US20160182571A1 - Lawful Interception and Security for Proximity Service - Google Patents

Lawful Interception and Security for Proximity Service Download PDF

Info

Publication number
US20160182571A1
US20160182571A1 US14/907,594 US201314907594A US2016182571A1 US 20160182571 A1 US20160182571 A1 US 20160182571A1 US 201314907594 A US201314907594 A US 201314907594A US 2016182571 A1 US2016182571 A1 US 2016182571A1
Authority
US
United States
Prior art keywords
connection
lawful interception
proximity service
devices
security agent
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Abandoned
Application number
US14/907,594
Inventor
Vinh Van Phan
Ling Yu
Kari Veikko Horneman
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Nokia Solutions and Networks Oy
Original Assignee
Nokia Solutions and Networks Oy
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Nokia Solutions and Networks Oy filed Critical Nokia Solutions and Networks Oy
Assigned to NOKIA SOLUTIONS AND NETWORKS OY reassignment NOKIA SOLUTIONS AND NETWORKS OY ASSIGNMENT OF ASSIGNORS INTEREST (SEE DOCUMENT FOR DETAILS). Assignors: YU, LING, HORNEMAN, KARI VEIKKO, VAN PHAN, VINH
Publication of US20160182571A1 publication Critical patent/US20160182571A1/en
Abandoned legal-status Critical Current

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/30Network architectures or network communication protocols for network security for supporting lawful interception, monitoring or retaining of communications or communication related information
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04BTRANSMISSION
    • H04B7/00Radio transmission systems, i.e. using radiation field
    • H04B7/14Relay systems
    • H04B7/15Active relay systems
    • H04B7/155Ground-based stations
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/04Network management architectures or arrangements
    • H04L41/046Network management architectures or arrangements comprising network management agents or mobile agents therefor
    • H04L41/048Network management architectures or arrangements comprising network management agents or mobile agents therefor mobile agents
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/02Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0281Proxies
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/06Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/20Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/30Network architectures or network communication protocols for network security for supporting lawful interception, monitoring or retaining of communications or communication related information
    • H04L63/304Network architectures or network communication protocols for network security for supporting lawful interception, monitoring or retaining of communications or communication related information intercepting circuit switched data communications
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04MTELEPHONIC COMMUNICATION
    • H04M3/00Automatic or semi-automatic exchanges
    • H04M3/22Arrangements for supervision, monitoring or testing
    • H04M3/2281Call monitoring, e.g. for law enforcement purposes; Call tracing; Detection or prevention of malicious calls
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/02Protecting privacy or anonymity, e.g. protecting personally identifiable information [PII]
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W4/00Services specially adapted for wireless communication networks; Facilities therefor
    • H04W4/02Services making use of location information
    • H04W4/023Services making use of location information using mutual or relative location information between multiple location based services [LBS] targets or of distance thresholds
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W4/00Services specially adapted for wireless communication networks; Facilities therefor
    • H04W4/80Services using short range communication, e.g. near-field communication [NFC], radio-frequency identification [RFID] or low energy communication
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W40/00Communication routing or communication path finding
    • H04W40/34Modification of an existing route
    • H04W76/023
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W76/00Connection management
    • H04W76/20Manipulation of established connections
    • H04W76/23Manipulation of direct-mode connections
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W8/00Network data management
    • H04W8/005Discovery of network devices, e.g. terminals
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04MTELEPHONIC COMMUNICATION
    • H04M2207/00Type of exchange or network, i.e. telephonic medium, in which the telephonic communication takes place
    • H04M2207/18Type of exchange or network, i.e. telephonic medium, in which the telephonic communication takes place wireless networks

Landscapes

  • Engineering & Computer Science (AREA)
  • Signal Processing (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Technology Law (AREA)
  • Databases & Information Systems (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

Lawful interception and security for proximity service There are provided measures for lawful interception and security for proximity service. Such measures could include performing control in relation to a connection of a proximity service between at least two devices, determining at least one lawful interception and security agent located within the proximity service range of at least one device to be intercepted among the at least two devices, and controlling the determined at least one lawful interception and security agent to perform an operation relating to lawful interception and/or security in relation to the connection of the proximity service.

