6.7 UE related analytics
23.2883GPPArchitecture enhancements for 5G System (5GS) to support network data analytics servicesRelease 18TS
6.7.1 General
This clause specifies the UE related analytics which can be provided by NWDAF:
– UE mobility analytics;
– UE communication analytics;
– Expected UE behavioural parameters related network data analytics; and
– Abnormal behaviour related network data analytics.
The NWDAF service consumer may request for these analytics separately, or in a combined way. As an example, an NWDAF service consumer may learn from the NWDAF the expected UE behaviour parameters as defined in clause 4.15.6.3 of TS 23.502 [3] for a group of UEs or a specific UE, by requesting analytics for both UE mobility (see clause 6.7.2) and for UE communication (see clause 6.7.3).
Depending on local regulations, the NWDAF retrieves user consent for the UE with UDM prior to data collection as defined in clause 6.2.2.2 or clause 6.2.2.3. If user consent to collect data is not granted by the UE, the NWDAF rejects/cancels any analytics subscriptions to any of the UE related analytics with target for analytics set to the SUPI or GPSI of that UE. If the target for analytics is either an Internal or External Group Id or a list of SUPIs or "any UE", the NWDAF skips those SUPIs that do not grant user consent for the purpose of analytics or model training.
NOTE: Possible uses of such analytics is for the AMF to learn about expected UE behaviour to derive appropriate MICO mode configuration, or for an AF to learn about expected UE behaviour to further provision 5GC with appropriate UE parameters.
6.7.2 UE mobility analytics
6.7.2.1 General
NWDAF supporting UE mobility statistics or predictions shall be able to collect UE mobility related information from NF, OAM and to perform data analytics to provide UE mobility statistics or predictions.
The service consumer may be a NF (e.g. AMF, SMF or AF).
The consumer of these analytics may indicate in the request:
– Analytics ID = "UE Mobility".
– Target of Analytics Reporting: a single UE (SUPI) or a group of UEs (an Internal Group ID);
– Analytics Filter Information optionally containing:
– Area of Interest (AOI): restricts the scope of the UE mobility analytics to the provided area;
– Visited Area(s) of Interest (visited AOI(s)): additional filter to only consider UEs that are currently (i.e. now) in the "AOI" and had previously (i.e. in the "Analytics target period") been in at least one of the Visited AOI(s). If this parameter is provided, the Analytics target period shall be in the past (i.e. supported for statistics only);
NOTE 1: For LADN service, the consumer (e.g. SMF) provides the LADN DNN to refer the LADN service area as the AOI.
– An Analytics target period indicates the time period over which the statistics or predictions are requested;
NOTE 2: For regular analytics scenarios, the Analytics target period is associated with the Analytics Filter Information = AOI, while for the scenario that Analytics ID=UE Mobility and Analytics Filter Information = (AOI and visited AOI(s)), as described in this clause, the Analytics target period is associated with the visited AOI(s) and to obtain the statistics for those UEs that currently reside in the AOI and had previously (i.e. in the "Analytics target period") been in at least one of the Visited AOI(s).
– Optionally, maximum number of objects;
– Preferred level of accuracy of the analytics;
– Preferred order of results for the time slot entries: ascending or descending time slot start;
– Optionally, preferred granularity of location information: TA level or cell level; and
– In a subscription, the Notification Correlation Id and the Notification Target Address are included.
6.7.2.2 Input Data
The NWDAF supporting data analytics on UE mobility shall be able to collect UE mobility information from OAM, 5GC and AFs. The detailed information collected by the NWDAF could be MDT data from OAM, network data from 5GC and/or service data from AFs:
– UE mobility information from OAM is UE location carried in MDT data;
– Network data related to UE mobility from 5GC is UE location information, UE location trends or UE access behaviour trends, as defined in the Table 6.7.2.2-1;
Table 6.7.2.2-1: UE Mobility information collected from 5GC
|
Information |
Source |
Description |
|
UE ID |
AMF |
SUPI |
|
UE locations (1..max) |
AMF |
UE positions |
|
>UE location |
TA or cells that the UE enters (NOTE) |
|
|
>Timestamp |
A time stamp when the AMF detects the UE enters this location |
|
|
Type Allocation code (TAC) |
AMF |
To indicate the terminal model and vendor information of the UE. The UEs with the same TAC may have similar mobility behaviour. The UE whose mobility behaviour is unlike other UEs with the same TAC may be an abnormal one. |
|
Frequent Mobility Registration Update |
AMF |
A UE (e.g. a stationary UE) may re-select between neighbour cells due to radio coverage fluctuations. This may lead to multiple Mobility Registration Updates if the cells belong to different registration areas. The number of Mobility Registration Updates N within a period M may be an indication for abnormal ping-pong behaviour, where N and M are operator’s configurable parameters. |
|
UE access behaviour trends |
AMF |
Metrics on UE state transitions (e.g. access, RM and CM states, handover). |
|
UE location trends |
AMF |
Metrics on UE locations. |
|
NOTE: UE location includes either the last known location or the current location, under the conditions defined in Table 4.15.3.1-1 in TS 23.502 [3]. |
||
– Service data related to UE mobility provided by AFs is defined in the Table 6.7.2.2-2;
Table 6.7.2.2-2: Service Data from AF related to UE mobility
|
Information |
Description |
|
UE ID |
Could be external UE ID (i.e. GPSI) |
|
Application ID |
Identifying the application providing this information |
|
UE trajectory (1..max) |
Timestamped UE positions |
|
>UE location |
Geographical area that the UE enters |
|
>Timestamp |
A time stamp when UE enters this area |
|
NOTE: The application ID is optional. If the application ID is omitted, the collected UE mobility information can be applicable to all the applications for the UE. |
|
Depending on the requested level of accuracy, data collection may be provided on samples (e.g. spatial subsets of UEs or UE group, temporal subsets of UE location information).
