公开(公告)号：US20210044567A1

公开(公告)日：2021-02-11

申请号：US16963946

申请日：2018-02-06

Applicant: Nokia Technologies Oy

Inventor： Zhiyuan Hu ,  Jing Ping ,  Stephane Mahieu ,  Yueming Yin

IPC: H04L29/06

Abstract: Embodiments of the present disclosure relate to a method, apparatus, and computer readable medium for providing a security service for a data center. According to the method, a packet terminating at or originating from the data center is received. At least one label is determined for the packet, each label indicating a security requirement for the packet. Based on the at least one label, a security service chain is selected for the packet, the security service chain including an ordered set of security functions deployed in the data center and to be applied to the packet. The packet is transmitted to the selected security service chain in association with the at least one label, the packet being processed by the ordered set of security functions in the security service chain.

公开(公告)号：US11991186B2

公开(公告)日：2024-05-21

申请号：US17057571

申请日：2018-05-22

Applicant: Nokia Technologies Oy

Inventor： Zhiyuan Hu ,  Jing Ping ,  Stephane Mahieu ,  Yueming Yin ,  Zhigang Luo

IPC: G06F21/00 ,  H04L9/40 ,  H04L45/302

CPC classification number: H04L63/1416 ,  H04L45/306 ,  H04L63/1425 ,  H04L63/1441 ,  H04L2463/146

Abstract: Embodiments of the present disclosure relate to methods, devices and computer readable storage medium for tracing an attack source in a service function chain overlay network. In example embodiments, a request for tracing an attack source of an attacking data is sent at the attack tracer to a first service function chain domain of a plurality of service function chain domains through which the attacking data flow passes subsequently. The request includes flow characteristics of the attacking data flow. Then, the attack tracer receives a first set of results of flow matching based on the flow characteristics from the first service function chain domain. The attack tracer identifies the attack source in the plurality of service function chain domains at least in part based on the first set of results. In this way, the attack source may be traced efficiently in the service function chain overlay network.

公开(公告)号：US11617125B2

公开(公告)日：2023-03-28

申请号：US16832692

申请日：2020-03-27

Applicant: NOKIA TECHNOLOGIES OY

Inventor： Martin Kollar ,  Jing Ping

IPC: H04W48/06 ,  H04W28/02 ,  H04W24/10 ,  H04L5/00

Abstract: A device, method, apparatus and computer readable storage medium are provided for access control barring (ACB) based on cell quality. In one example, a network device determines a set of metrics related to quality of service (QoS) performance for a plurality of services in a cell in a measurement period. The network device determines ACB configuration in the cell based on comparison of the set of metrics with a set of thresholds.

公开(公告)号：US11368489B2

公开(公告)日：2022-06-21

申请号：US16764871

申请日：2017-11-20

Applicant: Nokia Technologies Oy

Inventor： Iris Adam ,  Jing Ping ,  Stephane Mahieu

IPC: G06F21/57 ,  H04L9/40 ,  G06F21/62 ,  H04L67/10

Abstract: An apparatus for security management based on event correlation in a distributed multi-layered cloud environment is disclosed, wherein the distributed multi-layered cloud environment comprises at least one first layer cloud service provider, and at least one second layer cloud service provider as a tenant of the first layer cloud service provider, and the apparatus is installed at least on one cloud service provider of the first layer cloud service provider and the second layer cloud service provider, the apparatus comprising: a central processing module configured to: provide correlation as a Service (CORRaaS) to a plurality of tenants as virtualized security appliances or virtualized security functions for the plurality of tenants's lices, generate a second interface for allowing the plurality of tenants to configure the correlation as a Service (CORRaaS), and correlate and process security events from security functions in the plurality of tenants' slices to form processed security event data, and to detect or predict attacks or anomalies or incompliance with security requirements; and a third interface for transferring the processed security event data and/or log data and/or raw data to the plurality of tenants' security management systems and/or to a plurality of cloud service providers' security management systems; and a fourth interface towards a cloud manager of the cloud service provider for causing the cloud manager to mitigate the detected or predicted attacks or anomalies or incompliance with security requirements. A corresponding system and method for security management based on event correlation in a distributed multi-layered cloud environment, as well as a computer readable medium, are also provided.

公开(公告)号：US12212604B2

公开(公告)日：2025-01-28

申请号：US17607082

申请日：2019-04-29

Applicant: Nokia Technologies Oy

Inventor： Jing Ping ,  Xiaoming She ,  Shuqiang Sun ,  Wei Lu ,  Stéphane Mahieu

IPC: H04L9/40 ,  H04L41/40 ,  H04L43/50

Abstract: Embodiments of the present disclosure provide a method and apparatus for security assurance of a network function or service. The method comprises: generating security requirements for a network function based on a security profile and a deployment and runtime environment of the network function; generating a security policy and a security test specification for the network function based on the security requirements; deploying the network function based on the security policy; validating security compliance of the network function with the security test specification; and activating the network function or service, in response to the network function being in compliance with the security policy.