Description

    FIELD
  • The present invention relates to lawful interception and security for a proximity service. More specifically, the present invention relates to measures (including methods, apparatuses and computer program products) for facilitating lawful interception and security for a proximity service.
    • BACKGROUND
  • The present disclosure relates to lawful interception (LI) and security issues for proximity services (ProSe) such as D2D communications in the licensed spectrum, i.e. over the air interface of a wireless communication system.
  • Presently, the LI functionality is located in the core network. However, ProSe is promoting the (at least partly network-controlled) discovery and communication between UEs that are in proximity to each other to be able to use a “direct mode” or “locally-routed” path, which may not involve the core network. Namely, the direct mode path is a direct connection between the two UEs without involving further network elements such as an eNB. The locally-routed path is an indirect connection between the two UEs via an eNB without involving the core network.
  • Thus, the connection of UEs by proximity service does not involve the core network. Therefore, the LI functionality may not be applicable to ProSe connections and/or any intercepted information may not be available to the core network LI entities.
  • Accordingly, ProSe connections such as direct D2D communications in the licensed spectrum pose many challenges for the implementation of the required lawful interception (LI) and further desirable security features. Even in network-controlled direct D2D communications, as the user data is exchanged between the devices directly over the air interface and is not routed via any infrastructure network element, monitoring the content of communications is not readily possible with the present LI functionality in the core network. Further, even though the network may control the initial setup and resource allocation of direct D2D communications, it is not readily possible with the present LI functionality in the core network to take full control of the set up and allocated D2D connection, e.g. taking back allocated resources or releasing the D2D connection from misbehaving devices which hold on to the existing D2D connection and misuse it.
  • One option was discussed in the document “LS on Proximity Services and Lawful Interception from SA3-LI to SA1,2,3” (SA3LI13_033r1, 3GPP TSG-SA3-LI Meeting #48, Dublin, Ireland, 5-7 Feb. 2013) and the document “Solution for direct discovery and communication using E-UTRAN” (S2-130308, SA WG2 Meeting #95, Prague, Czech Republic, 28 Jan.-1 Feb. 2013) to disable ProSe capabilities for UEs under surveillance or move the communication for the UE under surveillance from ProSe communication mode to infrastructure mode. That is, the ProSe communication is disabled for these UEs so that the communication is performed via the core network, so that the LI functionality in the core network is enabled. However, as indicated in the document “LS on Proximity Services and Lawful Interception from SA3-LI to SA1,2,3” mentioned above, detectability issues need to be considered for this option, as LI should be done in a non-detectable manner. In addition, moving ProSe communication to infrastructure mode may degrade the communication performance (e.g. delay and perhaps also throughput), which may not be favorable by the end user and this also means the benefits of ProSe communication may not be achieved as EPC, e.g. P-GW or S-GW is involved in the ProSe communication user plane data transportation.
  • Thus, there is a need to facilitate lawful interception and security in a case in which devices, including at least one device to be intercepted, use proximity service connections (such as e.g. direct D2D communications over the air interface without routing via any infrastructure network element).
    • SUMMARY
  • Various exemplifying embodiments of the present invention aim at addressing at least part of the above issues and/or problems and drawbacks.
  • Various aspects of exemplifying embodiments of the present invention are set out in the appended claims.
  • According to an example aspect of the present invention, there is provided a method comprising performing control in relation to a connection of a proximity service between at least two devices, determining at least one lawful interception and security agent located within the proximity service range of at least one device to be intercepted among the at least two devices, and controlling the determined at least one lawful interception and security agent to perform an operation relating to lawful interception and/or security in relation to the connection of the proximity service.
  • According to an example aspect of the present invention, there is provided a method comprising obtaining, from a network node in charge of control in relation to a connection of a proximity service between at least two devices, control information for performing an operation relating to lawful interception and/or security in relation to the connection of the proximity service, and performing the operation relating to lawful interception and/or security in relation to the connection of the proximity service with at least one device to be intercepted among the at least two devices.
  • According to an example aspect of the present invention, there is provided an apparatus comprising a processor, and a memory configured to store computer program code, wherein the processor is configured to cause the apparatus to perform: performing control in relation to a connection of a proximity service between at least two devices, determining at least one lawful interception and security agent located within the proximity service range of at least one device to be intercepted among the at least two devices, and controlling the determined at least one lawful interception and security agent to perform an operation relating to lawful interception and/or security in relation to the connection of the proximity service.
  • According to an example aspect of the present invention, there is provided an apparatus comprising a processor, and a memory configured to store computer program code, wherein the processor is configured to cause the apparatus to perform: obtaining, from a network node in charge of control in relation to a connection of a proximity service between at least two devices, control information for performing an operation relating to lawful interception and/or security in relation to the connection of the proximity service, and performing the operation relating to lawful interception and/or security in relation to the connection of the proximity service with at least one device to be intercepted among the at least two devices.
  • According to an example aspect of the present invention, there is provided an apparatus comprising means for performing control in relation to a connection of a proximity service between at least two devices, means for determining at least one lawful interception and security agent located within the proximity service range of at least one device to be intercepted among the at least two devices, and means for controlling the determined at least one lawful interception and security agent to perform an operation relating to lawful interception and/or security in relation to the connection of the proximity service.
  • According to an example aspect of the present invention, there is provided an apparatus comprising means for obtaining, from a network node in charge of control in relation to a connection of a proximity service between at least two devices, control information for performing an operation relating to lawful interception and/or security in relation to the connection of the proximity service, and means for performing the operation relating to lawful interception and/or security in relation to the connection of the proximity service with at least one device to be intercepted among the at least two devices.
  • According to an example aspect of the present invention, there is provided a computer program product comprising computer-executable computer program code which, when the program code is executed (or run) on a computer or the program is run on a computer (e.g. a computer of an apparatus according to any one of the aforementioned apparatus-related example aspects of the present invention), is configured to cause the computer to carry out the method according to any one of the aforementioned method-related example aspects of the present invention.
  • The computer program product may comprise or may be embodied as a (tangible) computer-readable (storage) medium or the like, on which the computer-executable computer program code is stored, and/or the program is directly loadable into an internal memory of the computer or a processor thereof.
  • Further developments and/or modifications of the aforementioned exemplary aspects of the present invention are set out in the following.
  • By way of exemplifying embodiments of the present invention, lawful interception and security is facilitated in a case in which devices, including at least one device to be intercepted, use proximity service connections (such as e.g. direct D2D communications over the air interface without routing via any infrastructure network element).
    • BRIEF DESCRIPTION OF THE DRAWINGS
  • In the following, the present invention will be described in greater detail by way of non-limiting examples with reference to the accompanying drawings, in which
  • FIG. 1 shows a schematic diagram illustrating a first example of a system configuration according to exemplifying embodiments of the present invention,
  • FIG. 2 shows a schematic diagram illustrating a second example of a system configuration according to exemplifying embodiments of the present invention,
  • FIG. 3 shows a diagram illustrating a first example of a procedure according to exemplifying embodiments of the present invention,
  • FIG. 4 shows a diagram illustrating a second example of a procedure according to exemplifying embodiments of the present invention,
  • FIG. 5 shows a diagram illustrating a third example of a procedure according to exemplifying embodiments of the present invention,
  • FIG. 6 shows a schematic diagram illustrating an example of a structure of apparatuses according to example embodiments of the present invention, and
  • FIG. 7 shows a schematic diagram illustrating another example of a structure of apparatuses according to exemplifying embodiments of the present invention.
    •  DETAILED DESCRIPTION OF DRAWINGS AND EMBODIMENTS OF THE PRESENT INVENTION
  • The present invention is described herein with reference to particular non-limiting examples and to what are presently considered to be conceivable embodiments of the present invention. A person skilled in the art will appreciate that the invention is by no means limited to these examples, and may be more broadly applied.
  • It is to be noted that the following description of the present invention and its embodiments mainly refers to specifications being used as non-limiting examples for certain exemplifying network configurations and system deployments. Namely, the present invention and its embodiments are mainly described in relation to 3GPP specifications being used as non-limiting examples for certain exemplifying network configurations and deployments. As such, the description of exemplifying embodiments given herein specifically refers to terminology which is directly related thereto. Such terminology is only used in the context of the presented non-limiting examples, and does naturally not limit the invention in any way. Rather, any other network configuration or system deployment, etc. may also be utilized as long as exemplifying embodiments described herein are applicable to it.
  • In particular, the present invention and its embodiments may be applicable in any wireless communication system and/or system deployment supporting ProSe connections between devices. For example, the present invention and its embodiments are applicable in wireless communication systems and/or system deployments of 3GPP Rel-12 and beyond, i.e. LTE/LTE-A. While hereinafter reference is made to device-to-device (D2D) connections/communications by way of example only, proximity services in the meaning of the present disclosure equally encompass machine-to-machine (M2M) connections/communications, terminal-to-terminal (T2T) connections/communications, peer-to-peer (P2P) connections/communications, or the like.
  • Hereinafter, various exemplifying embodiments and implementations of the present invention and its aspects are described using several variants and/or alternatives. It is generally noted that, according to certain needs and constraints, all of the described variants and/or alternatives may be provided alone or in any conceivable combination (also including combinations of individual features of the various variants and/or alternatives). In this description, the words “comprising” and “including” should be understood as not limiting the described exemplifying embodiments and implementations to consist of only those features that have been mentioned, and such exemplifying embodiments and implementations may also contain features, structures, units, modules etc. that have not been specifically mentioned. Further, in this description, the term “to perform” should be understood as being equivalent to corresponding terms such as “to carry out”, “to execute”, “to accomplish”, “to process”, “to conduct”, etc. so that the described exemplifying embodiments and implementations are not limited to a specific kind of realization of respective operations, procedures, and/or functions.
  • According to exemplifying embodiments of the present invention, in general terms, there are provided measures and mechanisms for facilitating lawful interception and security in a case in which devices, including at least one device to be intercepted, use proximity service connections.
  • In the drawings, it is noted that lines/arrows interconnecting individual blocks or entities are generally meant to illustrate an operational coupling there-between, which may be a physical and/or logical coupling, which on the one hand is implementation-independent (e.g. wired or wireless) and on the other hand may also comprise an arbitrary number of intermediary functional blocks or entities not shown.
  • FIG. 1 shows a schematic diagram illustrating a first example of a system configuration according to exemplifying embodiments of the present invention.
  • As shown in FIG. 1, it is assumed that a first device denoted by UE#1 and a second device denoted by UE#2 are involved in a D2D connection (as an example of a ProSe connection), e.g. in the setup or communication phase of such D2D connection. That is to say, UE#1 and UE#2 are attempting to communicate or are communicating with each other using a direct mode D2D connection (as indicated by a two-headed double-line arrow). Both UE#1 and UE#2 are served by a serving/controlling network which is indicated by a controlling network entity which may for example comprise (the functionality of) an eNB, a MME, a S-GW, a P-GW, or the like.