NOTE: Reporting current UE location can cause AMF to request NG-RAN to report UE location and consequently extra signalling and load in NG-RAN and AMF. The consumer retrieving data from AMF needs to use current location with care to avoid excessive signalling.
6.7.2.3 Output Analytics
The NWDAF supporting data analytics on UE mobility shall be able to provide UE mobility analytics to consumer NFs or AFs. The analytics results provided by the NWDAF could be UE mobility statistics as defined in table 6.7.2.3-1, UE mobility predictions as defined in Table 6.7.2.3-2:
Table 6.7.2.3-1: UE mobility statistics
|
Information |
Description |
|
UE group ID or UE ID |
Identifies a UE or a group of UEs, e.g. internal group ID defined in clause 5.9.7 of TS 23.501 [2], SUPI (see NOTE 1). |
|
Time slot entry (1..max) |
List of time slots during the Analytics target period |
|
> Time slot start |
Time slot start within the Analytics target period |
|
> Duration |
Duration of the time slot |
|
> UE location (1..max) |
Observed location statistics (see NOTE 2) |
|
>> UE location |
TA or cells which the UE stays (see NOTE 3) |
|
>> Ratio |
Percentage of UEs in the group (in the case of a UE group) |
Table 6.7.2.3-2: UE mobility predictions
|
Information |
Description |
|
UE group ID or UE ID |
Identifies a UE or a group of UEs, e.g. internal group ID defined in clause 5.9.7 of TS 23.501 [2], or SUPI (see NOTE). |
|
Time slot entry (1..max) |
List of predicted time slots |
|
>Time slot start |
Time slot start time within the Analytics target period |
|
> Duration |
Duration of the time slot |
|
> UE location (1..max) |
Predicted location prediction during the Analytics target period |
|
>> UE location |
TA or cells where the UE or UE group may move into (see NOTE 3) |
|
>> Confidence |
Confidence of this prediction |
|
>> Ratio |
Percentage of UEs in the group (in the case of a UE group) |
NOTE: When Target of Analytics Reporting is an individual UE, one UE ID (i.e. SUPI) will be included, the NWDAF will provide the analytics mobility result (i.e. list of (predicted) time slots) to NF service consumer(s) for the UE.
NOTE 2: If Visited AOI(s) was provided in the analytics request/subscription, the UE location provides information on the observed location(s) that the UE or group of UEs had been residing during the Analytics Target Period.
NOTE 3: When possible and applicable to the access type, UE location is provided according to the preferred granularity of location information.
The results for UE groups address the group globally. The ratio is the proportion of UEs in the group at a given location at a given time.
The number of time slots and UE locations is limited by the maximum number of objects provided as part of Analytics Reporting Information
The time slots shall be provided by order of time, possibly overlapping. The locations shall be provided by decreasing value of ratio for a given time slot. The sum of all ratios on a given time slot must be equal or less than 100%. Depending on the list size limitation, the least probable locations on a given Analytics target period may not be provided.
6.7.2.4 Procedures
The NWDAF can provide UE mobility related analytics, in the form of statistics or predictions or both, directly to another NF. If the NF is an AF and when the AF is untrusted, the AF will request analytics via the NEF and the NEF will then convey the request to NWDAF.
NOTE: In the case of untrusted AF the Target of Analytics Reporting can be a GPSI or an External Group Identifier that is mapped in the 5GC to a SUPI or an Internal Group Identifier.
Figure 6.7.2.4-1: UE mobility analytics provided to an NF
1. The NF sends a request (Analytics ID = UE mobility, Target of Analytics Reporting = UE id or Internal Group ID, Analytics Filter Information = AOI, Analytics Reporting Information= Analytics target period) to the serving NWDAF for analytics information on a specific UE or a group of UEs, using either the Nnwdaf_AnalyticsInfo or Nnwdaf_AnalyticsSubscription service to derive UE mobility information. The NF can request statistics or predictions or both. For LADN service, the NF (i.e. SMF) provides LADN DNN as AOI in the Analytics Filter Information.
If NF wants to obtain the aggregated mobility analytics of those UEs, that currently reside in the AOI and had visited at least one of visited AOI(s) during an Analytics target period, the NF may send a request for UE mobility analytics with Analytics ID = UE mobility, Target of Analytics Reporting = UE group ID or UE ID, Analytics Filter Information = (AOI, visited AOI(s)), Analytics Reporting information = Analytics target period. In this case, the requested mobility analytics is a statistics.
2. If the request is authorized and in order to provide the requested analytics, the NWDAF may subscribe to events with all the serving AMFs for the requested UE(s), for notification of location changes. This step may be skipped when e.g. the NWDAF already has the requested analytics available.
The NWDAF subscribes the service data for the requested UE(s) from AF(s) in the Table 6.7.2.2-2 by invoking Naf_EventExposure_Subscribe service or Nnef_EventExposure_Subscribe (if via NEF) using event ID "UE Mobility information" as defined in TS 23.502 [3].
The NWDAF collects UE mobility information from OAM for the requested UE(s), following the procedure captured in clause 6.2.3.2.
NOTE 1: The NWDAF determines the AMF serving the UE or the group of UEs as described in clause 6.2.2.1.
