What technology area does this patent fall under?

Primary CPC classification H04L63/1441. Mapped technology areas include Electricity.

When was this patent published?

Publication date Tue Jan 20 2026 00:00:00 GMT+0000 (Coordinated Universal Time) (B2). Legal status and post-grant events are not shown on this page.

What related patents are in patentsdb?

We list 12 related publications on this page (citations in our corpus or others sharing the same primary CPC).

Methods, systems, and computer readable media for detecting and mitigating security attacks on producer network functions (NFs) using access token to non-access-token parameter correlation at proxy nf

US12531894B2 · US · B2

Patent metadata
Field	Value
Publication number	US-12531894-B2
Application number	US-202318523425-A
Country	US
Kind code	B2
Filing date	Nov 29, 2023
Priority date	Nov 29, 2023
Publication date	Jan 20, 2026
Grant date	Jan 20, 2026

How to read this patent

A practical reading order for non-experts. Skip the full description unless you need deep technical detail.

Title
What the patent document calls the invention.
Abstract
A short plain-language summary of the technical disclosure.
Assignees and inventors
Who owns or filed the patent and who is credited as inventor.
Key dates
Filing, priority, publication, and grant dates set the timeline.
First independent claim
The legal scope of protection — read this for what is actually claimed.
CPC / IPC classifications
Technology tags used to group this patent with similar filings.
Citations and related patents
Prior art links and similar publications in this corpus.

Abstract

Official abstract text for this publication.

A method for detecting and mitigating security attacks on producer network NFs using access token to non-access-token parameter correlation at a proxy NF includes receiving an inter-PLMN SBI request message. The method further includes obtaining, from an access token transmitted with the inter-PLMN SBI request message, at least one network- or service-identifying parameter and obtaining, externally from the access token, at least one network- or service-identifying parameter. The method further includes comparing the at least one network- or service-identifying parameter obtained from the access token and the at least one network- or service-identifying parameter obtained externally from the access token and performing a network security action when the at least one network- or service-identifying parameter obtained from the access token does not match the at least one network- or service-identifying parameter obtained externally from the access token.

First claim

Opening claim text (preview).