  • It is to be noted that a ProSe (e.g. D2D) connection may comprise more than two devices, while the present description assumes a ProSe (e.g. D2D) connection between two devices for illustrative purposes only.
  • As shown in FIG. 1, it is assumed that a lawful interception and security agent (LISA) is located within the proximity service range of at least one device to be intercepted among the two devices in the targeted D2D connection, i.e. UE#1 and UE#2. Namely, the dashed line indicates the edge of the ProSe service range of UE#1, and the dot-dashed line indicates the edge of the ProSe service range of UE#2. The LISA is configured to perform a lawful interception and/or security operation in relation to the D2D connection, i.e. at least one device to be intercepted among the two devices in D2D connection, i.e. UE#1 and UE#2. Such operation may for example comprise one or more of intercepting intercept-related information (IRI) and/or content of communication (CC), reporting the intercepted information to the controlling network entity, forwarding requested information about D2D communications between UE#1 and UE#2, as well as functions in relation to authentication, admission control, and connection and mobility management of UE#1 and/or UE#2. As indicated by two-headed arrows, the LISA of FIG. 1 is assumed to be capable of performing such operation in relation to both UE#1 and UE#2. To this end, the LISA is controlled by the controlling network entity, i.e. from the serving/controlling network of UE#1 and UE#2. Such controlling network entity may thus comprise (the functionality of) a DRSF, ADMF, or the like.
  • It is noted that more than one LISA may be present and configured to perform a lawful interception and/or security operation in relation to a targeted D2D connection. Namely, a group of LISAs may be located within the proximity service range of at least one device to be intercepted among the two or more devices in the targeted D2D connection and be configured to perform a lawful interception and/or security operation in relation to the D2D connection. That is, the block denoted by LISA in FIG. 1 may represent a group of LISAs, all of which exhibit the same functionality as the LISA, as described above. Thereby, the reliability of the required/desired operation in relation to the targeted D2D connection may be improved.
  • FIG. 2 shows a schematic diagram illustrating a second example of a system configuration according to exemplifying embodiments of the present invention.
  • As shown in FIG. 2, similar to the exemplifying configuration of FIG. 1, a ProSe (e.g. D2D) connection between two devices UE#1 and UE#2 is exemplified, and both#1 and UE#2 are served by a serving/controlling network which is indicated by a controlling network entity. In this regard, reference is made to the above description of FIG. 1 for further details.
  • As shown in FIG. 2, in contrast to the exemplifying configuration of FIG. 1, it is assumed that two LISAs are located within the proximity service range of the two devices in the targeted D2D connection and are configured to perform a lawful interception and/or security operation in relation to the D2D connection. Namely, a first LISA#1 is located within the ProSe service range of UE#1 and is configured to perform a lawful interception and/or security operation in relation to UE#1 to be intercepted of the targeted D2D connection, and a second LISA#2 is located within the ProSe service range of UE#2 and is configured to perform a lawful interception and/or security operation in relation to UE#2 to be intercepted of the targeted D2D connection. The two LISAs may be connected with each other so as to enable exchange of information relating to their individual operations, as indicated by a two-headed dotted arrow. To this end, the two LISAs are controlled by the controlling network entity, i.e. from the serving/controlling network of UE#1 and UE#2. In this regard, reference is made to the above description of FIG. 1 for further details.
  • It is noted that more than one LISA may be present and configured to perform a lawful interception and/or security operation in relation to any one of multiple devices of a targeted D2D connection. Namely, a group of LISAs may be located within the proximity service range of any one of the two or more devices in the targeted D2D connection and be configured to perform a lawful interception and/or security operation in relation to a respective device of the D2D connection. That is, the block denoted by LISA#1 in FIG. 2 and/or the block denoted by LISA#2 in FIG. 2 may represent a group of LISAs, all of which exhibit the same functionality as the LISA#1 and/or the LISA#2, as described above. Thereby, the reliability of the required/desired operation in relation to any one of the devices to be intercepted of the targeted D2D connection may be improved.
  • Generally, ProSe (e.g. D2D) connections/communications in the meaning of the present specification encompass any kind of ProSe (e.g. D2D) connections/communications, including network-controlled ProSe (e.g. D2D) connections/communications, semi-autonomous ProSe (e.g. D2D) connections/communications, and (fully) autonomous ProSe (e.g. D2D) connections/communications. In a network-controlled ProSe (e.g. D2D) connections/communication, network assistance is available at/for both UE#1 and UE#2 in the examples of FIGS. 1 and 2 (the corresponding connections to UE#1 and UE#2 in FIGS. 1 and 2 are present or operable), i.e. both UE#1 and UE#2 are in CONNECTED state and thus capable of receiving direct control from the serving/controlling network (i.e. network assistance) for/when conducting the ProSe (e.g. D2D) connection. In a semi-autonomous ProSe (e.g. D2D) connections/communication, network assistance is available at/for only one of UE#1 and UE#2 in the examples of FIGS. 1 and 2 (only one of the corresponding connections to UE#1 and UE#2 in FIGS. 1 and 2 is present or operable), i.e. only one of UE#1 and UE#2 is in CONNECTED state and thus capable of receiving direct control from the serving/controlling network (i.e. network assistance), while the other one of UE#1 and UE#2 is in IDLE state and/or outside the service/coverage area of the serving/controlling network (i.e. the controlling network entity) and thus incapable of receiving direct control from the serving/controlling network (i.e. network assistance), for/when conducting the ProSe (e.g. D2D) connection. In a (fully) autonomous ProSe (e.g. D2D) connections/communication, network assistance is available at/for neither one of UE#1 and UE#2 in the examples of FIGS. 1 and 2 (none of the corresponding connections to UE#1 and UE#2 in FIGS. 1 and 2 is present or operable), i.e. both UE#1 and UE#2 are in IDLE state and/or outside the service/coverage area of the serving/controlling network (i.e. the controlling network entity) and thus incapable of receiving direct control from the serving/controlling network (i.e. network assistance) for/when conducting the ProSe (e.g. D2D) connection.
  • The LISA according to exemplifying embodiments of the present invention may be realized/implemented by any local entity, i.e. any communication-enabled entity which is located within the proximity service range of at least one device to be intercepted among the two devices in the targeted D2D connection. On the one hand, the LISA may be realized/implemented by a device capable of conducting a connection of a proximity service with the at least one device to be intercepted, i.e. participating in a ProSe (e.g. D2D) connection with UE#1 and/or UE#2 of FIGS. 1 and 2. Such device may for example comprise any suitable UE, terminal, machine, peer, or the like. On the other hand, the LISA may be realized/implemented by a deployed network node which may by pre-configured to act as LISA. Such network node may for example comprise any suitable access point, small-cell eNB, dedicated LISA device, or the like. Utilizing a network node as a LISA may provide benefits in terms of controlling and data forwarding, especially when the network node already has a working connection/interface in place with the serving/controlling network (e.g. a S1 or X2 connection/interface vie the serving/controlling eNB), while utilizing a local device (e.g. a local UE) as a LISA may provide benefits in terms of flexibility (e.g. in tracking/following the devices in D2D connection).
  • According to exemplifying embodiments of the present invention, certain network nodes may be deployed and pre-configured (pre-coded) to act as LISA over certain service areas on a sufficiently fine location-resolution basis. In such scenarios, the serving/controlling network is aware of those local network nodes being pre-configured to act as LISA over a certain ProSe service area beforehand, and may thus select and active one or more LISA among these pre-configured (pre-coded) network nodes accordingly. That is a semi-/static LISA configuration may be utilized.
  • According to exemplifying embodiments of the present invention, irrespective of the presence or absence of any pre-configured (pre-coded) network nodes as mentioned above, devices such as UEs may be dynamically utilized as LISAs over certain service areas. In such scenarios, the serving/controlling network may select and configure one or more devices such as UE to act as LISA among the available devices (as well as de-select and release previously selected and configured devices when their LISA operation is no longer needed or suited for the targeted D2D user or users) on-the-fly. That is a dynamic LISA configuration may be utilized.
  • According to exemplifying embodiments of the present invention, a device or network node acting as cluster head of a D2D cluster may be determined/selected to act as LISA. Namely, multiple devices, such as devices being capable of a mutual D2D connection/communication, may be (virtually/logically) organized in a D2D cluster, and a device or network node (e.g. a device of the devices in the D2D cluster) may act as D2D cluster head. Such D2D cluster head may be preconfigured as a LISA or with LISA capabilities so as to be able to act as D2D cluster head and LISA for the same (subset of) devices in the D2D cluster at the same time. While not being restricted thereto, such linkage of D2D cluster head operation and LISA operation at a single device or network node may be specifically applicable for semi-autonomous ProSe (e.g. D2D) connections/communications and (fully) autonomous ProSe (e.g. D2D) connections/communications, as explained above.
  • FIG. 3 shows a diagram illustrating a first example of a procedure according to exemplifying embodiments of the present invention.
  • As shown in FIG. 3, a procedure according to an exemplifying embodiment of the present invention comprises, at the controlling network entity side, an operation of performing (or carrying out, executing, etc.) control in relation to a connection of a proximity service between at least two devices, e.g. UE#1 and/or UE#2 of FIGS. 1 and 2, an operation of determining at least one LISA located within the proximity service range of at least one device to be intercepted among the at least two devices, and an operation of controlling the determined at least one LISA to perform (or carry out, execute, etc.) an operation relating to lawful interception and/or security in relation to the connection of the proximity service. For such control operation, corresponding control information are transmitted to the at least one LISA, i.e. to the local device/s and/or the local network node/s determined to act as LISA for the targeted ProSe (e.g. D2D) connection.
  • As shown in FIG. 3, a procedure according to an exemplifying embodiment of the present invention comprises, at the LISA side (i.e. the local device/s and/or the local network node/s determined to act as LISA for the targeted ProSe (e.g. D2D) connection), an operation of obtaining, from the controlling network entity, i.e. the network node in charge of control in relation to a connection of a proximity service between at least two devices, control information for performing (or carrying out, executing, etc.) an operation relating to lawful interception and/or security in relation to the connection of the proximity service, and performing (or carrying out, executing, etc.) the operation relating to lawful interception and/or security in relation to the connection of the proximity service with at least one device to be intercepted among the at least two devices. In the LISA operation, the LISA may act on the device or devices to be intercepted and/or report/forward required/desired information to the controlling network entity.
  • Accordingly, in exemplifying embodiments of the present invention, the selected LISA or LISAs may be requested, configured/activated, reconfigured/reactivated and/or controlled with necessary information about the targeted D2D or targeted D2D user/s and also a coordination between selected LISAs to facilitate efficient LISA operations (such as e.g. listening, reporting and forwarding, jamming, warning issuing, etc.).
  • Accordingly, in exemplifying embodiments of the present invention, intercepted information such as content of D2D communications on the targeted D2D users/s may be forwarded under LI to the serving/controlling network. Also, feedback from the selected LISA or LISAs may be used to reassure the serving/controlling network about LISA operations, and/or to report or indicate necessary updated information about the targeted D2D or the targeted D2D user/s as well as related to the LISA operations, and/or to request changes related to LISA operations.
  • The above reference to “necessary information” could for example encompass one or more of the following UE-related information: relevant identity, resource allocation, protocol configuration, operation mode, physical transmission format, and so forth.
  • FIG. 4 shows a diagram illustrating a second example of a procedure according to exemplifying embodiments of the present invention. In FIG. 4, various implementation examples on the basis of the procedure of FIG. 3 are illustrated, wherein these implementation examples are inherently independent from each other so that one or more of these may be implemented/realized in a procedure according to exemplifying embodiments of the present invention. Any one of the thus illustrated implementation examples may also be combined with any one of the implementation examples illustrated in FIG. 5 in an arbitrary manner.
  • As an implementation example according to FIG. 4, a procedure according to exemplifying embodiments of the present invention comprises an operation in which lawful interception and security agent (LISA) capabilities of a local device or network node (i.e. a potential LISA) is indicated to the controlling network entity. Upon obtaining such LISA capabilities, the controlling network entity may use the same for LISA determination purposes such that the at least one LISA is determined based thereon. Such capability of a respective local device or network node could for example relate to (a level or measure of) its suitability, capacity, authority, authorization, etc. with respect to a LISA operation.