3. The NWDAF derives requested analytics.
If in step 1 the NWDAF receives analytics subscription/request from NF to obtain the aggregated mobility analytics of those UEs, which currently reside in AOI and had visited at least one of visited AOI(s) during an Analytics target period and if visited AOI(s) and AOI are covered by different NWDAFs, in addition to the data collected in the AOI in step 2, the NWDAF can also obtain UE mobility analytics in one of the visited AOI(s) during the Analytics target period from other NWDAF instance(s) for the requested UE(s). Then the NWDAF supporting analytics aggregation capability derives a UE ID list based on the request from the NF in step 1 and the requested aggregated analytics based on the data collected in the AOI in step 2 and UE mobility analytics in one or more of the visited AOI(s) obtained from the other NWDAF instance(s). UE visited locations in visited AOI(s) and AOI will be included in the aggregated UE mobility analytics.
NOTE 2: If the visited AOI(s) and AOI are covered by different NWDAFs, then consumer in the AOI firstly discovers a NWDAF supporting analytics aggregation capability in the AOI from the NRF, as defined in clause 6.3.13 of TS 23.501 [2].
4. The NWDAF provides requested UE mobility analytics to the NF, using either the Nnwdaf_AnalyticsInfo_Request response or Nnwdaf_AnalyticsSubscription_Notify, depending on the service used in step 1. The details for UE mobility analytics provided by NWDAF are defined in clause 6.7.2.3.
If in step 1 the NF wants to obtain the aggregated mobility analytics of those UEs, that currently reside in the AOI and had visited at least one of visited AOI(s) during an Analytics target period, the NWDAF will provide the requested aggregated analytics for the UE(s) matching this criteria, i.e. the derived mobility analytics can cover a subset of UEs compared to the Target of Analytics Reporting as provided in step 1.
5-6. If at step 1, the NF has subscribed to receive notifications for UE mobility analytics, after receiving event notification from the AMFs, AFs and OAM subscribed by NWDAF in step 2, the NWDAF may generate new analytics and provide them to the NF.
6.7.3 UE Communication Analytics
6.7.3.1 General
In order to support some optimized operations, e.g. customized mobility management, traffic routing handling, RFSP Index Management, QoS improvement or Inactivity Timer optimization, in 5GS, an NWDAF may perform data analytics on UE communication pattern and user plane traffic and provide the analytics results (i.e. UE communication statistics or prediction) to NFs in the 5GC or an AF.
An NWDAF supporting UE Communication Analytics collects per-application communication description from AFs. If consumer NF provides an Application ID, the NWDAF only considers the data from AF, SMF and UPF that corresponds to this application ID. NWDAF may also collect data from AMF.
The consumer of these analytics may indicate in the request:
– Analytics ID = "UE Communication".
– Target of Analytics Reporting: a single UE (SUPI) or a group of UEs (an Internal Group ID).
– Analytics Filter Information optionally including:
– S-NSSAI;
– DNN;
– Application ID;
– Area of Interest.
– an optional list of analytics subsets that are requested (see clause 6.7.3.3);
– An Analytics target period indicates the time period over which the statistics or predictions are requested.
– Preferred level of accuracy of the analytics.
– Optional Preferred level of accuracy per analytics subset (see clause 6.7.3.3);
– Optional preferred order of results for the list of UE Communications:
– ordering criterion: "start time" or "duration",
– order: ascending or descending;
– Optionally, maximum number of objects;
– In a subscription, the Notification Correlation Id and the Notification Target Address are included.
6.7.3.2 Input Data
The NWDAF supporting data analytics on UE communication shall be able to collect communication information for the UE from 5GC. The detailed information collected by the NWDAF includes service data related to UE communication as defined in the Table 6.7.3.2-1.
Table 6.7.3.2-1: Service Data from 5GC related to UE communication
|
Information |
Source |
Description |
|
UE ID |
SMF, AF |
SUPI in the case of SMF, external UE ID (i.e. GPSI) in the case of AF |
|
Group ID |
SMF, AF |
To identify UE group if available Internal Group ID in the case of SMF, External Group ID in the case of AF |
|
S-NSSAI |
SMF |
Information to identify a Network Slice |
|
DNN |
SMF |
Data Network Name where PDU connectivity service is provided |
|
Application ID |
SMF, AF |
Identifying the application providing this information |
|
Expected UE Behaviour parameters |
AF |
Same as Expected UE Behaviour parameters specified in TS 23.502 [3] |
|
UE communication (1..max) |
UPF, AF |
Communication description per application |
|
>Communication start |
The time stamp that this communication starts |
|
|
>Communication stop |
The time stamp that this communication stops |
|
|
>UL data rate |
UL data rate of this communication |
|
|
>DL data rate |
DL data rate of this communication |
|
|
>Traffic volume |
Traffic volume of this communication |
|
|
Type Allocation code (TAC) |
AMF |
To indicate the terminal model and vendor information of the UE. The UEs with the same TAC may have similar communication behaviour. The UE whose communication behaviour is unlike other UEs with the same TAC may be an abnormal one. |
|
UE locations (1..max) |
AMF |
UE positions |
|
>UE location |
TA or cells that the UE enters |
|
|
>Timestamp |
A time stamp when the AMF detects the UE enters this location |
|
|
UE location trends |
AMF |
Metrics on UE locations. |
|
PDU Session ID (1..max) |
SMF |
Identification of PDU Session. |
|
> Inactivity detection time |
SMF, UPF |
Value of session inactivity timer. |
|
> PDU Session status |
SMF |
Status of the PDU Session (activated, deactivated). |
|
UE CM state |
AMF |
UE connection management state (e.g. CM-IDLE). |
|
UE session behaviour trends |
SMF |
Metrics on UE state transitions (e.g. "PDU Session Establishment", "PDU Session Release"). |
|
UE communication trends |
SMF |
Metrics on UE communications. |
|
UE access behaviour trends |
AMF |
Metrics on UE state transitions (e.g. access, RM and CM states, handover). |
Depending on the requested level of accuracy, data collection may be provided on samples (e.g. spatial subsets of UEs or UE group, temporal subsets of UE communication information).