What is claimed is: 1 . A method for detecting and mitigating security attacks on producer network functions (NFs) using access token to non-access-token parameter correlation at a proxy NF, the method comprising: receiving, by the proxy NF, an inter-public land mobile network (PLMN) service-based interface (SBI) request message; obtaining, by the proxy NF and from an OAuth 2.0 access token transmitted with the inter-PLMN SBI request message, at least one network-identifying or service-identifying parameter, wherein the at least one network identifying or service-identifying parameter comprises a consumer PLMN ID obtained from a subject claim of the OAuth 2.0 access token; obtaining, by the proxy NF and externally from the OAuth 2.0 access token, at least one network-identifying or service-identifying parameter, wherein the at least one-network or service-identifying parameter comprises a remote security edge protection proxy (SEPP) PLMN ID; comparing, by the proxy NF, the at least one network-identifying or service-identifying parameter obtained from the OAuth 2.0 access token and the at least one network-identifying or service-identifying parameter obtained externally from the OAuth 2.0 access token, wherein comparing the at least one network or service-identifying parameter obtained from the OAuth 2.0 access token and the at least one network-identifying or service-identifying parameter obtained externally from the OAuth 2.0 access token includes comparing the consumer PLMN ID obtained from the subject claim of the OAuth 2.0 access token with the remote SEPP PLMN ID obtained externally from the OAuth 2.0 access token; and performing, by the proxy NF, a network security action when the at least one network-identifying or service-identifying parameter obtained from the OAuth 2.0 access token does not match the at least one network-identifying or service-identifying parameter obtained externally from the OAuth 2.0 access token. 2 . The method of claim 1 wherein: obtaining the at least one network-identifying or service-identifying parameter from the OAuth 2.0 access token comprises obtaining a producer service name parameter from a scope field of the OAuth 2.0 access token; obtaining the at least one network-identifying or service-identifying parameter externally from the OAuth 2.0 access token includes obtaining a service name from a 3gpp-Sbi-Target-apiRoot header of the inter-PLMN SBI request message; comparing the at least one network-identifying or service-identifying parameter obtained from the OAuth 2.0 access token and the at least one network-identifying parameter or service-identifying parameter obtained externally from the OAuth 2.0 access token includes comparing the producer service name obtained from the scope field of the OAuth 2.0 access token with the service name obtained from the 3gpp-Sbi-Target-apiRoot header of the inter-PLMN SBI request message; and performing the network security action includes performing the network security action when the service name obtained from the scope field of the OAuth 2.0 access token and the service name obtained from the 3gpp-Sbi-Target-apiRoot header of the inter-PLMN SBI request message do not match. 3 . The method of claim 1 wherein: obtaining at least one network-identifying or service-identifying parameter from the OAuth 2.0 access token comprises obtaining a target PLMN ID from the OAuth 2.0 access token; obtaining the at least one network-identifying or service-identifying parameter externally from the OAuth 2.0 access token includes obtaining a PLMN ID from a fully qualified domain name (FQDN) from a 3gpp-Sbi-Target-apiRoot header of the inter-PLMN SBI request message; comparing the at least one network-identifying or service-identifying parameter from the OAuth 2.0 access token and the at least one network-identifying or service-identifying parameter obtained externally from the OAuth 2.0 access token includes comparing the target PLMN ID obtained from the OAuth 2.0 access token with the PLMN ID obtained from the FQDN of the 3gpp-Sbi-Target-apiRoot header of the inter-PLMN SBI request message; and performing the network security action includes performing the network security action when the target PLMN ID obtained from the OAuth 2.0 access token and the PLMN ID obtained from the FQDN of the 3gpp-Sbi-Target-apiRoot header of the inter-PLMN SBI request message do not match. 4 . The method of claim 1 wherein: the remote SEPP PLMN ID includes obtaining the remote SEPP PLMN ID from the inter-PLMN SBI request message; and performing the network security action includes performing the network security action when the consumer PLMN ID obtained from the subject claim of the OAuth 2.0 access token and the remote SEPP PLMN ID obtained from the inter-PLMN SBI request message do not match. 5 . The method of claim 1 comprising, when the at least one network-identifying or service-identifying parameter obtained from the OAuth 2.0 access token matches the at least one network-identifying or service-identifying parameter obtained externally from the OAuth 2.0 access token: identifying, by the proxy NF and from the inter-PLMN SBI request message, a consumer NF and a producer NF; determining, by the proxy NF, whether a rate of SBI request messages from the consumer NF to the producer NF exceeds a configured threshold; and when the rate of inter-PLMN SBI request messages from consumer NF to the producer NF exceeds the threshold, performing, by the proxy NF, a network security action. 6 . The method of claim 1 wherein performing the network security action includes blocking the SBI request message. 7 . The method of claim 1 wherein performing the network security action includes transmitting a fake error response generated by the proxy NF in response to the inter-PLMN SBI request message. 8 . The method of claim 1 wherein the proxy NF comprises a SEPP. 9 . The method of claim 1 wherein the proxy NF comprises a service communication proxy (SCP). 10 . A system for detecting and mitigating security attacks on producer network functions (NFs) using access token to non-access-token parameter correlation at a proxy NF, the system comprising: a proxy NF including at least one processor and a memory; and an inter-PLMN SBI request security controller implemented by the at least one processor for: receiving an inter-public land mobile network (PLMN) service-based interface (SBI) request message, obtaining, from an OAuth 2.0 access token transmitted with the inter-PLMN SBI request message, at least one network-identifying or service-identifying parameter, wherein the at least one network identifying or service-identifying parameter comprises a consumer PLMN ID obtained from a subject claim of the OAuth 2.0 access token; obtaining, externally from the OAuth 2.0 access token, at least one network-identifying or service-identifying parameter, wherein the at least one network-identifying or service-identifying parameter includes a remote security edge protection proxy (SEPP) PLMN ID; comparing the at least one network-identifying or service-identifying parameter obtained from the OAuth 2.0 access token and the at least one network-identifying or service-identifying parameter obtained externally from the OAuth 2.0 access token, wherein comparing the at least one network or service-identifying parameter obtained from the OAuth 2.0 access token and the at least one network-identifying or service-identifying parameter obtained externally from the OAuth 2.0 access token includes comparing the consumer PLMN ID obtained from the subject claim of the OAuth 2.0 access token with the remote SEPP PLMN ID obtained externally from the OAuth 2.0 access token;

Assignees

Oracle Int Corp

Inventors

Classifications

H04W12/122
Counter-measures against attacks; Protection against rogue devices · CPC title
H04L63/1441Primary
Countermeasures against malicious traffic (countermeasures against attacks on cryptographic mechanisms H04L9/002) · CPC title
H04L63/1458Primary
Denial of Service · CPC title

Patent family

Related publications grouped by family.

View patent family 93463569

External sources

Frequently asked questions

Answers are generated from the same data shown on this page.

What does patent US12531894B2 cover?: A method for detecting and mitigating security attacks on producer network NFs using access token to non-access-token parameter correlation at a proxy NF includes receiving an inter-PLMN SBI request message. The method further includes obtaining, from an access token transmitted with the inter-PLMN SBI request message, at least one network- or service-identifying parameter and obtaining, extern…
Who is the assignee on this patent?: Oracle Int Corp
What technology area does this patent fall under?: Primary CPC classification H04L63/1441. Mapped technology areas include Electricity.
When was this patent published?: Publication date Tue Jan 20 2026 00:00:00 GMT+0000 (Coordinated Universal Time) (B2). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?: We list 12 related publications on this page (citations in our corpus or others sharing the same primary CPC).