  • Accordingly, in exemplifying embodiments of the present invention, LISA capabilities may be indicated/requested by/from relevant local devices to/by the serving/controlling network.
  • As another implementation example according to FIG. 4, a procedure according to exemplifying embodiments of the present invention comprises, in the context of LISA control, an operation of configuration or activation of the determined at least one LISA. In case of local device/s, the control comprises a configuration of the local device/s to act as LISA. In case of local network node/s, the control comprises activation of the local network node/s to act as LISA. Further, a procedure according to exemplifying embodiments of the present invention comprises, in the context of LISA control, an operation of setting a LISA mode (wherein such setting of a LISA mode may encompass activation/initiation, adjustment/adaptation/change and deactivation/termination thereof). Namely, the LISA operation may comprise various modes which are controllable by the controlling network entity.
  • As an example, the LISA operation may be controlled to (the setting of) a passive listening mode or an active monitoring mode. In the passive listening mode, the LISA may collect interception information of the at least one device to be intercepted, comprising at least one of intercept-related information (IRI) and content of communication (CC). In the active monitoring mode, the LISA may join in communication via the connection of the proximity service between the at least two devices. That is, the LISA may be configured to operate as a passive listening agent hidden from targeted D2D UE#1 and/or UE#2, or to operate as an active monitoring agent, e.g. relaying communications for the targeted D2D UE#1 and UE#2. The operation as an active monitoring agent typically makes the LISA operation somewhat visible to the targeted D2D UE#1 and/or UE#2, while the LISA operation is typically hidden from the targeted D2D UE#1 and/or UE#2 in the operation as a passive listening agent. The mode of LISA operation may be chosen case-specifically. When a LISA operates in the passive listening mode, D2D devices may discover it as just a D2D-capable device. However, it may ease LISA determination, if the LISA operation is made somewhat aware to D2D users. In this case, D2D users may detect presence of all possible LISA devices nearby but may not be aware of whether a particular LISA device is operating as LISA for their D2D session or not.
  • As another example, the LISA operation may be controlled to (the setting of) an intervention mode, in which the LISA intervenes in communication via the connection of the proximity service between the at least two devices, e.g. by issuing an interference signal on resources allocated to the connection of the proximity service between the at least two devices. Such interference signal may be any signal capable of interfering (or jamming) resources of the targeted D2D connection, which are used for control and/or data communication thereon. That is, the LISA may jam the corresponding local D2D connection in preventing unauthorized resource usage of the D2D users, and thus forcing the D2D users (i.e. UE#1 and/or UE#2) to get back to the serving/controlling network using the regular wireless communication access mode when needed. For instance, the LISA may be configured to jam certain control or data transmission signals of the targeted D2D connection by way of the interference signal.
  • According to exemplifying embodiments of the present invention, jamming may be done in a D2D-connection specific way, i.e. the LISA may e.g. transmit some interference signal on the same radio resources at the same time when the D2D communication is being carried out. As the D2D communication itself will handle the co-channel interference problem with other users, the interference signal may not cause service deterioration for other users, if jamming may be done specific to the targeted D2D connection. For example, jamming may be carried out only for the targeted D2D connection, while it may take into account the current circumstances so that services of other users should not be deteriorated due to the jamming of the targeted D2D connection. Further, jamming may be burst-like transmitted once or repeatedly in order to avoid or at least limit the deterioration of services of other users due to increased level of interference. Typically, the duration of the jamming may be limited to the shortest possible one. In defining the duration of the jamming, limiting the risk of dropping calls or causing pauses to real-time services of other uses, such as showing video streams, may also be taken into consideration. On the other hand, the power level of jamming may also be adjusted according to current circumstances.
  • FIG. 5 shows a diagram illustrating a third example of a procedure according to exemplifying embodiments of the present invention. In FIG. 5, various implementation examples on the basis of the procedure of FIG. 3 are illustrated, wherein these implementation examples are inherently independent from each other so that one or more of these may be implemented/realized in a procedure according to exemplifying embodiments of the present invention. Any one of the thus illustrated implementation examples may also be combined with any one of the implementation examples illustrated in FIG. 4 in an arbitrary manner.
  • As an implementation example according to FIG. 5, a procedure according to exemplifying embodiments of the present invention comprises, in the context of LISA determination, an operation of managing a candidate set of (potential) LISAs which are applicable for the connection of the proximity service between the at least two devices, and an operation of selecting the at least one LISA from the managed candidate set of LISAs.
  • As another implementation example according to FIG. 5, a procedure according to exemplifying embodiments of the present invention comprises, in the context of LISA candidate set management, an operation of obtaining one or more radio measurement, detection and/or discovery results, or the like, and an operation of forming and/or updating the LISA candidate set based on the obtained results or the like.
  • In a first example, the results or the like may be obtained from the at least one device to be intercepted (i.e. a targeted UE) among the at least two devices of the targeted D2D connection, wherein the LISA candidate set comprises a set of suitable ones of local devices and local deployed network nodes. Based upon reported radio measurement, detection or discovery by the targeted D2D user(s) on-the-fly, the serving/controlling network may form a dynamic set of potential suitable LISA devices, and may then select and configure at least one of them to act as LISA for the targeted D2D users.
  • In a second example, the results or the like may be obtained from local deployed network nodes and/or local devices with LISA capabilities (i.e. potential LISAs) with regard to the at least one device to be intercepted (i.e. a targeted UE), wherein the LISA candidate set comprises a set of suitable ones of the deployed network nodes and/or local devices with LISA capabilities (i.e. these potential LISAs). Based upon reported radio measurement, detection or discovery by (semi-static) deployed or pre-selected LISA devices, the serving/controlling network may choose some suitable LISA device(s) to form the candidate set for the targeted UE/s. The deployed or pre-selected LISA devices may be configured to scan and report on D2D discovery periodically, or may be requested to detect and report only targeted D2D user(s) in an event-triggered manner.
  • In a third example, the above examples may be combined such that the results or the like may be obtained from the at least one device to be intercepted (i.e. a targeted UE) among the at least two devices of the targeted D2D connection and from local deployed network nodes and/or local devices with LISA capabilities (i.e. potential LISAs) with regard to the at least one device to be intercepted (i.e. a targeted UE), wherein the LISA candidate set comprises a set of suitable ones of local deployed network nodes and/or local devices with LISA capabilities.
  • In view of the above, the first example may be preferable for a highly dynamic selection and configuration of LISA/s among any LISA-capable UE devices detected by the targeted UE on-the-fly under control of the controlling/controlling network. The second example may be preferable when LISA devices are preconfigured or preselected in the service area of interest (e.g. an interception area), such as a local access point, a small-cell eNB or local devices deployed beforehand. In this example, based on certain knowledge about the target UE's location and configuration, the controlling/controlling network may request one or several preselected LISA devices to detect and report about the targeted UE. The third example may be considered as an optimized hybrid approach combining the aforementioned benefits of the first and second examples.
  • Accordingly, in exemplifying embodiments of the present invention, suitable LISA or LISAs may be determined and selected from a candidate set corresponding to the targeted D2D by the serving/controlling network. Similarly, previously determined/selected LISA or LISAs may be released and/or re-/de-selected accordingly. Such determination/selection (including a release and re-/de-selection) may for example be based upon indicated radio measurement, detection or discovery contexts including location information of the targeted D2D users, local nodes or other LISA capable UE devices in proximity of the targeted D2D, connectivity, priority, security, network state, device status and channel condition of LISA candidates, or the like.
  • According to exemplifying embodiments of the present invention, a LISA, i.e. a device or network node capable of acting as a LISA, can also be configured to advertise its presence (possibly together with its LISA capability) to its surrounding environment. Such advertisement can be made explicitly or implicitly. Upon receipt thereof at a controlling network entity or device, the thus advertised presence (possibly together with its LISA capability) of a respective LISA can be used in the context of determining at least one LISA located within the proximity service range of at least one device to be intercepted among the at least two devices (i.e. LISA determination/selection) and/or in the context of determining availability of at least one LISA capable of performing a LISA in relation to a connection of a proximity service (i.e. LISA availability determination).
  • According to exemplifying embodiments of the present invention, a LISA, i.e. a device or network node capable of acting as a LISA, can also be configured to be operable in the context of admission control of a connection of a proximity service, i.e. in/for a control in relation to setting up or securing the connection of the proximity service. Namely, when a controlling network entity or a device among the at least two devices of the connection of the proximity service performs such control in relation to setting up or securing the connection of the proximity service, a LISA according to exemplifying embodiments of the present invention can be configured to provide for support in such context. More specifically, a LISA according to exemplifying embodiments of the present invention can be configured to confirm permission and/or authentication for setting up or securing a ProSe connection for the requesting controlling network entity or device. Upon a corresponding request from a controlling network entity or device, a LISA according to exemplifying embodiments of the present invention can authenticate one or more of the at least two devices of the ProSe connection and/or grant or deny permission for setting up or securing the ProSe connection.
  • By virtue of exemplifying embodiments of the present invention, as evident from the above, an available and capable local entity (including a local device and/or a local network node) within the proximity service range of at least one device to be intercepted, which is trusted by the serving/controlling network operator, can be utilized as a lawful interception and security agent (LISA). Such LISA is capable of discovering the at least one device to be intercepted and to perform a controlled lawful interception and/or security operation in relation to the at least one device to be intercepted accordingly. Thereby, lawful interception and security is facilitated in a case in which devices, including at least one device to be intercepted, use proximity service connections (such as e.g. direct D2D communications over the air interface without routing via any infrastructure network element).
  • The above-described methods, procedures and functions may be implemented by respective functional elements, entities, modules, units, processors, or the like, as described below.
  • While in the foregoing exemplifying embodiments of the present invention are described mainly with reference to methods, procedures and functions, corresponding exemplifying embodiments of the present invention also cover respective apparatuses, entities, modules, units, network nodes and/or systems, including both software and/or hardware thereof.
  • Respective exemplifying embodiments of the present invention are described below referring to FIG. 6, while for the sake of brevity reference is made to the detailed description of respective corresponding configurations/setups, schemes, methods and functionality, principles and operations according to FIGS. 1 to 5.
  • FIG. 6 shows a schematic diagram illustrating an example of a structure of apparatuses according to exemplifying embodiments of the present invention.
  • In FIG. 6, the solid line blocks are basically configured to perform respective methods, procedures and/or functions as described above. The entirety of solid line blocks are basically configured to perform the methods, procedures and/or functions as described above, respectively. With respect to FIG. 6, it is to be noted that the individual blocks are meant to illustrate respective functional blocks implementing a respective function, process or procedure, respectively. Such functional blocks are implementation-independent, i.e. may be implemented by means of any kind of hardware or software or combination thereof, respectively.