The application Id is optional. If the application Id is omitted, the collected UE communication information can be applicable to all the applications for the UE.
6.7.3.3 Output Analytics
The NWDAF supporting UE Communication Analytics provides the analytics results to consumer NFs. The analytics results provided by the NWDAF include the UE communication statistics as defined in Table 6.7.3.3-1 or predictions as defined in Table 6.7.3.3-2.
Table 6.7.3.3-1: UE Communication Statistics
|
Information |
Description |
|
UE group ID or UE ID |
Identifies a UE or a group of UEs, e.g. internal group ID defined in clause 5.9.7 of TS 23.501 [2] or SUPI (see NOTE). |
|
UE communications (1..max) (NOTE 1) |
List of communication time slots. |
|
> Periodic communication indicator (NOTE 1) |
Identifies whether the UE communicates periodically or not. |
|
> Periodic time (NOTE 1) |
Interval Time of periodic communication (average and variance) if periodic. Example: every hour |
|
> Start time (NOTE 1) |
Start time observed (average and variance) |
|
> Duration (NOTE 1) |
Duration of communication (average and variance). |
|
> Traffic characterization |
S-NSSAI, DNN, ports, other useful information. |
|
> Traffic volume (NOTE 1) |
Volume UL/DL (average and variance). |
|
> Ratio |
Percentage of UEs in the group (in the case of a UE group). |
|
Applications (0..max) (NOTE 1) |
List of application in use. |
|
> Application Id |
Identification of the application. |
|
> Start time |
Start time of the application. |
|
> Duration time |
Duration interval time of the application. |
|
> Occurrence ratio |
Proportion for the application used by the UE during requested period. |
|
> Spatial validity |
Area where the service behaviour applies. If Area of Interest information was provided in the request or subscription, spatial validity may be a subset of the requested Area of Interest. |
|
N4 Session ID (1..max) (NOTE 1) (NOTE 2) |
Identification of N4 Session. |
|
> Inactivity detection time |
Value of session inactivity timer (average and variance). |
|
NOTE 1: Analytics subset that can be used in "list of analytics subsets that are requested" and "Preferred level of accuracy per analytics subset". NOTE 2: This analytics subset shall only be included if the consumer is SMF. |
|
Table 6.7.3.3-2: UE Communication Predictions
|
Information |
Description |
|
UE group ID or UE ID |
Identifies a UE or a group of UEs, e.g. internal group ID defined in clause 5.9.7 of TS 23.501 [2] or SUPI (see NOTE). |
|
UE communications (1..max) (NOTE 1) |
List of communication time slots. |
|
> Periodic communication indicator (NOTE 1) |
Identifies whether the UE communicates periodically or not. |
|
> Periodic time (NOTE 1) |
Interval Time of periodic communication (average and variance) if periodic. Example: every hour. |
|
> Start time (NOTE 1) |
Start time predicted (average and variance). |
|
> Duration time (NOTE 1) |
Duration interval time of communication. |
|
> Traffic characterization |
S-NSSAI, DNN, ports, other useful information. |
|
> Traffic volume (NOTE 1) |
Volume UL/DL (average and variance). |
|
> Confidence |
Confidence of the prediction. |
|
> Ratio |
Percentage of UEs in the group (in the case of a UE group). |
|
Applications (0..max) (NOTE 1) |
List of application in use. |
|
> Application Id |
Identification of the application. |
|
> Start time |
Start time of the application. |
|
> Duration time |
Duration interval time of the application. |
|
> Occurrence probability |
Probability the application will be used by the UE. |
|
> Spatial validity |
Area where the service behaviour applies. If Area of Interest information was provided in the request or subscription, spatial validity may be a subset of the requested Area of Interest. |
|
N4 Session ID (1..max) (NOTE 1) (NOTE 2) |
Identification of N4 Session. |
|
> Inactivity detection time |
Value of session inactivity timer (average and variance). |
|
> Confidence |
Confidence of the prediction. |
|
NOTE 1: Analytics subset that can be used in "list of analytics subsets that are requested" and "Preferred level of accuracy per analytics subset". NOTE 2: This analytics subset shall only be included if the consumer is SMF. |
|
NOTE: When Target of Analytics Reporting is an individual UE, one UE ID (i.e. SUPI) will be included, the NWDAF will provide the analytics communication result (i.e. list of (predicted) communication time slots) to NF service consumer(s) for the UE.
The results for UE groups address the group globally. The ratio is the proportion of UEs in the group for a given communication at a given time and duration.
The number of UE communication entries (1..max) is limited by the maximum number of objects provided as part of Analytics Reporting Information. The communications shall be provided by order of time, possibly overlapping.
Depending on the list size limitation, the least probable communications on a given Analytics target period may not be provided.
6.7.3.4 Procedures
The NWDAF can provide UE communication related analytics, in the form of statistics or predictions or both, to a 5GC NF.
Figure 6.7.3.4-1: Procedure for UE communication analytics
1. 5GC NF to NWDAF: Nnwdaf_AnalyticsSubscription_Subscribe (Analytics ID = UE communication, Target of Analytics Reporting=SUPI, Analytics Filter Information = (Application ID, Area of Interest, etc.)).
5GC NF sends a request to the NWDAF for analytics on a specific UE(s), using either Nnwdaf_AnalyticsInfo or Nnwdaf_AnalyticsSubscription_Subscribe service. The analytics type indicated by "Analytics ID" is set to "UE communication". The Target of Analytics Reporting is set to SUPI or an Internal Group Identifier and Analytics Filter may include Application ID and Area of Interest.