公开(公告)号：US11558353B2

公开(公告)日：2023-01-17

申请号：US16963946

申请日：2018-02-06

Applicant: Nokia Technologies Oy

Inventor： Zhiyuan Hu ,  Jing Ping ,  Stephane Mahieu ,  Yueming Yin

IPC: H04L29/06 ,  H04L9/40

Abstract: Embodiments of the present disclosure relate to a method, apparatus, and computer readable medium for providing a security service for a data center. According to the method, a packet terminating at or originating from the data center is received. At least one label is determined for the packet, each label indicating a security requirement for the packet. Based on the at least one label, a security service chain is selected for the packet, the security service chain including an ordered set of security functions deployed in the data center and to be applied to the packet. The packet is transmitted to the selected security service chain in association with the at least one label, the packet being processed by the ordered set of security functions in the security service chain.

公开(公告)号：US11290490B2

公开(公告)日：2022-03-29

申请号：US16340793

申请日：2016-10-12

Applicant: Nokia Technologies Oy

Inventor： Manfred Schaefer ,  Iris Adam ,  Stephane Mahieu ,  Jing Ping

IPC: H04L29/06 ,  G06F9/50

Abstract: Cloud service security management in cloud computer environment uses a first computer cloud entity with first security capabilities and under security management coordinated by a first security management service point in compliance with predefined first security requirements. Security management of a second computer cloud entity is coordinated by a second security management service point in compliance with predefined second security requirements. In the managing of the security of the cloud service in the cloud computer environment: a trusted relationship is established between the first and second security management service points, general security requirements for the cloud service are obtained; and a first security policy is defined for the first security management service point, based on the general security requirements for the cloud service, the first security capabilities and the first security requirements, for the running of the cloud service by the first computer cloud entity.

公开(公告)号：US20200344267A1

公开(公告)日：2020-10-29

申请号：US16764871

申请日：2017-11-20

Applicant: Nokia Technologies Oy

Inventor： Iris Adam ,  Jing Ping ,  Stephane Mahieu

IPC: H04L29/06 ,  H04L29/08 ,  G06F21/62 ,  G06F21/57

Abstract: An apparatus for security management based on event correlation in a distributed multi-layered cloud environment is disclosed, wherein the distributed multi-layered cloud environment comprises at least one first layer cloud service provider, and at least one second layer cloud service provider as a tenant of the first layer cloud service provider, and the apparatus is installed at least on one cloud service provider of the first layer cloud service provider and the second layer cloud service provider, the apparatus comprising: a central processing module configured to: provide correlation as a Service (CORRaaS) to a plurality of tenants as virtualized security appliances or virtualized security functions for the plurality of tenants's lices, generate a second interface for allowing the plurality of tenants to configure the correlation as a Service (CORRaaS), and correlate and process security events from security functions in the plurality of tenants'slices to form processed security event data, and to detect or predict attacks or anomalies or incompliance with security requirements; and a third interface for transferring the processed security event data and/or log data and/or raw data to the plurality of tenants'security management systems and/or to a plurality of cloud service providers'security management systems; and a fourth interface towards a cloud manager of the cloud service provider for causing the cloud manager to mitigate the detected or predicted attacks or anomalies or incompliance with security requirements. A corresponding system and method for security management based on event correlation in a distributed multi-layered cloud environment, as well as a computer readable medium, are also provided.

公开(公告)号：US12245042B2

公开(公告)日：2025-03-04

申请号：US17799545

申请日：2020-02-14

Applicant: Nokia Technologies Oy

Inventor： Jing Ping ,  Iris Adam ,  Anatoly Andrianov ,  Xiaoguang Zhao

IPC: H04W16/10 ,  H04W12/03

Abstract: A method for network isolation management is described. The method includes assigning or creating one or more isolation groups for at least one service, wherein resources of services assigned in an isolation group are shared with or without isolation; wherein an isolation group is defined for at least one resource in each layer and each domain to gather the at least one resource of the at least one service; linking an isolation profile for each of the one or more isolation groups, wherein the isolation profile comprises at least one policy to protect the at least one resource of the one or more isolation groups, and wherein the isolation profile comprises at least an isolation level to define a type of isolation; and allocating or reallocating the at least one resource to the at least one service based on the isolation profile linked to the one or more isolation groups.

公开(公告)号：US12132732B2

公开(公告)日：2024-10-29

申请号：US17621971

申请日：2019-06-24

Applicant: Nokia Technologies Oy

Inventor： Jing Ping ,  Iris Adam ,  Anatoly Andrianov

IPC: H04L9/40

CPC classification number: H04L63/0892 ,  H04L63/083 ,  H04L63/101 ,  H04L63/20

Abstract: A credential manager imports credentials for a network slice in response to deployment of the network slice. The credentials are not known to other network slices. A repository is configured to store the credentials and protect the credentials based on credential protection policies that are defined by a service profile of the network slice. The repository is implemented in the credential manager, an authentication, authorization, and accounting (AAA) server, or other location. Properties of the credentials are modified in response to a modification trigger and the credentials are withdrawn in response to a withdrawal trigger.