  • Further, in FIG. 6, only those functional blocks are illustrated, which relate to any one of the above-described methods, procedures and/or functions. A skilled person will acknowledge the presence of any other conventional functional blocks required for an operation of respective structural arrangements, such as e.g. a power supply, a central processing unit, respective memories or the like. Among others, one or more memories are provided for storing programs or program instructions for controlling or enabling the individual functional entities or any combination thereof to operate as described herein in relation to exemplifying embodiments.
  • As indicated in FIG. 6, according to exemplifying embodiments of the present invention, an apparatus 10 may comprise at least one processor 11 and at least one memory 12 (and possibly also at least one connector 13), which may be operationally connected or coupled, for example by a bus 14 or the like, respectively.
  • The processor 11 and/or the connector 13 of the apparatus 10 may also include a modem or the like to facilitate communication over a (hardwire or wireless) link, respectively. The connector 13 of the apparatus 10 may include a suitable transmitter, receiver or transceiver connected or coupled to one or more antennas, antenna units, such as antenna arrays or communication facilities or means for (hardwire or wireless) communications with the linked, coupled or connected device(s), respectively. The connector 13 of the apparatus 10 is generally configured to communicate with at least one other apparatus, device, node or entity (in particular, the connector thereof).
  • The memory 12 of the apparatus 10 may store respective programs, program products, macros or applets, etc. or parts of them, which may be assumed to comprise program instructions or computer program code that, when executed by the respective processor, enables the respective electronic device or apparatus to operate in accordance with the exemplifying embodiments of the present invention.
  • In general terms, respective devices/apparatuses (and/or parts thereof) may represent means for performing respective operations and/or exhibiting respective functionalities, and/or the respective devices (and/or parts thereof) may have functions for performing respective operations and/or exhibiting respective functionalities.
  • In view of the above, the thus illustrated apparatus 10 is suitable for use in practicing one or more of the exemplifying embodiments of the present invention, as described herein.
  • When in the subsequent description it is stated that the processor (or some other means) is configured to perform some function, this is to be construed to be equivalent to a description stating that a (i.e. at least one) processor or corresponding circuitry, potentially in cooperation with a computer program code stored in the memory of the respective apparatus or otherwise available (it should be appreciated that the memory may also be an external memory or provided/realized by a cloud service or the like), is configured to cause the apparatus to perform at least the thus mentioned function. Also, such function is to be construed to be equivalently implementable by specifically configured circuitry or means for performing the respective function (i.e. the expression “processor configured to [cause the apparatus to] perform xxx-ing” is construed to be equivalent to an expression such as “means for xxx-ing”).
  • The thus illustrated apparatus 10 may represent a (part of a) controlling network entity according to exemplifying embodiments of the present invention, and it may be configured to perform (or carry out, execute, etc.) a procedure and/or exhibit a functionality as described (for the controlling network entity) in any one of FIGS. 1 to 5.
  • In this case, the apparatus 10 or its processor 11 (possibly together with computer program code stored in the memory 12), in its most basic form, is configured to perform (or carry out, execute, etc.) control in relation to a connection of a proximity service between at least two devices, to determine at least one lawful interception and security agent located within the proximity service range of at least one device to be intercepted among the at least two devices, and to control the determined at least one lawful interception and security agent to perform (or carry out, execute, etc.) an operation relating to lawful interception and/or security in relation to the connection of the proximity service.
  • The thus illustrated apparatus 10 may represent a (part of a) LISA according to exemplifying embodiments of the present invention, i.e. a device or network node capable of acting as a LISA, and it may be configured to perform (or carry out, execute, etc.) a procedure and/or exhibit a functionality as described (for the LISA) in any one of FIGS. 1 to 5.
  • In this case, the apparatus 10 or its processor 11 (possibly together with computer program code stored in the memory 12), in its most basic form, is configured to obtain, from a network node in charge of control in relation to a connection of a proximity service between at least two devices, control information for performing (or carrying out, executing, etc.) an operation relating to lawful interception and/or security in relation to the connection of the proximity service, and to perform (or carry out, execute, etc.) the operation relating to lawful interception and/or security in relation to the connection of the proximity service with at least one device to be intercepted among the at least two devices.
  • For further details regarding the operability/functionality of the individual apparatuses according to exemplifying embodiments of the present invention, reference is made to the above description in connection with any one of FIGS. 1 to 5, respectively.
  • As mentioned above, any apparatus according to exemplifying embodiments of the present invention may be structured by comprising respective means for performing corresponding operations, procedures and/or functions. For example, such means may be implemented/realized on the basis of an apparatus structure, as exemplified in FIG. 6 above, i.e. by one or more processors 11, one or more memories 12, one or more connectors 13, or any combination thereof.
  • FIG. 7 shows a schematic diagram illustrating another example of a structure of apparatuses according to exemplifying embodiments of the present invention.
  • As shown in FIG. 7, an apparatus 100 according to exemplifying embodiments of the present invention may be operable as a controlling network entity. The apparatus 100 may comprise (at least) means for performing control in relation to a connection of a proximity service between at least two devices (denoted as ProSe connection control means 110), means for determining at least one lawful interception and security agent located within the proximity service range of at least one device to be intercepted among the at least two devices (denoted as LISA determination means 120), and means for controlling the determined at least one lawful interception and security agent to perform an operation relating to lawful interception and/or security in relation to the connection of the proximity service (denoted as LISA control means 130).
  • According to exemplifying embodiments, as described above, it is noted that the apparatus 100 may be further for (or comprise means for) obtaining lawful interception and security agent capabilities of devices and/or network nodes within the proximity service range of the at least one device to be intercepted, and/or the LISA determination means 120 may be further for (or comprise means for) managing a candidate set of lawful interception and security agents which are applicable for the connection of the proximity service between the at least two devices and means for selecting the at least one lawful interception and security agent from the managed candidate set of lawful interception and security agents, and/or the LISA control means 130 may be further for (or comprise means for) setting at least one of a passive listening mode, an active monitoring mode and an intervention mode.
  • As shown in FIG. 7, an apparatus 200 according to exemplifying embodiments of the present invention may be operable as a LISA. The apparatus 200 may comprise (at least) means for obtaining, from a network node in charge of control in relation to a connection of a proximity service between at least two devices, control information for performing an operation relating to lawful interception and/or security in relation to the connection of the proximity service (denoted as control information obtaining means 210), and means for performing the operation relating to lawful interception and/or security in relation to the connection of the proximity service with at least one device to be intercepted among the at least two devices (denoted as LISA operation means 220).
  • According to exemplifying embodiments, as described above, it is noted that the apparatus 200 may be further for (or comprise means for) indicating, to the network node in charge of control in relation to the connection of the proximity service, lawful interception and security agent capabilities of the device or network node, and/or the LISA operation means 220 may be further for (or comprise means for) operating at least one of a passive listening mode, an active monitoring mode and an intervention mode.
  • In FIG. 7, the dashed arrows indicate a possible sequence of operations in terms of the participation of the individual means by way of example only. Yet, it is to be noted that the individual apparatuses as well as their respective means are generally independent from each other.
  • According to exemplifying embodiments of the present invention, any one of the processor, the memory and the connector, as well as any one of the means, may be implemented as individual modules, chips, chipsets, circuitries or the like, or one or more of them can be implemented as a common module, chip, chipset, circuitry or the like, respectively.
  • According to exemplifying embodiments of the present invention, a system may comprise any conceivable combination of the thus depicted devices/apparatuses and other network elements, which are configured to cooperate as described above.
  • In general, it is to be noted that respective functional blocks or elements according to above-described aspects can be implemented by any known means, either in hardware and/or software, respectively, if it is only adapted to perform the described functions of the respective parts. The mentioned method steps can be realized in individual functional blocks or by individual devices, or one or more of the method steps can be realized in a single functional block or by a single device.
  • Generally, any method step is suitable to be implemented as software or by hardware without changing the idea of the present invention. Such software may be software code independent and can be specified using any known or future developed programming language, such as e.g. Java, C++, C, and Assembler, as long as the functionality defined by the method steps is preserved. Such hardware may be hardware type independent and can be implemented using any known or future developed hardware technology or any hybrids of these, such as MOS (Metal Oxide Semiconductor), CMOS (Complementary MOS), BiMOS (Bipolar MOS), BiCMOS (Bipolar CMOS), ECL (Emitter Coupled Logic), TTL (Transistor-Transistor Logic), etc., using for example ASIC (Application Specific IC (Integrated Circuit)) components, FPGA (Field-programmable Gate Arrays) components, CPLD (Complex Programmable Logic Device) components or DSP (Digital Signal Processor) components. A device/apparatus may be represented by a semiconductor chip, a chipset, or a (hardware) module comprising such chip or chipset; this, however, does not exclude the possibility that a functionality of a device/apparatus or module, instead of being hardware implemented, be implemented as software in a (software) module such as a computer program or a computer program product comprising executable software code portions for execution/being run on a processor. A device may be regarded as a device/apparatus or as an assembly of more than one device/apparatus, whether functionally in cooperation with each other or functionally independently of each other but in a same device housing, for example.
  • Apparatuses and/or means or parts thereof can be implemented as individual devices, but this does not exclude that they may be implemented in a distributed fashion throughout the system, as long as the functionality of the device is preserved. Such and similar principles are to be considered as known to a skilled person.
  • Software in the sense of the present description comprises software code as such comprising code means or portions or a computer program or a computer program product for performing the respective functions, as well as software (or a computer program or a computer program product) embodied on a tangible medium such as a computer-readable (storage) medium having stored thereon a respective data structure or code means/portions or embodied in a signal or in a chip, potentially during processing thereof.
  • The present invention also covers any conceivable combination of method steps and operations described above, and any conceivable combination of nodes, apparatuses, modules or elements described above, as long as the above-described concepts of methodology and structural arrangement are applicable.
  • In view of the above, there are provided measures for lawful interception and security for proximity service. Such measures could comprise performing control in relation to a connection of a proximity service between at least two devices, determining at least one lawful interception and security agent located within the proximity service range of at least one device to be intercepted among the at least two devices, and controlling the determined at least one lawful interception and security agent to perform an operation relating to lawful interception and/or security in relation to the connection of the proximity service.
  • Even though the invention is described above with reference to the examples according to the accompanying drawings, it is to be understood that the invention is not restricted thereto. Rather, it is apparent to those skilled in the art that the present invention can be modified in many ways without departing from the scope of the inventive idea as disclosed herein.
    • LIST OF ACRONYMS AND ABBREVIATIONS
    • 3GPP 3rd Generation Partnership Project
    • ADMF Administration Function
    • CC Content of Communication
    • D2D device-to-device
    • DRSF D2D Registration Server Function
    • eNB enhanced NodeB
    • EPC Evolved Packet Core
    • IRI Intercept-Related Information
    • LEMF Law Enforcement Monitoring Facility
    • LI Lawful Interception
    • LISA Lawful Interception and Security Agent
    • LTE Long Term Evolution
    • LTE-A Long Term Evolution Advanced
    • M2M machine-to-machine
    • MME Mobility Management Entity
    • P2P peer-to-peer
    • P-GW Packet Gateway
    • ProSe Proximity Service
    • S-GW Serving Gateway
    • T2T terminal-to-terminal
    • UE User equipment