2a-b. NWDAF to AF (Optional): Naf_EventExposure_Subscribe (Event ID, external UE ID, Application ID, Area of Interest).
In order to provide the requested analytics, the NWDAF may subscribe per application communication information, which is identified by Application ID, from AFs for the UE. The Event ID "UE Communication information" as defined in TS 23.502 [3] is used, which indicates communication report for the UE which is requested by the 5GC NF in the step 1. The external UE ID is obtained by the NWDAF based on UE internal ID, i.e. SUPI. In the case of external AF, the NEF translates the requested Area of Interest into a list of geographic zone identifier(s) as described in clause 5.6.7.1 of TS 23.501 [2].
This step is skipped if the NWDAF already has the requested analytics available or has subscribed to the AF.
2c. NWDAF to SMF: Nsmf_EventExposure_Subscribe (Event ID, SUPI, Application ID).
In order to provide the requested analytics, the NWDAF subscribes to information of the UE and may subscribe to N4 Session related input data from SMFs as defined in Table 6.7.3.2-1.
2d-e. N4 related input data is provided by UPF to SMF.
NOTE: The NWDAF request does not trigger any N4 session Establishment/Modification procedure. N4 session related input is only retrieved if UPF has already been triggered to send reports. UPF sends N4 session level reports, including PDU session Inactivity to SMF, according to clause 4.4.2.2 of TS 23.502 [3].
2f. SMF provides the requested input data to NWDAF.
2g-h. NWDAF to AMF: Namf_EventExposure_Subscribe (Event ID, SUPI, Area of Interest).
In order to provide the requested analytics, the NWDAF retrieves one or more of Type Allocation code, UE connection management state, UE access behaviour trends and UE location trends from AMF.
NOTE: The NWDAF determines the SMF serving the UE as described in clause 6.2.2.1.
3. The NWDAF derives requested analytics, in the form of UE communication statistics or predictions or both.
4. NWDAF to 5GC NF: Nnwdaf_AnalyticsInfo_Request response or Nnwdaf_AnalyticsSubscription_Notify.
The NWDAF provides requested UE communication analytics to the NF, using either Nnwdaf_AnalyticsInfo_Request response or Nnwdaf_AnalyticsSubscription_Notify, depending on the service used in step 1.
5-7. If the NF subscribed UE communication analytics at step 1, when the NWDAF generates new analytics, it notifies the new generated analytics to the 5GC NF.
6.7.4 Expected UE behavioural parameters related network data analytics
6.7.4.1 General
The clause 6.7.4 defines how a service consumer learns from the NWDAF the expected UE behaviour parameters as defined in clause 4.15.6.3 of TS 23.502 [3] for a group of UEs or a specific UE.
The service consumer may be an NF (e.g. AMF, AF), or the OAM.
The consumer of these analytics shall indicate in the request:
– Analytics ID = "UE Mobility" or "UE Communication".
– Target of Analytics Reporting: a single UE (SUPI) or a group of UEs (an Internal Group ID).
NOTE: In the case of untrusted AF the Target of Analytics Reporting can be a GPSI or an External Group Identifier that is mapped in the 5GC to a SUPI or an Internal Group Identifier
– An Analytics target period, which indicates the time period over which the statistics or predictions are requested.
– Analytics Filter Information optionally including:
– Area of Interest (AOI);
– S-NSSAI;
– DNN;
– Application ID;
– an optional list of analytics subsets that are requested (see clause 6.7.3.3).
– Optional maximum number of objects.
– In a subscription, the Notification Correlation Id and the Notification Target Address are included.
The NWDAF shall notify the result of the analytics to the consumer as indicated in clause 6.7.4.3.
6.7.4.2 Input Data
In order to produce "UE Mobility" analytics, the NWDAF collects UE mobility information, UE location trends and/or UE access behaviour trends, as defined in clause 6.7.2.2.
In order to produce "UE Communication" analytics, the NWDAF collects UE communication information, UE communication trends, UE session behaviour trends and/or UE access behaviour trends, as defined in clause 6.7.3.2.
6.7.4.3 Output Analytics
The analytics results for "UE Mobility" are specified in Table 6.7.2.3-1 and Table 6.7.2.3-2.
The analytics results for "UE Communication" are specified in Table 6.7.3.3-1 and Table 6.7.3.3-2.
6.7.4.4 Procedures
6.7.4.4.1 NWDAF-assisted expected UE behavioural analytics
Figure 6.7.4.4.1-1: NWDAF assisted expected UE behavioural analytics procedure
1. 5GC NF (e.g. AMF, SMF and AF) to NWDAF: Nnwdaf_AnalyticsInfo_Request (Analytics ID, Target of Analytics Reporting, Analytics Filter Information) or Nnwdaf_AnalyticsSubscription_Subscribe (Analytics ID, Target of Analytics Reporting, Analytics Filter Information).
The Analytics ID is set to "UE Mobility" or to "UE Communication"," and the consumer request analytics.
2. If Analytics ID is set to "UE Mobility", the NWDAF collects data from OAM, AMF and/or AF as specified in clause 6.7.2.4 step 2, unless the information is already available.
If Analytics ID is set to "UE Communication", the NWDAF collects data from AMF, SMF and/or AF as specified in clause 6.7.3.4 step 2, unless the information is already available.
3. The NWDAF derives requested analytics.
4. NWDAF to 5GC NF: Nnwdaf_AnalyticsInfo_Request response or Nnwdaf_AnalyticsSubscription_Notify.
The NWDAF provides requested Expected UE behaviour to the NF, using either Nnwdaf_AnalyticsInfo_Request response or Nnwdaf_AnalyticsSubscription_Notify, depending on the service used in step 1.
