US 11,930,366 B1
Automated suspect device filtering on equipment identity registers
Anil Kumar Mariyani, Ashburn, VA (US); Anuj Sharma, Broadlands, VA (US); Chris Jensen, Snoqualmie, WA (US); Tupalli Shruthisagar, Aldie, VA (US); and Rajil Malhotra, Olathe, KS (US)
Assigned to T-Mobile Innovations LLC, Overland Park, KS (US)
Filed by T-MOBILE INNOVATIONS LLC, Overland Park, KS (US)
Filed on Aug. 4, 2021, as Appl. No. 17/394,217.
Int. Cl. H04W 12/71 (2021.01); H04L 9/40 (2022.01); H04W 8/02 (2009.01); H04W 12/00 (2021.01); H04W 12/37 (2021.01); H04W 12/60 (2021.01)
CPC H04W 12/37 (2021.01) [H04L 63/0876 (2013.01); H04W 8/02 (2013.01); H04W 12/009 (2019.01); H04W 12/66 (2021.01); H04W 12/71 (2021.01)] 16 Claims
OG exemplary drawing
 
1. A method for suspect device filtering in a wireless communication network, the method comprising:
receiving, at a radio access network, a plurality of requests for a network service from a user device, wherein the user device is associated with a permanent device identifier;
communicating the plurality of requests for the network service to a first network function of a core network, wherein the first network function is associated with the provision of the requested network service;
determining, by the first network function, and based at least in part on the receipt of the plurality of requests for the network service from the user device during a first predetermined time period, that the user device is suspect;
based on the determination that the user device is suspect, communicating an indication from the first network function to a second network function of the core network that causes the user device to be added to a first suspect device list maintained on the second network function, the second network function being one or more of a unified data repository and an equipment identity register, wherein the second network function is remote from the first network function;
in response to an acknowledgement from the second network function, associating the user device with a second suspect device list stored locally on the first network function;
receiving, at the radio access network, a subsequent request for the network service from the user device;
communicating the subsequent request for the network service from the radio access network to the first network function; and
determining by the first network function, based on a query of the locally stored second suspect device list, that the user device is blacklisted; and
communicating an access denial for the network service from the first network function to the user device, via the radio access network, without a subsequent query to the second network function,
wherein determining that the user device is suspect comprises the first network function determining that a number of the plurality of requests that have been received by the network function within a predetermined time period exceed a predetermined threshold, and wherein the first network function comprises an access mobility function, and wherein the predetermined threshold and the predetermined time period are modifiably configurable parameters.