Claims (36)

1. A method comprising
performing control in relation to a connection of a proximity service between at least two devices,
determining at least one lawful interception and security agent located within the proximity service range of at least one device to be intercepted among the at least two devices, and
controlling the determined at least one lawful interception and security agent to perform an operation relating to lawful interception and/or security in relation to the connection of the proximity service.
2. (canceled)
3. The method according to claim 1, wherein
the determined at least one lawful interception and security agent comprises a device being capable of conducting a connection of a proximity service with the at least one device to be intercepted, and
the controlling comprises configuring the device to act as lawful interception and security agent.
4. The method according to claim 1, wherein
the determined at least one lawful interception and security agent comprises a deployed network node being capable of conducting a connection of a proximity service with the at least one device to be intercepted and pre-configured to act as lawful interception and security agent, and
the controlling comprises activating the deployed network node to act as lawful interception and security agent.
5. The method according to claim 1, wherein controlling the determined at least one lawful interception and security agent comprises
setting a passive listening mode for collecting interception information of the at least one device to be intercepted, comprising at least one of intercept-related information and content of communication, or
setting an active monitoring mode for joining in communication via the connection of the proximity service between the at least two devices.
6. The method according to claim 1, wherein controlling the determined at least one lawful interception and security agent comprises
setting an intervention mode for intervening in communication via the connection of the proximity service between the at least two devices by issuing an interference signal on resources allocated to the connection of the proximity service between the at least two devices.
7. (canceled)
8. The method according to claim 1, wherein determining at least one lawful interception and security agent comprises
managing a candidate set of lawful interception and security agents which are applicable for the connection of the proximity service between the at least two devices, and
selecting the at least one lawful interception and security agent from the managed candidate set of lawful interception and security agents.
9. (canceled)
10. (canceled)
11. A method comprising
obtaining, from a network node in charge of control in relation to a connection of a proximity service between at least two devices, control information for performing an operation relating to lawful interception and/or security in relation to the connection of the proximity service, and
performing the operation relating to lawful interception and/or security in relation to the connection of the proximity service with at least one device to be intercepted among the at least two devices.
12. The method according to claim 11, further comprising
indicating, to the network node in charge of control in relation to the connection of the proximity service, lawful interception and security agent capabilities of a device and/or a network node within the service range of the at least one device to be intercepted.
13. The method according to claim 11, wherein
the method is operable at or by a device being capable of conducting a connection of a proximity service with the at least one device to be intercepted, and
the control information comprises a configuration of the device to act as lawful interception and security agent.
14. The method according to claim 11, wherein
the method is operable at or by a deployed network node being capable of conducting a connection of a proximity service with the at least one device to be intercepted and pre-configured to act as lawful interception and security agent, and
the control information comprises an activation of the deployed network node to act as lawful interception and security agent.
15. The method according to claim 11, wherein the operation comprises
a passive listening mode for collecting interception information of the at least one device to be intercepted, comprising at least one of intercept-related information and content of communication, or
an active monitoring mode for joining in communication via the connection of the proximity service between the at least two devices.
16. The method according to claim 11, wherein the operation comprises
an intervention mode for intervening in communication via the connection of the proximity service between the at least two devices by issuing an interference signal on resources allocated to the connection of the proximity service between the at least two devices.
17. An apparatus comprising
a processor, and
a memory configured to store computer program code,
wherein the processor is configured to cause the apparatus to perform:
performing control in relation to a connection of a proximity service between at least two devices,
determining at least one lawful interception and security agent located within the proximity service range of at least one device to be intercepted among the at least two devices, and
controlling the determined at least one lawful interception and security agent to perform an operation relating to lawful interception and/or security in relation to the connection of the proximity service.
18. The apparatus according to claim 17, wherein the processor is configured to cause the apparatus to perform:
obtaining lawful interception and security agent capabilities of devices and/or network nodes within the proximity service range of the at least one device to be intercepted,
wherein determining at least one lawful interception and security agent is based on the obtained lawful interception and security agent capabilities of the devices and/or network nodes.
19. (canceled)
20. The apparatus according to claim 17, wherein
the processor is configured to cause the apparatus to determine a deployed network node being capable of conducting a connection of a proximity service with the at least one device to be intercepted and pre-configured to act as lawful interception and security agent, and
controlling the determined at least one lawful interception and security agent comprises activating the deployed network node to act as lawful interception and security agent.
21. The apparatus according to claim 17, wherein controlling the determined at least one lawful interception and security agent comprises
setting a passive listening mode for collecting interception information of the at least one device to be intercepted, comprising at least one of intercept-related information and content of communication, or
setting an active monitoring mode for joining in communication via the connection of the proximity service between the at least two devices.
22. The apparatus according to claim 17, wherein controlling the determined at least one lawful interception and security agent comprises
setting an intervention mode for intervening in communication via the connection of the proximity service between the at least two devices by issuing an interference signal on resources allocated to the connection of the proximity service between the at least two devices.
23. (canceled)
24. The apparatus according to claim 17, wherein determining at least one lawful interception and security agent comprises
managing a candidate set of lawful interception and security agents which are applicable for the connection of the proximity service between the at least two devices, and
selecting the at least one lawful interception and security agent from the managed candidate set of lawful interception and security agents.
25. (canceled)
26. (canceled)
27. An apparatus comprising a processor, and
a memory configured to store computer program code,
wherein the processor is configured to cause the apparatus to perform:
obtaining, from a network node in charge of control in relation to a connection of a proximity service between at least two devices, control information for performing an operation relating to lawful interception and/or security in relation to the connection of the proximity service, and
performing the operation relating to lawful interception and/or security in relation to the connection of the proximity service with at least one device to be intercepted among the at least two devices.
28. The apparatus according to claim 27, wherein the processor is configured to cause the apparatus to perform
indicating, to the network node in charge of control in relation to the connection of the proximity service, lawful interception and security agent capabilities of a device and/or a network node within the service range of the at least one device to be intercepted.
29. The apparatus according to claim 27 or 28, wherein
the apparatus is operable at or by a device being capable of conducting a connection of a proximity service with the at least one device to be intercepted, and
the control information comprises a configuration of the device to act as lawful interception and security agent.
30. The apparatus according to claim 27, wherein
the apparatus is operable at or by a deployed network node being capable of conducting a connection of a proximity service with the at least one device to be intercepted and pre-configured to act as lawful interception and security agent, and
the control information comprises an activation of the deployed network node to act as lawful interception and security agent.
31. The apparatus according to claim 27, wherein the operation comprises
a passive listening mode for collecting interception information of the at least one device to be intercepted, comprising at least one of intercept-related information and content of communication, or
an active monitoring mode for joining in communication via the connection of the proximity service between the at least two devices.
32. The apparatus according to claim 27, wherein the operation comprises
an intervention mode for intervening in communication via the connection of the proximity service between the at least two devices by issuing an interference signal on resources allocated to the connection of the proximity service between the at least two devices.
33. (canceled)
34. (canceled)
35. A computer program product comprising computer-executable computer program code which, when the computer program code is executed on a computer, is configured to cause the computer to carry out the method according to claim 1.
36. (canceled)
US14/907,594 2013-06-14 2013-08-28 Lawful Interception and Security for Proximity Service Abandoned US20160182571A1 (en)