5-6. If the NF subscribed to at step 1, when the NWDAF generates new analytics, it provides the new generated analytics to the NF.
6.7.5 Abnormal behaviour related network data analytics
6.7.5.1 General
This clause defines how to identify a group of UEs or a specific UE with abnormal behaviour, e.g. being misused or hijacked, with the help of NWDAF.
NOTE 1: The misused or hijacked UEs are UEs in which there are malicious applications running or UEs which have been stolen.
The consumer of this analytics could be a 5GC NF. The 5GC NF subscribes analytics on abnormal behaviour from a NWDAF based on the UE subscription, network configuration or application layer request.
The NWDAF performs data analytics on abnormal behaviour if there is a related subscription and returns exception reports that result from the analysis of the correlations between behavioural variables. The exception reports contain an Exception Level expressed in the form of a scalar value, possibly supplemented by additional measurements.
The consumer of this analytics shall indicate in the request:
– Analytics ID = "Abnormal behaviour";
– Target of Analytics Reporting: a single UE, any UE or an Internal Group Identifier;
– An Analytics target period indicates the time period over which the statistics or predictions are requested;
– Analytics Filter Information optionally including:
– expected UE behaviour parameters;
– expected analytics type or list of Exception IDs with associated thresholds for the Exception Level, where the expected analytics type can be mobility related, communication related or both;
– Area of interest;
– Application ID;
– DNN;
– S-NSSAI.
NOTE 2: The expected analytics type generally indicates whether mobility or communication related abnormal behaviour analytics or both are expected by the consumer and the list of exception IDs indicates what specific analytics are expected by the consumer. Either the expected analytics type or the list of Exception IDs needs to be indicated, but they are not presented simultaneously. When the expected analytics type is indicated, the NWDAF performs corresponding abnormal behaviour analytics which are supported by the NWDAF. The relation between the expected analytics type and Exception IDs is defined in Table 6.7.5.1-1.
– Optionally, maximum number of objects and maximum number of SUPIs;
– In a subscription, the Notification Correlation Id and the Notification Target Address are included.
Table 6.7.5.1-1: Relation between expected analytics type and Exception IDs
|
Expected analytics type |
Exception IDs matching the expected analytics type |
|
mobility related |
Unexpected UE location, Ping-ponging across neighbouring cells, Unexpected wakeup, Unexpected radio link failures. |
|
communication related |
Unexpected long-live/large rate flows, Unexpected wakeup, Suspicion of DDoS attack, Wrong destination address, Too frequent Service Access. |
If the Target of Analytics Reporting is any UE, then the Analytics Filter should at least include:
– Area of Interest or S-NSSAI, if the expected analytics type or the list of Exception IDs is mobility related.
– Area of Interest, application ID, DNN or S-NSSAI, if the expected analytics type or the list of Exception IDs is communication related.
If the Target of Analytics Reporting is any UE, the consumer of this analytics shall request either mobility related only or communication related only abnormal behaviour analytics, but not both at the same time.
The expected UE behaviour parameters that the consumer can indicate in the request when known depend on the Exception ID that the consumer expects. They may encompass UE behaviour parameters as defined in clause 4.15.6.3 of TS 23.502 [3] and other parameters. Table 6.7.5.1-2 shows the mapping between each Exception ID and UE behaviour parameters.
Table 6.7.5.1-2: Description of Expected UE Behaviour parameters per Exception ID
|
Exception ID |
UE behaviour parameters to provide |
|
Unexpected UE location |
Expected UE Moving Trajectory Stationary Indication |
|
Unexpected long-live/large rate flows |
Periodic Time Scheduled Communication Time Communication Duration Time |
|
Unexpected wakeup |
Periodic Time Communication Duration Time Scheduled Communication Time |
|
Suspicion of DDoS attack |
Periodic Time Communication Duration Time Scheduled Communication Time Scheduled Communication Type Traffic Profile Expected transaction Dispersion |
|
Too frequent Service Access |
Periodic Time |
|
Unexpected radio link failures |
Expected UE Moving Trajectory |
|
Ping-ponging across neighbouring cells |
Expected UE Moving Trajectory Stationary Indication |
When the NWDAF detects those UEs that deviate from the expected UE behaviour, e.g. unexpected UE location, abnormal traffic pattern, unexpected transaction dispersion amount, wrong destination address, etc. the NWDAF shall notify the result of the analytics to the consumer as specified in clause 6.7.5.3.
6.7.5.2 Input Data
The Exceptions information from AF is as specified in Table 6.7.5.2-1.
On request of the service consumer, the NWDAF shall collect and analyse UE behavioural information from the 5GC NFs (SMF, AMF, AF), or OAM as specified in clauses 6.7.2.2 and 6.7.3.2 and/or expected UE behavioural parameters from UDM as defined in clause 4.15.6.3, TS 23.502 [3], depending on Exception IDs.
NOTE: Care needs to be taken with regards to load by avoiding to cause major extra signalling when collecting data for any UE.
