US 12,218,958 B2
Security threat mitigations in a zero trust network architecture
Marouane Balmakhtar, Fairfax, VA (US); Serge Manning, Plano, TX (US); and Gregory Schumacher, Holliston, MA (US)
Assigned to T-Mobile Innovations LLC, Overland Park, KS (US)
Filed by T-Mobile Innovations LLC, Overland Park, KS (US)
Filed on Sep. 6, 2022, as Appl. No. 17/903,509.
Prior Publication US 2024/0080323 A1, Mar. 7, 2024
Int. Cl. H04L 9/40 (2022.01); H04L 41/16 (2022.01)
CPC H04L 63/1416 (2013.01) [H04L 41/16 (2013.01); H04L 63/145 (2013.01)] 20 Claims
OG exemplary drawing
 
1. A method for identifying and remediating a security threat in a network, performed by a threat level engine in the network, wherein the method comprises:
receiving, by a security analysis application of the threat level engine, security data from a plurality of different sources, wherein the security data comprises control plane traffic data and user plane traffic data;
processing, by the security analysis application using a machine learning model of the threat level engine, the control plane traffic data and the user plane traffic data to determine a security related event occurring at one or more network elements in the network based on an inconsistency between the control plane traffic data and the user plane traffic data, wherein the security related event indicates that the security threat occurs at the one or more network elements forwarding packets carrying control data, and wherein the machine learning model is a neural network that is trained based on historical security data previously used to make accurate predictions about security conditions in the network;
determining, by the security analysis application using the machine learning model, a security event class of the security related event and a threat impact level of the security related event, wherein the threat impact level indicates a threat level of the security related event;
when the threat impact level of the security related event exceeds a threshold associated with the security event class:
determining, using a remediation application of the threat level engine, a remediation action for the security related event based on whether the security related event indicates that the security threat occurs in the packets carrying the control data; and
isolating, by the remediation application, the remediation action in the network to only the one or more network elements forwarding the packets carrying the control data by causing the remediation action to be implemented only at the one or more network elements forwarding the packets carrying the control data, wherein the remediation action is not performed based on packets carrying user data.
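Worked illustration of the claimed pipeline, added here and not code from the patent or from T-Mobile: constructed control-plane signalling records and user-plane flow summaries are compared per session, each inconsistency is assigned a security event class and a threat impact level, the level is gated against a per-class threshold, and the remediation action is scoped to control-plane forwarding elements only. A rule-based consistency check stands in for the trained neural network the claim recites; the `installed_by` field, the class names, the impact formula and the threshold values are assumptions made for the example, and the split into control-plane and user-plane elements is modelled after a CUPS-style core but is not taken from the page.

```python
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed sample data (not captured traffic). A control-plane record is a
# signalling event observed at a control-plane forwarding element; a user-plane
# record is a flow summary observed at a user-plane forwarding element and names
# the control-plane element whose signalling installed the forwarding rule
# ("installed_by" is an assumed field, not one the patent specifies).
CONTROL_PLANE_EVENTS = [
    {"session": "s1", "element": "cp-1", "action": "create"},
    {"session": "s2", "element": "cp-1", "action": "create"},
    {"session": "s2", "element": "cp-2", "action": "delete"},
    {"session": "s3", "element": "cp-2", "action": "create"},
]
USER_PLANE_FLOWS = [
    {"session": "s1", "element": "up-1", "installed_by": "cp-1", "bytes": 4_000},
    {"session": "s2", "element": "up-1", "installed_by": "cp-1", "bytes": 900_000},
    {"session": "s4", "element": "up-2", "installed_by": "cp-2", "bytes": 50_000},
]

# Threshold on the threat impact level per security event class (assumed values).
CLASS_THRESHOLDS = {"stale_session": 0.5, "unsignaled_session": 0.1}


@dataclass
class SecurityEvent:
    event_class: str
    session: str
    control_elements: List[str]  # CP elements implicated by the inconsistency
    user_elements: List[str]     # UP elements that carried the flow (never remediated)
    impact: float                # threat impact level in [0, 1]


def analyze(cp_events: List[dict], up_flows: List[dict]) -> List[SecurityEvent]:
    """Replay control-plane signalling per session and flag user-plane flows that
    contradict it. This rule-based check stands in for the claim's trained
    neural network; inputs and outputs have the same shape."""
    state: Dict[str, str] = {}            # session -> "active" | "deleted"
    signallers: Dict[str, Set[str]] = {}  # session -> CP elements that signalled it
    for ev in cp_events:
        state[ev["session"]] = "active" if ev["action"] == "create" else "deleted"
        signallers.setdefault(ev["session"], set()).add(ev["element"])

    total_bytes = sum(f["bytes"] for f in up_flows) or 1
    events: List[SecurityEvent] = []
    for flow in up_flows:
        session = flow["session"]
        if session not in state:
            event_class = "unsignaled_session"   # forwarding with no signalling at all
        elif state[session] == "deleted":
            event_class = "stale_session"        # forwarding after signalled teardown
        else:
            continue                             # control and user plane agree
        implicated = set(signallers.get(session, set())) | {flow["installed_by"]}
        events.append(SecurityEvent(
            event_class=event_class,
            session=session,
            control_elements=sorted(implicated),
            user_elements=[flow["element"]],
            # Impact level: share of observed user-plane volume riding on the
            # inconsistent session (a simple stand-in for the model's output).
            impact=flow["bytes"] / total_bytes,
        ))
    return events


def remediate(events: List[SecurityEvent]) -> List[dict]:
    """Apply the per-class threshold, then scope the action to control-plane
    elements only, as the claim requires."""
    actions = []
    for ev in events:
        if ev.impact > CLASS_THRESHOLDS[ev.event_class]:
            actions.append({
                "action": "isolate_control_element",
                "session": ev.session,
                "targets": list(ev.control_elements),
            })
    return actions


def run(cp_events=CONTROL_PLANE_EVENTS, up_flows=USER_PLANE_FLOWS):
    events = analyze(cp_events, up_flows)
    actions = remediate(events)
    # Isolation check: a remediation target must never be a user-plane element.
    up_elements = {f["element"] for f in up_flows}
    for action in actions:
        assert not up_elements.intersection(action["targets"]), action
    return events, actions


if __name__ == "__main__":
    found, todo = run()
    for ev in found:
        print(f"{ev.event_class:20} session={ev.session} impact={ev.impact:.3f} cp={ev.control_elements}")
    print("remediation:", todo)
```

With the constructed data, session s2 is still carrying traffic after a signalled teardown and crosses the stale_session threshold, so the only action targets the control-plane elements cp-1 and cp-2; session s4 was never signalled but its impact level stays below the unsignaled_session threshold, so it is reported but not remediated, and up-1 and up-2 never appear as targets.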