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
PCT/CN2013/077258 WO2014198063A1 (en) 2013-06-14 2013-06-14 Lawful interception for proximity service
CNPCT/CN2013/077258 2013-06-14
PCT/EP2013/067750 WO2014198349A1 (en) 2013-06-14 2013-08-28 Lawful interception and security for proximity service

Publications (1)

Publication Number Publication Date
US20160182571A1 true US20160182571A1 (en) 2016-06-23

Family

ID=49111169

Family Applications (3)

Application Number Title Priority Date Filing Date
US14/897,800 Abandoned US20160127420A1 (en) 2013-06-14 2013-06-14 Lawful Interception for Proximity Service
US14/897,928 Active 2033-08-30 US10182079B2 (en) 2013-06-14 2013-08-28 Lawful interception and security based admission control for proximity service
US14/907,594 Abandoned US20160182571A1 (en) 2013-06-14 2013-08-28 Lawful Interception and Security for Proximity Service

Family Applications Before (2)

Application Number Title Priority Date Filing Date
US14/897,800 Abandoned US20160127420A1 (en) 2013-06-14 2013-06-14 Lawful Interception for Proximity Service
US14/897,928 Active 2033-08-30 US10182079B2 (en) 2013-06-14 2013-08-28 Lawful interception and security based admission control for proximity service

Country Status (3)

Country Link
US (3) US20160127420A1 (en)
EP (3) EP3008934A4 (en)
WO (3) WO2014198063A1 (en)