Table 6.7.5.2-1: Exceptions information from AF
|
Information |
Description |
|
IP address 5-tuple |
To identify a data flow of a UE via the AF (such as the Firewall or a Threat Intelligence Sharing platform) |
|
Exceptions (1..max) (NOTE 1) |
|
|
>Exception ID |
Indicating the Exception ID (such as Unexpected long-live/large rate flows and Suspicion of DDoS attack as defined in Table 6.7.5.3-2) of the data flow. |
|
>Exception Level |
Scalar value indicating the severity of the abnormal behaviour. |
|
>Exception trend |
Measured trend (up/down/unknown/stable) |
|
NOTE 1: The Exceptions information and the UE behavioural information as defined in clauses 6.7.2.2 and 6.7.3.2 could help NWDAF to train an Abnormal classifier, which could be used to classify a UE behaviour data into Normal behaviour or Exception. |
|
6.7.5.3 Output Analytics
Corresponding to the "abnormal behaviour" Analytics ID, the analytics result provided by the NWDAF is defined in Table 6.7.5.3-1 and Table 6.7.5.3-2. When the level of an exception trespasses above or below the threshold, the NWDAF shall notify the consumer with the exception ID associated with the exception if the exception ID is within the list of exception IDs indicated by the consumer or matches the expected analytics type indicated by the consumer. The NWDAF shall provide the Exception Level and determine which of the other information elements to provide, depending on the observed exception.
Abnormal behaviour statistics information is defined in Table 6.7.5.3-1.
Table 6.7.5.3-1: Abnormal behaviour statistics
|
Information |
Description |
|
Exceptions (1..max) |
List of observed exceptions |
|
> Exception ID |
The risk detected by NWDAF |
|
> Exception Level |
Scalar value indicating the severity of the abnormal behaviour |
|
> Exception trend |
Measured trend (up/down/unknown/stable) |
|
> UE characteristics |
Internal Group Identifier, TAC |
|
> SUPI list (1..SUPImax) |
SUPI(s) of the UE(s) affected with the Exception |
|
> Ratio |
Estimated percentage of UEs affected by the Exception within the Target of Analytics Reporting |
|
> Amount |
Estimated number of UEs affected by the Exception (applicable when the Target of Analytics Reporting = "any UE") |
|
> Additional measurement |
Specific information for each risk (see Table 6.7.5.3-3) |
Abnormal behaviour predictions information is defined in Table 6.7.5.3-2.
Table 6.7.5.3-2: Abnormal behaviour predictions
|
Information |
Description |
|
Exceptions (1..max) |
List of predicted exceptions |
|
> Exception ID |
The risk detected by NWDAF |
|
> Exception Level |
Scalar value indicating the severity of the abnormal behaviour |
|
> Exception trend |
Measured trend (up/down/unknown/stable) |
|
> UE characteristics |
Internal Group Identifier, TAC |
|
> SUPI list (1..SUPImax) |
SUPI(s) of the UE(s) affected with the Exception |
|
> Ratio |
Estimated percentage of UEs affected by the Exception within the Target of Analytics Reporting |
|
> Amount |
Estimated number of UEs affected by the Exception (applicable when the Target of Analytics Reporting = "any UE") |
|
> Additional measurement |
Specific information for each risk (see Table 6.7.5.3-3) |
|
> Confidence |
Confidence of this prediction |
The predictions are provided with a Validity Period, as defined in clause 6.1.3.
The UE characteristics may provide a set of features common to all UEs affected with the exception.
The number of exceptions and the length of the SUPI list shall respectively be lower than the parameters maximum number of objects and Maximum number of SUPIs provided as part of Analytics Reporting Information.
If PCF subscribes to notifications on "Abnormal behaviour", the NWDAF shall send the PCF notifications about the risk, which may trigger the PCF to update the AM/SM policies.
The NWDAF also sends the notification directly to the AMF or SMF, if the AMF or SMF subscribes to the notification, so that the AMF or SMF may, based on operator local policies defined on a per S-NSSAI basis (for AMF) or on a per S-NSSAI, per DNN, or per (DNN,S-NSSAI) basis (for SMF), take actions for risk solving.
If the AF subscribes to notifications on "Abnormal behaviour", the NWDAF sends the notifications to the AF so that the AF may take actions for risk solving.
The following Table 6.7.5.3-3 gives examples of additional measurement provided by the NWDAF and examples of NF actions for solving each risk.
Table 6.7.5.3-3: Examples of additional measurements and NF actions for risk solving
|
Exception ID and description |
Additional measurement |
Actions of NFs |
|
Unexpected UE location |
Unexpected UE location (TA or cells which the UE stays) |
PCF may extend the Service Area Restrictions with current UE location. AMF may extend the mobility restriction with current UE location. |
|
Ping-ponging across neighbouring cells |
Numbers, frequency, time and location information, assumption about the possible circumstances of the ping-ponging |
If the ping-ponging are per UE, then: 1. the AMF may adjust the UE (e.g. a stationary UE) registration area. 2. the AMF and/or the AF may allow the use of Coverage Enhancement for the affected UE. |
|
Unexpected long-live/large rate flows |
Unexpected flow template (IP address 5 tuple) |
SMF updates the QoS rule, e.g. decrease the MBR for the related QoS flow. PCF, if dynamic PCC applies for corresponding DNN, S-NSSAI, updates PCC Rules that triggers SMF updates the QoS rule, e.g. decrease the MBR for the related QoS flow. |
|
Unexpected wakeup |
Time of unexpected wake-up |
AMF applies MM back-off timer to the UE. |
|
Suspicion of DDoS attack |
Victim’s address (target IP address list) |
PCF may request SMF to release the PDU session. SMF may release the PDU session and apply SM back-off timer. |
|
Wrong destination address |
Wrong destination address (target IP address list) |
PCF updates the packet filter in the PCC Rules that triggers the SMF to update the related QoS flow and configures the UPF. |
|
Too frequent Service Access |
Volume, frequency, time, assumptions about the possible circumstances |
AF may release the AF session. PCF may request SMF to release the PDU session. SMF may release the PDU session and apply SM back-off timer. |
|
Unexpected radio link failures |
Numbers, frequency, time and location, assumptions about the possible circumstances |
If the unexpected radio link failures are per UE location bases, the AMF may allow the use of CE (Coverage Enhancement) in the affected location. Also, the Operator may improve the coverage conditions in the affected location. If the unexpected radio link failures are per UE bases, then the AMF and/or the AF may allow the use of CE for the affected UE. |
6.7.5.4 Procedure
Figure 6.7.5.4-1: Procedure for NWDAF assisted misused or hijacked UEs identification
1a. A consumer NF subscribes to/requests NWDAF using Nnwdaf_AnalyticsSubscription_Subscribe/ Nnwdaf_AnalyticsInfo_Request (Analytics ID = Abnormal behaviour, Target of Analytics Reporting = Internal-Group-Identifier, any UE or SUPI, Analytics Filter Information).
