Title:
MODULAR METHOD FOR EXTENDING 5G SERVICES WITH ZERO TRUST SECURITY
Document Type and Number:
WIPO Patent Application WO/2024/054332
Kind Code:
A1
Abstract:
Applying cybersecurity to a network includes creating a modular implementation of CISA's Zero-Trust maturity model and extending a fifth-generation (5G) core. Each module corresponds to one of the five pillars in the CISA Zero-Trust maturity model. A first module verifies and enforces the access of a user based on the user's identity. A second module maintains a complete inventory of every authorized device and prevents, detects and responds to incidents involving the authorized devices. A third module protects the network by encrypting all DNS and HTTP traffic, isolating traffic flows and monitoring user activities. A fourth module is directed to the applications and workload of the network, testing applications and generating vulnerability reports periodically. A fifth module monitors data on the network by classifying and encrypting all data and maintaining logs of every access to data.

Inventors:
MANAN ABDUL (US)
FORMICOLA VALERIO (US)
MIN ZIRAN (US)
MAHMOUDI CHARIF (US)
SHEKHAR SHASHANK (US)
Application Number:
PCT/US2023/030251
Publication Date:
March 14, 2024
Filing Date:
August 15, 2023
Assignee:
SIEMENS CORP (US)
International Classes:
H04L9/40; H04W12/06
Other References:
KEYVAN RAMEZANPOUR ET AL: "Intelligent Zero Trust Architecture for 5G/6G Networks: Principles, Challenges, and the Role of Machine Learning in the context of O-RAN", ARXIV.ORG, CORNELL UNIVERSITY LIBRARY, 201 OLIN LIBRARY CORNELL UNIVERSITY ITHACA, NY 14853, 27 July 2022 (2022-07-27), pages 1 - 14, XP091280923
CHEN BAOZHAN ET AL: "A Security Awareness and Protection System for 5G Smart Healthcare Based on Zero-Trust Architecture", IEEE INTERNET OF THINGS JOURNAL, IEEE, USA, vol. 8, no. 13, 30 November 2020 (2020-11-30), pages 10248 - 10263, XP011861960, DOI: 10.1109/JIOT.2020.3041042
FENG ZEBING ET AL: "A Dual-layer Zero Trust Architecture for 5G Industry MEC Applications Access Control", 2022 IEEE 5TH INTERNATIONAL CONFERENCE ON ELECTRONIC INFORMATION AND COMMUNICATION TECHNOLOGY (ICEICT), IEEE, 21 August 2022 (2022-08-21), pages 100 - 105, XP034208149, DOI: 10.1109/ICEICT55736.2022.9908891
CISA: "Zero Trust Maturity Model", 1 June 2021 (2021-06-01), pages 1 - 19, XP093096359, Retrieved from the Internet [retrieved on 20231030]
Attorney, Agent or Firm:
BRINK JR., John D. (US)
Claims:
CLAIMS

What is claimed is:

1. A method for applying cybersecurity to a network comprising: creating a modular implementation of CISA's Zero-Trust maturity model; and extending a fifth-generation (5G) core to include the modular implementation of the CISA Zero-Trust maturity model.

2. The method of Claim 1, wherein each module corresponds to one of the five pillars in the CISA Zero-Trust maturity model.

3. The method of Claim 2, further comprising: implementing a first module for verifying and enforcing the access of a user based on the user's identity.

4. The method of Claim 3, the first module comprising: implementing in the first module a user identity management system (UIMS) to keep track of users connected to the system and information about their existing and prior sessions.

5. The method of Claim 4 further comprising: integrating the UIMS with an external system containing relevant information about a user.

6. The method of Claim 4 further comprising: implementing in the first module a user authentication system (UAS) to provide functionality to authenticate a user at an application level.

7. The method of Claim 6 further comprising: in response to a user request to access a resource, transmitting the request through a user plane function (UPF); at the UIMS, determining if the user is authenticated; if the user is not authenticated, forwarding the request to the UAS, determining the user's authentication, and replying back to the UIMS the status of the user authentication; and replying by the UIMS to the UPF the status of the user's authentication.

8. The method of Claim 7 further comprising: implementing in the first module, an access authorization system (AAS), which checks an authenticated user's permission to access a requested resource.

9. The method of Claim 8 further comprising: receiving a request from a user to access a resource; forwarding the request to the UPF; in the AAS, requesting information from the UIMS about the user and determining if the user is authorized to access the requested resource; and informing the UPF of the status of the user's authorization.

10. The method of Claim 3, further comprising: providing a second module to maintain a complete inventory of every authorized device and prevent, detect and respond to incidents involving the authorized devices.

11. The method of Claim 10, further comprising: implementing in the second module, an endpoint detection and response system (EDRS) to store an inventory of all authorized devices and to monitor activities on those authorized devices.

12. The method of Claim 10, further comprising: providing a third module for protecting the network by encrypting all DNS and HTTP traffic, isolating traffic flows and monitoring user activities.

13. The method of Claim 12, further comprising: implementing in the third module, a user behavior analysis function (UBAF) for combining user metadata and traffic and event logs of the user to build a profile of the user's key behaviors and detect flows that deviate from the profile.

14. The method of Claim 12, further comprising: providing a fourth module directed to applications and workload of the network to test applications and generate vulnerability reports periodically.

15. The method of Claim 14, further comprising: in the fourth module, implementing a security assessment report generator (SARG) for producing an assessment report containing information about vulnerability scanning and code analysis of software running on the network.

16. The method of Claim 15, further comprising: providing a fifth module for monitoring data on the network by classifying, encrypting all data and maintaining logs of every access to data.

17. A system for applying cybersecurity to a network comprising: a computer processor; and a non-transitory computer memory in communication with the computer processor, the non-transitory computer memory storing machine readable instructions that when executed by the computer processor cause the computer processor to perform the steps of: creating a modular implementation of CISA's Zero-Trust maturity model; and extending a fifth-generation (5G) core to include the modular implementation of the CISA Zero-Trust maturity model.

18. The system of Claim 17, the non-transitory computer memory further storing machine readable instructions that when executed by the computer processor cause the computer processor to perform the steps of: defining five modules in the modular implementation of the CISA Zero-Trust maturity model, each module corresponding to one of the five pillars of the CISA Zero-Trust maturity model.

19. The system of Claim 18, the non-transitory computer memory further storing machine readable instructions that when executed by the computer processor cause the computer processor to perform the steps of: in a first module, enforcing the authentication and authorization of users connected to the network at an application level; in a second module, enforcing integrity of each device connected to the network; in a third module, monitoring traffic on the network, and analyzing user behavior based on the monitored traffic; in a fourth module, ensuring the security of applications running on the network and generating reports from vulnerability scanning and code analysis; and in a fifth module, monitoring data transferred in the network and tracking all accesses to data to detect abnormal behavior.

20. The system of Claim 17, the non-transitory computer memory further storing machine readable instructions that when executed by the computer processor cause the computer processor to perform the steps of: communicating with external sources to obtain information about users to assist the modular implementation of the CISA Zero Trust maturity model in verifying network operations involving the user.

Description:
MODULAR METHOD FOR EXTENDING 5G SERVICES WITH ZERO TRUST SECURITY

TECHNICAL FIELD

[0001] This application relates to cybersecurity in systems requiring real-time communications.

BACKGROUND

[0002] Problems exist in defining security specifications in an environment where network parameters, such as the types of connected devices, are not clearly defined. Applying security to such a network is difficult because the security functions required to secure it are not obvious to define.

SUMMARY

[0003] According to embodiments of this disclosure, a method for applying cybersecurity to a network includes creating a modular implementation of CISA's Zero-Trust maturity model and extending a fifth-generation (5G) core to include the modular implementation of the CISA Zero-Trust maturity model. Each module in the modular implementation corresponds to one of the five pillars in the CISA Zero-Trust maturity model. A first module verifies and enforces the access of a user based on the user's identity. The first module includes a user identity management system (UIMS) to keep track of users connected to the system as well as information about their existing and prior sessions. The UIMS may be connected with an external system containing relevant information about a user. The first module further includes a user authentication system (UAS) to provide functionality to authenticate a user at an application level. In response to a user request to access a resource, the request is transmitted through a user plane function (UPF) and, at the UIMS, it is determined if the user is authenticated; if the user is not authenticated, the request is forwarded to the UAS to determine the user's authentication, and a reply is sent back to the UIMS. The first module also includes an access authorization system (AAS), which checks an authenticated user's permission to access a requested resource. A request from a user to access a resource is forwarded to the UPF; in the AAS, information about the user is requested from the UIMS and it is determined if the user is authorized to access the requested resource. The UPF is informed of the status of the user's authorization.

[0004] A second module maintains a complete inventory of every authorized device and prevents, detects and responds to incidents involving the authorized devices. In the second module, an endpoint detection and response system (EDRS) stores an inventory of all authorized devices and monitors activities on those authorized devices.

[0005] A third module protects the network by encrypting all DNS and HTTP traffic, isolating traffic flows and monitoring user activities. In the third module, a user behavior analysis function (UBAF) combines user metadata and traffic and event logs of the user to build a profile of the user's key behaviors and detect flows that deviate from the profile.

[0006] A fourth module is directed to the applications and workload of the network, testing applications and generating vulnerability reports periodically. In the fourth module, a security assessment report generator (SARG) produces an assessment report containing information about vulnerability scanning and code analysis of software running on the network.

[0007] A fifth module monitors data on the network by classifying and encrypting all data and maintaining logs of every access to data.

[0008] According to embodiments of this disclosure, a system for applying cybersecurity to a network includes a computer processor and a non-transitory computer memory in communication with the computer processor. The non-transitory computer memory stores machine readable instructions that when executed by the computer processor cause the computer processor to perform the steps of creating a modular implementation of CISA's Zero-Trust maturity model, and extending a fifth-generation (5G) core to include the modular implementation of the CISA Zero-Trust maturity model. The non-transitory computer memory may further store machine readable instructions that when executed by the computer processor cause the computer processor to perform the steps of defining five modules in the modular implementation of the CISA Zero-Trust maturity model, each module corresponding to one of the five pillars of the CISA Zero-Trust maturity model. The non-transitory computer memory may further store machine readable instructions that when executed by the computer processor cause the computer processor to perform the steps of: in a first module, enforcing the authentication and authorization of users connected to the network at an application level; in a second module, enforcing integrity of each device connected to the network; in a third module, monitoring traffic on the network, and analyzing user behavior based on the monitored traffic; in a fourth module, ensuring the security of applications running on the network and generating reports from vulnerability scanning and code analysis; and in a fifth module, monitoring data transferred in the network and tracking all accesses to data to detect abnormal behavior. The non-transitory computer memory may further store machine readable instructions that when executed by the computer processor cause the computer processor to perform the steps of communicating with external sources to obtain information about users to assist the modular implementation of the CISA Zero Trust maturity model in verifying network operations involving the user.

BRIEF DESCRIPTION OF THE DRAWINGS

[0009] The foregoing and other aspects of the present invention are best understood from the following detailed description when read in connection with the accompanying drawings. For the purpose of illustrating the invention, there is shown in the drawings embodiments that are presently preferred, it being understood, however, that the invention is not limited to the specific instrumentalities disclosed. Included in the drawings are the following Figures:

[0010] FIG. 1 is a diagram of an extended 5G network for providing a Zero Trust model according to aspects of embodiments of this disclosure.

[0011] FIG. 2 is a flow diagram for authenticating a user according to aspects of embodiments of this disclosure.

[0012] FIG. 3 is a flow diagram for authorizing an authenticated user according to aspects of embodiments of this disclosure.

[0013] FIG. 4 is a process flow diagram for implementing a zero trust model in a 5G networking core to provide real time security measures according to aspects of embodiments of this disclosure.

DETAILED DESCRIPTION

[0014] With ongoing advances in communications and networking technologies, current networks are required to support massive volumes of heterogeneous devices, while providing seamless connectivity and computational resources for autonomous and intelligent operations. In fifth generation (5G) networks, a new air interface is introduced along with a service-based network architecture and end-to-end network slicing, which together fulfill these network requirements. As a result, 5G provides an attractive option for deployment of a private network for enterprises. While 5G is well suited for providing the guaranteed throughput and latency levels required by next-generation applications, existing network security frameworks possess weaknesses that make them insufficient for providing the security assurances required by enterprise operations occurring in complex and dynamic network environments.

[0015] An enterprise network may include several internal networks, remote offices with individual local infrastructure, remote individuals, and cloud services. This complexity has outstripped the existing traditional methods of perimeter-based network security, as there is no single, easily identified perimeter for the enterprise. Perimeter-based networks treat the network perimeter as a trust zone, and users operating in this trust zone, following authentication and authorization, are deemed trusted. However, due to the agile radio environment and the mobility of 5G network users, identification of this perimeter presents significant challenges. Moreover, as reliance on a network such as 5G in an enterprise becomes more fundamental to functions like automated manufacturing, autonomous vehicles and Internet of Things (IoT) devices, the need for assurance in the communication system has risen, with a major interest in the development of methods to secure the telecommunications network.

[0016] The provisioning of a security infrastructure for modern networks has been significantly affected by the current trend toward real-time operations. Conventionally, security architectures have been developed on a case-by-case basis. Examples include firewalls, intrusion detection systems (IDS), intrusion prevention systems (IPS), or web application security protocols such as transport layer security (TLS), which are used to keep information technology (IT) and operational technology (OT) environments safe.

[0017] Perimeter-based security has served as a primary concept in traditional network security and is still used in some enterprises. However, as the threat landscape expands, this technique is becoming obsolete. With this development, attention has turned to deployments utilizing a zero-trust model. However, current solutions focus on the implementation of some, but not all zero trust principles. Some examples may include distributed IDS/IPS, solutions to detect security attacks implemented at different layers of the Open Systems Interconnection (OSI) model, or a trust evaluation strategy based on zero trust for establishing trust relationships in cloud services to name a few.

[0018] Embodiments of this disclosure present methods and systems that add abilities to a 5G network to allow and manage authentication and authorization at the application level. Additionally, embodiments herein enable device level authorization and continuous vulnerability checking as a network function of the 5G core.

[0019] FIG. 1 shows the architectural design of a 5G network 100, with integrated Zero Trust components 101. Functions 101 represent new zero trust components and functions 103 are existing functions in the 5G Core that need to be updated. Embodiments of this disclosure exploit real-time processing of requests at the User Plane Function (UPF) 105 and add interfaces to it to authenticate and authorize every access request.

[0020] The following paragraphs will describe how to implement the five pillars of CISA's Zero Trust (ZT) maturity model using five different modules:

[0021] Module #1: Identity: The goal of this module is to ensure and enforce that the right users have the right access to the right resources at the right time. It consists of the following three components:

[0022] User-Identity Management System (UIMS)

[0023] UIMS is responsible for keeping track of the users in the system and their existing/previous sessions. Zero trust architecture requires metadata about the users to allow organizations to make risk-based decisions at the policy enforcement point. This metadata is maintained, updated and supplied by this system. It will also be integrated with external systems, such as those dedicated to human resources, contract management, or personnel security, to gain time-relevant information about the users.

[0024] Using this centrally managed system also allows the organizations to keep track of their users' activities at one point, thus helping them enforce their security policies uniformly across all the applications. Having this system within the 5G Core is crucial so that we can decide whether a user is allowed to access a particular resource before the request actually reaches the resource.

[0025] User Authentication System (UAS)

[0026] This system provides functionality to authenticate a user at the application level. Since the existing authentication function in the 5G Core, the AMF (Authentication Management Function), only authenticates a user once and at the network level, there is a need for a system that can authenticate every access request at the application level.

[0027] FIG. 2 shows a flow diagram of how the user authentication system communicates with the user-identity management system to authenticate a user. Whenever UPF 105 receives a request to access a resource 201, UPF 105 will ask UIMS 305 to check if the user is authenticated 203. As described earlier, UIMS 203 centrally manages the authentication status of a user and, if the user is authenticated, it will inform the UPF 204. Otherwise, UIMS 203 will send a request 205 to UAS 206 to authenticate the user. UAS 206 will authenticate the user and will send the success/fail response 207 back to UIMS 203, and UIMS will reply 204 back to UPF 105.

[0028] UAS 206 uses multi-factor authentication to authenticate a user by opening a pop-up on a user-device. It also provides procedures for emergency situations and account recovery processes and supports authentication through non-graphical user interfaces, such as scripts and command-line for consistency.

[0029] Access Authorization System (AAS)

[0030] Access authorization comes after authentication. Even if a user is authenticated, zero trust architecture requires checking whether the user has the authorization required to access the resource. The Access Authorization System helps in this regard by providing an interface to the UPF.

[0031] FIG. 3 shows how UPF 105 communicates with the AAS when a user requests access to a resource 301. After authentication, UPF 105 will send a request to AAS 303 to check if the user is authorized to access the resource; AAS 303 will request user metadata 304 from UIMS 203 and, based on that information, will decide whether to allow or deny the access and will inform 306 the UPF 105.

[0032] AAS uses attribute-based access control policies (ABAC) to allow or deny access by running a trust algorithm based on the user’s identity, the attributes of the resource being accessed, and the environment at access-time. For example, information about the device the user is using (is the device authorized? are its patches up-to-date?) is a common environment based check.
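The two exchanges described above (FIG. 2 authentication through the UIMS and UAS, FIG. 3 ABAC authorization through the AAS) as a runnable simulation. This is an added example, not code from the application or from Siemens; the class names mirror the components, while the credential records, the "status" attribute, the resource attributes and the environment keys are constructed assumptions.

```python
import hashlib
import hmac
from dataclasses import dataclass, field


@dataclass
class Session:
    """Per-user state kept by the UIMS: current status plus outcomes of prior checks."""
    authenticated: bool = False
    history: list = field(default_factory=list)


class UIMS:
    """User-Identity Management System: session tracking and user metadata."""

    def __init__(self, metadata, uas):
        self.metadata = metadata   # constructed stand-in for the HR / contract feeds
        self.uas = uas             # consulted only when the session is not authenticated
        self.sessions = {}

    def check_authenticated(self, user, credentials):
        """Steps 203, 205 and 207 of FIG. 2: answer from session state, else ask the UAS."""
        session = self.sessions.setdefault(user, Session())
        if session.authenticated:
            return True
        ok = self.uas.authenticate(user, credentials)
        session.authenticated = ok
        session.history.append(("auth", ok))
        return ok

    def user_metadata(self, user):
        return dict(self.metadata.get(user, {}))


class UAS:
    """User Authentication System: application-level check with two factors.
    The one-time code is a constructed stand-in for the MFA prompt of [0028]."""

    def __init__(self, records):
        self.records = records     # user -> (sha256(password) hex, one-time code)

    def authenticate(self, user, credentials):
        rec = self.records.get(user)
        if rec is None or credentials is None:
            return False
        pw_hash, otp = rec
        given = hashlib.sha256(credentials[0].encode()).hexdigest()
        # constant-time comparisons so timing does not reveal which factor failed
        return hmac.compare_digest(given, pw_hash) and hmac.compare_digest(credentials[1], otp)


class AAS:
    """Access Authorization System: ABAC decision over user, resource and environment."""

    def __init__(self, uims, resources):
        self.uims = uims
        self.resources = resources  # resource name -> attributes a request must satisfy

    def authorize(self, user, resource, env):
        attrs = self.uims.user_metadata(user)        # step 304 of FIG. 3
        req = self.resources.get(resource)
        if req is None or not attrs:
            return False, "unknown resource or user"   # deny by default
        if attrs.get("role") not in req["roles"]:
            return False, "role not permitted"
        if attrs.get("status") != "active":
            return False, "user not active in HR feed"
        if not env.get("device_authorized"):
            return False, "device not in inventory"
        if env.get("patch_level", 0) < req["min_patch"]:
            return False, "device patch level too low"
        return True, "allowed"


class UPF:
    """User Plane Function as enforcement point: authenticate, then authorize, every request."""

    def __init__(self, uims, aas):
        self.uims, self.aas = uims, aas

    def handle_request(self, user, resource, env, credentials=None):
        if not self.uims.check_authenticated(user, credentials):
            return "deny", "authentication failed"
        ok, reason = self.aas.authorize(user, resource, env)
        return ("allow" if ok else "deny"), reason


def build_demo():
    """Wire the components with constructed users, credentials and one resource."""
    uas = UAS({"alice": (hashlib.sha256(b"correct horse").hexdigest(), "492817"),
               "bob": (hashlib.sha256(b"hunter2").hexdigest(), "113355")})
    uims = UIMS({"alice": {"role": "operator", "status": "active"},
                 "bob": {"role": "contractor", "status": "terminated"}}, uas)
    aas = AAS(uims, {"plc-hmi": {"roles": {"operator"}, "min_patch": 3}})
    return UPF(uims, aas)
```

Once a session is marked authenticated the UIMS answers the UPF directly and the UAS is not consulted again, which is the short path 203/204 of FIG. 2; every request still passes through the AAS, so a change in device state denies a previously allowed user.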

[0033] Module #2: Devices: The goal of this module is to maintain a complete inventory of every authorized device and prevent, detect, and respond to incidents on those devices. It consists of the following component:

[0034] Endpoint Detection and Response System (EDRS)

[0035] Along with the user-identity management systems, our envisioned zero-trust 5G architecture also contains a device inventory to keep track of all the registered devices in one place and the EDRS continually monitors activities on these authorized devices and raises threat alerts if potentially malicious behaviors are observed.

[0036] It is important for a zero-trust based architecture to detect malicious devices in real time and automatically block their access. To accomplish that, the EDRS will hunt for threats by matching real-time logs and events against a knowledge base of adversarial tactics, techniques, and procedures, which are manually crafted expert rules that describe low-level attack patterns.

[0037] Module #3: Network: This module is responsible for encrypting all DNS requests and HTTP traffic and isolating traffic flows. It is also responsible for monitoring the users' activities. It includes the following two components:

[0038] User-Behavior Analysis Function (UBAF)

[0039] The supervision of user behavior in a private network is an important means to ensure the security of an organization. Accordingly, UBAF is an important part of a zero-trust 5G architecture according to this disclosure. UBAF will use the available metadata about users and the traffic and event logs for user behavior analysis. The core function of this component is to monitor the flows, build a profile of each user's key behaviors, and detect abnormal flows that do not match that user's behavior profile. This can effectively monitor key user behavior in private networks and detect anomalous flows with high accuracy.

[0040] Network Slicing

[0041] Network slicing refers to the partitioning of a physical network into several virtual networks; each network may be customized and optimized for a specific type of application or users. By virtualization technologies, the shared physical network resources can be dynamically and efficiently shared among logical network slices based on different demands. A 5G network slice is composed of a collection of network functions and settings that are combined together for a specific use case or business model. From a security perspective, network slices isolate traffic within a slice from all other slices in use.

[0042] According to the 3GPP specifications, the 5G architecture adopts a service-based architecture (SBA) design: network virtualization, software-defined networking (SDN), and service-based architectures (SBA) are key enablers of a 5G network. According to embodiments of this disclosure, this architecture is leveraged to further secure the network traffic flows. For instance, different slices of UPF may be used, applying different network inspection and authorization rules at different UPFs. This way, critical traffic flows may be isolated from non-critical flows and trusted users may be separated from other users.

[0043] Along with the above-mentioned components, this module will add DNS resolvers in the 5G core that support DNS over HTTPS, and all DNS requests will be forwarded to these resolvers.

[0044] Module #4: Applications and Workload: This module is responsible for rigorously testing the applications and periodically generating vulnerability reports. It includes the following component:

[0045] Security Assessment Report Generator (SARG)

[0046] To gain confidence in the security of any system, it is important to analyze its software and its deployed functionality with a comprehensive and rigorous approach. SARG is a part of an exemplary 5G architecture according to embodiments of this disclosure that generates an assessment report utilizing automated tools for vulnerability scanning and code analysis of the software running behind the private 5G, and further using analysis prepared by more time-intensive, specialized, and application-specific methods. This will ensure continuous monitoring of the applications as the applications evolve and applications developers may use these reports to address the identified vulnerabilities.

[0047] Module #5: Data: This module is responsible for classifying and encrypting all the data and maintaining logs of every access. Module 5 requires all the applications to encrypt their data and log every encryption/decryption request, so that the User-Behavior Analysis Function (UBAF) may use these logs to detect any malicious accesses.

[0048] Data categorization is also important for this module to secure sensitive data. Applications will use machine learning to categorize the data they gather and will offer early warning or detection of anomalous behavior in as close to real time as possible. Examples of such behavior include excessive access requests to certain data types, or an account associated with a specific role accessing a system or category of data it has not previously accessed and would ordinarily not be expected to.
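An added example (not from the application) of the behaviour-profile checks that the UBAF in [0039] and the data-access monitoring in [0048] describe: it builds per-user and per-role profiles from a constructed baseline log and flags a role touching a data category it has never accessed, a new destination, and an excessive access rate. The log format, user names and the burst threshold are assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed log format: one line per encrypt/decrypt data access reported by
# an application (module #5), attributed to a user session (module #1).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) role=(?P<role>\S+) "
    r"dst=(?P<dst>\S+) cat=(?P<cat>\S+) op=(?P<op>\S+)$"
)

# Constructed baseline: one day of normal activity used to build the profiles.
BASELINE_LOG = """
2024-03-01T08:00:12 user=alice role=operator dst=hist-db cat=telemetry op=decrypt
2024-03-01T08:20:40 user=alice role=operator dst=hist-db cat=telemetry op=decrypt
2024-03-01T09:05:01 user=alice role=operator dst=plc-hmi cat=control op=decrypt
2024-03-01T08:10:00 user=bob role=analyst dst=report-srv cat=reports op=decrypt
2024-03-01T08:45:00 user=bob role=analyst dst=report-srv cat=reports op=decrypt
2024-03-01T10:45:00 user=bob role=analyst dst=report-srv cat=reports op=encrypt
"""

# Constructed next-day traffic containing the two deviations named in [0048].
NEW_LOG = """
2024-03-02T08:02:00 user=alice role=operator dst=hist-db cat=telemetry op=decrypt
2024-03-02T08:03:00 user=alice role=operator dst=hr-db cat=payroll op=decrypt
2024-03-02T09:00:00 user=bob role=analyst dst=report-srv cat=reports op=decrypt
2024-03-02T09:00:05 user=bob role=analyst dst=report-srv cat=reports op=decrypt
2024-03-02T09:00:10 user=bob role=analyst dst=report-srv cat=reports op=decrypt
2024-03-02T09:00:15 user=bob role=analyst dst=report-srv cat=reports op=decrypt
2024-03-02T09:00:20 user=bob role=analyst dst=report-srv cat=reports op=decrypt
2024-03-02T09:00:25 user=bob role=analyst dst=report-srv cat=reports op=decrypt
"""


def parse(log):
    """Parse log text into dicts; lines that do not match the format are skipped."""
    events = []
    for line in log.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def build_profile(events):
    """Key behaviours: destinations and data categories per user, categories per
    role, and each user's peak number of accesses seen in any one hour."""
    profile = {"user_dst": defaultdict(set), "user_cat": defaultdict(set),
               "role_cat": defaultdict(set), "peak_rate": defaultdict(int)}
    hourly = Counter()
    for e in events:
        profile["user_dst"][e["user"]].add(e["dst"])
        profile["user_cat"][e["user"]].add(e["cat"])
        profile["role_cat"][e["role"]].add(e["cat"])
        hourly[(e["user"], e["ts"][:13])] += 1     # "YYYY-MM-DDTHH" bucket
    for (user, _), n in hourly.items():
        profile["peak_rate"][user] = max(profile["peak_rate"][user], n)
    return profile


def detect(profile, events, burst_factor=3):
    """Return (user, reason) alerts for flows that deviate from the profile."""
    alerts = []
    hourly = Counter()
    for e in events:
        user, role, cat, dst = e["user"], e["role"], e["cat"], e["dst"]
        if cat not in profile["role_cat"].get(role, set()):
            alerts.append((user, f"role {role} has never accessed category {cat}"))
        elif cat not in profile["user_cat"].get(user, set()):
            alerts.append((user, f"first access by this user to category {cat}"))
        if dst not in profile["user_dst"].get(user, set()):
            alerts.append((user, f"new destination {dst}"))
        bucket = (user, e["ts"][:13])
        hourly[bucket] += 1
        # excessive access: fire once, when the hourly count reaches burst_factor x baseline peak
        if hourly[bucket] == burst_factor * max(profile["peak_rate"].get(user, 0), 1):
            alerts.append((user, f"excessive access rate in hour {bucket[1]}"))
    return alerts


def run_demo():
    """Profile the baseline day, then score the next day's traffic."""
    profile = build_profile(parse(BASELINE_LOG))
    return detect(profile, parse(NEW_LOG))
```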

[0049] FIG. 4 is a process flow diagram for implementing a zero trust model in a 5G network for providing security measures in real-time communications. A feature of 5G networks is modularity, which allows only the needed components of the network core to operate in order to provide real-time communication rates. Embodiments of this disclosure provide a modular implementation of a zero trust model 401 to allow the modules to operate independently in order to preserve the real-time communication of the network. The existing 5G core is extended to include the components of the modular implementation of the zero trust model 403. The modules may be selectively invoked based on resource availability 405 to provide security measures according to the zero trust model in real-time communications 407.

[0050] FIG. 5 illustrates an exemplary computing environment 500 within which embodiments of the invention may be implemented. Computers and computing environments, such as computer system 510 and computing environment 500, are known to those of skill in the art and thus are described briefly here.

[0051] As shown in FIG. 5, the computer system 510 may include a communication mechanism such as a system bus 521 or other communication mechanism for communicating information within the computer system 510. The computer system 510 further includes one or more processors 520 coupled with the system bus 521 for processing the information.

[0052] The processors 520 may include one or more central processing units (CPUs), graphical processing units (GPUs), or any other processor known in the art. More generally, a processor as used herein is a device for executing machine-readable instructions stored on a computer readable medium, for performing tasks and may comprise any one or combination of, hardware and firmware. A processor may also comprise memory storing machine-readable instructions executable for performing tasks. A processor acts upon information by manipulating, analyzing, modifying, converting or transmitting information for use by an executable procedure or an information device, and/or by routing the information to an output device. A processor may use or comprise the capabilities of a computer, controller or microprocessor, for example, and be conditioned using executable instructions to perform special purpose functions not performed by a general purpose computer. A processor may be coupled (electrically and/or as comprising executable components) with any other processor enabling interaction and/or communication there-between. A user interface processor or generator is a known element comprising electronic circuitry or software or a combination of both for generating display images or portions thereof. A user interface comprises one or more display images enabling user interaction with a processor or other device.

[0053] Continuing with reference to FIG. 5, the computer system 510 also includes a system memory 530 coupled to the system bus 521 for storing information and instructions to be executed by processors 520. The system memory 530 may include computer readable storage media in the form of volatile and/or nonvolatile memory, such as read only memory (ROM) 531 and/or random access memory (RAM) 532. The RAM 532 may include other dynamic storage device(s) (e.g., dynamic RAM, static RAM, and synchronous DRAM). The ROM 531 may include other static storage device(s) (e.g., programmable ROM, erasable PROM, and electrically erasable PROM). In addition, the system memory 530 may be used for storing temporary variables or other intermediate information during the execution of instructions by the processors 520. A basic input/output system 533 (BIOS) containing the basic routines that help to transfer information between elements within computer system 510, such as during start-up, may be stored in the ROM 531. RAM 532 may contain data and/or program modules that are immediately accessible to and/or presently being operated on by the processors 520. System memory 530 may additionally include, for example, operating system 534, application programs 535, other program modules 536 and program data 537.

[0054] The computer system 510 also includes a disk controller 540 coupled to the system bus 521 to control one or more storage devices for storing information and instructions, such as a magnetic hard disk 541 and a removable media drive 542 (e.g., floppy disk drive, compact disc drive, tape drive, and/or solid state drive). Storage devices may be added to the computer system 510 using an appropriate device interface (e.g., a small computer system interface (SCSI), integrated device electronics (IDE), Universal Serial Bus (USB), or FireWire).

[0055] The computer system 510 may also include a display controller 565 coupled to the system bus 521 to control a display or monitor 566, such as a cathode ray tube (CRT) or liquid crystal display (LCD), for displaying information to a computer user. The computer system includes an input interface 560 and one or more input devices, such as a keyboard 562 and a pointing device 561, for interacting with a computer user and providing information to the processors 520. The pointing device 561, for example, may be a mouse, a light pen, a trackball, or a pointing stick for communicating direction information and command selections to the processors 520 and for controlling cursor movement on the display 566. The display 566 may provide a touch screen interface which allows input to supplement or replace the communication of direction information and command selections by the pointing device 561. In some embodiments, an augmented reality device 567 that is wearable by a user, may provide input/output functionality allowing a user to interact with both a physical and virtual world. The augmented reality device 567 is in communication with the display controller 565 and the user input interface 560 allowing a user to interact with virtual items generated in the augmented reality device 567 by the display controller 565. The user may also provide gestures that are detected by the augmented reality device 567 and transmitted to the user input interface 560 as input signals.

[0056] The computer system 510 may perform a portion or all of the processing steps of embodiments of the invention in response to the processors 520 executing one or more sequences of one or more instructions contained in a memory, such as the system memory 530. Such instructions may be read into the system memory 530 from another computer readable medium, such as a magnetic hard disk 541 or a removable media drive 542. The magnetic hard disk 541 may contain one or more datastores and data files used by embodiments of the present invention. Datastore contents and data files may be encrypted to improve security. The processors 520 may also be employed in a multiprocessing arrangement to execute the one or more sequences of instructions contained in system memory 530. In alternative embodiments, hard-wired circuitry may be used in place of or in combination with software instructions. Thus, embodiments are not limited to any specific combination of hardware circuitry and software.

[0057] As stated above, the computer system 510 may include at least one computer readable medium or memory for holding instructions programmed according to embodiments of the invention and for containing data structures, tables, records, or other data described herein. The term “computer readable medium” as used herein refers to any medium that participates in providing instructions to the processors 520 for execution. A computer readable medium may take many forms including, but not limited to, non-transitory, non-volatile media, volatile media, and transmission media. Non-limiting examples of non-volatile media include optical disks, solid state drives, magnetic disks, and magneto-optical disks, such as magnetic hard disk 541 or removable media drive 542. Non-limiting examples of volatile media include dynamic memory, such as system memory 530. Non-limiting examples of transmission media include coaxial cables, copper wire, and fiber optics, including the wires that make up the system bus 521. Transmission media may also take the form of acoustic or light waves, such as those generated during radio wave and infrared data communications.

[0058] The computing environment 500 may further include the computer system 510 operating in a networked environment using logical connections to one or more remote computers, such as remote computing device 580. Remote computing device 580 may be a personal computer (laptop or desktop), a mobile device, a server, a router, a network PC, a peer device or other common network node, and typically includes many or all of the elements described above relative to computer system 510. When used in a networking environment, computer system 510 may include modem 572 for establishing communications over a network 571, such as the Internet. Modem 572 may be connected to system bus 521 via user network interface 570, or via another appropriate mechanism.

[0059] Network 571 may be any network or system generally known in the art, including the Internet, an intranet, a local area network (LAN), a wide area network (WAN), a metropolitan area network (MAN), a direct connection or series of connections, a cellular telephone network, or any other network or medium capable of facilitating communication between computer system 510 and other computers (e.g., remote computing device 580). The network 571 may be wired, wireless or a combination thereof. Wired connections may be implemented using Ethernet, Universal Serial Bus (USB), RJ-6, or any other wired connection generally known in the art. Wireless connections may be implemented using Wi-Fi, WiMAX, Bluetooth, infrared, cellular networks, satellite or any other wireless connection methodology generally known in the art. Additionally, several networks may work alone or in communication with each other to facilitate communication in the network 571. An executable application, as used herein, comprises code or machine-readable instructions for conditioning the processor to implement predetermined functions, such as those of an operating system, a context data acquisition system or other information processing system, for example, in response to user command or input. An executable procedure is a segment of code or machine readable instruction, sub-routine, or other distinct section of code or portion of an executable application for performing one or more particular processes. These processes may include receiving input data and/or parameters, performing operations on received input data and/or performing functions in response to received input parameters, and providing resulting output data and/or parameters.

[0060] A graphical user interface (GUI), as used herein, comprises one or more display images, generated by a display processor and enabling user interaction with a processor or other device and associated data acquisition and processing functions. The GUI also includes an executable procedure or executable application. The executable procedure or executable application conditions the display processor to generate signals representing the GUI display images. These signals are supplied to a display device which displays the image for viewing by the user. The processor, under control of an executable procedure or executable application, manipulates the GUI display images in response to signals received from the input devices. In this way, the user may interact with the display image using the input devices, enabling user interaction with the processor or other device.

[0061] The functions and process steps herein may be performed automatically or wholly or partially in response to user command. An activity (including a step) performed automatically is performed in response to one or more executable instructions or device operation without user direct initiation of the activity.

[0062] The system and processes of the figures are not exclusive. Other systems, processes and menus may be derived in accordance with the principles of the invention to accomplish the same objectives. Although this invention has been described with reference to particular embodiments, it is to be understood that the embodiments and variations shown and described herein are for illustration purposes only. Modifications to the current design may be implemented by those skilled in the art, without departing from the scope of the invention. As described herein, the various systems, subsystems, agents, managers and processes can be implemented using hardware components, software components, and/or combinations thereof.