Families Citing this family (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9674876B2 (en) * 2011-01-19 2017-06-06 Telefonaktiebolaget Lm Ericsson (Publ) Local data bi-casting between core network and radio access
WO2014198063A1 (en) * 2013-06-14 2014-12-18 Siemens Networks Oy Nokia Lawful interception for proximity service
US9813550B2 (en) * 2013-07-08 2017-11-07 Samsung Electronics Co., Ltd. Lawful interception method and apparatus of D2D communication-capable terminal
US20150264552A1 (en) * 2014-03-14 2015-09-17 Gang Xiong Systems, methods, and devices for device-to-device discovery and communication
WO2015142227A1 (en) * 2014-03-17 2015-09-24 Telefonaktiebolaget L M Ericsson (Publ) Control of user equipment identity dependent service
WO2016013964A1 (en) * 2014-07-25 2016-01-28 Telefonaktiebolaget L M Ericsson (Publ) Method and entity in a li system for positioning of a target connected to a wi-fi network
MX2018001874A (en) 2015-08-26 2018-06-20 Ericsson Telefon Ab L M Method and device for lawful interception for proximity services.
EP3276907A1 (en) * 2016-07-29 2018-01-31 Rohde & Schwarz GmbH & Co. KG A method and apparatus for testing a security of communication of a device under test

Citations (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20050020244A1 (en) * 2003-07-23 2005-01-27 Hyokang Chang RF firewall for a wireless network
US20090128286A1 (en) * 2007-11-20 2009-05-21 Vitito Christopher J System for controlling the use of electronic devices within an automobile
US20090300137A1 (en) * 2008-05-29 2009-12-03 Research In Motion Limited Method, system and devices for communicating between an internet browser and an electronic device
US20090298478A1 (en) * 2008-05-29 2009-12-03 Research In Motion Limited Method and system for establishing a service relationship between a mobile communication device and a mobile data server for connecting to a wireless network
US20110029667A1 (en) * 2008-02-21 2011-02-03 Telefonaktiebolaget L M Ericsson (Publ) Data Retention and Lawful Intercept for IP Services
US8364147B2 (en) * 2010-04-28 2013-01-29 Verint Americas, Inc. System and method for determining commonly used communication terminals and for identifying noisy entities in large-scale link analysis
US20130111312A1 (en) * 2011-10-31 2013-05-02 Amit Vishram Karmarkar Method and system of jamming specified media content by age category
US20130183967A1 (en) * 2012-01-13 2013-07-18 Tim J. Olker Lawful Intercept Of Mobile Units In Proximity To A Target Mobile Unit
US20130203380A1 (en) * 2012-02-05 2013-08-08 Institute For Information Industry Network device, core network, direct mode communication system and lawful interception method thereof
WO2014113083A1 (en) * 2013-01-17 2014-07-24 Intel Corporation Lawful interception for device-to-device (d2d) communication
US20160127420A1 (en) * 2013-06-14 2016-05-05 Nokia Solutions And Networks Oy Lawful Interception for Proximity Service

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6963739B2 (en) 2002-10-21 2005-11-08 Motorola, Inc. Method and apparatus for providing information intercept in an ad-hoc wireless network
CN101102223A (en) * 2007-06-14 2008-01-09 中兴通讯股份有限公司 Network management system and method for legal detection
US9106603B2 (en) * 2009-12-23 2015-08-11 Synchronics plc Apparatus, method and computer-readable storage mediums for determining application protocol elements as different types of lawful interception content
CN103152748B (en) * 2011-12-07 2015-11-25 华为技术有限公司 communication monitoring method, base station and terminal
US9532400B2 (en) * 2013-02-28 2016-12-27 Intel Deutschland Gmbh Radio communication devices and cellular wide area radio base station

Patent Citations (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20050020244A1 (en) * 2003-07-23 2005-01-27 Hyokang Chang RF firewall for a wireless network
US20090128286A1 (en) * 2007-11-20 2009-05-21 Vitito Christopher J System for controlling the use of electronic devices within an automobile
US20110029667A1 (en) * 2008-02-21 2011-02-03 Telefonaktiebolaget L M Ericsson (Publ) Data Retention and Lawful Intercept for IP Services
US20090300137A1 (en) * 2008-05-29 2009-12-03 Research In Motion Limited Method, system and devices for communicating between an internet browser and an electronic device
US20090298478A1 (en) * 2008-05-29 2009-12-03 Research In Motion Limited Method and system for establishing a service relationship between a mobile communication device and a mobile data server for connecting to a wireless network
US8364147B2 (en) * 2010-04-28 2013-01-29 Verint Americas, Inc. System and method for determining commonly used communication terminals and for identifying noisy entities in large-scale link analysis
US20130111312A1 (en) * 2011-10-31 2013-05-02 Amit Vishram Karmarkar Method and system of jamming specified media content by age category
US20130183967A1 (en) * 2012-01-13 2013-07-18 Tim J. Olker Lawful Intercept Of Mobile Units In Proximity To A Target Mobile Unit
US20130203380A1 (en) * 2012-02-05 2013-08-08 Institute For Information Industry Network device, core network, direct mode communication system and lawful interception method thereof
WO2014113083A1 (en) * 2013-01-17 2014-07-24 Intel Corporation Lawful interception for device-to-device (d2d) communication
US20160127420A1 (en) * 2013-06-14 2016-05-05 Nokia Solutions And Networks Oy Lawful Interception for Proximity Service

Also Published As

Publication number Publication date
US10182079B2 (en) 2019-01-15
WO2014198350A1 (en) 2014-12-18
EP3008883A1 (en) 2016-04-20
EP3008934A1 (en) 2016-04-20
WO2014198349A1 (en) 2014-12-18
WO2014198063A1 (en) 2014-12-18
US20160134662A1 (en) 2016-05-12
EP3008884A1 (en) 2016-04-20
EP3008934A4 (en) 2017-02-22
US20160127420A1 (en) 2016-05-05

Similar Documents

Publication Publication Date Title
US10182079B2 (en) Lawful interception and security based admission control for proximity service
US11923939B2 (en) Distributed mobility for radio devices
US20220369215A1 (en) Relay selection in cellular sliced networks
JP6959695B2 (en) Traffic steering and switching between multiple access networks
US11638200B2 (en) Method, apparatus, system and computer program for vehicular communication smart radio access zones
US9717042B2 (en) Network discovery and selection
US9832807B2 (en) Method and device for mode switching
KR20200109303A (en) Enhanced NEF functionality, MEC and 5G integration
US10834593B2 (en) Method, apparatus and computer program product for accessing a local area scoped network having non-access-stratum procedures
EP3669585A1 (en) Terminal requesting network slice capabilities from non-3gpp access network
US9386454B2 (en) Mechanism usable for validating a communication device for allowing usage of television radio bands/channels
KR20160010612A (en) Method of device discovery for device-to-device communication in a telecommunication network, user equipment device and computer program product
EP3761751A1 (en) Relay selection in cellular sliced networks
JP2023514257A (en) Unmanned aerial vehicle authentication and authorization with unmanned aerial system traffic management via user plane
US20230354152A1 (en) Sidelink relay enhancements to support multipath
JP2022551599A (en) Device-to-device discovery via relay devices
WO2021163507A1 (en) Security and privacy support for direct wireless communications
EP3962131A1 (en) Relay selection in cellular sliced networks
US9973350B2 (en) Method for network sharing of multiple network operators and network sharing management proxy device using the same
CN114631341A (en) Relationship indication for multi-SIM devices
EP4030800A1 (en) Privacy of relay selection in cellular sliced networks
US20240147288A1 (en) Enhanced wireless device measurement gap pre-configuration, activation, and concurrency
WO2023059612A1 (en) Customer premises network access control
CN115735372A (en) Method and apparatus for secure establishment, modification and revocation of C2 communications

Legal Events

Date Code Title Description
AS Assignment

Owner name: NOKIA SOLUTIONS AND NETWORKS OY, FINLAND

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:VAN PHAN, VINH;YU, LING;HORNEMAN, KARI VEIKKO;SIGNING DATES FROM 20151208 TO 20151210;REEL/FRAME:037581/0053

STPP Information on status: patent application and granting procedure in general

Free format text: FINAL REJECTION MAILED

STCB Information on status: application discontinuation

Free format text: ABANDONED -- FAILURE TO RESPOND TO AN OFFICE ACTION