A consumer NF may subscribe to/request abnormal behaviour notification/response from NWDAF for a group of UEs, any UE or a specific UE. The Analytics ID indicates the NWDAF to identify misused or hijacked UEs through abnormal behaviour analytic.
1b. AF to NWDAF: Nnwdaf_AnalyticsSubscription_Subscribe or Nnwdaf_AnalyticsInfo_Request (Analytics ID, Target of Analytics Reporting = External-group identifier, any UE or External UE ID, Analytics Filter Information).
For untrusted AFs, the AF sends the subscription via a NEF, where the AF invokes NEF service Nnef_AnalyticsExposure_Subscribe or Nnef_AnalyticsExposure_Fetch (Analytics ID, Target of Analytics Reporting = External-group-identifier, any UE or External UE ID, Analytics Filter Information).
An AF may also subscribe to/request abnormal behaviour notification/response from NWDAF for a group of UEs, a specific UE or any UE, where the subscription/request message may contain expected UE behaviour parameters identified on the application layer. If an External-Group-Identifier is provided by the AF, the NEF interrogates UDM to map the External-Group-Identifier to the Internal-Group-Identifier and obtain SUPI list corresponding to the Internal-Group-Identifier.
2. [Conditional] NWDAF to AMF: Namf_EventExposure_Subscribe (Event ID(s), Event Filter(s), Internal-Group-Identifier, any UE or SUPI).
The NWDAF sends subscription requests to the related AMF to collect UE behavioural information if it has not subscribed such data.
NOTE 1: The NWDAF determines the related AMF(s) as described in clause 6.2.2.1.
The AMF sends event reports to the NWDAF based on the report requirements contained in the subscription request received from the NWDAF.
If requested by NWDAF via Event Filter(s), the AMF checks whether the UE’s behaviour matches its expected UE behavioural information. In this case, the AMF sends event reports to the NWDAF only when it detects that the UE’s behaviour deviated from its expected UE behaviour.
Depending on the Exception ID, the NWDAF may in addition perform data collection from OAM as specified in clause 6.2.3.2.
3. [Conditional] NWDAF to SMF: Nsmf_EventExposure_Subscribe (Event ID(s), Event Filter(s), Internal-Group-Identifier, any UE or SUPI).
The NWDAF sends subscription requests to the related SMF(s) if it has not subscribed to such data.
NOTE 2: Besides Analytics Filter Information, other mechanisms such as setting maximum number of SUPIs and/ or using sampling ratio as part of Analytics Reporting Parameters as per Event Reporting Information (clause 4.15.1 of TS 23.502 [3]) can be used by the analytics consumer to limit signalling load, e.g. when the Target of Analytics Reporting is "any UE". The NWDAF can also use sampling ratio, possibly with partition criteria, when subscribing towards AMF and SMF.
NOTE 3: The NWDAF determines the related SMF(s) as described in clause 6.2.2.1.
The SMF sends event reports to the NWDAF based on the report requirements contained in the subscription request received from the NWDAF.
If requested by NWDAF via Event Filter(s), the SMF checks whether the UE’s behaviour matches its expected UE behavioural information. In this case, the SMF sends event reports to the NWDAF only when it detects that the UE’s behaviour deviated from its expected UE behaviour.
4. The NWDAF performs data analytics for misused or hijacked UEs identification. Based on the analytics and operator’s policies the NWDAF determines whether to send a notification to the consumer NF or AF.
5a. [Conditional] NWDAF to consumer NF (AMF or PCF or SMF depending on the subscription): Nnwdaf_AnalyticsSubscription_Notify or Nnwdaf_AnalyticsInfo_Request response (Analytics ID, Exception ID, Internal-Group-Identifier or SUPI, Exception level) (which is used depending on the service used in step 1a).
If the NWDAF determines to send a notification/response to the consumer 5GC NFs, the NWDAF invokes Nnwdaf_AnalyticsSubscription_Notify or Nnwdaf_AnalyticsInfo_Request response service operations. Based on the notification/response, the 5G NFs adopt configured actions to resolve/mitigate/avoid the risks as described in the Table 6.7.5.3-1.
5b. [Conditional] NWDAF to AF: Nnwdaf_AnalyticsSubscription_Notify or Nnwdaf_AnalyticsInfo_Request response (Analytics ID, Exception ID, External UE ID, Exception level) (which is used depending on the service used in step 1b).
If the NWDAF determines to send a notification/response to the consumer AF, the NWDAF needs to include external UE ID of the identified UE into the notification/response message.
NOTE 3: Based on the notification, the AF can adopt corresponding actions, e.g. adjusting recommended TCP Window Size, adjusting recommended Service Start and End.
NOTE 4: The call flow only shows a subscribe-notify model for the interaction of NWDAF and consumer NF for simplicity instead of both request-response model and subscription-notification model.