to be used for targeting the communication device 12 for LI. The provisioning order 20 may also indicate the selected NF instance(s) 16A to be provisioned with the intercept information 24. The LIPF 22 correspondingly obtains the intercept information 24 and provisions the selected NF instance(s) 16A with the intercept information 24 in accordance with the provisioning order 20, e.g., by transmitting provisioning signaling 26 to the selected NF instance(s) 16A.

Even though embodiments herein have been described as provisioning select NF instance(s) 16A with intercept information 24 for targeting a communication device 12 for LI, the embodiments may also be described as provisioning select POI(s) with the intercept information 24, where those select POI(s) are implemented by one or more of the NF instances 16 in the communication network 10. Alternatively or additionally, while embodiments herein have been described as provisioning NF instance(s) or POI(s) with intercept information 24, the embodiments may also be described as provisioning the NF instance(s) or POI(s) with a target identifier(s) 36 or with a list of target identifier(s) 36.

Although illustrated in Figure 1 with respect to a single target communication device 12, embodiments herein may operate similarly for other target communication devices. That is, the embodiments described above may be implemented on a device by device basis, so that, for each of multiple target communication devices, a respective subset of NF instance(s) is selectively provisioned with intercept information for targeting that communication device for LI. Effectively, then, in some embodiments, any given NF instance is provisioned with intercept information for only a subset of target communication devices, rather than being provisioned with intercept information for all target communication devices. Where the intercept information stored at any given NF instance collectively for multiple target communication devices is referred to as a list of LI targets, this means that the list of LI targets stored at any given NF instance is only a partial list, not a full list, because it lists as targets only a portion of the communication devices being targeted for LI. Distributing respective lists of LI targets amongst different NF instances, depending on which target communication devices those NF instances serve, silos the lists from a security perspective. A security breach of one NF instance, then, may leak the list stored at that breached NF instance, but the other lists stored at non-breached NF instances remain insulated from the impact of that security breach.
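By way of illustration only, the slice-based selection by the LICF 18, the relaying by the LIPF 22, and the resulting partial target lists may be modelled as in the following sketch. It is an added example, not part of the application as filed; the class names, message fields, NF instance names, S-NSSAI labels and subscriber identifiers are constructed assumptions.

```python
"""Selective LI provisioning driven by registration events (illustrative model)."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, Optional, Set


@dataclass(frozen=True)
class NFInstance:
    nf_id: str                 # hypothetical instance name
    slices: FrozenSet[str]     # S-NSSAI values of the slices the instance belongs to


@dataclass(frozen=True)
class RegistrationInfo:
    """Stands in for registration information messages 34 and 38 (fields assumed)."""
    ids: FrozenSet[str]        # ID(s) 36: SUPI, GPSI and/or PEI
    s_nssais: FrozenSet[str]   # slice(s) with which the device registered


@dataclass(frozen=True)
class ProvisioningOrder:
    """Stands in for provisioning order 20."""
    target_ids: FrozenSet[str]
    nf_ids: FrozenSet[str]


class LICF:
    def __init__(self, warranted_ids: Iterable[str], inventory: Iterable[NFInstance]):
        self._warranted = frozenset(warranted_ids)  # the full target list stays here
        self._inventory = tuple(inventory)          # e.g. topology learned from the NRF

    def on_registration(self, msg: RegistrationInfo) -> Optional[ProvisioningOrder]:
        matched = msg.ids & self._warranted
        if not matched:
            return None                             # not a target: provision nothing
        selected = frozenset(nf.nf_id for nf in self._inventory
                             if nf.slices & msg.s_nssais)
        if not selected:
            # A target registered on a slice with no known NF instance would go
            # unintercepted, so surface the gap instead of silently returning.
            raise LookupError("no NF instance known for %s" % sorted(msg.s_nssais))
        return ProvisioningOrder(matched, selected)


class LIPF:
    """Proxy form: relays messages and holds no target list of its own."""

    def __init__(self, licf: LICF, nf_stores: Dict[str, Set[str]]):
        self._licf = licf
        self._nf_stores = nf_stores   # models the list held at each NF instance's POI

    def on_amf_message(self, msg: RegistrationInfo) -> Optional[ProvisioningOrder]:
        order = self._licf.on_registration(msg)     # message 38, forwarded unchanged
        if order is not None:
            for nf_id in order.nf_ids:              # provisioning signaling 26
                self._nf_stores[nf_id].update(order.target_ids)
        return order


def broadcast_stores(warranted_ids: Iterable[str],
                     inventory: Iterable[NFInstance]) -> Dict[str, Set[str]]:
    """Baseline for comparison: every NF instance holds the full target list."""
    ids = set(warranted_ids)
    return {nf.nf_id: set(ids) for nf in inventory}


def exposure(stores: Dict[str, Set[str]], breached_nf_id: str) -> FrozenSet[str]:
    """Target identifiers disclosed if the named NF instance is breached."""
    return frozenset(stores[breached_nf_id])


# Constructed sample data (slice labels and identifiers are not real values).
SLICE_A, SLICE_B = "sst1-sd0000a1", "sst1-sd0000b2"
INVENTORY = (
    NFInstance("amf-a", frozenset({SLICE_A})),
    NFInstance("smf-a", frozenset({SLICE_A})),
    NFInstance("amf-b", frozenset({SLICE_B})),
    NFInstance("smf-b", frozenset({SLICE_B})),
    NFInstance("udm-shared", frozenset({SLICE_A, SLICE_B})),
)
TARGET_1, TARGET_2 = "imsi-001010000000001", "imsi-001010000000002"
NON_TARGET = "imsi-001010000000099"


def run_demo():
    stores: Dict[str, Set[str]] = {nf.nf_id: set() for nf in INVENTORY}
    lipf = LIPF(LICF({TARGET_1, TARGET_2}, INVENTORY), stores)
    registrations = ((TARGET_1, SLICE_A), (NON_TARGET, SLICE_A), (TARGET_2, SLICE_B))
    orders = [lipf.on_amf_message(RegistrationInfo(frozenset({i}), frozenset({s})))
              for i, s in registrations]
    return stores, orders


if __name__ == "__main__":
    final_stores, _ = run_demo()
    for nf_id, held in sorted(final_stores.items()):
        print(nf_id, sorted(held))
```

In this model, an NF instance that belongs to more than one slice accumulates the targets of every slice it serves, so such shared instances carry the largest partial lists.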

Some embodiments herein are applicable in the case where communication devices and the AMF 30 are implemented as specified by 3GPP. Communication devices in this case may be referred to as user equipment (UE). The AMF 30 in this case may receive connection and session related information from a User Equipment (UE) and is responsible for handling connection and mobility management tasks. In some embodiments, the AMF 30 supports one or more of the following functionalities: Registration management, Mobility Management, Lawful intercept (for AMF events and interface to LI System), Access Authentication, Access Authorization, Security Anchor Functionality (SEAF), Location Services management for regulatory services, and UE mobility event notification.

Alternatively or additionally, some embodiments herein are applicable in the case where the communication network 10 implements network slicing as specified by 3GPP. Within the scope of the 3GPP 5G system architecture, a network slice refers to the set of 3GPP defined features and functionalities that together form a complete Public Land Mobile Network (PLMN) for providing services to UEs. As opposed to a system architecture that has a single deployment of a PLMN to provide all features, capabilities and services required for all usage scenarios, network slicing enables the network operator to deploy multiple, independent PLMNs where each PLMN is customized by instantiating only the features, capabilities and services required to satisfy a subset of the usage scenarios.

Alternatively or additionally, some embodiments herein are applicable in the case where the communication network 10 implements LI according to the Network Function Virtualization (NFV) LI architecture specified by ETSI and/or 3GPP, e.g., according to 3GPP Technical Specification (TS) 33.127 V17.4.0, ETSI TS 103 221 parts, and/or ETSI GR NFV-SEC 011 V1.1.1. In some embodiments, the LIPF 22 and the LICF 18 may be implemented as part of, or by, a Lawful Interception Administration Function (ADMF). In these and other embodiments, the LIPF 22 and the LICF 18 are both implemented by the same lawful interception device that implements the ADMF. Generally, though, the LIPF 22 and the LICF 18 may be implemented by the same or different lawful interception device.

In these and other embodiments, the LICF 18 may receive warrant(s) from the LEA 14, derive the intercept information 24 from the warrant(s), and provide the intercept information 24 to the LIPF 22. The NF instance(s) 16A may then be provisioned by the LIPF 22 with the intercept information 24, e.g., as needed to deliver the intercepted data 17 to the LEA 14.

In its simplest form, the LIPF 22 is a secure proxy used by the LICF 18 to communicate with POIs or other infrastructure required to operate LI within the communication network 10. In this scenario, the LIPF 22 does not store target information and simply routes messages from and to the LICF 18.

In some embodiments, the LICF 18 and LIPF 22 support selective management and provisioning of groups of POIs, based on the warrant parameters (e.g., service scope, target identities), the target UE type and profile (e.g. a smartphone, a cellular Internet of Things (CIoT) device) and the network deployment architecture and services implementation (e.g. network slicing), with the purpose of optimizing the LI system operation and avoiding its overprovisioning. In these and other embodiments, the selective management and provisioning of NF(s) 16A may be supported by registration information received by the AMF 30 on monitored subscribers. In one or more such embodiments, the selective management and provisioning of NF(s) 16A may also be supported by an ADMF's graphical user interface configuration capabilities and/or by the ADMF's ability to obtain and use the communication service provider network data to drive its provisioning decisions. In some embodiments, the LICF 18 enables selective provisioning of POIs associated with NFs in a specific network slice.

In some embodiments, the LIPF 22 and/or the LICF 18 may interact with a Network Repository Function (NRF) to discover all NFs instantiated in the communication network 10, to be aware of the network topology. This information may be used to provision POIs of the distributed NFs.

In some embodiments, the intercept information 24 (collectively across multiple communication devices) amounts to a target list. Such a target list may effectively be a list of all the targets in the communication network 10 under surveillance, whether active, suspended or in any other state. Some embodiments herein secure this target list while also ensuring that no events that are lawfully authorized for interception are missed (or collected in error).

Some embodiments do so without provisioning the full target list at every POI. Although provisioning the full target list at every POI would ensure that, when a UE arrives in the communication network 10 and commences registration, a POI would be fully armed and in a position to recognize if the target identifier is in the target list, the security implication is that compromise of any node would leak the complete target list.

Some embodiments herein do so also without only maintaining the full target list at the LICF 18. Although distributing specific target identifiers to specific POIs on an as-needed basis from the LICF 18 would avoid the drawbacks of provisioning the full target list at every POI, it would introduce a race condition: when a UE appears, each POI would need to query the LICF 18 to find out if the user identifier is part of the target list. As the registration sequence progresses, the NF POI would be waiting for a response from the LICF 18. When the reply arrives, the POI's involvement ends if the reply is negative. If the reply is positive, depending on how long the POI-LICF-POI round trip for the query/reply took, it is possible that some reportable events would be missed.

Some embodiments thereby aim to avoid the full target list deployment at all POIs (with its related leakage risk) and to avoid the need for each POI to query the LICF 18 (with its related race conditions drawback). Some embodiments accordingly prove particularly advantageous for better securing the target list in a cloud Network Function Virtualization (NFV) environment in which LI functions may be scattered across multiple different physical and/or virtual infrastructure, under the control of diverse users and providers (e.g., the service provider and the cloud provider), and/or subject to different legal jurisdictions. Moreover, in such an environment, different NFs can be deployed on the same hardware and share networking infrastructure, creating increased risk for leakage across NFs.

Some embodiments avoid the full target list being deployed at all POIs, while also avoiding the need for each POI to query the LICF 18, by still deploying a target list at POIs but minimizing the number of targets in each POI's list, e.g., to only targets that are served by the NF instance implementing that POI. In one or more embodiments, then, the LICF 18 controls the LIPF 22 to perform selective provisioning of intercept information 24 based on registration events in the communication network 10, so that intercept information 24 for a target is set only in the NFs effectively serving that target. This avoids broadcasting of intercept information 24 for a target to any active node in the communication network 10.

Some embodiments thereby improve data security by minimizing the amount of stored LI data to maintain and secure, i.e., the fewer POIs containing sensitive LI data, the lower the risk of intrusion. This may also advantageously lessen memory consumption in POIs. Furthermore, some embodiments advantageously lessen information flows amongst functional elements across reference points between functional entities.

Figure 2 shows an example implementation of some embodiments herein, where the communication device 12 is exemplified as a user equipment (UE), and where the LIPF 22 and LICF 18 are exemplified as being implemented by an LI ADMF. In this example, during the UE registration phase, the AMF 30 informs the LIPF 22 that a UE has been registered on one or more network slices of the communication network 10. The AMF 30 does so by using a new message, referred to as a Registering Subscriber Information (RSI) message, e.g., transmitted on the existing LI_X1 interface to the LIPF 22 (Step 1). The LIPF 22, in turn, transmits an RSI message to the LICF 18 (Step 2). The LICF 18 then determines if any intercept information provisioning is needed for the UE. If so, the LICF 18 transmits a provisioning order 20 to the LIPF 22, e.g., via the LI_X1 interface (Step 3). This provisioning order 20 orders the LIPF 22 to provision only NF instances belonging to the specific network slice on which the UE is registered. The LIPF 22 correspondingly transmits provisioning signaling (Step 4) to the selected NF instances, shown as VNFs 1-N.

In some embodiments, the RSI message from the AMF 30 to the LIPF 22 and/or the RSI message from the LIPF 22 to the LICF 18 may be specified with the parameters shown below:

Registering Subscriber Information (RSI)

This message does not foresee any response message.

In some embodiments, the Target Identity Info parameter is formatted according to Table 1 below.

In some embodiments, the AMF 30 sends the LIPF 22 the RSI message just after having sent the Registration Accept message in the registration procedure, e.g., the registration procedure specified by 3GPP TS 23.502 v17.4.0. Figures 3A-3B show an example of such embodiments whereby the registration procedure specified by 3GPP TS 23.502 v17.4.0 is updated to include a new step 21a to transfer the RSI message from the AMF to the LI-ADMF about UE successful registration in the communication network 10. As shown, the AMF that transfers the RSI message to the LI-ADMF is the new AMF with which the UE registers, e.g., as opposed to any old AMF with which the UE may have previously been registered. In this example, new step 21a occurs after, or simultaneously with, step 21 in which the new AMF sends a Registration Accept to the UE, and before optional step 22 in which the UE sends a Registration Complete to the new AMF.

These and other embodiments herein may be applicable where the communication network 10 has network slices as implemented according to 3GPP. For example, the communication network 10 may have multiple network slices for smart phones, e.g., deployed with exactly the same system features, capabilities and services, but dedicated to different business segments. In this case, the different smart phone network slices may each provide different capacity for a different number of UEs and data traffic. The communication network 10 as an example may also include network slices that enable differentiation between the provided system features, capabilities and services. A Machine-to-Machine (M2M) network slice may, for example, offer UE battery power saving features unsuitable for smartphone slices, as those features imply latencies not acceptable for typical smart phone usages.

Note, too, that in some embodiments a UE may receive service from multiple network slices. In such deployments, there may be network functions in common for a set of slices, e.g., the AMF, a policy control function (PCF), and a network function services repository (NRF). This may be because there is a single access control and mobility management instance per UE that is responsible for services of a UE. By contrast, in some embodiments, the user plane services, specifically the data services, may be obtained via multiple, separate network slices. For example, one network slice may provide a UE with data services for Data Network #1, and another network slice may provide a UE with data services for Data Network #2. Those slices and the data services may be independent of each other apart from interaction with the common access and mobility control that applies for all services of the user/UE. This makes it possible to tailor each slice for e.g., different quality of service (QoS) data services or different application functions, all determined by means of the policy control framework.

In view of the modifications and variations herein, Figure 4 depicts a method in accordance with particular embodiments. The method is performed by a lawful interception device that implements an LICF 18 in a communication network 10. The method includes receiving, from an LIPF 22 in the communication network 10, a message 38 that indicates registration of a communication device 12 with the communication network 10 (Block 400). The method also includes, based on the received message 38, controlling provisioning of information 24 in the communication network 10 for targeting the communication device 12 for lawful interception (Block 410).

In some embodiments as shown, controlling provisioning of the information 24 comprises selecting, based on the received message 38, which one or more network function instances 16A in the communication network 10 are to be provisioned with information 24 for targeting the communication device 12 for lawful interception (Block 410A). In this case, controlling provisioning of the information 24 also comprises controlling the LIPF 22 to provision the selected network function instances 16A with the information 24 (Block 410B). In one or more of these embodiments, selecting which network function instances 16A in the communication network 10 are to be provisioned comprises selecting network function instances 16A that are to serve the communication device 12. Alternatively or additionally, in some embodiments, the message 38 indicates registration of the communication device 12 with one or more network slices of the communication network 10. The message may for example include slice information that indicates the one or more network slices, in which case selecting which network function instances 16A in the communication network 10 are to be provisioned comprises selecting network function instances 16A that belong to the one or more network slices.
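The four-step flow of Figure 2 and the slice-based selection of Block 410A can be modelled as follows. This is an added example, not code from the application: the class and field names, the NF inventory and the identifiers are constructed for illustration, and the model counts how many NF instances end up storing intercept information compared with the total that a broadcast would reach.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class RSI:
    """Registering Subscriber Information message (field names are assumptions)."""
    identifiers: frozenset   # identifiers associated with the registering device
    slices: frozenset        # slice information: slices the device registered on

@dataclass
class NFInstance:
    name: str
    slices: frozenset                          # slices this NF instance belongs to
    targets: set = field(default_factory=set)  # intercept information held at this POI

class LICF:
    """Holds the full target list; no NF instance in this model does."""
    def __init__(self, target_ids, nf_inventory):
        self.target_ids = set(target_ids)
        self.nf_inventory = nf_inventory

    def on_rsi(self, rsi):
        """Step 3: return a provisioning order, or None if none is needed."""
        matched = self.target_ids & rsi.identifiers
        if not matched:
            return None
        # Select only NF instances that belong to a slice named in the RSI.
        selected = [nf.name for nf in self.nf_inventory if nf.slices & rsi.slices]
        return {"targets": matched, "nf_names": selected}

class LIPF:
    def __init__(self, licf, nf_inventory):
        self.licf = licf
        self.nfs = {nf.name: nf for nf in nf_inventory}

    def on_rsi_from_amf(self, rsi):
        """Steps 2 and 4: relay the RSI to the LICF, then provision only what it orders."""
        order = self.licf.on_rsi(rsi)
        if order is None:
            return []
        for name in order["nf_names"]:
            self.nfs[name].targets |= order["targets"]
        return sorted(order["nf_names"])

def exposure(nfs):
    """Number of NF instances currently storing any intercept information."""
    return sum(1 for nf in nfs if nf.targets)

def demo():
    # Constructed inventory: one AMF common to both slices, per-slice SMF/UPF.
    nfs = [
        NFInstance("amf-1", frozenset({"slice-a", "slice-b"})),
        NFInstance("smf-a", frozenset({"slice-a"})),
        NFInstance("upf-a", frozenset({"slice-a"})),
        NFInstance("smf-b", frozenset({"slice-b"})),
        NFInstance("upf-b", frozenset({"slice-b"})),
    ]
    licf = LICF({"imsi-001010000000001"}, nfs)  # constructed target identifier
    lipf = LIPF(licf, nfs)
    # Step 1: the AMF reports two registrations; only the first matches a target.
    hit = lipf.on_rsi_from_amf(
        RSI(frozenset({"imsi-001010000000001"}), frozenset({"slice-a"})))
    miss = lipf.on_rsi_from_amf(
        RSI(frozenset({"imsi-001010000000002"}), frozenset({"slice-b"})))
    return hit, miss, exposure(nfs), len(nfs)

if __name__ == "__main__":
    print(demo())
```

In this constructed inventory the common AMF is provisioned because it belongs to the target's slice, while the slice-b SMF and UPF never receive the target's data.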

In some embodiments, the message 38 indicates that the communication device 12 has been registered with the communication network 10.

In some embodiments, the message 38 indicates one or more identifiers 36 associated with the communication device 12.

In some embodiments, the message 38 is received during a procedure for registering the communication device 12 with the communication network 10.

In some embodiments, the message 38 indicates registration of the communication device 12 with one or more network slices of the communication network 10, and the message 38 includes slice information that indicates the one or more network slices.

Figure 5 depicts a method in accordance with other particular embodiments. The method is performed by a network device that implements an AMF 30 in a communication network 10. The method includes receiving a request 32 to register a communication device 12 with the communication network 10 (Block 500). The method also includes transmitting, to a lawful interception device that implements an LIPF 22 in the communication network 10, a message 34 that indicates registration of the communication device 12 with the communication network 10 as requested by the received request 32 (Block 510).

In some embodiments, the method also includes performing a procedure for registering the communication device 12 with the communication network 10 as requested by the received request 32 (Block 505). In one or more such embodiments, the message 34 is transmitted responsive to the communication device 12 being registered with the communication network 10 as a result of the procedure, and the message 34 indicates that the communication device 12 has been registered with the communication network 10. Alternatively, in other embodiments, the message 34 is transmitted to the lawful interception provisioning device during the procedure.

In some embodiments, the message 34 indicates registration of the communication device 12 with one or more network slices of the communication network 10. In some embodiments, the message 34 includes slice information that indicates the one or more network slices.

In some embodiments, the message 34 indicates one or more identifiers 36 associated with the communication device 12.

Figure 6 depicts a method in accordance with other particular embodiments. The method is performed by a lawful interception device that implements an LIPF 22 in a communication network 10. The method includes receiving, from a network device that implements an AMF 30 in the communication network 10, a first message 34 that indicates registration of a communication device 12 with the communication network 10 (Block 600). The method also includes, responsive to receiving the first message 34, transmitting, to an LICF 18, a second message 38 that indicates registration of the communication device 12 with the communication network 10 (Block 610).

In some embodiments, the first message 34 and the second message 36 each indicates that the communication device 12 has been registered with the communication network 10.

In some embodiments, the first message 34 and the second message 36 each indicates one or more identifiers 36 associated with the communication device 12.

In some embodiments, the first message 34 is received during a procedure for registering the communication device 12 with the communication network 10 and/or the second message 36 is transmitted during the procedure for registering the communication device 12 with the communication network 10.

In some embodiments, the first message 34 and the second message 36 each indicates registration of the communication device 12 with one or more network slices of the communication network 10, and the first message 34 and the second message 36 each includes slice information that indicates the one or more network slices.

Embodiments herein also include corresponding apparatuses. Embodiments herein for instance include a network node configured to perform any of the steps of any of the embodiments described above for the AMF 30.

Embodiments also include a network node comprising processing circuitry and power supply circuitry. The processing circuitry is configured to perform any of the steps of any of the embodiments described above for the AMF 30. The power supply circuitry is configured to supply power to the network node.

Embodiments further include a network node comprising processing circuitry. The processing circuitry is configured to perform any of the steps of any of the embodiments described above for the AMF 30. In some embodiments, the network node further comprises communication circuitry.

Embodiments further include a network node comprising processing circuitry and memory. The memory contains instructions executable by the processing circuitry whereby the network node is configured to perform any of the steps of any of the embodiments described above for the AMF 30.

Embodiments herein further include a lawful interception device configured to perform any of the steps of any of the embodiments described above for the LIPF 22.

Embodiments also include a lawful interception device comprising processing circuitry and power supply circuitry. The processing circuitry is configured to perform any of the steps of any of the embodiments described above for the LIPF 22. The power supply circuitry is configured to supply power to the lawful interception device.

Embodiments further include a lawful interception device comprising processing circuitry. The processing circuitry is configured to perform any of the steps of any of the embodiments described above for the LIPF 22. In some embodiments, the lawful interception device further comprises communication circuitry.

Embodiments further include a lawful interception device comprising processing circuitry and memory. The memory contains instructions executable by the processing circuitry whereby the lawful interception device is configured to perform any of the steps of any of the embodiments described above for the LIPF 22.

Embodiments herein also include a lawful interception device configured to perform any of the steps of any of the embodiments described above for the LICF 18.

Embodiments also include a lawful interception device comprising processing circuitry and power supply circuitry. The processing circuitry is configured to perform any of the steps of any of the embodiments described above for the LICF 18. The power supply circuitry is configured to supply power to the lawful interception device.

Embodiments further include a lawful interception device comprising processing circuitry. The processing circuitry is configured to perform any of the steps of any of the embodiments described above for the LICF 18. In some embodiments, the lawful interception device further comprises communication circuitry.

Embodiments further include a lawful interception device comprising processing circuitry and memory. The memory contains instructions executable by the processing circuitry whereby the lawful interception device is configured to perform any of the steps of any of the embodiments described above for the LICF 18.

More particularly, the apparatuses described above may perform the methods herein and any other processing by implementing any functional means, modules, units, or circuitry. In one embodiment, for example, the apparatuses comprise respective circuits or circuitry configured to perform the steps shown in the method figures. The circuits or circuitry in this regard may comprise circuits dedicated to performing certain functional processing and/or one or more microprocessors in conjunction with memory. For instance, the circuitry may include one or more microprocessors or microcontrollers, as well as other digital hardware, which may include digital signal processors (DSPs), special-purpose digital logic, and the like. The processing circuitry may be configured to execute program code stored in memory, which may include one or several types of memory such as read-only memory (ROM), random-access memory, cache memory, flash memory devices, optical storage devices, etc. Program code stored in memory may include program instructions for executing one or more telecommunications and/or data communications protocols as well as instructions for carrying out one or more of the techniques described herein, in several embodiments. In embodiments that employ memory, the memory stores program code that, when executed by the one or more processors, carries out the techniques described herein.

Figure 7 for example illustrates a lawful interception device 700 as implemented in accordance with one or more embodiments. The lawful interception device 700 is configured to implement an LICF 18 as described herein. As shown, the lawful interception device 700 includes processing circuitry 710 and communication circuitry 720. The communication circuitry 720 is configured to transmit and/or receive information to and/or from one or more other nodes, e.g., via any communication technology. The processing circuitry 710 is configured to perform processing described above, e.g., in Figure 4, such as by executing instructions stored in a non-transitory computer-readable storage medium 730 in the form of a memory. The processing circuitry 710 in this regard may implement certain functional means, units, or modules.

Figure 8 illustrates a network node 800 as implemented in accordance with one or more embodiments. The network node 800 is configured to implement the AMF 30 described herein. As shown, the network node 800 includes processing circuitry 810 and communication circuitry 820. The communication circuitry 820 is configured to transmit and/or receive information to and/or from one or more other nodes, e.g., via any communication technology. The processing circuitry 810 is configured to perform processing described above, e.g., in Figure 5, such as by executing instructions stored in a non-transitory computer-readable storage medium 830 in the form of a memory. The processing circuitry 810 in this regard may implement certain functional means, units, or modules.

Figure 9 illustrates a lawful interception device 900 as implemented in accordance with one or more embodiments. The lawful interception device 900 is configured to implement an LIPF 22 as described herein. As shown, the lawful interception device 900 includes processing circuitry 910 and communication circuitry 920. The communication circuitry 920 is configured to transmit and/or receive information to and/or from one or more other nodes, e.g., via any communication technology. The processing circuitry 910 is configured to perform processing described above, e.g., in Figure 6, such as by executing instructions stored in a non-transitory computer-readable storage medium 930 in the form of a memory. The processing circuitry 910 in this regard may implement certain functional means, units, or modules.

Those skilled in the art will also appreciate that embodiments herein further include corresponding computer programs.

A computer program comprises instructions which, when executed on at least one processor of a lawful interception device, cause the lawful interception device to carry out any of the respective processing described above for the LIPF 22 and/or the LICF 18. A computer program in this regard may comprise one or more code modules corresponding to the means or units described above.

Embodiments further include a carrier containing such a computer program. This carrier may comprise one of an electronic signal, optical signal, radio signal, or computer readable storage medium.

In this regard, embodiments herein also include a computer program product stored on a non-transitory computer readable (storage or recording) medium and comprising instructions that, when executed by a processor of a lawful interception device, cause the lawful interception device to perform as described above.

Embodiments further include a computer program product comprising program code portions for performing the steps of any of the embodiments herein when the computer program product is executed by a lawful interception device. This computer program product may be stored on a computer readable recording medium.

In other embodiments, a computer program comprises instructions which, when executed on at least one processor of a network device, cause the network device to carry out any of the respective processing described above for the AMF 30. A computer program in this regard may comprise one or more code modules corresponding to the means or units described above.

Embodiments further include a carrier containing such a computer program. This carrier may comprise one of an electronic signal, optical signal, radio signal, or computer readable storage medium.

In this regard, embodiments herein also include a computer program product stored on a non-transitory computer readable (storage or recording) medium and comprising instructions that, when executed by a processor of a network device, cause the network device to perform as described above.

Embodiments further include a computer program product comprising program code portions for performing the steps of any of the embodiments herein when the computer program product is executed by a network device. This computer program product may be stored on a computer readable recording medium.

Although the computing devices described herein (e.g., network device and/or lawful interception device) may include the illustrated combination of hardware components, other embodiments may comprise computing devices with different combinations of components. It is to be understood that these computing devices may comprise any suitable combination of hardware and/or software needed to perform the tasks, features, functions and methods disclosed herein. Moreover, while components are depicted as single boxes located within a larger box, or nested within multiple boxes, in practice, computing devices may comprise multiple different physical components that make up a single illustrated component, and functionality may be partitioned between separate components. For example, a communication interface may be configured to include any of the components described herein, and/or the functionality of the components may be partitioned between the processing circuitry and the communication interface. In another example, non-computationally intensive functions of any of such components may be implemented in software or firmware and computationally intensive functions may be implemented in hardware.

In certain embodiments, some or all of the functionality described herein may be provided by processing circuitry executing instructions stored in memory, which in certain embodiments may be a computer program product in the form of a non-transitory computer-readable storage medium. In alternative embodiments, some or all of the functionality may be provided by the processing circuitry without executing instructions stored on a separate or discrete device-readable storage medium, such as in a hard-wired manner. In any of those particular embodiments, whether executing instructions stored on a non-transitory computer-readable storage medium or not, the processing circuitry can be configured to perform the described functionality. The benefits provided by such functionality are not limited to the processing circuitry alone or to other components of the computing device, but are enjoyed by the computing device as a whole, and/or by end users and a wireless network generally.