WO2023151825A1 - First node, second node, third node and methods performed thereby for handling access to content - Google Patents

Info

Publication number: WO2023151825A1
Authority: WO, WIPO (PCT)
Prior art keywords: node, message, indicate, content, identifier
Legal status: Ceased
Application number: PCT/EP2022/054815
Other languages: French (fr)
Inventors: Miguel Angel MUÑOZ DE LA TORRE, Rodrigo Alvarez Dominguez
Current Assignee: Telefonaktiebolaget LM Ericsson AB
Original Assignee: Telefonaktiebolaget LM Ericsson AB

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227 Filtering policies
    • H04L63/0245 Filtering by information in the payload
    • H04L47/00 Traffic control in data switching networks
    • H04L47/10 Flow control; Congestion control
    • H04L47/24 Traffic characterised by specific attributes, e.g. priority or QoS
    • H04L47/2483 Traffic characterised by specific attributes, e.g. priority or QoS involving identification of individual flows
    • H04L47/2475 Traffic characterised by specific attributes, e.g. priority or QoS for supporting traffic characterised by the type of applications
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/02 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
    • H04L67/10 Protocols in which an application is distributed across nodes in the network
    • H04L67/50 Network services
    • H04L67/535 Tracking the activity of the user
    • H04L61/00 Network arrangements, protocols or services for addressing or naming
    • H04L61/45 Network directories; Name-to-address mapping
    • H04L61/4505 Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols
    • H04L61/4511 Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols using domain name system [DNS]

Definitions

  • the present disclosure relates generally to a first node and methods performed thereby for handling access to content.
  • the present disclosure also relates generally to a second node, and methods performed thereby for handling access to content.
  • the present disclosure also relates generally to a third node, and methods performed thereby for handling access to content.
  • Computer systems in a communications network may comprise one or more nodes.
  • a node may comprise one or more processors which, together with computer program code may perform different functions and actions, a memory, a receiving port and a sending port.
  • a node may be, for example, a server. Nodes may perform their functions entirely on the cloud.
  • the standardization organization 3GPP is currently in the process of specifying a New Radio Interface called Next Generation Radio/New Radio (NR) or 5G-UTRA, as well as a Fifth Generation (5G) Packet Core Network, which may be referred to as 5G Core Network, abbreviated as 5GC.
  • a 3GPP system comprising a 5G Access Network (AN), a 5G Core Network and a User Equipment (UE) may be referred to as a 5G system.
  • Figure 1 is a schematic diagram depicting a particular example of a 5G architecture of policy and charging control framework, which may be used as a reference for the present disclosure.
  • An Application Function (AF) 1 may interact with the 3GPP Core Network, and specifically in the context of this document, may allow external parties to use Exposure Application Programming Interfaces (APIs) that may be offered by the network operator.
  • a Network Exposure Function (NEF) 2 may support different functionality and, specifically in the context of this document, the NEF 2 may support different Exposure APIs.
  • NWDAF 3 may be understood to represent an operator managed network analytics logical function.
  • the NWDAF 3 may be part of the 5GC architecture and may use the mechanisms and interfaces specified for 5GC and Operation Administration and Maintenance (OAM).
  • the NWDAF 3 may interact with different entities for different purposes.
  • a first purpose may be data collection based on event subscription, provided by Access and Mobility Function (AMF) 4, Session Management Function (SMF) 5, Policy Control Function (PCF) 6, Unified Data Management (UDM), AF 1, directly or via NEF 2, and OAM.
  • a second purpose may be retrieval of information from data repositories, e.g., Unified Data Repository (UDR) 7 via UDM for subscriber-related information.
  • a third purpose may be retrieval of information about Network Functions (NFs), e.g., Network Repository Function (NRF) for Network Function (NF)-related information, and Network Slice Selection Function (NSSF) for slice-related information.
  • a fourth purpose may be on demand provision of analytics to consumers.
  • the UDR 7 may store data grouped into distinct collections of subscription-related information, such as subscription data, policy data, structured data for exposure, and application data.
  • the PCF 6 may support a unified policy framework to govern the network behavior. Specifically, the PCF may provide Policy and Charging Control (PCC) rules to the Policy and Charging Enforcement Function (PCEF), that is, the SMF 5/User Plane function (UPF) 8 that may enforce policy and charging decisions according to provisioned PCC rules.
  • the SMF 5 may support different functionalities, e.g., the SMF 5 may receive PCC rules from the PCF 6 and may configure the UPF 8 accordingly.
  • the UPF 8 may support handling of User Plane (UP) traffic based on the rules received from the SMF 5, e.g., packet inspection and different enforcement actions such as Quality of Service (QoS) handling.
  • FIG 1 further depicts a Charging Function (CHF) 9.
  • Each of the UDR 7, the NEF 2, the NWDAF 3, the AF 1, the PCF 6, the CHF 9, the AMF 4 and the SMF 5 may have an interface through which they may be accessed, which as depicted in the Figure, may be, respectively: Nudr 10, Nnef 11, Nnwdaf 12, Naf 13, Npcf 14, Nchf 15, Namf 16 and Nsmf 17.
  • the UPF 8 may have an interface N4 18 with the SMF 5.
  • the communications network may cover a geographical area which may be divided into cell areas, each cell area being served by another type of node, a network node in the Radio Access Network (RAN), radio network node or Transmission Point (TP), for example, an access node such as a Base Station (BS), e.g. a Radio Base Station (RBS), which sometimes may be referred to as e.g., evolved Node B (“eNB”), “eNodeB”, “NodeB”, “B node”, or Base Transceiver Station (BTS), depending on the technology and terminology used.
  • the base stations may be of different classes such as e.g., Wide Area Base Stations, Medium Range Base Stations, Local Area Base Stations and Home Base Stations, based on transmission power and thereby also cell size.
  • a cell is the geographical area where radio coverage is provided by the base station at a base station site.
  • One base station, situated on the base station site, may serve one or several cells. Further, each base station may support one or several communication technologies.
  • the telecommunications network may also comprise network nodes which may serve receiving nodes, such as user equipments, with serving beams.
  • Machine learning may be understood as the study of computer algorithms that may improve automatically through experience. It is seen as a part of artificial intelligence. Machine learning algorithms may build a model based on sample data, known as "training data”, in order to make predictions or decisions without being explicitly programmed to do so. Machine learning algorithms may be used in a wide variety of applications, such as email filtering and computer vision, where it may be difficult or unfeasible to develop conventional algorithms to perform the needed tasks.
  • There may be basically 3 types of Machine Learning Algorithms: Supervised Learning, Unsupervised Learning, and Reinforcement Learning.
  • Supervised Learning algorithms may comprise a target / outcome variable, or dependent variable, which may have to be predicted from a given set of predictors, that is, independent variable. Using this set of variables, a function may be generated that may map inputs to desired outputs. The training process may continue until the model may achieve a desired level of accuracy on the training data. Examples of Supervised Learning may be Regression, Decision Tree, Random Forest, KNN, Logistic Regression etc.
  • In Unsupervised Learning algorithms, there may be no target or outcome variable to predict / estimate. It may be used for clustering a population into different groups, which may be widely used for segmenting customers in different groups for specific intervention.
  • Examples of Unsupervised Learning may be K-means, mean-shift clustering, Density-Based Spatial Clustering of Applications with Noise (DBSCAN), Expectation-Maximization (EM) Clustering using Gaussian Mixture Models (GMM), and Agglomerative Hierarchical Clustering.
  • Cluster analysis or clustering may be understood as an ML technique which may comprise grouping a set of objects in such a way that objects in the same group, which may be called a cluster, may be understood to be more similar, in some sense, to each other than to those in other groups, that is, other clusters. It may be understood as a main task of exploratory data mining, and a common technique for statistical data analysis, used in many fields, including pattern recognition, image analysis, information retrieval, bioinformatics, data compression, computer graphics and machine learning.
  • In Reinforcement Learning, a machine may be trained to make specific decisions. It may be understood to work as follows: the machine may be exposed to an environment where it may train itself continually using trial and error. This machine may learn from past experience and may try to capture the best possible knowledge to make accurate business decisions.
  • An example of Reinforcement Learning may be a Markov Decision Process.
  • HTTP Hypertext Transport Protocol
  • HTTPS Hypertext Transport Protocol Secure
  • TLS Transport Layer Security
  • QUIC Quick User Datagram Protocol Internet Connection
  • the TLS protocol specifies an extension known as Server Name Indication (SNI). It may be common for content servers to host multiple origins behind a single Internet Protocol (IP)- address. In order to route application flows to the correct server without having to decrypt the entire flow, the Server Name Indication (SNI) extension was introduced.
  • SNI extension may be sent by the client in the Client Hello message and may contain a clear text string of the domain name of the server that the client may be attempting to connect to. Since the SNI field may be sent in clear text, it may be commonly used by on-path network elements in order to classify flows.
  • QUIC may be understood to be a User Datagram Protocol (UDP)-based, stream-multiplexing, encrypted transport protocol.
  • QUIC may be basically understood as a UDP based replacement for Transmission Control Protocol (TCP).
  • QUIC is now under standardization at the IETF and may rely on TLS 1.3. Therefore, QUIC based applications may also have the SNI extension encrypted.
  • DNS Domain Name Service
  • DNS may be considered as one of the fundamental building blocks of the Internet. DNS may be understood to be used any time a website is visited, an email is sent, an Instant Messaging (IM) conversation is maintained, or any other task is performed online.
  • IP Internet Protocol
  • DNS protocol today may be usually unencrypted, that is, it may be used as DNS over UDP/TCP, but there may be different IETF drafts proposing DNS encryption to prevent middle boxes from detecting DNS traffic.
  • There are different proposals at IETF such as DNS Security Extensions (DNSSEC), DNS over HTTP/2 (DOH), DNSCrypt, Quad9, etc. It is foreseen that in the 5G timeframe, the 2020-2030 decade, most DNS traffic will be encrypted.
  • Internet usage creates security risks in communications networks.
  • Internet communications may be subject to cyber attackers targeting an application or a website, or trying to acquire online credentials of users, such as banking passwords and personal details.
  • Internet users may divulge confidential information unknowingly and expose their devices, networks and accounts to malware, spyware or phishing attacks. Consequently, they may lose data, privacy and account access, which may result in an impaired performance of the communications service.
  • network operators today may apply different traffic management actions.
  • One of them may be content filtering, which may allow risk to be managed by blocking traffic to sites that may be known to expose users to security risks.
  • HTTP based applications when traffic may be encrypted, specifically when both the DNS and TLS/QUIC SNI are encrypted. This may be understood to apply both to HTTPS, HTTP/HTTP2 over TLS, and to QUIC based applications, such as HTTP3 over QUIC.
  • the object is achieved by a method, performed by a first node.
  • the method is for access to content.
  • the first node operates in a communications system.
  • the first node obtains, from one or more second nodes operating in the communications system, a respective message.
  • the respective message comprises a respective type of information.
  • the respective type of information indicates that one or more devices operating in the communications system have exchanged traffic with one or more applications that are to be subject to content filtering.
  • the first node then initiates sending another message to a third node operating in the communications system:
  • the another message is based on the received respective message.
  • the another message comprises analytic information generated by the first node.
  • the analytic information is about the one or more devices having exchanged traffic with the one or more applications.
  • the object is achieved by a method, performed by the third node.
  • the method is for handling access to content.
  • the third node operates in a communications system.
  • the third node receives the another message from the first node operating in the communications system.
  • the another message comprises the analytic information generated by the first node.
  • the analytic information is about the one or more devices operating in the communications system having exchanged traffic with the one or more applications that are to be subject to content filtering.
  • the third node also initiates performing, based on the received another message, one or more actions.
  • the one or more actions are to apply content filtering to the one or more applications for the one or more devices.
  • the object is achieved by a method, performed by a second node.
  • the method is for handling access to content.
  • the second node operates in a communications system.
  • the second node sends, to the first node operating in the communications system, the respective message.
  • the respective message comprises the respective type of information.
  • the respective type of information indicates that the one or more devices operating in the communications system have exchanged traffic with the one or more applications that are to be subject to content filtering.
  • the object is achieved by the first node, for handling access to content.
  • the first node is configured to operate in the communications system.
  • the first node is further configured to obtain, from the one or more second nodes configured to operate in the communications system, the respective message.
  • the respective message is configured to comprise the respective type of information.
  • the respective type of information is configured to indicate that the one or more devices configured to operate in the communications system have exchanged traffic with one or more applications that are to be configured to be subject to content filtering.
  • the first node is also configured to initiate sending the another message to the third node configured to operate in the communications system.
  • the another message is configured to be based on the respective message configured to be received.
  • the another message is configured to comprise the analytic information configured to be generated by the first node, about the one or more devices having exchanged traffic with the one or more applications.
  • the object is achieved by the third node, for handling access to content.
  • the third node is configured to operate in the communications system.
  • the third node is further configured to receive the another message from the first node configured to operate in the communications system.
  • the another message is configured to comprise the analytic information configured to be generated by the first node, about the one or more devices configured to operate in the communications system having exchanged traffic with the one or more applications that are to be configured to be subject to content filtering.
  • the third node is further configured to initiate performing, based on the another message configured to be received, the one or more actions to apply content filtering to the one or more applications for the one or more devices.
  • the object is achieved by the second node, for handling access to content.
  • the second node is configured to send, to the first node configured to operate in the communications system, the respective message.
  • the respective message is configured to comprise the respective type of information.
  • the respective type of information is configured to indicate that the one or more devices configured to operate in the communications system have exchanged traffic with one or more applications that are to be configured to be subject to content filtering.
  • One advantage of embodiments herein is that they may allow a network operator to detect, in an automated way and in real time, unsafe content, and to expose this information towards a consumer such as the third node, which may apply the corresponding actions, e.g., block traffic, redirect traffic, notify user, trigger FM alarm, etc.
  • the first node may be enabled to generate the analytic information about whether or not the one or more devices may have exchanged traffic with the one or more applications, which are to be subject to content filtering.
  • the first node may then be enabled to provide this analytic information to the third node by sending the another message.
  • the first node may enable the third node to take remedial action, e.g., to enforce the content filtering if appropriate.
  • the third node may, based on the analytic output, apply the corresponding actions. For example, the third node may block the PFDs corresponding to unsafe content for the one or more devices, and/or report that one or more devices may have tried to access unsafe content.
  • the first node may therefore be enabled to provide a service to the third node, which may enable the third node to monitor traffic, and as one advantage, enable it to ensure the security of the wireless communications network may be preserved.
  • Another advantage of embodiments herein may be that they may allow the network operator to support content filtering for the user traffic in a simple and efficient way.
  • a further advantage of embodiments herein may be understood to be that they may work even when the traffic may be encrypted, e.g., HTTPS (TLS) or QUIC based applications, for which existing content filtering mechanisms do not work. They may also work when the SNI field may be encrypted and when DNS traffic may be encrypted, e.g., DoH.
  • Figure 1 is a schematic diagram illustrating a non-limiting example of a 5G Network Architecture.
  • Figure 2 is a schematic diagram illustrating a non-limiting example of a communications system, according to embodiments herein.
  • Figure 3 is a flowchart depicting embodiments of a method in a first node, according to embodiments herein.
  • Figure 4 is a flowchart depicting embodiments of a method in a third node, according to embodiments herein.
  • Figure 5 is a flowchart depicting embodiments of a method in a second node, according to embodiments herein.
  • Figure 6 is a schematic diagram depicting a first non-limiting example, over panels a-f, of signalling between nodes in a communications system, according to embodiments herein.
  • Figure 7 is a schematic diagram depicting another non-limiting example, over panels a-f, of signalling between nodes in a communications system, according to embodiments herein.
  • Figure 8 is a schematic block diagram illustrating two non-limiting examples, a) and b), of a first node, according to embodiments herein.
  • Figure 9 is a schematic block diagram illustrating two non-limiting examples, a) and b), of a third node, according to embodiments herein.
  • Figure 10 is a schematic block diagram illustrating two non-limiting examples, a) and b), of a second node, according to embodiments herein.
  • Embodiments herein may be understood to relate in general to a mechanism which may allow a network operator to solve the above problems based on using Analytics to support content filtering policies. Further particularly, embodiments herein may be understood to be related to content filtering based on analytics in 5G networks.
  • embodiments herein may be understood to relate to a mechanism which may allow the network operator to automate the process for applying content filtering policies based on Analytics performed by a node, such as a NWDAF.
  • the mechanism may be understood to allow to expose this information and to take the corresponding actions.
  • Figure 2 depicts two non-limiting examples, in panels “a” and “b”, respectively, of a communications system 100, in which embodiments herein may be implemented.
  • the communications system 100 may be a computer network.
  • the communications system 100 may be implemented in a telecommunications network, sometimes also referred to as a cellular radio system, cellular network or wireless communications system.
  • the telecommunications network may comprise network nodes which may serve receiving nodes, such as wireless devices, with serving beams.
  • the telecommunications network may for example be a network such as 5G system, or a newer system supporting similar functionality.
  • the telecommunications system may also support other technologies, such as, for example, a Fourth Generation (4G) system, such as a Long-Term Evolution (LTE) network, e.g., LTE Frequency Division Duplex (FDD), LTE Time Division Duplex (TDD), LTE Half-Duplex Frequency Division Duplex (HD-FDD), LTE operating in an unlicensed band, Wideband Code Division Multiple Access (WCDMA), Universal Terrestrial Radio Access (UTRA) TDD, Global System for Mobile communications (GSM) network, GSM/Enhanced Data Rate for GSM Evolution (EDGE) Radio Access Network (GERAN) network, Ultra-Mobile Broadband (UMB), EDGE network, network comprising of any combination of Radio Access Technologies (RATs) such as e.g. Multi-Standard Radio (MSR) base stations, multi-RAT base stations etc., any 3rd Generation Partnership Project (3GPP) cellular network, Wireless Local Area Network/s (WLAN) or WiFi network/s, Worldwide Interoperability for Microwave Access (WiMax), IEEE 802.15.4-based low-power short-range networks such as IPv6 over Low-Power Wireless Personal Area Networks (6LowPAN), Zigbee, Z-Wave, Bluetooth Low Energy (BLE), or any cellular network or system.
  • the telecommunications system may for example support a Low Power Wide Area Network (LPWAN).
  • LPWAN technologies may comprise Long Range physical layer protocol (LoRa), Haystack, SigFox, LTE-M, and Narrow-Band IoT (NB-IoT).
  • LTE Long Term Evolution
  • 6G sixth generation
  • the communications system 100 may comprise a plurality of nodes, whereof a first node 111, one or more second nodes 112, and a third node 113 are depicted in Figure 2.
  • the plurality of nodes in some embodiments may further comprise a fourth node 114, also depicted in Figure 2.
  • the one or more second nodes 112 may comprise a first second node 121, a second second node 122, a third second node 123, a fourth second node 124 and a fifth second node 125.
  • the plurality of nodes comprised in the communications system may further comprise additional nodes, which are not depicted in Figure 2 in order to simplify the Figure.
  • the second second node 122, the third second node 123, the fourth second node 124, and the fifth second node 125, the third node 113 and the fourth node 114 may be understood, respectively, as a first computer system, one or more second computer systems, e.g., a first second computer system, a second second computer system, a third second computer system, a fourth second computer system, and a fifth second computer system, a third computer system and a fourth computer system.
  • the third node 113 and the fourth node 114 may be implemented as a standalone server in e.g., a host computer in the cloud 120. This is illustrated in the non-limiting example depicted on panel b) of Figure 2.
  • any of the first node 111, the one or more second nodes 112, e.g., the first second node 121, the second second node 122, the third second node 123, the fourth second node 124, and the fifth second node 125, the third node 113 and the fourth node 114 may in some examples be a distributed node or distributed server, with some of their respective functions being implemented locally, e.g., by a client manager, and some of its functions implemented in the cloud 120, by e.g., a server manager.
  • any of the first node 111, the one or more second nodes 112, e.g., the first second node 121, the second second node 122, the third second node 123, the fourth second node 124, and the fifth second node 125, the third node 113 and the fourth node 114 may also be implemented as processing resources in a server farm.
  • any of the first node 111, the one or more second nodes 112, e.g., the first second node 121, the second second node 122, the third second node 123, the fourth second node 124, and the fifth second node 125, the third node 113 and the fourth node 114 may be independent and separated nodes.
  • any of the first node 111, the one or more second nodes 112, e.g., the first second node 121, the second second node 122, the third second node 123, the fourth second node 124, and the fifth second node 125, the third node 113 and the fourth node 114, and the third node 113 may be co-located or be the same node. All the possible combinations are not depicted in Figure 2 to simplify the Figure.
  • the first node 111 may be understood as a node that may have a capability to aggregate data or analytics from other nodes, such as the one or more second nodes 112.
  • the first node 111 may further have a capability to analyze the aggregated data or analytics.
  • Any of the second nodes in the first group of second nodes 112 may be a node having a capability to collect data regarding the communications system 100 and provide it to the first node 111.
  • the first second node 121 may be a node having a capability to store data, e.g., grouped into distinct collections of subscription-related information, such as subscription data, policy data, structured data for exposure, and application data.
  • the first second node 121 may further have a capability to supply the data to another node, such as e.g., the first node 111 or any of the other one or more second nodes 112.
  • In examples where the communications system 100 may be a 5G network, the first second node 121 may be a UDR.
  • the second second node 122 may be a server or database, which may have a capability to store a list of sites corresponding to content of a certain type, e.g., unsafe content.
  • the certain type of content may be inappropriate content, e.g., adult, violence, gambling, etc.
  • the second second node 122 may be an Internet Content Adaptation Protocol (ICAP) Server.
  • the third second node 123 may be a node which may support handling of user plane (UP) traffic based on rules, e.g., received from the fourth node 114, e.g., an SMF, such as packet inspection and different enforcement actions such as Quality of Service (QoS) handling.
  • the third second node 123 may be a UPF.
  • the fourth second node 124 may be a node which may support different functionality e.g., different Exposure Application Programming Interfaces (APIs).
  • the fourth second node 124 may enable the fifth second node 125 to connect to the other nodes in the communications system 100.
  • the communications system 100 may be a 5G network
  • the fourth second node 124 may be a NEF.
  • the fifth second node 125 may be a node having a capability to provide content to the one or more devices 130.
  • the fifth second node 125 may interact with a core network of the communications system 100 and may allow external parties to use APIs that may be offered by a network operator of the communications system 100.
  • the communications system 100 may be a 5G network
  • the fifth second node 125 may be an Application Server/Application Function (AS/AF).
  • the third node 113 may be a node having a capability to consume services provided by an analytics function in the communications system 100.
  • the third node 113 may provide rules, e.g., PCC rules, to the fourth node 114 and/or the third second node 123, which nodes may enforce policy and charging decisions according to provisioned rules.
  • the fourth node 114 may be, for example, a PCF.
  • the fourth node 114 may be a node which may receive rules, e.g., PCC rules, from the third node 113 and may configure the third second node 123 accordingly.
  • Any of the one or more devices 130 may be also known as e.g., user equipment (UE), a wireless device, mobile terminal, wireless terminal and/or mobile station, mobile telephone, cellular telephone, or laptop with wireless capability, or a Customer Premises Equipment (CPE), just to mention some further examples.
  • any of the one or more devices 130 in the present context may be, for example, portable, pocket-storable, hand-held, computer- comprised, or a vehicle-mounted mobile device, enabled to communicate voice and/or data, via a RAN, with another entity, such as a server, a laptop, a Personal Digital Assistant (PDA), or a tablet computer, sometimes referred to as a tablet with wireless capability, or simply tablet, a sensor, a Machine-to-Machine (M2M) device, a device equipped with a wireless interface, such as a printer or a file storage device, modem, Laptop Embedded Equipped (LEE), Laptop Mounted Equipment (LME), USB dongles, CPE or any other radio network unit capable of communicating over a radio link in the communications system 100.
  • any of the one or more devices 130 may be wireless, i.e., it may be enabled to communicate wirelessly in the communications system 100 and, in some particular examples, may be able to support beamforming transmission.
  • the communication may be performed e.g., between two devices, between a device and a radio network node, and/or between a device and a server.
  • the communication may be performed e.g., via a RAN and possibly one or more core networks, comprised, respectively, within the communications system 100.
  • any of the one or more devices may be an IoT device, e.g., a NB IoT device.
  • the communications system 100 may comprise one or more radio network nodes, whereof a radio network node 140 is depicted in Figure 2b.
  • the radio network node 140 may typically be a base station or Transmission Point (TP), or any other network unit capable to serve a wireless device or a machine type node in the communications system 100.
  • the radio network node 140 may be e.g., a 5G gNB, a 4G eNB, or a radio network node in an alternative 5G radio access technology, e.g., fixed or WiFi.
  • the radio network node 140 may be e.g., a Wide Area Base Station, Medium Range Base Station, Local Area Base Station and Home Base Station, based on transmission power and thereby also coverage size.
  • the radio network node 140 may be a stationary relay node or a mobile relay node.
  • the radio network node 140 may support one or several communication technologies, and its name may depend on the technology and terminology used.
  • the radio network node 140 may be directly connected to one or more networks and/or one or more core networks.
  • the communications system 100 covers a geographical area which may be divided into cell areas, wherein each cell area may be served by a radio network node, although, one radio network node may serve one or several cells.
  • the first node 111 may communicate with one or more second devices 112 over a respective link.
  • the first node 111 may communicate with the first second node 121 over a first link 151.
  • the first node 111 may communicate with the second second node 122 over a second link 152.
  • the first node 111 may communicate with the third second node 116 over a third link 153.
  • the first node 111 may communicate with the fourth second node 124 over a fourth link 154.
  • the first node 111 may communicate with the one or more devices 130 over a respective fifth link 155.
  • the first node 111 may communicate with the third node 113 over a sixth link 156.
  • the fourth second node 124 may communicate with the fifth second node 125 over a seventh link 157.
  • the third second node 123 may communicate with the one or more devices 130 over a respective eighth link 158. Any of the one or more devices 130 may communicate with the fifth second node 125 over a respective ninth link 159.
  • the third node 113 may communicate with the fourth node 114 over a tenth link 160.
  • the fourth node 114 may communicate with the third second node 123 over an eleventh link 161.
  • the radio network node 140 may communicate with the third second node 123 over a twelfth link 162.
  • the radio network node 140 may communicate with the first node 111 over a thirteenth link 163.
  • the radio network node 140 may communicate with the fifth second node 125 over a fourteenth link 164.
  • the radio network node 140 may communicate with the one or more devices 130 over a respective fifteenth link 16.
  • any of the links just described may be, e.g., a radio link or a wired link, and may be a direct link or it may go via one or more computer systems or one or more core networks in the communications system 100, or it may go via an optional intermediate network.
  • the intermediate network may be one of, or a combination of more than one of, a public, private or hosted network; the intermediate network, if any, may be a backbone network or the Internet, which is not shown in Figure 2.
  • “first”, “second”, “third”, “fourth”, “fifth”, ..., and/or “fifteenth” herein may be understood to be an arbitrary way to denote different elements or entities, and may be understood to not confer a cumulative or chronological character to the nouns they modify.
  • Embodiments of a method, performed by the first node 111 will now be described with reference to the flowchart depicted in Figure 3.
  • the method may be understood to be for handling access to content.
  • the first node 111 operates in the communications system 100.
  • the method may comprise the actions described below. In some embodiments all the actions may be performed. In some embodiments some of the actions may be performed. In Figure 3, optional actions are indicated with a dashed box. One or more embodiments may be combined, where applicable. All possible combinations are not described to simplify the description. It should be noted that the examples herein are not mutually exclusive. Components from one example or embodiment may be tacitly assumed to be present in another example or embodiment and it will be obvious to a person skilled in the art how those components may be used in the other examples or embodiments.
  • content filtering may need to be triggered, e.g., to some devices, and/or to some applications. This may happen, for example, whenever the third node 113, which may be understood to be a consumer of a service described herein, e.g., a PCF, may retrieve subscriber data which may indicate that one or more content filtering policies may need to be applied.
  • the first node 111 may receive a first message from the third node 113.
  • the first message may request that the first node 111 provide analytic information.
  • the analytic information may be about the one or more devices 130 having exchanged traffic with one or more applications, which may have to be subject to content filtering.
  • the analytic information may indicate whether or not the one or more devices 130 have exchanged traffic with the one or more applications which may have to be subject to content filtering.
  • content filtering may have to be applied, e.g., according to the one or more policies, it may not have been applied to the traffic exchanged. That is, the one or more applications should be subject to content filtering for the one or more devices 130, e.g., for their respective subscribers, for example according to a respective policy of the one or more devices 130 in the communications system 100, but the content filtering may not have been applied in the exchange of the traffic.
  • the first message may indicate that the third node 113 may want to know whether the one or more devices 130 may have, or may have had, access to content they should not have had access to, based on content filtering policy/ies pertaining to them.
  • the first node 111 may be able to generate the analytic information.
  • the first message may indicate at least one of the one or more following options.
  • the first message may indicate a first identifier of the analytic information.
  • the first identifier may be a parameter, such as e.g., an Analytic-ID, which may be set to, e.g., “ContenttobeFiltered”.
  • the first message may indicate a first indication indicating a type of the analytic.
  • the first indication may be another parameter, such as e.g., Analytic-Type, which may be set to Unsafe content Type 1, e.g., “executable software”, Unsafe content Type 2, e.g., “spyware identifier X”, Unsafe content Type 2, e.g., “virus identifier Y”, etc.
  • the first message may indicate a respective second identifier of the one or more applications.
  • the second identifier may be yet another parameter such as e.g., an “App-ID”, or “List of App-ID”.
  • the second identifier may indicate the App-ID/s which may be the target for this analytic e.g., a browser application such as Chrome or Safari.
  • the first message may indicate a respective third identifier of the one or more devices 130.
  • the respective third identifier may be another parameter such as UE-ID or list of UE-ID, UE-Group-ID or list of UE-Group-ID, or AnyUE. This may indicate the one or more devices 130, e.g., UE/s, which may be the target for the analytic information. When not present, AnyUE may be understood to apply.
  • the first message may indicate first information indicating how the content is to be filtered.
  • the first information may comprise other filter information such as e.g., Data Network Name (DNN), Single Network Slice Selection Assistance Information (S-NSSAI), Area of Interest, Radio Access Technology (RAT)-Type, etc.
  • the first message may indicate a second indication indicating a time period for which the analytic information may have to apply.
  • the second indication may be yet another parameter, such as e.g., timePeriod, which may be set to indicate e.g., daily, weekly, monthly.
  • the first message may indicate a third indication indicating a confidence level the analytic information is to have.
  • the third indication may indicate the required confidence level from the third node 113, e.g., the consumer.
  • the first message may indicate a fourth indication of traffic subject to the content filtering.
  • the fourth indication may be yet another parameter such as Packet Flow Descriptors (“PFDs”), which may be understood to identify the traffic which may correspond to content to be filtered, of the requested category.
  • the first message may be a subscription for a new Analytic, as e.g., identified by the first identifier.
  • the first message may be a Nnwdaf_AnalyticsSubscription_Subscribe request message.
  • the receiving in this Action 301 may be performed, e.g., via the sixth link 156.
  • the first node 111 may answer to the third node 113 indicating successful operation.
  • the first node 111 may then be enabled to trigger collection of a respective type of information from the one or more second nodes 112, which may then enable the first node 111 to generate the analytic information about whether or not the one or more devices 130 may have exchanged traffic with the one or more applications, which are to be subject to content filtering.
  • the first node 111 may then be enabled to provide this analytic information to the third node 113 and thereby enable it to take remedial action, e.g., to enforce the content filtering if appropriate.
  • the first node 111 may send, based on the received first message, a respective second message to the one or more second nodes 112.
  • the respective second message may be understood to be a second message to each of the one or more second nodes 112. It may be understood herein that the statements regarding one of the messages originating from or targeting one of the one or more second nodes 112 may equally apply to a plurality of the same messages originating from or targeting more than one of the one or more second nodes 112.
  • the respective second message may request the provision of a respective message.
  • the respective message may be understood to be a respective third message.
  • the respective third message may comprise a respective type of information, that is one type from every type of second node of the one or more second nodes 112.
  • the respective type of information may indicate that the one or more devices 130 operating in the communications system 100 may have exchanged traffic with the one or more applications that may be to be subject to content filtering.
  • the kind of message the respective second message may be, may depend on which, e.g., which type, of the one or more second nodes 112, the first node 111 may send the respective second message to.
  • the one or more second nodes 112 may comprise the first second node 121.
  • the respective second message may request to indicate at least one of: a) whether or not one or more subscribers associated to the one or more devices 130 are subject to content filtering, e.g., the respective type of information may comprise subscriber data, specifically if the subscriber is subject to content filtering policies; and b) historical exchange of traffic of the one or more devices 130 with the one or more applications, e.g., any potential previous access to unfiltered content for this subscriber, which should have been subject to content filtering.
  • the first second node 121 may be a UDR
  • the first node 111 may be a NWDAF
  • the respective second message may be a Nudr_Query Request message, which may include the subscriber identifier, e.g., UE-ID.
  • the one or more second nodes 112 may comprise the second second node 122.
  • the respective second message may request to indicate at least one of: a) one or more second applications providing traffic of content corresponding to one or more types of content, and b) a fifth indication indicating the one or more types of content.
  • the second second node 122 may be an ICAP server, or another node
  • the first node 111 may be a NWDAF
  • the another node may be in general, any database including a list of sites corresponding to content of a certain type that may have to be filtered.
  • the one or more second nodes 112 may comprise the third second node 123.
  • the respective second message may request to indicate at least one of the following options.
  • the respective second message may request to indicate a fourth identifier of an event indicating collection of the analytic information.
  • the respective second message may request to indicate the respective third identifier of the one or more devices 130, e.g., UE-ID or list of UE-ID, UE-Group-ID or list of UE-Group-ID, or AnyUE.
  • the respective second message may request to indicate second information of user plane traffic analysis and classification, or mirrored traffic data, that is, raw packets.
  • the second information of user plane traffic analysis may be e.g. flow information, Uniform Resource Locators (URLs), Server Name Indicators (SNIs).
  • the second information of user plane classification may be, e.g., App-ID.
  • the third second node 123 may be a UPF
  • the first node 111 may be a NWDAF
  • the respective second message may be a Nupf_EventExposure_Subscribe request.
  • the one or more second nodes 112 may comprise the first fourth second node 124, or the fifth second node 125.
  • the respective second message may request to indicate at least one of the following options.
  • the respective second message may request to indicate a fifth identifier of an event indicating collection of the analytic information.
  • the respective second message may request to indicate a sixth indication indicating a type of the event.
  • the respective second message may request to indicate the respective second identifier of the one or more applications, e.g., List of App-ID or Any App-ID.
  • the respective second message may request to indicate the respective third identifier of the one or more devices 130, e.g., UE-ID or AnyUE.
  • the respective second message may request to indicate third information of application layer content, e.g., the third information may originate from the AF of a Film provider, indicating the user/subscriber may be accessing unsecured pirate content.
  • the fourth second node 124 may be a NEF
  • the first node 111 may be a NWDAF
  • the respective second message may be a Nnef_EventExposure_Subscribe message.
  • the fifth second node 125 may be an AS/AF, and may receive the respective second message, indirectly, via the fourth second node 124 as a Naf_EventExposure_Subscribe request.
  • the one or more second nodes 112 may comprise at least one of the one or more devices 130, e.g., UEs.
  • the respective second message may request to indicate at least one of the following options.
  • the respective second message may request to indicate a sixth identifier indicating a type of the event.
  • the respective second message may request to indicate the respective third identifier of the one or more devices 130, e.g., UE-ID or AnyUE.
  • the respective second message may request to indicate a respective seventh identifier of one or more of the one or more applications installed, e.g., OS installed, in the at least one of the one or more devices 130, e.g., which may be run by the one or more devices 130.
  • the at least one of the one or more devices 130 may be a UE, the first node 111 may be a NWDAF, and the respective second message may be a Nue_EventExposure_Subscribe request.
  • the respective second message, or respective second messages may be obtained by the first node 111 from: the first second node 121, e.g., via the first link 151, the second second node 122, e.g., via the second link 152, the third second node 123, e.g., via the third link 153, the fourth second node 124, e.g., via the fourth link 154, the fifth second node 125, e.g., via the fourth link 154 and the seventh link 157, the one or more devices 130, e.g., via the respective fifth link 155, and/or the thirteenth link 163 and the fifteenth link 165.
  • the sending may be performed, directly, e.g., via one hop, or indirectly, via one or more hops or intermediary nodes.
  • the first node 111 may request the third information from the fifth second node 125, e.g., a content provider, such as an AF, via the fourth second node 124.
  • the first node 111 may trigger collection of the respective type of information as requested by the third node 113.
  • the first node 111 may then be enabled to collect the requested information, and then generate the analytic information about whether or not the one or more devices 130 may have exchanged traffic with the one or more applications, which are to be subject to content filtering.
  • the first node 111 may then be enabled to provide this analytic information to the third node 113 and thereby enable it to take remedial action, e.g., to enforce the content filtering if appropriate.
  • the first node 111 obtains, from the one or more second nodes 112 operating in the communications system 100, a respective message.
  • the respective message may be understood to be the respective third message.
  • respective may be understood to mean that the first node 111 may obtain a message from each of the one or more second nodes 112.
  • the respective message comprises a respective type of information.
  • the respective type of information indicates that the one or more devices 130 operating in the communications system 100 have exchanged traffic with the one or more applications that are to be subject to content filtering.
  • the obtaining in this Action 303 of the respective third message may be based on the sent respective second message. That is, the respective type of information comprised in the respective third message may be obtained in response to the request for its provision sent in the respective second message, and may vary from second node 112 to second node 112, e.g., it may be different when obtained from the first second node 121 than from the second second node 122.
  • the one or more second nodes 112 may comprise the first second node 121
  • at least one of i) the respective second message may request to indicate
  • ii) the respective third message may indicate at least one of: a) whether or not one or more subscribers associated to the one or more devices 130 are subject to content filtering, and b) the historical exchange of traffic of the one or more devices 130 with the one or more applications.
  • the first second node 121 may be a UDR
  • the first node 111 may be a NWDAF
  • the respective second message may be a Nudr_Query Request message, which may include subscriber data for, e.g., UE-ID.
  • the respective third message may be a response message to this request.
  • the one or more second nodes 112 may comprise the second second node 122
  • at least one of i) the respective second message may request to indicate and ii) the respective third message may indicate at least one of: a) the one or more second applications providing traffic of content corresponding to the one or more types of content, and b) the fifth indication indicating the one or more types of content.
  • the second second node 122 may be an ICAP server, or another node
  • the first node 111 may be a NWDAF
  • the respective second message may be a Query request message.
  • the respective third message may be a response message to this request.
  • the third second node 123 may be a UPF
  • the first node 111 may be a NWDAF
  • the respective second message may be a Nupf_EventExposure_Subscribe request and the respective third message may be a Nupf_EventExposure_Notify message.
  • the one or more second nodes 112 may comprise the first fourth second node 124, or the fifth second node 125
  • at least one of i) the respective second message may request to indicate and ii) the respective third message may indicate at least one of the following options.
  • the fifth identifier of the event indicating collection of the analytic information.
  • the sixth indication indicating the type of the event.
  • the respective second identifier of the one or more applications e.g., List of App-ID or Any App-ID.
  • the respective third identifier of the one or more devices 130 e.g., UE-ID or AnyUE.
  • the third information of application layer content is provided.
  • the fourth second node 124 may be a NEF
  • the first node 111 may be a NWDAF
  • the respective second message may be a Nnef_EventExposure_Subscribe message
  • the respective third message may be a Nnef_EventExposure_Notify request.
  • the one or more second nodes 112 may comprise at least one of the one or more devices 130, at least one of i) the respective second message may request to indicate and ii) the respective third message may indicate at least one of the following options.
  • the another message may indicate how the content is to be filtered. How the content is to be filtered may indicate at least one action to apply to the traffic of the content.
  • the first message may be a Nnwdaf_AnalyticsSubscription_Subscribe request message and the another message may be a Nnwdaf_AnalyticsSubscription_Notify request message.
  • the first node 111 may be an NWDAF.
  • the first node 111 may be a NWDAF
  • the respective second message may be a Nue_EventExposure_Subscribe request
  • the respective third message may be a Nue_EventExposure_Notify.
  • the respective second message, or respective second messages may be obtained by the first node 111 from: the first second node 121, e.g., via the first link 151, the second second node 122, e.g., via the second link 152, the third second node 123, e.g., via the third link 153, the fourth second node 124, e.g., via the fourth link 154, the one or more devices 130, e.g., via the respective fifth link 155, and/or the thirteenth link 163 and the fifteenth link 165.
  • obtaining may comprise receiving, directly, e.g., via one hop, or indirectly, via one or more hops or intermediary nodes. This may apply to embodiments wherein the second node 112 may be a NEF, and the first node 111 may be able to request and retrieve information from a content provider, e.g., the fifth second node 125, via the NEF.
  • the first node 111 may therefore be enabled to generate the analytic information about whether or not the one or more devices 130 may have exchanged traffic with the one or more applications, which are to be subject to content filtering.
  • the first node 111 may then be enabled to provide this analytic information to the third node 113 and thereby enable it to take remedial action, e.g., to enforce the content filtering if appropriate.
  • Action 304
  • the first node 111 may generate the analytic information.
  • the first node 111 may generate the analytic information based on the received respective message, e.g., the received respective messages, if received from more than one of the one or more second nodes 112. This may be data collected from UDR, ICAP Server, UPF, UE and AF/AS.
  • Generating may be understood as determining, calculating, deriving, etc.
  • That the first node 111 may generate the analytic information based on the received respective message may be understood to mean that the first node 111 may generate the analytic information using the respective type of information comprised in the received respective message.
  • the first node 111 may analyze the traffic collected from the third second node 123, and optionally from the fifth second node 125 and/or the one or more devices 130, for the one or more devices 130, e.g., UE-IDs which may be subject to content filtering policies for the requested category, e.g., Unsafe content Type 1, in the example sequence diagram of Figure 6, based on data collected from the third second node 123.
  • a Machine Learning (ML) model previously trained may be used, which may be continuously validated based on collected data, e.g., based on supervised ML, or the first node 111 may build a model to detect access to content subject to content filtering, e.g., unsafe content, on a per category basis.
  • the first node 111 may run analytic processes and generate analytics output which may indicate at least one of the one or more following options.
  • the first identifier of the analytic information such as e.g., Analytic-ID, which may be set to, e.g., “ContenttobeFiltered”.
  • the first indication indicating the type of the analytic such as e.g., Analytic-Type, which may be set to Unsafe content Type 1, e.g., “executable software”, Unsafe content Type 2, e.g., “spyware identifier X”, Unsafe content Type 2, e.g., “virus identifier Y”, etc.
  • the second indication indicating the time period for which the analytic information may have to apply e.g., timePeriod, which may be set to indicate e.g., daily, weekly, monthly.
  • the third indication indicating the confidence level the analytic information is to have e.g., a %, which may indicate the confidence that content subject to content filtering, e.g., unsafe content, has been accessed by the one or more devices 130, e.g., UE-ID.
  • the fourth indication of traffic subject to the content filtering e.g., “PFDs”, which may be understood to identify the traffic which may correspond to content to be filtered, of the requested category.
  • the first node 111 may generate the analytic information by checking whether traffic in the communications system 100 matches one or more options that may have been indicated in the first message. The generated analytic information may therefore be based on the received first message.
  • the first node 111 may then be enabled to provide this analytic information to the third node 113 and thereby enable the third node 113 to take remedial action, e.g., to enforce the content filtering if appropriate.
  • the first node 111 initiates sending another message to the third node 113 operating in the communications system 100.
  • the another message is based on the received respective message.
  • the another message comprises the analytic information generated by the first node 111, about the one or more devices 130 having exchanged traffic with the one or more applications.
  • the one or more applications are to be subject to content filtering. However, no content filtering may have been applied to the traffic exchanged by the one or more devices 130 with the one or more applications.
  • That the another message is based on the received respective message may be understood to mean that the analytic information comprised in the another message has been generated using the information obtained by respective type of information comprised in the obtained respective message(s).
  • At least one of the first message and the another message may indicate the first indication indicating the type of the analytic, such as e.g., Analytic-Type, which may be set to Unsafe content Type 1, e.g., “executable software”, Unsafe content Type 2, e.g., “spyware identifier X”, Unsafe content Type 2, e.g., “virus identifier Y”, etc.
  • at least one of the first message and the another message may indicate the respective second identifier of the one or more applications, e.g., “App-ID”, or “List of App-ID”.
  • At least one of the first message and the another message may indicate the respective third identifier of the one or more devices 130, e.g., UE-ID or list of UE-ID, UE-Group-ID or list of UE-Group-ID, or AnyUE.
  • at least one of the first message and the another message may indicate the first information indicating how the content is to be filtered, e.g., DNN, S-NSSAI, Area of Interest, Radio Access Technology (RAT)-Type, etc.
  • At least one of the first message and the another message may indicate the second indication indicating the time period for which the analytic information may have to apply, e.g., timePeriod, which may be set to indicate e.g., daily, weekly, monthly.
  • at least one of the first message and the another message may indicate the third indication indicating the confidence level the analytic information is to have.
  • at least one of the first message and the another message may indicate the fourth indication of traffic subject to the content filtering, e.g., “PFDs”, which may be understood to identify the traffic which may correspond to content to be filtered, of the requested category.
  • the another message may indicate: a) the first identifier of the analytic information, b) the first indication indicating the type of the analytic, and c) for every device of the one or more devices 130 having exchanged unfiltered traffic for the indicated type of analytic with the one or more applications that are to be subject to content filtering: i) the respective third identifier, ii) the fourth indication, and iii) the third indication indicating the confidence level that the device has exchanged unfiltered traffic for the indicated type of analytic with the one or more applications that are to be subject to content filtering.
  • Option c) may be indicated as part of a parameter such as e.g., AnalyticResult.
  • This parameter may include options i), ii) and iii) as a list, e.g., List of (UE-ID, PFDs, Confidence metric), where for each UE-ID, UE-ID may be understood to identify the user who has accessed inappropriate content of the requested category, PFDs may be understood to identify the traffic which corresponds to inappropriate content of the requested category, and confidence metric, e.g., as a %, may indicate the confidence that inappropriate content of the requested category has been accessed by UE-ID.
  • the first message may be a Nnwdaf_AnalyticsSubscription_Subscribe request message.
  • the sending may be performed e.g., via the sixth link 156.
  • the first node 111 may enable the third node 113 to take remedial action, e.g., to enforce the content filtering if appropriate.
  • the third node 113 may, based on the analytic output, apply the corresponding actions. For example, the third node 113 may block the PFDs corresponding to unsafe content for the one or more devices 130, and/or report that one or more devices 130 may have tried to access unsafe content.
  • the first node 111 may therefore be enabled to provide a service to the third node 113, which may enable the third node 113 to monitor traffic, and as one advantage, enable it to ensure the security of the wireless communications network 100 may be preserved.
  • Embodiments of a method performed by the third node 113 will now be described with reference to the flowchart depicted in Figure 4.
  • the method may be understood to be for handling access to content.
  • the third node 113 may operate in the communications system 100.
  • the method may comprise the following actions. In some embodiments all the actions may be performed. In some embodiments some of the actions may be performed. In Figure 4, optional actions are indicated with a dashed box. One or more embodiments may be combined, where applicable. All possible combinations are not described to simplify the description. It should be noted that the examples herein are not mutually exclusive. Components from one example or embodiment may be tacitly assumed to be present in another example or embodiment, and it will be obvious to a person skilled in the art how those components may be used in the other examples.
  • the first identifier may be a parameter, such as e.g., an Analytic-ID, which may be set to, e.g., “ContenttobeFiltered”.
  • the third node 113 may send the first message to the first node 111.
  • the first message may request that the first node 111 provide the analytic information.
  • the generated analytic information may be based on the received first message.
  • the first message may be a Nnwdaf_AnalyticsSubscription_Subscribe request message.
  • the sending in this Action 401 may be performed, e.g., via the sixth link 156.
  • the third node 113 receives the another message from the first node 111 operating in the communications system 100.
  • the another message comprises the analytic information generated by the first node 111, about the one or more devices 130 operating in the communications system 100 having exchanged traffic with the one or more applications that are to be subject to content filtering.
  • At least one of the first message and the another message may indicate at least one of the one or more following options: a) the first identifier of the analytic information, b) the first indication indicating the type of the analytic, c) the respective second identifier of the one or more applications, d) the respective third identifier of the one or more devices 130, e) the first information indicating how the content is to be filtered, f) the second indication indicating the time period for which the analytic information may have to apply, g) the third indication indicating the confidence level the analytic information is to have, and h) the fourth indication of traffic subject to the content filtering.
  • the another message may indicate: a) the first identifier of the analytic information, b) the first indication indicating the type of the analytic, and c) for every device of the one or more devices 130 having exchanged unfiltered traffic for the indicated type of analytic with the one or more applications that are to be subject to content filtering: i) the respective third identifier, ii) the fourth indication, and iii) the third indication indicating the confidence level that the device has exchanged unfiltered traffic for the indicated type of analytic with the one or more applications that are to be subject to content filtering.
  • how the content is to be filtered may indicate at least one action to apply to the traffic of the content.
  • the first message may be a Nnwdaf_AnalyticsSubscription_Subscribe request message and the another message may be a Nnwdaf_AnalyticsSubscription_Notify request message.
  • the first node 111 may be an NWDAF.
  • the third node 113 may answer to the first node 111 indicating successful operation.
  • the third node 113 initiates performing, based on the received another message, one or more actions to apply content filtering to the one or more applications for the one or more devices 130.
  • the third node 113 may apply the corresponding actions based on the AnalyticResult.
  • the one or more actions may comprise sending, directly or indirectly, a fourth message to at least one of: the one or more second nodes 112 operating in the communications system 100, and the fourth node 114 or the one or more second nodes 112 operating in the communications system 100.
  • the fourth message to the one or more second nodes 112 may indicate to store subscriber information indicating the exchange of traffic.
  • One of the actions may be, for example, that the third node 113 stores in the first second node 121, as part of subscriber data, an indication of access to unsafe content of a certain category, and blocks the traffic for that particular device, e.g., UE-ID, for the PFDs indicated in the AnalyticResult.
  • the third node 113 may trigger a Nudr_Store request message including the following information: the respective third identifier of the device, e.g., UE-ID, a new parameter, e.g., UnfilteredContentInfo, which may contain: an indication that the device, e.g., UE-ID, has accessed inappropriate content, and the category, e.g., executable code in this example.
  • the fourth message to the fourth node 114 or the one or more second nodes 112 may indicate to block further traffic with one or more of the one or more applications.
  • the third node 113 may trigger a Npcf_SMPolicyControl_Update Request message towards the fourth node 114, e.g., an SMF, to update the PCC rules, specifically to install a new PCC rule including: List of PFD which may indicate to which traffic the PCC rule may apply to, and Block which may indicate the action to apply to the traffic matching the above PFDs.
  • the fourth node 114 may answer to the third node 113 indicating successful operation.
  • the fourth node 114 may then translate the PCC rule into a Packet Detection Rule (PDR)/Forwarding Action Rule (FAR) and trigger a Packet Flow Control Protocol (PFCP) Session Modification Request message towards the third second node 123, e.g., a UPF, which may comprise the PDR with Packet Detection Information (PDI) set to Service Data Flow Filter (SDFFilter), Packet Flow Descriptions (PFDs), and the FAR indicating block action.
  • the third second node 123 e.g., the UPF, may block all traffic matching the above PFDs.
  • Embodiments of a method performed by a second node 112, that is, any second node 112 of the one or more second nodes 112, will now be described with reference to the flowchart depicted in Figure 5.
  • the method may be understood to be for handling access to content.
  • the second node 112 may operate in the communications system 100.
  • the method may comprise the following actions. In some embodiments all the actions may be performed. In some embodiments some of the actions may be performed. In Figure 5, optional actions are indicated with a dashed box. One or more embodiments may be combined, where applicable. All possible combinations are not described to simplify the description. It should be noted that the examples herein are not mutually exclusive. Components from one example or embodiment may be tacitly assumed to be present in another example or embodiment, and it will be obvious to a person skilled in the art how those components may be used in the other examples.
  • the respective type of information may comprise subscriber data, specifically if the subscriber is subject to content filtering policies.
  • the second node 112 may receive the respective second message from the first node 111.
  • the respective second message requests the provision of the respective message.
  • the respective message is the respective third message described earlier.
  • the kind of message the respective second message may be may depend on, e.g., which type of node the second node 112 may be.
  • the second node 112 sends, to the first node 111 operating in the communications system 100, the respective message.
  • the respective message comprises the respective type of information.
  • the respective type of information indicates that one or more devices 130 operating in the communications system 100 have exchanged traffic with the one or more applications that are to be subject to content filtering.
  • the sending 502 of the respective third message may be based on the received respective second message.
  • the second node 112 may be the first second node 121
  • at least one of i) the respective second message may request to indicate, and ii) the respective third message may indicate at least one of: a) whether or not one or more subscribers associated to the one or more devices 130 are subject to content filtering, and b) the historical exchange of traffic of the one or more devices 130 with the one or more applications.
  • the first second node 121 may be a UDR
  • the first node 111 may be a NWDAF
  • the respective second message may be a Nudr_Query Request message.
  • the second node 112 may be the second second node 122
  • at least one of i) the respective second message may request to indicate and ii) the respective third message may indicate at least one of: a) the one or more second applications providing traffic of content corresponding to the one or more types of content, and b) the fifth indication indicating the one or more types of content.
  • the second second node 122 may be an ICAP server, or another node, the first node 111 may be a NWDAF, and the respective second message may be a Query request message.
  • the second node 112 may be the third second node 123
  • at least one of i) the respective second message may request to indicate and ii) the respective third message may indicate at least one of: a) the fourth identifier of the event indicating collection of the analytic information, b) the respective third identifier of the one or more devices 130, and c) the second information of the user plane traffic analysis and classification or mirrored traffic data.
  • the third second node 123 may be a UPF
  • the first node 111 may be a NWDAF
  • the respective second message may be a Nupf_EventExposure_Subscribe request and the respective third message may be a Nupf_EventExposure_Notify message.
  • the second node 112 may be the fourth second node 124, or the fifth second node 125
  • at least one of i) the respective second message may request to indicate and ii) the respective third message may indicate at least one of the following options: a) the fifth identifier of the event indicating collection of the analytic information, b) the sixth indication indicating the type of the event, c) the respective second identifier of the one or more applications, d) the respective third identifier of the one or more devices 130, and e) the third information of application layer content.
  • the fourth second node 124 may be a NEF
  • the first node 111 may be a NWDAF
  • the respective second message may be a Nnef_EventExposure_Subscribe message
  • the respective third message may be a Nnef_EventExposure_Notify request.
  • the second node 112 may be at least one of the one or more devices 130
  • at least one of i) the respective second message may request to indicate and ii) the respective third message may indicate at least one of: a) the sixth identifier indicating the type of the event, b) the respective third identifier of the one or more devices 130, and c) the respective seventh identifier of the one or more of the one or more applications installed in the at least one of the one or more devices 130.
  • the respective second message may be a Nue_EventExposure_Subscribe request and the respective third message may be a Nue_EventExposure_Notify.
  • the second node 112 may receive, directly or indirectly, the fourth message from the third node 113 operating in the communications network 100.
  • the fourth message may indicate to perform the one or more actions.
  • the one or more actions may comprise one of: to store subscriber information indicating the exchange of traffic, and to block further traffic with one or more of the one or more applications.
  • the second node 112 may initiate performing the indicated one or more actions.
  • the second node 112 may be the first second node 121, e.g., a UDR
  • the second node 112 may store subscriber information indicating the exchange of traffic.
  • the second node 112 may be the third second node 123, e.g., a UPF
  • the second node 112 may block further traffic with one or more of the one or more applications.
  • the third second node 123 may have received the fourth message indirectly from the third node 113, via the fourth node 114, e.g., an SMF.
  • Figure 6 is a signalling diagram depicting a non-limiting example of embodiments herein extending from panels a)-f), in alphabetical order.
  • the first node 111 is an NWDAF
  • the first second node 121 is a UDR
  • the second second node 122 is an ICAP server
  • the third second node 123 is a UPF
  • the fourth second node 124 is a NEF
  • the fifth second node 125 is an AS/AF
  • the third node 113 is a consumer, e.g., a PCF
  • the fourth node 114 is an SMF
  • the one or more second nodes 112 further comprise the one or more devices 130, represented in Figure 6 as a single UE.
  • FIG. 6 shows a sequence diagram describing the proposed mechanism in an example on how to apply content filtering policies based on analytics.
  • the steps are detailed as follows.
  • the PCF may retrieve subscriber data which may indicate content filtering policies are to be applied
  • the first node 111 may answer the third node 113 indicating successful operation.
  • the first node 111 may trigger data collection from the first second node 121 to retrieve subscriber data, specifically if the subscriber is subject to content filtering policies, e.g., a particular type of subscription. Additionally, to retrieve any potential previous access to unfiltered content for this subscriber.
  • the first node 111 may, in accordance with Action 302 and Action 501, trigger a Nudr_Query Request message including the subscriber identifier, UE-ID.
  • the first second node 121 in accordance with Action 502 and Action 303, may answer the message in Step 5 including subscriber data for UE-ID, which may specifically include the following information: a) indication if subscriber, UE-ID, is subject to content filtering policies, and b) historic access to unfiltered content to be filtered content for UE-ID.
  • the first node 111 may trigger data collection from the second second node 122.
  • the first node 111 may trigger data collection from the third second node 123 relative to traffic analysis, e.g., flow information, URLs, SNIs, and classification, e.g., App-ID, for UE-ID.
  • data collection from the third second node 123 regarding mirrored data e.g., raw packets.
  • the third second node 123 answers the first node 111 indicating successful operation.
  • the first node 111 may, in accordance with Action 302 and Action 501, trigger data collection from the fifth second node 125 through the fourth second node 124, relative to application layer content, e.g., to request a first content provider AF to indicate if the user/subscriber may be accessing unfiltered content to be filtered in a webpage.
  • the fourth second node 124 may answer the first node 111 indicating successful operation.
  • the fifth second node 125 may answer the fourth second node 124 indicating successful operation.
  • the UE may answer the first node 111 indicating successful operation.
  • the third second node 123 may forward UE traffic to the fifth second node 125.
  • NWDAF answers UE indicating successful operation.
  • a) Event-ID TrafficAnalysis&Classification
  • UE-ID UE-ID
  • TrafficAnalysis&ClassificationInfo comprising information relative to user plane traffic analysis, e.g., flow information, URLs, SNIs, and classification, e.g., App-ID, for UE
  • the third second node 123 may report mirrored data, e.g., raw packets.
  • the first node 111 may answer the third second node 123 indicating successful operation.
  • the fourth second node 124 may answer the fifth second node 125 indicating successful operation.
  • the first node 111 may answer the fourth second node 124 indicating successful operation.
  • the first node 111 may, in accordance with Action 304, produce analytics based on the data collected from the first second node 121, the second second node 122, the third second node 123, the UE, and the fifth second node 125.
  • the first node 111 may analyze the traffic collected from the third second node 123, and optionally from the fifth second node 125 and/or the UE, for the UE-IDs which may be subject to content filtering policies for the requested category, e.g., Executable software in the example sequence diagram of Figure 6, based on data collected from the first second node 121.
  • the analyzed traffic and specifically the extracted metadata may be matched against the database of the second second node 122 for the requested category to check if there is any access to unfiltered content to be filtered.
  • the first node 111 may also check if the fifth second node 125 may report any access to the requested traffic category.
  • an ML model previously trained may be used, which may be continuously validated based on collected data, e.g., based on supervised ML, or the first node 111 may build a model to detect access to unfiltered content to be filtered content, on a per category basis.
  • Unsafe content Type 1 e.g., “executable software”
  • Unsafe content Type 2 e.g., “spyware identifier X”
  • Unsafe content Type 2 e.g., “virus identifier Y” etc.
  • Executable software in the example sequence diagram of Figure 6, and c) AnalyticResult, including a List of (UE-ID, PFDs, Confidence metric), where for each UE-ID: i) UE-ID may identify the user who has accessed unfiltered content to be filtered content of the requested category, ii) PFDs may identify the traffic which may correspond to unfiltered content to be filtered content of the requested category, and iii) Confidence metric (%), which may indicate the confidence that inappropriate content of the requested category has been accessed by UE-ID.
  • the third node 113 answers the first node 111 indicating successful operation.
  • the third node 113 may apply the corresponding actions based on the AnalyticResult.
  • the PCF as consumer to store in UDR as part of subscriber data an indication of access to unfiltered content to be filtered content of a certain category, Executable software in this example, and to block the UE-ID traffic for the PFDs indicated in the AnalyticResult.
  • the third node 113 may trigger a Nudr_Store request message including the following information: a) UE-ID, b) ContenttobeFilteredInfo, which may comprise: i) an indication that UE-ID has accessed unfiltered content to be filtered content, and ii) category, Executable software in this example.
  • the first second node 121 may, in accordance with Action 504, store the ContenttobeFilteredInfo in the subscriber data for UE-ID and may answer the third node 113 indicating successful operation.
  • the third node 113 may trigger a Npcf_SMPolicyControl_Update Request message towards the fourth node 114 to update the PCC rules, specifically to install a new PCC rule including: a) List of PFD, indicating to which traffic the PCC rule applies to, and b) Block, indicating the action to apply to the traffic matching the above PFDs.
  • the fourth node 114 may answer the third node 113 indicating successful operation.
  • the fourth node 114 may translate the PCC rule in Step 44 above into PDR/FAR and, in accordance with Action 503, trigger a PFCP Session Modification Request message towards the third second node 123 including: i) PDR with PDI set to SDFFilter, PFDs, and ii) FAR indicating block action.
  • the third second node 123 may answer the fourth node 114 indicating successful operation.
  • the third second node 123 in accordance with Action 504, may block all traffic matching the above PFDs.
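  • The consumer-side handling of the AnalyticResult described above, as an added example that is not part of the original description: it checks a notification against what was subscribed (Analytic-ID, Analytic-Type, UE-ID scope, confidence level) before deriving the Nudr_Store content and the PCC rule with the List of PFD and the Block action. The dictionary keys, the function name, the rejection policy and the sample values are assumptions constructed for illustration, not 3GPP encodings.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Subscription:
    """What the consumer put in its Subscribe request (the first message)."""
    analytic_id: str        # Analytic-ID, e.g. "ContenttobeFiltered"
    analytic_type: str      # Analytic-Type: the requested category
    ue_ids: frozenset       # UE-IDs in scope; an empty set stands for AnyUE
    min_confidence: float   # confidence level (%) the analytic is to have


def plan_actions(sub, notify):
    """Turn a Notify (the another message) into three lists:
    Nudr_Store payloads, PCC rules, and rejected entries with a reason.
    Field names are hypothetical; only accepted entries lead to a Block."""
    if notify.get("analytic_id") != sub.analytic_id:
        raise ValueError("notification is for a different Analytic-ID")
    if notify.get("analytic_type") != sub.analytic_type:
        raise ValueError("notification is for a different Analytic-Type")

    stores, rules, rejected = [], {}, []
    for entry in notify.get("analytic_result", []):
        ue = entry.get("ue_id")
        pfds = entry.get("pfds") or []
        conf = entry.get("confidence")
        if not ue or (sub.ue_ids and ue not in sub.ue_ids):
            rejected.append((ue, "UE-ID outside subscription"))
        elif (not isinstance(conf, (int, float)) or isinstance(conf, bool)
              or not 0 <= conf <= 100):
            rejected.append((ue, "malformed confidence"))
        elif not pfds:
            rejected.append((ue, "no PFDs to act on"))
        elif conf < sub.min_confidence:
            # Assumed policy: below the subscribed level, report but do not block.
            rejected.append((ue, "confidence below subscribed level"))
        else:
            if ue not in rules:
                # One subscriber-data record per device, as in the Nudr_Store step.
                stores.append({
                    "ue_id": ue,
                    "ContenttobeFilteredInfo": {
                        "accessed": True,
                        "category": sub.analytic_type,
                    },
                })
                rules[ue] = {"ue_id": ue, "pfd_list": [], "action": "Block"}
            for pfd in pfds:
                # Merge repeated entries for one device without duplicate PFDs.
                if pfd not in rules[ue]["pfd_list"]:
                    rules[ue]["pfd_list"].append(pfd)
    return stores, list(rules.values()), rejected


# Constructed sample data (placeholder UE-IDs and PFD labels).
SAMPLE_SUB = Subscription(
    analytic_id="ContenttobeFiltered",
    analytic_type="Executable software",
    ue_ids=frozenset({"ue-1", "ue-2", "ue-3"}),
    min_confidence=80,
)
SAMPLE_NOTIFY = {
    "analytic_id": "ContenttobeFiltered",
    "analytic_type": "Executable software",
    "analytic_result": [
        {"ue_id": "ue-1", "pfds": ["pfd-a", "pfd-b"], "confidence": 95},
        {"ue_id": "ue-1", "pfds": ["pfd-b", "pfd-c"], "confidence": 90},
        {"ue_id": "ue-2", "pfds": ["pfd-a"], "confidence": 40},
        {"ue_id": "ue-9", "pfds": ["pfd-a"], "confidence": 99},
        {"ue_id": "ue-3", "pfds": ["pfd-d"], "confidence": "high"},
    ],
}

if __name__ == "__main__":
    stores, rules, rejected = plan_actions(SAMPLE_SUB, SAMPLE_NOTIFY)
    print("Nudr_Store payloads:", stores)
    print("PCC rules:", rules)
    print("Rejected entries:", rejected)
```
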
  • embodiments herein may be also advantageously applied to, for example, filter inappropriate content to certain subscribers, e.g., a child subscription.
  • the demand for parental control methods that may restrict content has increased over the decades due to the rising availability of the Internet.
  • a survey showed that almost a quarter of people under the age of 12 had been exposed to online pornography.
  • Restricting may be especially helpful in cases when children may be exposed to inappropriate content by accident.
  • Children are more likely to unknowingly access illegal content such as pirated movies or music. They may be easily influenced by recommendations from peers, especially to bypass family restrictions on their favorite content and circumvent spending limits set by their parents. Children may also be more likely to respond to attractive ads and click baits that may pop up on their screens.
  • the respective type of information may indicate that the one or more devices 130 operating in the communications system 100 have exchanged traffic with the one or more applications that are to be subject to content filtering for inappropriate content. Unfiltered traffic may therefore be, in such embodiments, inappropriate traffic.
  • Figure 7 is a signalling diagram depicting a non-limiting example of embodiments herein extending from panels a)-f), in alphabetical order.
  • Figure 7 shows a sequence diagram describing the proposed mechanism in an example on how to apply content filtering policies based on analytics, for the use case of filtering of inappropriate content.
  • the nodes and steps are described as described for Figure 6 with the following exceptions.
  • the subscriber data retrieved and/or provided by the first second node 121 may be specifically if the subscriber is subject to content filtering policies, e.g., a child subscription.
  • the unfiltered content to be filtered may be Inappropriate content.
  • the content provider may be a Movie provider, and the unfiltered content to be filtered may be an adult movie.
  • One advantage of embodiments herein is that they may allow a network operator to detect, in an automated way and in real time, unsafe, and/or inappropriate content, and to expose this information towards a consumer which may apply the corresponding actions, e.g., block traffic, redirect traffic, notify user, trigger Fault Management (FM) alarm, etc.
  • Another advantage of embodiments herein may be that they may allow the network operator to support content filtering for the user traffic in a simple and efficient way.
  • a further advantage of embodiments herein may be understood to be that they may work even when the traffic may be encrypted, e.g., HTTPS (TLS) or QUIC based applications, for which existing content filtering mechanisms do not work. It may also work when the SNI field may be encrypted and when DNS traffic may be encrypted, e.g., DoH.
  • Figure 8 depicts two different examples in panels a) and b), respectively, of the arrangement that the first node 111 may comprise to perform the method actions described above in relation to Figure 3, Figure 6 and/or Figure 7.
  • the first node 111 may comprise the following arrangement depicted in Figure 8a.
  • the first node 111 may be understood to be for handling access to content.
  • the first node 111 is configured to operate in the communications system 100.
  • the first node 111 may be configured to be an NWDAF
  • the first second node 121 may be configured to be a UDR
  • the second second node 122 may be configured to be an ICAP server
  • the third second node 123 may be configured to be a UPF
  • the fourth second node 124 may be configured to be a NEF
  • the fifth second node 125 may be configured to be an AS/AF
  • the third node 113 may be configured to be a consumer, e.g., a PCF
  • the fourth node 114 may be configured to be an SMF
  • the one or more second nodes 112 may further comprise the one or more devices 130, e.g., UEs.
  • the first node 111 is configured to, e.g., by means of an obtaining unit 801 within the first node 111 configured to, obtain, from the one or more second nodes 112 configured to operate in the communications system 100, the respective message.
  • the respective message is configured to comprise the respective type of information.
  • the respective type of information is configured to indicate that the one or more devices 130 configured to operate in the communications system 100 have exchanged traffic with one or more applications that are to be configured to be subject to content filtering.
  • the first node 111 is also configured to, e.g., by means of an initiating unit 802 within the first node 111 configured to, initiate sending the another message to the third node 113 configured to operate in the communications system 100.
  • the another message is configured to be based on the respective message configured to be received.
  • the another message is configured to comprise analytic information configured to be generated by the first node 111, about the one or more devices 130 having exchanged traffic with the one or more applications.
  • the first node 111 may be also configured to, e.g., by means of a receiving unit 803 within the first node 111 configured to, receive the first message from the third node 113.
  • the first message may be configured to request that the first node 111 provide the analytic information.
  • the first node 111 may be also configured to, e.g., by means of a generating unit 804 within the first node 111 configured to, generate the analytic information based on the respective message configured to be received, by checking whether traffic in the communications system 100 may match the one or more options configured to be indicated in the first message.
  • the analytic information configured to be generated may be based on the first message configured to be received.
  • At least one of the first message and the another message may be configured to indicate at least one of the one or more options: a) the first identifier of the analytic information, b) the first indication indicating the type of the analytic, c) the respective second identifier of the one or more applications, d) the respective third identifier of the one or more devices 130, e) the first information configured to indicate how the content is to be filtered, f) the second indication configured to indicate the time period for which the analytic information may be configured to apply, g) the third indication configured to indicate the confidence level the analytic information is to have, and h) the fourth indication of traffic configured to be subject to the content filtering.
  • the another message may be configured to indicate how the content is to be filtered. How the content is to be filtered may be configured to indicate at least one action to apply to the traffic of the content.
  • the another message may be configured to indicate: a) the first identifier of the analytic information, b) the first indication configured to indicate the type of the analytic, and c) for every device of the one or more devices 130 having exchanged unfiltered traffic for the indicated type of analytic with the one or more applications that are to be configured to be subject to content filtering: i) the respective third identifier, ii) the fourth indication, and iii) the third indication configured to indicate the confidence level that the device has exchanged unfiltered traffic for the indicated type of analytic with the one or more applications that are to be configured to be subject to content filtering.
  • the first message may be configured to be a Nnwdaf_AnalyticsSubscription_Subscribe request message and the another message may be configured to be a Nnwdaf_AnalyticsSubscription_Notify request message.
  • the first node 111 may be also configured to, e.g., by means of a sending unit 805 within the first node 111 configured to, send, based on the first message configured to be received, the respective second message to the one or more second nodes 112.
  • the respective second message may be configured to request the provision of the respective message.
  • the respective message may be configured to be the respective third message.
  • the obtaining of the respective third message may be configured to be based on the respective second message configured to be sent.
  • the one or more second nodes 112 may be configured to comprise the first second node 121, and at least one of: i) the respective second message may be configured to request to indicate, and ii) the respective third message may be configured to indicate at least one of: a) whether or not one or more subscribers associated to the one or more devices 130 are subject to content filtering, and b) the historical exchange of traffic of the one or more devices 130 with the one or more applications.
  • the first second node 121 may be configured to be a UDR.
  • the first node 111 may be configured to be an NWDAF.
  • the respective second message may be configured to be a Nudr_Query Request message.
  • the one or more second nodes 112 may be configured to comprise the second second node 122, and at least one of: i) the respective second message may be configured to request to indicate, and ii) the respective third message may be configured to indicate at least one of: a) the one or more second applications configured to provide traffic of content corresponding to one or more types of content, and b) the fifth indication configured to indicate the one or more types of content.
  • the second second node 122 may be configured to be an ICAP server, or another node, the first node 111 may be configured to be an NWDAF, and the respective second message may be configured to be a Query request message.
  • the one or more second nodes 112 may be configured to comprise the third second node 123, and at least one of: i) the respective second message may be configured to request to indicate, and ii) the respective third message may be configured to indicate at least one of: a) the fourth identifier of the event configured to indicate collection of the analytic information, b) the respective third identifier of the one or more devices 130, and c) the second information of user plane traffic analysis and classification or mirrored traffic data.
  • the third second node 123 may be configured to be a UPF.
  • the first node 111 may be configured to be an NWDAF.
  • the respective second message may be configured to be a Nupf_EventExposure_Subscribe request.
  • the respective third message may be configured to be a Nupf_EventExposure_Notify.
  • the one or more second nodes 112 may be configured to comprise the fourth second node 124, or the fifth second node 125, and at least one of: i) the respective second message may be configured to request to indicate, and ii) the respective third message may be configured to indicate at least one of: a) the fifth identifier of the event configured to indicate collection of the analytic information, b) the sixth indication configured to indicate the type of the event, c) the respective second identifier of the one or more applications, d) the respective third identifier of the one or more devices 130, and e) the third information of application layer content.
  • the fourth second node 124 may be configured to be a NEF.
  • the first node 111 may be configured to be an NWDAF.
  • the respective second message may be configured to be a Nnef_EventExposure_Subscribe.
  • the respective third message may be configured to be a Nnef_EventExposure_Notify request.
  • the one or more second nodes 112 may be configured to comprise at least one of the one or more devices 130, and at least one of: i) the respective second message may be configured to request to indicate, and ii) the respective third message may be configured to indicate at least one of: a) the sixth identifier configured to indicate the type of the event, b) the respective third identifier of the one or more devices 130, and c) the respective seventh identifier of the one or more of the one or more applications configured to be installed in the at least one of the one or more devices 130.
  • the at least one of the one or more devices 130 may be configured to be a UE, the first node 111 may be configured to be an NWDAF, the respective second message may be configured to be a Nue_EventExposure_Subscribe request and the respective third message may be configured to be a Nue_EventExposure_Notify.
  • the embodiments herein may be implemented through one or more processors, such as a processor 806 in the first node 111 depicted in Figure 8, together with computer program code for performing the functions and actions of the embodiments herein.
  • the program code mentioned above may also be provided as a computer program product, for instance in the form of a data carrier carrying computer program code for performing the embodiments herein when being loaded into the first node 111.
  • One such carrier may be in the form of a CD ROM disc. It is however feasible with other data carriers such as a memory stick.
  • the computer program code may furthermore be provided as pure program code on a server and downloaded to the first node 111.
  • the first node 111 may further comprise a memory 807 comprising one or more memory units.
  • the memory 807 is arranged to be used to store obtained information, store data, configurations, schedulings, and applications etc. to perform the methods herein when being executed in the first node 111.
  • the first node 111 may receive information from, e.g., any of the one or more second nodes 112, the third node 113, the fourth node 114, the radio network node 140, the one or more devices 130 and/or another node or device through a receiving port 808.
  • the receiving port 808 may be, for example, connected to one or more antennas in the first node 111.
  • the first node 111 may receive information from another structure in the communications system 100 through the receiving port 808. Since the receiving port 808 may be in communication with the processor 806, the receiving port 808 may then send the received information to the processor 806.
  • the receiving port 808 may also be configured to receive other information.
  • the processor 806 in the first node 111 may be further configured to transmit or send information to e.g., any of the one or more second nodes 112, the third node 113, the fourth node 114, the radio network node 140, the one or more devices 130, another node or device and/or another structure in the communications system 100, through a sending port 809, which may be in communication with the processor 806, and the memory 807.
  • any of the units 801-805 described above may refer to a combination of analog and digital circuits, and/or one or more processors configured with software and/or firmware, e.g., stored in memory, that, when executed by the one or more processors such as the processor 806, perform as described above.
  • processors as well as the other digital hardware, may be included in a single Application-Specific Integrated Circuit (ASIC), or several processors and various digital hardware may be distributed among several separate components, whether individually packaged or assembled into a System-on-a-Chip (SoC).
  • any of the units 801-805 described above may be the processor 806 of the first node 111, or an application running on such processor.
  • the methods according to the embodiments described herein for the first node 111 may be respectively implemented by means of a computer program 810 product, comprising instructions, i.e., software code portions, which, when executed on at least one processor 806, cause the at least one processor 806 to carry out the actions described herein, as performed by the first node 111.
  • the computer program 810 product may be stored on a computer-readable storage medium 811.
  • the computer-readable storage medium 811 having stored thereon the computer program 810, may comprise instructions which, when executed on at least one processor 806, cause the at least one processor 806 to carry out the actions described herein, as performed by the first node 111.
  • the computer-readable storage medium 811 may be a non-transitory computer-readable storage medium, such as a CD ROM disc, a memory stick, or stored in the cloud space.
  • the computer program 810 product may be stored on a carrier containing the computer program, wherein the carrier is one of an electronic signal, optical signal, radio signal, or the computer-readable storage medium 811, as described above.
  • the first node 111 may comprise an interface unit to facilitate communications between the first node 111 and other nodes or devices, e.g., any of the one or more second nodes 112, the third node 113, the fourth node 114, the radio network node 140, the one or more devices 130, another node or device and/or another structure in the communications system 100.
  • the interface may, for example, include a transceiver configured to transmit and receive radio signals over an air interface in accordance with a suitable standard.
  • the first node 111 may comprise the following arrangement depicted in Figure 8b.
  • the first node 111 may comprise a processing circuitry 806, e.g., one or more processors such as the processor 806, in the first node 111 and the memory 807.
  • the first node 111 may also comprise a radio circuitry 812, which may comprise e.g., the receiving port 808 and the sending port 809.
  • the processing circuitry 806 may be configured to, or operable to, perform the method actions according to Figure 3, Figure 6 and/or Figure 7, in a similar manner as that described in relation to Figure 8a.
  • the radio circuitry 812 may be configured to set up and maintain at least a wireless connection with any of the one or more second nodes 112, the third node 113, the fourth node 114, the radio network node 140, the one or more devices 130, another node or device and/or another structure in the communications system 100.
  • embodiments herein also relate to the first node 111 operative for handling access to content, the first node 111 being operative to operate in the communications system 100.
  • the first node 111 may comprise the processing circuitry 806 and the memory 807, said memory 807 containing instructions executable by said processing circuitry 806, whereby the first node 111 is further operative to perform the actions described herein in relation to the first node 111, e.g., in Figure 3, Figure 6 and/or Figure 7.
  • Figure 9 depicts two different examples in panels a) and b), respectively, of the arrangement that the third node 113 may comprise to perform the method actions described above in relation to Figure 4, Figure 6 and/or Figure 7.
  • the third node 113 may comprise the following arrangement depicted in Figure 9a.
  • the third node 113 may be understood to be for handling access to content.
  • the third node 113 is configured to operate in the communications system 100.
  • the first node 111 may be configured to be an NWDAF.
  • the first second node 121 may be configured to be a UDR.
  • the second second node 122 may be configured to be an ICAP server.
  • the third second node 123 may be configured to be a UPF.
  • the fourth second node 124 may be configured to be a NEF.
  • the fifth second node 125 may be configured to be an AS/AF.
  • the third node 113 may be configured to be a consumer, e.g., a PCF.
  • the fourth node 114 may be configured to be an SMF.
  • the one or more second nodes 112 may further comprise the one or more devices 130, e.g., UEs.
  • the third node 113 is configured to, e.g., by means of a receiving unit 901 within the third node 113 configured to, receive the another message from the first node 111 configured to operate in the communications system 100.
  • the another message is configured to comprise the analytic information configured to be generated by the first node 111, about the one or more devices 130 configured to operate in the communications system 100 having exchanged traffic with the one or more applications that are to be configured to be subject to content filtering.
  • the third node 113 is also configured to, e.g., by means of an initiating unit 902 within the third node 113 configured to, initiate performing, based on the another message configured to be received, the one or more actions to apply content filtering to the one or more applications for the one or more devices 130.
  • the third node 113 may be configured to, e.g., by means of a sending unit 903 within the third node 113 configured to, send the first message to the first node 111.
  • the first message may be configured to request that the first node 111 provide the analytic information.
  • the analytic information configured to be generated may be configured to be based on the first message configured to be received.
  • At least one of the first message and the another message may be configured to indicate at least one of the one or more options: a) the first identifier of the analytic information, b) the first indication configured to be indicating the type of the analytic, c) the respective second identifier of the one or more applications, d) the respective third identifier of the one or more devices 130, e) the first information configured to indicate how the content is to be filtered, f) the second indication configured to indicate the time period for which the analytic information is to apply, g) the third indication configured to indicate the confidence level the analytic information is to have, and h) the fourth indication of traffic subject to the content filtering.
  • the another message may be configured to indicate how the content is to be filtered. How the content is to be filtered may be configured to indicate at least one action to apply to the traffic of the content.
  • the another message may be configured to indicate: a) the first identifier of the analytic information, b) the first indication configured to indicate the type of the analytic, and c) for every device of the one or more devices 130 having exchanged unfiltered traffic for the indicated type of analytic with the one or more applications that are to be configured to be subject to content filtering: i) the respective third identifier, ii) the fourth indication, and iii) the third indication configured to indicate the confidence level that the device has exchanged unfiltered traffic for the indicated type of analytic with the one or more applications that are to be configured to be subject to content filtering.
  • the first message may be configured to be a Nnwdaf_AnalyticsSubscription_Subscribe request message and the another message may be configured to be a Nnwdaf_AnalyticsSubscription_Notify request message.
  • the one or more actions may be configured to comprise sending, directly or indirectly, the fourth message to at least one of: a) the one or more second nodes 112 configured to operate in the communications system 100, the fourth message being configured to indicate to store subscriber information configured to indicate the exchange of traffic, and b) the fourth node 114 or the one or more second nodes 112 configured to operate in the communications system 100, the fourth message being configured to indicate to block further traffic with one or more of the one or more applications.
  • the embodiments herein may be implemented through one or more processors, such as a processor 904 in the third node 113 depicted in Figure 9, together with computer program code for performing the functions and actions of the embodiments herein.
  • the program code mentioned above may also be provided as a computer program product, for instance in the form of a data carrier carrying computer program code for performing the embodiments herein when being loaded into the third node 113.
  • One such carrier may be in the form of a CD ROM disc. It is however feasible with other data carriers such as a memory stick.
  • the computer program code may furthermore be provided as pure program code on a server and downloaded to the third node 113.
  • the third node 113 may further comprise a memory 905 comprising one or more memory units.
  • the memory 905 is arranged to be used to store obtained information, store data, configurations, schedulings, and applications etc. to perform the methods herein when being executed in the third node 113.
  • the third node 113 may receive information from, e.g., the first node 111, any of the one or more second nodes 112, the fourth node 114, the radio network node 140, the one or more devices 130, and/or another node or device, through a receiving port 906.
  • the receiving port 906 may be, for example, connected to one or more antennas in the third node 113.
  • the third node 113 may receive information from another structure in the communications system 100 through the receiving port 906. Since the receiving port 906 may be in communication with the processor 904, the receiving port 906 may then send the received information to the processor 904.
  • the receiving port 906 may also be configured to receive other information.
  • the processor 904 in the third node 113 may be further configured to transmit or send information to e.g., the first node 111, any of the one or more second nodes 112, the fourth node 114, the radio network node 140, the one or more devices 130, and/or another node or device and/or another structure in the communications system 100, through a sending port 907, which may be in communication with the processor 904, and the memory 905.
  • any of the units 901-903 described above may refer to a combination of analog and digital circuits, and/or one or more processors configured with software and/or firmware, e.g., stored in memory, that, when executed by the one or more processors such as the processor 904, perform as described above.
  • processors as well as the other digital hardware, may be included in a single Application-Specific Integrated Circuit (ASIC), or several processors and various digital hardware may be distributed among several separate components, whether individually packaged or assembled into a System-on-a-Chip (SoC).
  • any of the units 901-903 described above may be the processor 904 of the third node 113, or an application running on such processor.
  • the methods according to the embodiments described herein for the third node 113 may be respectively implemented by means of a computer program 908 product, comprising instructions, i.e., software code portions, which, when executed on at least one processor 904, cause the at least one processor 904 to carry out the actions described herein, as performed by the third node 113.
  • the computer program 908 product may be stored on a computer-readable storage medium 909.
  • the computer-readable storage medium 909, having stored thereon the computer program 908, may comprise instructions which, when executed on at least one processor 904, cause the at least one processor 904 to carry out the actions described herein, as performed by the third node 113.
  • the computer-readable storage medium 909 may be a non-transitory computer-readable storage medium, such as a CD ROM disc, a memory stick, or stored in the cloud space.
  • the computer program 908 product may be stored on a carrier containing the computer program, wherein the carrier is one of an electronic signal, optical signal, radio signal, or the computer-readable storage medium 909, as described above.
  • the third node 113 may comprise the following arrangement depicted in Figure 9b.
  • the third node 113 may comprise a processing circuitry 904, e.g., one or more processors such as the processor 904, in the third node 113 and the memory 905.
  • the third node 113 may also comprise a radio circuitry 910, which may comprise e.g., the receiving port 906 and the sending port 907.
  • the processing circuitry 904 may be configured to, or operable to, perform the method actions according to Figure 4, Figure 6 and/or Figure 7, in a similar manner as that described in relation to Figure 9a.
  • the radio circuitry 910 may be configured to set up and maintain at least a wireless connection with the first node 111, any of the one or more second nodes 112, the fourth node 114, the radio network node 140, the one or more devices 130, another node or device and/or another structure in the communications system 100.
  • embodiments herein also relate to the third node 113 operative for handling access to content, the third node 113 being operative to operate in the communications system 100.
  • the third node 113 may comprise the processing circuitry 904 and the memory 905, said memory 905 containing instructions executable by said processing circuitry 904, whereby the third node 113 is further operative to perform the actions described herein in relation to the third node 113, e.g., in Figure 4, Figure 6 and/or Figure 7.
  • Figure 10 depicts two different examples in panels a) and b), respectively, of the arrangement that the second node 112 may comprise to perform the method actions described above in relation to Figure 5, Figure 6 and/or Figure 7.
  • the second node 112 may comprise the following arrangement depicted in Figure 10a.
  • the second node 112 may be understood to be for handling access to content.
  • the second node 112 is configured to operate in the communications system 100.
  • the first node 111 may be configured to be an NWDAF.
  • the first second node 121 may be configured to be a UDR.
  • the second second node 122 may be configured to be an ICAP server.
  • the third second node 123 may be configured to be a UPF.
  • the fourth second node 124 may be configured to be a NEF.
  • the fifth second node 125 may be configured to be an AS/AF.
  • the third node 113 may be configured to be a consumer, e.g., a PCF.
  • the fourth node 114 may be configured to be an SMF.
  • the one or more second nodes 112 may further comprise the one or more devices 130, e.g., UEs.
  • the second node 112 is configured to, e.g., by means of a sending unit 1001 within the second node 112 configured to, send, to the first node 111 configured to operate in the communications system 100, the respective message.
  • the respective message is configured to comprise the respective type of information.
  • the respective type of information is configured to indicate that the one or more devices 130 configured to operate in the communications system 100 have exchanged traffic with the one or more applications that are to be configured to be subject to content filtering.
  • the second node 112 may be further configured to, e.g., by means of a receiving unit 1002 within the second node 112 configured to, receive the respective second message from the first node 111.
  • the respective second message may be further configured to request the provision of the respective message.
  • the respective message may be configured to be the respective third message.
  • the sending of the respective third message may be configured to be based on the respective second message configured to be received.
  • the second node 112 may be configured to be the first second node 121, and at least one of: i) the respective second message may be configured to request to indicate, and ii) the respective third message may be configured to indicate at least one of: a) whether or not the one or more subscribers associated to the one or more devices 130 are subject to content filtering, and b) the historical exchange of traffic of the one or more devices 130 with the one or more applications.
  • the first second node 121 may be configured to be a UDR.
  • the first node 111 may be configured to be an NWDAF.
  • the respective second message may be configured to be a Nudr_Query Request message.
  • the second node 112 may be configured to be the second second node 122, and at least one of: i) the respective second message may be configured to request to indicate, and ii) the respective third message may be configured to indicate at least one of: a) the one or more second applications providing traffic of content corresponding to the one or more types of content, and b) the fifth indication configured to indicate the one or more types of content.
  • the second second node 122 may be configured to be an ICAP server, or another node, the first node 111 may be configured to be an NWDAF, and the respective second message may be configured to be a Query request message.
  • the second node 112 may be configured to be the third second node 123, and at least one of: i) the respective second message may be configured to request to indicate, and ii) the respective third message may be configured to indicate at least one of: a) the fourth identifier of the event configured to indicate collection of the analytic information, b) the respective third identifier of the one or more devices 130, and c) the second information of user plane traffic analysis and classification or mirrored traffic data.
  • the third second node 123 may be configured to be a UPF.
  • the first node 111 may be configured to be an NWDAF.
  • the respective second message may be configured to be a Nupf_EventExposure_Subscribe request.
  • the respective third message may be configured to be a Nupf_EventExposure_Notify.
  • the second node 112 may be configured to be the fourth second node 124, or the fifth second node 125, and at least one of: i) the respective second message may be configured to request to indicate, and ii) the respective third message may be configured to indicate at least one of: a) the fifth identifier of the event configured to indicate collection of the analytic information, b) the sixth indication configured to indicate the type of the event, c) the respective second identifier of the one or more applications, d) the respective third identifier of the one or more devices 130, and e) the third information of application layer content.
  • the fourth second node 124 may be configured to be a NEF.
  • the first node 111 may be configured to be an NWDAF.
  • the respective second message may be configured to be a Nnef_EventExposure_Subscribe.
  • the respective third message may be configured to be a Nnef_EventExposure_Notify request.
  • the second node 112 may be configured to be at least one of the one or more devices 130, and at least one of: i) the respective second message may be configured to request to indicate, and ii) the respective third message may be configured to indicate at least one of: a) the sixth identifier configured to indicate the type of the event, b) the respective third identifier of the one or more devices 130, and c) the respective seventh identifier of the one or more of the one or more applications configured to be installed in the at least one of the one or more devices 130.
  • the at least one of the one or more devices 130 may be configured to be a UE, the first node 111 may be configured to be an NWDAF, the respective second message may be configured to be a Nue_EventExposure_Subscribe request and the respective third message may be configured to be a Nue_EventExposure_Notify.
  • the second node 112 may be further configured to, e.g., by means of the receiving unit 1002 within the second node 112 configured to, receive, directly or indirectly, the fourth message from the third node 113 configured to operate in the communications network 100.
  • the fourth message may be configured to indicate to perform the one or more actions.
  • the one or more actions may be configured to comprise one of: to store subscriber information indicating the exchange of traffic, and to block further traffic with the one or more of the one or more applications.
  • the second node 112 is configured to, e.g., by means of an initiating unit 1003 within the second node 112 configured to, initiate performing the one or more actions configured to be indicated.
  • the embodiments herein may be implemented through one or more processors, such as a processor 1004 in the second node 112 depicted in Figure 10, together with computer program code for performing the functions and actions of the embodiments herein.
  • the program code mentioned above may also be provided as a computer program product, for instance in the form of a data carrier carrying computer program code for performing the embodiments herein when being loaded into the second node 112.
  • One such carrier may be in the form of a CD ROM disc. It is however feasible with other data carriers such as a memory stick.
  • the computer program code may furthermore be provided as pure program code on a server and downloaded to the second node 112.
  • the second node 112 may further comprise a memory 1005 comprising one or more memory units.
  • the memory 1005 is arranged to be used to store obtained information, store data, configurations, schedulings, and applications etc. to perform the methods herein when being executed in the second node 112.
  • the second node 112 may receive information from, e.g., the first node 111, any of the other one or more second nodes 112, the third node 113, the fourth node 114, the radio network node 140, the one or more devices 130, and/or another node or device, through a receiving port 1006.
  • the receiving port 1006 may be, for example, connected to one or more antennas in the second node 112.
  • the second node 112 may receive information from another structure in the communications system 100 through the receiving port 1006. Since the receiving port 1006 may be in communication with the processor 1004, the receiving port 1006 may then send the received information to the processor 1004.
  • the receiving port 1006 may also be configured to receive other information.
  • the processor 1004 in the second node 112 may be further configured to transmit or send information to e.g., the first node 111, any of the other one or more second nodes 112, the third node 113, the fourth node 114, the radio network node 140, the one or more devices 130, another node or device and/or another structure in the communications system 100, through a sending port 1007, which may be in communication with the processor 1004, and the memory 1005.
  • the units 1001-1003 described above may refer to a combination of analog and digital circuits, and/or one or more processors configured with software and/or firmware, e.g., stored in memory, that, when executed by the one or more processors such as the processor 1004, perform as described above.
  • processors as well as the other digital hardware, may be included in a single Application-Specific Integrated Circuit (ASIC), or several processors and various digital hardware may be distributed among several separate components, whether individually packaged or assembled into a System-on-a-Chip (SoC).
  • the units 1001-1003 described above may be the processor 1004 of the second node 112, or an application running on such processor.
  • the methods according to the embodiments described herein for the second node 112 may be respectively implemented by means of a computer program 1008 product, comprising instructions, i.e., software code portions, which, when executed on at least one processor 1004, cause the at least one processor 1004 to carry out the actions described herein, as performed by the second node 112.
  • the computer program 1008 product may be stored on a computer-readable storage medium 1009.
  • the computer-readable storage medium 1009, having stored thereon the computer program 1008, may comprise instructions which, when executed on at least one processor 1004, cause the at least one processor 1004 to carry out the actions described herein, as performed by the second node 112.
  • the computer-readable storage medium 1009 may be a non-transitory computer-readable storage medium, such as a CD ROM disc, a memory stick, or stored in the cloud space.
  • the computer program 1008 product may be stored on a carrier containing the computer program, wherein the carrier is one of an electronic signal, optical signal, radio signal, or the computer-readable storage medium 1009, as described above.
  • the second node 112 may comprise an interface unit to facilitate communications between the second node 112 and other nodes or devices, e.g., the first node 111, any of the other one or more second nodes 112, the third node 113, the fourth node 114, the radio network node 140, the one or more devices 130, another node or device and/or another structure in the communications system 100.
  • the interface may, for example, include a transceiver configured to transmit and receive radio signals over an air interface in accordance with a suitable standard.
  • the second node 112 may comprise the following arrangement depicted in Figure 10b.
  • the second node 112 may comprise a processing circuitry 1004, e.g., one or more processors such as the processor 1004, in the second node 112 and the memory 1005.
  • the second node 112 may also comprise a radio circuitry 1010, which may comprise e.g., the receiving port 1006 and the sending port 1007.
  • the processing circuitry 1004 may be configured to, or operable to, perform the method actions according to Figure 5, Figure 6 and/or Figure 7, in a similar manner as that described in relation to Figure 10a.
  • the radio circuitry 1010 may be configured to set up and maintain at least a wireless connection with the first node 111, any of the other one or more second nodes 112, the third node 113, the fourth node 114, the radio network node 140, the one or more devices 130, another node or device and/or another structure in the communications system 100.
  • embodiments herein also relate to the second node 112 operative for handling access to content, the second node 112 being operative to operate in the communications system 100.
  • the second node 112 may comprise the processing circuitry 1004 and the memory 1005, said memory 1005 containing instructions executable by said processing circuitry 1004, whereby the second node 112 is further operative to perform the actions described herein in relation to the second node 112, e.g., in Figure 5, Figure 6 and/or Figure 7.
  • the word "comprise" or "comprising" shall be interpreted as non-limiting, i.e., meaning "consist at least of".
  • the expression “at least one of:” followed by a list of alternatives separated by commas, and wherein the last alternative is preceded by the “and” term, may be understood to mean that only one of the list of alternatives may apply, more than one of the list of alternatives may apply or all of the list of alternatives may apply.
  • This expression may be understood to be equivalent to the expression “at least one of:” followed by a list of alternatives separated by commas, and wherein the last alternative is preceded by the “or” term.
  • processor and circuitry may be understood herein as a hardware component.
  • 3GPP TS 23.288 v17.2.0 (Sept 2021): Architecture enhancements for 5G System (5GS) to support network data analytics services.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

A computer-implemented method, performed by a first node (111), for handling access to content. First node (111) operates in a communications system (100). The first node (111) obtains (303), from one or more second nodes (112) operating in the communications system (100), a respective message. The respective message comprises a respective type of information. The respective type of information indicates that one or more devices (130) operating in the communications system (100) have exchanged traffic with one or more applications that are to be subject to content filtering. The first node (111) also initiates (305) sending another message to a third node (113) operating in the communications system (100). The another message is based on the received respective message. The another message comprises analytic information generated by the first node (111), about the one or more devices (130) having exchanged traffic with the one or more applications.

Description

FIRST NODE, SECOND NODE, THIRD NODE AND METHODS PERFORMED THEREBY FOR HANDLING ACCESS TO CONTENT
TECHNICAL FIELD
The present disclosure relates generally to a first node and methods performed thereby for handling access to content. The present disclosure also relates generally to a second node, and methods performed thereby for handling access to content. The present disclosure also relates generally to a third node, and methods performed thereby for handling access to content.
BACKGROUND
Computer systems in a communications network may comprise one or more nodes. A node may comprise one or more processors which, together with computer program code may perform different functions and actions, a memory, a receiving port and a sending port. A node may be, for example, a server. Nodes may perform their functions entirely on the cloud.
The standardization organization 3GPP is currently in the process of specifying a New Radio Interface called Next Generation Radio/New Radio (NR) or 5G-UTRA, as well as a Fifth Generation (5G) Packet Core Network, which may be referred to as 5G Core Network, abbreviated as 5GC.
A 3GPP system comprising a 5G Access Network (AN), a 5G Core Network and a User Equipment (UE) may be referred to as a 5G system.
Figure 1 is a schematic diagram depicting a particular example of a 5G architecture of policy and charging control framework, which may be used as a reference for the present disclosure.
An Application Function (AF) 1 may interact with the 3GPP Core Network, and specifically in the context of this document, may allow external parties to use Exposure Application Programming Interfaces (APIs) that may be offered by the network operator.
A Network Exposure Function (NEF) 2 may support different functionality and, specifically in the context of this document, the NEF 2 may support different Exposure APIs.
A Network Data Analytics Function (NWDAF) 3 may be understood to represent an operator managed network analytics logical function. The NWDAF 3 may be part of the 5GC architecture and may use the mechanisms and interfaces specified for 5GC and Operation Administration and Maintenance (OAM).
The NWDAF 3 may interact with different entities for different purposes. A first purpose may be data collection based on event subscription, provided by Access and Mobility Function (AMF) 4, Session Management Function (SMF) 5, Policy Control Function (PCF) 6, Unified Data Management (UDM), AF 1, directly or via NEF 2, and OAM. A second purpose may be retrieval of information from data repositories, e.g., Unified Data Repository (UDR) 7 via UDM for subscriber-related information. A third purpose may be retrieval of information about Network Functions (NFs), e.g., Network Repository Function (NRF) for Network Function (NF)-related information, and Network Slice Selection Function (NSSF) for slice-related information. A fourth purpose may be on demand provision of analytics to consumers.
The UDR 7 may store data grouped into distinct collections of subscription-related information, such as subscription data, policy data, structured data for exposure, and application data.
The PCF 6 may support a unified policy framework to govern the network behavior. Specifically, the PCF may provide Policy and Charging Control (PCC) rules to the Policy and Charging Enforcement Function (PCEF), that is, the SMF 5/User Plane function (UPF) 8 that may enforce policy and charging decisions according to provisioned PCC rules.
The SMF 5 may support different functionalities, e.g., the SMF 5 may receive PCC rules from the PCF 6 and may configure the UPF 8 accordingly.
The UPF 8 may support handling of User Plane (UP) traffic based on the rules received from the SMF 5, e.g., packet inspection and different enforcement actions such as Quality of Service (QoS) handling.
Figure 1 further depicts a Charging Function (CHF) 9. Each of the UDR 7, the NEF 2, the NWDAF 3, the AF 1, the PCF 6, the CHF 9, the AMF 4 and the SMF 5 may have an interface through which they may be accessed, which as depicted in the Figure, may be, respectively: Nudr 10, Nnef 11, Nnwdaf 12, Naf 13, Npcf 14, Nchf 15, Namf 16 and Nsmf 17. The UPF 8 may have an interface N4 18 with the SMF 5.
The communications network may cover a geographical area which may be divided into cell areas, each cell area being served by another type of node, a network node in the Radio Access Network (RAN), radio network node or Transmission Point (TP), for example, an access node such as a Base Station (BS), e.g. a Radio Base Station (RBS), which sometimes may be referred to as e.g., evolved Node B (“eNB”), “eNodeB”, “NodeB”, “B node”, or Base Transceiver Station (BTS), depending on the technology and terminology used. The base stations may be of different classes such as e.g., Wide Area Base Stations, Medium Range Base Stations, Local Area Base Stations and Home Base Stations, based on transmission power and thereby also cell size. A cell is the geographical area where radio coverage is provided by the base station at a base station site. One base station, situated on the base station site, may serve one or several cells. Further, each base station may support one or several communication technologies. The telecommunications network may also comprise network nodes which may serve receiving nodes, such as user equipments, with serving beams.
Machine Learning (ML)
Machine learning (ML) may be understood as the study of computer algorithms that may improve automatically through experience. It is seen as a part of artificial intelligence. Machine learning algorithms may build a model based on sample data, known as "training data", in order to make predictions or decisions without being explicitly programmed to do so. Machine learning algorithms may be used in a wide variety of applications, such as email filtering and computer vision, where it may be difficult or unfeasible to develop conventional algorithms to perform the needed tasks.
There may be basically 3 types of Machine Learning Algorithms: Supervised Learning, Unsupervised Learning, and Reinforcement Learning.
Supervised Learning algorithms may comprise a target / outcome variable, or dependent variable, which may have to be predicted from a given set of predictors, that is, independent variable. Using this set of variables, a function may be generated that may map inputs to desired outputs. The training process may continue until the model may achieve a desired level of accuracy on the training data. Examples of Supervised Learning may be Regression, Decision Tree, Random Forest, KNN, Logistic Regression etc.
In Unsupervised Learning algorithms, there may be no target or outcome variable to predict / estimate. It may be used for clustering a population into different groups, which may be widely used for segmenting customers in different groups for specific intervention. Examples of Unsupervised Learning may be K-means, mean-shift clustering, Density-Based Spatial Clustering of Applications with Noise (DBSCAN), Expectation-Maximization (EM) Clustering using Gaussian Mixture Models (GMM), and Agglomerative Hierarchical Clustering.
Cluster analysis or clustering may be understood as an ML technique which may comprise grouping a set of objects in such a way that objects in the same group, which may be called a cluster, may be understood to be more similar, in some sense, to each other than to those in other groups, that is, other clusters. It may be understood as a main task of exploratory data mining, and a common technique for statistical data analysis, used in many fields, including pattern recognition, image analysis, information retrieval, bioinformatics, data compression, computer graphics and machine learning.
Using the Reinforcement Learning algorithm, a machine may be trained to make specific decisions. It may be understood to work as follows: the machine may be exposed to an environment where it may train itself continually using trial and error. This machine may learn from past experience and may try to capture the best possible knowledge to make accurate business decisions. An example of Reinforcement Learning may be a Markov Decision Process.
Traffic encryption and network management
Traffic encryption is growing significantly in mobile networks and at the same time, the encryption mechanisms are growing in complexity. In particular, most applications today may not be based on Hypertext Transport Protocol (HTTP) cleartext, but instead they may be based on Hypertext Transport Protocol Secure (HTTPS) using Transport Layer Security (TLS). Additionally, a significant part of the traffic may be based on Quick User Datagram Protocol Internet Connection (QUIC) transport, which may be understood to have an encryption level higher than TLS. In the future, it is foreseen that most applications will be based on QUIC transport.
TLS Server Name Indication
The TLS protocol specifies an extension known as Server Name Indication (SNI). It may be common for content servers to host multiple origins behind a single Internet Protocol (IP)-address. In order to route application flows to the correct server without having to decrypt the entire flow, the Server Name Indication (SNI) extension was introduced. The SNI extension may be sent by the client in the Client Hello message and may contain a clear text string of the domain name of the server that the client may be attempting to connect to. Since the SNI field may be sent in clear text, it may be commonly used by on-path network elements in order to classify flows.
TLS 1.3 and QUIC Server Name Indication encryption
At the Internet Engineering Task Force (IETF), for TLS 1.3, it is proposed to encrypt the SNI extension. There are several IETF drafts on this, specifically draft-ietf-tls-esni-05, which has been adopted by the TLS working group.
QUIC may be understood to be a User Datagram Protocol (UDP)-based, stream-multiplexing, encrypted transport protocol. QUIC may be basically understood as a UDP based replacement for Transmission Control Protocol (TCP). QUIC is now under standardization at the IETF and may rely on TLS 1.3. Therefore, QUIC based applications may also have the SNI extension encrypted.
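The flow classification described in the two sections above, as an added example that is not part of the patent text: a parser that reads the clear text SNI from a Client Hello the way an on-path element would, and that reports the flow as unclassifiable once the name travels in the encrypted_server_name extension of the draft-ietf-tls-esni drafts. The Client Hello bytes, domain names, filter list and function names are constructed for illustration, and the parser assumes the whole Client Hello arrives in a single TLS record.

```python
SNI_EXT = 0x0000   # server_name extension
ESNI_EXT = 0xFFCE  # encrypted_server_name codepoint used by the draft-ietf-tls-esni drafts


def _vec(data, len_bytes):
    """Encode a TLS length-prefixed vector."""
    return len(data).to_bytes(len_bytes, "big") + data


def sni_extension(host):
    """Constructed helper: server_name extension carrying one host_name entry."""
    name = host.encode("ascii")
    return SNI_EXT, _vec(b"\x00" + _vec(name, 2), 2)  # name_type 0 = host_name


def build_client_hello(extensions):
    """Constructed sample input: a minimal Client Hello in one TLS record."""
    exts = b"".join(t.to_bytes(2, "big") + _vec(d, 2) for t, d in extensions)
    body = (
        b"\x03\x03" + bytes(32)     # legacy_version, random (all zeros: constructed)
        + _vec(b"", 1)              # empty session_id
        + _vec(b"\x13\x01", 2)      # one cipher suite
        + _vec(b"\x00", 1)          # null compression
        + _vec(exts, 2)
    )
    handshake = b"\x01" + _vec(body, 3)           # msg_type 1 = client_hello
    return b"\x16\x03\x01" + _vec(handshake, 2)   # content type 22 = handshake


class Reader:
    """Bounds-checked cursor; raises ValueError instead of reading past the end."""

    def __init__(self, data):
        self.data, self.pos = data, 0

    def take(self, n):
        if self.pos + n > len(self.data):
            raise ValueError("truncated")
        chunk = self.data[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def vec(self, len_bytes):
        return self.take(int.from_bytes(self.take(len_bytes), "big"))

    def remaining(self):
        return len(self.data) - self.pos


def parse_client_hello(record):
    """Return {'sni': str or None, 'extensions': [types]}; ValueError if not a Client Hello."""
    rec = Reader(record)
    if rec.take(1) != b"\x16":
        raise ValueError("not a TLS handshake record")
    rec.take(2)                         # record-layer version
    hs = Reader(rec.vec(2))
    if hs.take(1) != b"\x01":
        raise ValueError("not a Client Hello")
    body = Reader(hs.vec(3))
    body.take(2 + 32)                   # legacy_version + random
    body.vec(1)                         # session_id
    body.vec(2)                         # cipher_suites
    body.vec(1)                         # compression_methods
    result = {"sni": None, "extensions": []}
    if body.remaining() == 0:           # the extensions block is optional
        return result
    exts = Reader(body.vec(2))
    while exts.remaining():
        ext_type = int.from_bytes(exts.take(2), "big")
        ext_data = exts.vec(2)
        result["extensions"].append(ext_type)
        if ext_type == SNI_EXT:
            names = Reader(Reader(ext_data).vec(2))
            while names.remaining():
                name_type, name = names.take(1), names.vec(2)
                if name_type == b"\x00" and result["sni"] is None:
                    result["sni"] = name.decode("ascii", "replace").lower()
    return result


def classify(record, filtered_domains):
    """Decide using only what an on-path element can see in the Client Hello."""
    try:
        hello = parse_client_hello(record)
    except ValueError:
        return "not-client-hello"
    if hello["sni"] is None:
        # Nothing to match against: the case in which SNI-based filtering stops working.
        return "unclassifiable-esni" if ESNI_EXT in hello["extensions"] else "unclassifiable"
    labels = hello["sni"].split(".")
    for i in range(len(labels)):        # match the name itself or any parent domain
        if ".".join(labels[i:]) in filtered_domains:
            return "filter"
    return "allow"
```
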
Domain Name Service (DNS) encryption
DNS may be considered as one of the fundamental building blocks of the Internet. DNS may be understood to be used any time a website is visited, an email is sent, an Instant Messaging (IM) conversation is maintained, or any other task is performed online. When a user opens an application, DNS protocol may be used to retrieve the server Internet Protocol (IP) address/es for the target application domain. DNS protocol today may be usually unencrypted, that is, it may be used as DNS over UDP/TCP, but there may be different IETF drafts proposing DNS encryption to prevent middle boxes from detecting DNS traffic. There are different proposals at IETF such as DNS Security Extensions (DNSSEC), DNS over HTTP/2 (DOH), DNSCrypt, Quad9, etc. It is foreseen that in the 5G timeframe, the 2020-2030 decade, most DNS traffic will be encrypted.
Internet usage and security in a communications network
Internet usage creates security risks in communications networks. Internet communications may be subject to cyber attackers targeting an application or a website, or trying to acquire online credentials of users, such as banking passwords and personal details. As a result, internet users may divulge confidential information unknowingly and expose their devices, networks and accounts to malware, spyware or phishing attacks. Consequently, they may lose data, privacy and account access, which may result in an impaired performance of the communications service.
SUMMARY
As part of the development of embodiments herein, one or more challenges with the existing technology will first be identified and discussed.
In order to manage security risks involved in internet usage, network operators today may apply different traffic management actions. One of them may be content filtering, which may allow to manage risk by blocking traffic to sites that may be known to expose users to security risks. However, it is currently not possible to apply content filtering for HTTP based applications when traffic may be encrypted, specifically when both the DNS and TLS/QUIC SNI are encrypted. This may be understood to apply both to HTTPS, HTTP/HTTP2 over TLS, and to QUIC based applications, such as HTTP3 over QUIC.
Since most applications today may be understood to be encrypted, e.g., HTTPS/TLS or QUIC, for those, content filtering is not possible. In addition, DNS traffic may be encrypted, e.g. DoH. Therefore, it may be understood to not even be possible to support content filtering based on DNS inspection at the UPF.
Furthermore, today, there is no automatic procedure to apply content filtering when traffic is encrypted.
It is an object of embodiments herein to improve the handling of security in a communications network.
According to a first aspect of embodiments herein, the object is achieved by a method, performed by a first node. The method is for access to content. The first node operates in a communications system. The first node obtains, from one or more second nodes operating in the communications system, a respective message. The respective message comprises a respective type of information. The respective type of information indicates that one or more devices operating in the communications system have exchanged traffic with one or more applications that are to be subject to content filtering. The first node then initiates sending another message to a third node operating in the communications system. The another message is based on the received respective message. The another message comprises analytic information generated by the first node. The analytic information is about the one or more devices having exchanged traffic with the one or more applications.
According to a second aspect of embodiments herein, the object is achieved by a method, performed by the third node. The method is for handling access to content. The third node operates in a communications system. The third node receives the another message from the first node operating in the communications system. The another message comprises the analytic information generated by the first node. The analytic information is about the one or more devices operating in the communications system having exchanged traffic with the one or more applications that are to be subject to content filtering. The third node also initiates performing, based on the received another message, one or more actions. The one or more actions are to apply content filtering to the one or more applications for the one or more devices.
According to a third aspect of embodiments herein, the object is achieved by a method, performed by a second node. The method is for handling access to content. The second node operates in a communications system. The second node sends, to the first node operating in the communications system, the respective message. The respective message comprises the respective type of information. The respective type of information indicates that the one or more devices operating in the communications system have exchanged traffic with the one or more applications that are to be subject to content filtering.
According to a fourth aspect of embodiments herein, the object is achieved by the first node, for handling access to content. The first node is configured to operate in the communications system. The first node is further configured to obtain, from the one or more second nodes configured to operate in the communications system, the respective message. The respective message is configured to comprise the respective type of information. The respective type of information is configured to indicate that the one or more devices configured to operate in the communications system have exchanged traffic with one or more applications that are to be configured to be subject to content filtering. The first node is also configured to initiate sending the another message to the third node configured to operate in the communications system. The another message is configured to be based on the respective message configured to be received. The another message is configured to comprise the analytic information configured to be generated by the first node, about the one or more devices having exchanged traffic with the one or more applications.
According to a fifth aspect of embodiments herein, the object is achieved by the third node, for handling access to content. The third node is configured to operate in the communications system. The third node is further configured to receive the another message from the first node configured to operate in the communications system. The another message is configured to comprise the analytic information configured to be generated by the first node, about the one or more devices configured to operate in the communications system having exchanged traffic with the one or more applications that are to be configured to be subject to content filtering. The third node is further configured to initiate performing, based on the another message configured to be received, the one or more actions to apply content filtering to the one or more applications for the one or more devices.
According to a sixth aspect of embodiments herein, the object is achieved by the second node, for handling access to content. The second node is configured to send, to the first node configured to operate in the communications system, the respective message. The respective message is configured to comprise the respective type of information. The respective type of information is configured to indicate that the one or more devices configured to operate in the communications system have exchanged traffic with one or more applications that are to be configured to be subject to content filtering.
One advantage of embodiments herein is that they may allow a network operator to detect, in an automated way and in real time, unsafe content, and to expose this information towards a consumer such as the third node, which may apply the corresponding actions, e.g., block traffic, redirect traffic, notify user, trigger FM alarm, etc.
By the second node sending, and by the first node then obtaining the respective second message(s), the first node may be enabled to generate the analytic information about whether or not the one or more devices may have exchanged traffic with the one or more applications, which are to be subject to content filtering. The first node may then be enabled to provide this analytic information to the third node by sending the another message.
By sending the another message, the first node may enable the third node to take remedial action, e.g., to enforce the content filtering if appropriate. The third node may, based on the analytic output, apply the corresponding actions. For example, the third node may block the PFDs corresponding to unsafe content for the one or more devices, and/or report that one or more devices may have tried to access unsafe content. The first node may therefore be enabled to provide a service to the third node, which may enable the third node to monitor traffic, and as one advantage, enable it to ensure the security of the wireless communications network may be preserved.
Another advantage of embodiments herein may be that they may allow the network operator to support content filtering for the user traffic in a simple and efficient way. A further advantage of embodiments herein may be understood to be that they may work even when the traffic may be encrypted, e.g., HTTPS (TLS) or QUIC based applications, for which existing content filtering mechanisms do not work. They may also work when the SNI field may be encrypted and when DNS traffic may be encrypted, e.g., DoH.
BRIEF DESCRIPTION OF THE DRAWINGS
Examples of embodiments herein are described in more detail with reference to the accompanying drawings, according to the following description.
Figure 1 is a schematic diagram illustrating a non-limiting example of a 5G Network Architecture.
Figure 2 is a schematic diagram illustrating a non-limiting example of a communications system, according to embodiments herein.
Figure 3 is a flowchart depicting embodiments of a method in a first node, according to embodiments herein.
Figure 4 is a flowchart depicting embodiments of a method in a third node, according to embodiments herein.
Figure 5 is a flowchart depicting embodiments of a method in a second node, according to embodiments herein.
Figure 6 is a schematic diagram depicting a first non-limiting example, over panels a-f, of signalling between nodes in a communications system, according to embodiments herein.
Figure 7 is a schematic diagram depicting another non-limiting example, over panels a-f, of signalling between nodes in a communications system, according to embodiments herein.
Figure 8 is a schematic block diagram illustrating two non-limiting examples, a) and b), of a first node, according to embodiments herein.
Figure 9 is a schematic block diagram illustrating two non-limiting examples, a) and b), of a third node, according to embodiments herein.
Figure 10 is a schematic block diagram illustrating two non-limiting examples, a) and b), of a second node, according to embodiments herein.
DETAILED DESCRIPTION
Certain aspects of the present disclosure and their embodiments address one or more of the issues with the existing methods discussed in the background section and provide solutions to the challenges discussed. Embodiments herein may be understood to relate in general to a mechanism which may allow a network operator to solve the above problems based on using Analytics to support content filtering policies. Further particularly, embodiments herein may be understood to be related to content filtering based on analytics in 5G networks.
As a summarized overview, embodiments herein may be understood to relate to a mechanism which may allow the network operator to automate the process for applying content filtering policies based on Analytics performed by a node, such as a NWDAF. The mechanism may be understood to allow to expose this information and to take the corresponding actions.
The embodiments will now be described more fully hereinafter with reference to the accompanying drawings, in which examples are shown. In this section, embodiments herein are illustrated by exemplary embodiments. It should be noted that these embodiments are not mutually exclusive. Components from one embodiment or example may be tacitly assumed to be present in another embodiment or example and it will be obvious to a person skilled in the art how those components may be used in the other exemplary embodiments. All possible combinations are not described to simplify the description.
Figure 2 depicts two non-limiting examples, in panels “a” and “b”, respectively, of a communications system 100, in which embodiments herein may be implemented. In some example implementations, such as that depicted in the non-limiting example of Figure 2a, the communications system 100 may be a computer network. In other example implementations, such as that depicted in the non-limiting example of Figure 2b, the communications system 100 may be implemented in a telecommunications network, sometimes also referred to as a cellular radio system, cellular network or wireless communications system. In some examples, the telecommunications network may comprise network nodes which may serve receiving nodes, such as wireless devices, with serving beams.
In some examples, the telecommunications network may for example be a network such as 5G system, or a newer system supporting similar functionality. The telecommunications system may also support other technologies, such as, for example, a Fourth Generation (4G) system, such as a Long-Term Evolution (LTE) network, e.g., LTE Frequency Division Duplex (FDD), LTE Time Division Duplex (TDD), LTE Half-Duplex Frequency Division Duplex (HD-FDD), LTE operating in an unlicensed band, Wideband Code Division Multiple Access (WCDMA), Universal Terrestrial Radio Access (UTRA) TDD, Global System for Mobile communications (GSM) network, GSM/Enhanced Data Rate for GSM Evolution (EDGE) Radio Access Network (GERAN) network, Ultra-Mobile Broadband (UMB), EDGE network, network comprising of any combination of Radio Access Technologies (RATs) such as e.g. Multi-Standard Radio (MSR) base stations, multi-RAT base stations etc., any 3rd Generation Partnership Project (3GPP) cellular network, Wireless Local Area Network/s (WLAN) or WiFi network/s, Worldwide Interoperability for Microwave Access (WiMax), IEEE 802.15.4-based low-power short-range networks such as IPv6 over Low-Power Wireless Personal Area Networks (6LowPAN), Zigbee, Z-Wave, Bluetooth Low Energy (BLE), or any cellular network or system. The telecommunications system may for example support a Low Power Wide Area Network (LPWAN). LPWAN technologies may comprise Long Range physical layer protocol (LoRa), Haystack, SigFox, LTE-M, and Narrow-Band IoT (NB-IoT).
Although terminology from Long Term Evolution (LTE)/5G has been used in this disclosure to exemplify the embodiments herein, this should not be seen as limiting the scope of the embodiments herein to only the aforementioned system. Other wireless systems supporting similar or equivalent functionality may also benefit from exploiting the ideas covered within this disclosure. In future telecommunication networks, e.g., in the sixth generation (6G), the terms used herein may need to be reinterpreted in view of possible terminology changes in future technologies.
The communications system 100 may comprise a plurality of nodes, whereof a first node 111, one or more second nodes 112, and a third node 113 are depicted in Figure 2. The plurality of nodes, in some embodiments may further comprise a fourth node 114, also depicted in Figure 2. The one or more second nodes 112 may comprise a first second node 121, a second second node 122, a third second node 123, a fourth second node 124 and a fifth second node 125. The plurality of nodes comprised in the communications system may further comprise additional nodes, such as a which are not depicted in Figure 2 in order to simplify the Figure.
Any of the first node 111, the one or more second nodes 112, e.g., the first second node 121, the second second node 122, the third second node 123, the fourth second node 124, and the fifth second node 125, the third node 113 and the fourth node 114 may be understood, respectively, as a first computer system, one or more second computer systems, e.g., a first second computer system, a second second computer system, a third second computer system, a fourth second computer system, and a fifth second computer system, a third computer system and a fourth computer system. In some examples, any of the first node 111, the one or more second nodes 112, e.g., the first second node 121, the second second node 122, the third second node 123, the fourth second node 124, and the fifth second node 125, the third node 113 and the fourth node 114 may be implemented as a standalone server in e.g., a host computer in the cloud 120. This is illustrated in the non-limiting example depicted on panel b) of Figure 2. Any of the first node 111, the one or more second nodes 112, e.g., the first second node 121, the second second node 122, the third second node 123, the fourth second node 124, and the fifth second node 125, the third node 113 and the fourth node 114 may in some examples be a distributed node or distributed server, with some of their respective functions being implemented locally, e.g., by a client manager, and some of its functions implemented in the cloud 120, by e.g., a server manager. Yet in other examples, any of the first node 111, the one or more second nodes 112, e.g., the first second node 121, the second second node 122, the third second node 123, the fourth second node 124, and the fifth second node 125, the third node 113 and the fourth node 114 may also be implemented as processing resources in a server farm.
In some embodiments, any of the first node 111, the one or more second nodes 112, e.g., the first second node 121, the second second node 122, the third second node 123, the fourth second node 124, and the fifth second node 125, the third node 113 and the fourth node 114 may be independent and separated nodes. In other embodiments, any of the first node 111, the one or more second nodes 112, e.g., the first second node 121, the second second node 122, the third second node 123, the fourth second node 124, and the fifth second node 125, the third node 113 and the fourth node 114, and the third node 113 may be co-located or be the same node. All the possible combinations are not depicted in Figure 2 to simplify the Figure.
In some examples of embodiments herein, the first node 111 may be understood as a node that may have a capability to aggregate data or analytics from other nodes, such as the one or more second nodes 112. The first node 111 may further have a capability to analyze the aggregated data or analytics. Non-limiting examples of the first node 111 wherein the communications system 100 may be a 5G network, may be a server NWDAF.
Any of the second nodes in the first group of second nodes 112 may be a node having a capability to collect data regarding the communications system 100 and provide it to the first node 111.
The first second node 121 may be a node having a capability to store data, e.g., grouped into distinct collections of subscription-related information, such as subscription data, policy data, structured data for exposure, and application data. The first second node 121 may further have a capability to supply the data to another node, such as e.g., the first node 111 or any of the other one or more second nodes 112. In some particular examples wherein the communications system 100 may be a 5G network, the first second node 121 may be a UDR.
The second second node 122 may be a server or database, which may have a capability to store a list of sites corresponding to content of a certain type, e.g., unsafe content. In particular examples, the certain type of content may be inappropriate content, e.g., adult, violence, gambling, etc. In some particular examples wherein the communications system 100 may be a 5G network, the second second node 122 may be an Internet Content Adaptation Protocol (ICAP) Server.
The third second node 123 may be a node which may support handling of user plane (UP) traffic based on rules, e.g., received from the fourth node 114, e.g., an SMF, such as packet inspection and different enforcement actions such as Quality of Service (QoS) handling. In some particular examples wherein the communications system 100 may be a 5G network, the third second node 123 may be a UPF.
The fourth second node 124 may be a node which may support different functionality e.g., different Exposure Application Programming Interfaces (APIs). The fourth second node 124 may enable the fifth second node 125 to connect to the other nodes in the communications system 100. In some particular examples wherein the communications system 100 may be a 5G network, the fourth second node 124 may be a NEF.
The fifth second node 125 may be a node having a capability to provide content to the one or more devices 130. The fifth second node 125 may interact with a core network of the communications system 100 and may allow external parties to use APIs that may be offered by a network operator of the communications system 100. In some particular examples wherein the communications system 100 may be a 5G network, the fifth second node 125 may be an Application Server/Application Function (AS/AF).
The third node 113 may be a node having a capability to consume services provided by an analytics function in the communications system 100. The third node 113 may provide rules, e.g., PCC rules, to the fourth node 114 and/or the third second node 123, which nodes may enforce policy and charging decisions according to provisioned rules. In some particular examples wherein the communications system 100 may be a 5G network, the fourth node 114 may be, for example, a PCF.
The fourth node 114 may be a node which may receive rules, e.g., PCC rules, from the third node 113 and may configure the third second node 123 accordingly.
Any of the one or more devices 130 may be also known as e.g., user equipment (UE), a wireless device, mobile terminal, wireless terminal and/or mobile station, mobile telephone, cellular telephone, or laptop with wireless capability, or a Customer Premises Equipment (CPE), just to mention some further examples. Any of the one or more devices 130 in the present context may be, for example, portable, pocket-storable, hand-held, computer-comprised, or a vehicle-mounted mobile device, enabled to communicate voice and/or data, via a RAN, with another entity, such as a server, a laptop, a Personal Digital Assistant (PDA), or a tablet computer, sometimes referred to as a tablet with wireless capability, or simply tablet, a sensor, a Machine-to-Machine (M2M) device, a device equipped with a wireless interface, such as a printer or a file storage device, modem, Laptop Embedded Equipped (LEE), Laptop Mounted Equipment (LME), USB dongles, CPE or any other radio network unit capable of communicating over a radio link in the communications system 100. Any of the one or more devices 130 may be wireless, i.e., it may be enabled to communicate wirelessly in the communications system 100 and, in some particular examples, may be able to support beamforming transmission. The communication may be performed e.g., between two devices, between a device and a radio network node, and/or between a device and a server. The communication may be performed e.g., via a RAN and possibly one or more core networks, comprised, respectively, within the communications system 100. In some particular embodiments, any of the one or more devices may be an IoT device, e.g., a NB IoT device.
The communications system 100 may comprise one or more radio network nodes, whereof a radio network node 140 is depicted in Figure 2b. The radio network node 140 may typically be a base station or Transmission Point (TP), or any other network unit capable to serve a wireless device or a machine type node in the communications system 100. The radio network node 140 may be e.g., a 5G gNB, a 4G eNB, or a radio network node in an alternative 5G radio access technology, e.g., fixed or WiFi. The radio network node 140 may be e.g., a Wide Area Base Station, Medium Range Base Station, Local Area Base Station and Home Base Station, based on transmission power and thereby also coverage size. The radio network node 140 may be a stationary relay node or a mobile relay node. The radio network node 140 may support one or several communication technologies, and its name may depend on the technology and terminology used. The radio network node 140 may be directly connected to one or more networks and/or one or more core networks.
The communications system 100 covers a geographical area which may be divided into cell areas, wherein each cell area may be served by a radio network node, although, one radio network node may serve one or several cells.
The first node 111 may communicate with one or more second devices 112 over a respective link. In the non-limiting example depicted in Figure 2, the first node 111 may communicate with the first second node 121 over a first link 151. The first node 111 may communicate with the second second node 122 over a second link 152. The first node 111 may communicate with the third second node 116 over a third link 153. The first node 111 may communicate with the fourth second node 124 over a fourth link 154. The first node 111 may communicate with the one or more devices 130 over a respective fifth link 155. The first node 111 may communicate with the third node 113 over a sixth link 156. The fourth second node 124 may communicate with the fifth second node 125 over a seventh link 157. The third second node 123 may communicate with the one or more devices 130 over a respective eighth link 158. Any of the one or more devices 130 may communicate with the fifth second node 125 over a respective ninth link 159. The third node 113 may communicate with the fourth node 114 over a tenth link 160. The fourth node 114 may communicate with the third second node 123 over an eleventh link 161. The radio network node 140 may communicate with the third second node 123 over a twelfth link 162. The radio network node 140 may communicate with the first node 111 over a thirteenth link 163. The radio network node 140 may communicate with the fifth second node 125 over a fourteenth link 164. The radio network node 140 may communicate with the one or more devices 130 over a respective fifteenth link 16.
Any of the links just described may be, e.g., a radio link or a wired link, and may be a direct link or it may go via one or more computer systems or one or more core networks in the communications system 100, or it may go via an optional intermediate network. The intermediate network may be one of, or a combination of more than one of, a public, private or hosted network; the intermediate network, if any, may be a backbone network or the Internet, which is not shown in Figure 2.
In general, the usage of “first”, “second”, “third”, “fourth”, “fifth”,... , and/or “fifteenth” herein may be understood to be an arbitrary way to denote different elements or entities, and may be understood to not confer a cumulative or chronological character to the nouns they modify.
Embodiments of a method, performed by the first node 111, will now be described with reference to the flowchart depicted in Figure 3. The method may be understood to be for handling access to content. The first node 111 operates in the communications system 100.
The method may comprise the actions described below. In some embodiments all the actions may be performed. In some embodiments some of the actions may be performed. In Figure 3, optional actions are indicated with a dashed box. One or more embodiments may be combined, where applicable. All possible combinations are not described to simplify the description. It should be noted that the examples herein are not mutually exclusive. Components from one example or embodiment may be tacitly assumed to be present in another example or embodiment and it will be obvious to a person skilled in the art how those components may be used in the other examples or embodiments.
Action 301
In the course of communications in the wireless communications network 100, content filtering may need to be triggered, e.g., to some devices, and/or to some applications. This may happen, for example, whenever the third node 113, which may be understood to be a consumer of a service described herein, e.g., a PCF, may retrieve subscriber data which may indicate that one or more content filtering policies may need to be applied. In this Action 301, the first node 111 may receive a first message from the third node 113. The first message may request that the first node 111 provide analytic information. The analytic information may be about the one or more devices 130 having exchanged traffic with one or more applications, which may have to be subject to content filtering. That is, the analytic information may indicate whether or not the one or more devices 130 have exchanged traffic with the one or more applications which may have to be subject to content filtering. Although content filtering may have to be applied, e.g., according to the one or more policies, it may not have been applied to the traffic exchanged. That is, the one or more applications should be subject to content filtering for the one or more devices 130, e.g., for their respective subscribers, for example according to a respective policy of the one or more devices 130 in the communications system 100, but the content filtering may not have been applied in the exchange of the traffic. The first message may indicate that the third node 113 may want to know whether the one or more devices 130 may have, or may have had, access to content they should not have had access to, based on content filtering policy/ies pertaining to them.
The first node 111 may be able to generate the analytic information.
In some embodiments, the first message may indicate at least one of the one or more following options. According to a first option, the first message may indicate a first identifier of the analytic information. For example, the first identifier may be a parameter, such as e.g., an Analytic-ID, which may be set to, e.g., “ContenttobeFiltered”. According to a second option, the first message may indicate a first indication indicating a type of the analytic. For example, the first indication may be another parameter, such as e.g., Analytic-Type, which may be set to Unsafe content Type 1, e.g., “executable software”, Unsafe content Type 2, e.g., “spyware identifier X”, Unsafe content Type 2, e.g., “virus identifier Y”, etc. According to a third option, the first message may indicate a respective second identifier of the one or more applications. The second identifier may be yet another parameter such as e.g., an “App-ID”, or “List of App-ID”. The second identifier may indicate the App-ID/s which may be the target for this analytic e.g., a browser application such as Chrome or Safari. When not present, any App-ID may apply. According to a fourth option, the first message may indicate a respective third identifier of the one or more devices 130. The respective third identifier may be another parameter such as UE-ID or list of UE-ID, UE-Group-ID or list of UE-Group-ID, or AnyUE. This may indicate the one or more devices 130, e.g., UE/s, which may be the target for the analytic information. When not present, AnyUE may be understood to apply. According to a fifth option, the first message may indicate first information indicating how the content is to be filtered. For example, the first information may comprise other filter information such as e.g., Data Network Name (DNN), Single Network Slice Selection Assistance Information (S-NSSAI), Area of Interest, Radio Access Technology (RAT)-Type, etc.
According to a sixth option, the first message may indicate a second indication indicating a time period for which the analytic information may have to apply. For example, the second indication may be yet another parameter, such as e.g., timePeriod, which may be set to indicate e.g., daily, weekly, monthly. According to a seventh option, the first message may indicate a third indication indicating a confidence level the analytic information is to have. The third indication may indicate the required confidence level from the third node 113, e.g., the consumer. According to an eighth option, the first message may indicate a fourth indication of traffic subject to the content filtering. For example, the fourth indication may be yet another parameter such as Packet Flow Descriptors (“PFDs”), which may be understood to identify the traffic which may correspond to content to be filtered, of the requested category.
The first message may be a subscription for a new Analytic, as e.g., identified by the first identifier. In some embodiments, e.g., wherein the first node 111 may be an NWDAF, the first message may be a Nnwdaf_AnalyticsSubscription_Subscribe request message.
The receiving in this Action 301 may be performed, e.g., via the sixth link 156. The first node 111 may answer to the third node 113 indicating successful operation. By receiving the first message in this Action 301, the first node 111 may then be enabled to trigger collection of a respective type of information from the one or more second nodes 112, which may then enable the first node 111 to generate the analytic information about whether or not the one or more devices 130 may have exchanged traffic with the one or more applications, which are to be subject to content filtering. The first node 111 may then be enabled to provide this analytic information to the third node 113 and thereby enable it to take remedial action, e.g., to enforce the content filtering if appropriate.
Action 302
In this Action 302, the first node 111 may send, based on the received first message, a respective second message to the one or more second nodes 112. The respective second message may be understood to be a second message to each of the one or more second nodes 112. It may be understood herein that the statements regarding one of the messages originating from or targeting one of the one or more second nodes 112 may equally apply to a plurality of the same messages originating from or targeting more than one of the one or more second nodes 112.
The respective second message may request the provision of a respective message. The respective message may be understood to be a respective third message. The respective third message may comprise a respective type of information, that is one type from every type of second node of the one or more second nodes 112. The respective type of information may indicate that the one or more devices 130 operating in the communications system 100 may have exchanged traffic with the one or more applications that may be to be subject to content filtering.
The kind of message the respective second message may be, may depend on which, e.g., which type, of the one or more second nodes 112, the first node 111 may send the respective second message to.
In some embodiments, the one or more second nodes 112 may comprise the first second node 121. In some of such embodiments, the respective second message may request to indicate at least one of: a) whether or not one or more subscribers associated to the one or more devices 130 are subject to content filtering, e.g., the respective type of information may comprise subscriber data, specifically if the subscriber is subject to content filtering policies; and b) historical exchange of traffic of the one or more devices 130 with the one or more applications, e.g., any potential previous access to unfiltered content for this subscriber, which should have been subject to content filtering.
In particular embodiments, the first second node 121 may be a UDR, the first node 111 may be a NWDAF, and the respective second message may be a Nudr_Query Request message, which may include the subscriber identifier, e.g., UE-ID.
In some embodiments, the one or more second nodes 112 may comprise the second second node 122. In some of such embodiments, the respective second message may request to indicate at least one of: a) one or more second applications providing traffic of content corresponding to one or more types of content, and b) a fifth indication indicating the one or more types of content. The one or more second applications providing traffic of content corresponding to one or more types of content may be requested by indicating another parameter, such as for example, a “List of sites” corresponding to an indicated Category, e.g., Category= Unsafe content Type 1. The fifth indication may indicate such category, e.g., the parameter Category= Unsafe content Type 1.
In particular embodiments, the second second node 122 may be an ICAP server, or another node, the first node 111 may be a NWDAF, and the respective second message may be a Query request message, which may include the requested content category of content subject to content filtering, e.g., unsafe content, e.g. Category= Unsafe content Type 1. The another node may be in general, any database including a list of sites corresponding to content of a certain type that may have to be filtered.
In some embodiments, the one or more second nodes 112 may comprise the third second node 123. In some of such embodiments, the respective second message may request to indicate at least one of the following options. According to a first option, the respective second message may request to indicate a fourth identifier of an event indicating collection of the analytic information. For example, the fourth identifier may be a parameter, such as “Event-ID”, which may be set to Event-ID=ApplicationData. According to a second option, the respective second message may request to indicate the respective third identifier of the one or more devices 130, e.g., UE-ID or list of UE-ID, UE-Group-ID or list of UE-Group-ID, or AnyUE. This may indicate the one or more devices 130, e.g., UE/s, which may be the target for the analytic information. When not present, AnyUE may be understood to apply. According to a third option, the respective second message may request to indicate second information of user plane traffic analysis and classification, or mirrored traffic data, that is, raw packets. The second information of user plane traffic analysis may be, e.g., flow information, Uniform Resource Locators (URLs), Server Name Indicators (SNIs). The second information of user plane classification may be, e.g., App-ID.
In particular embodiments, the third second node 123 may be a UPF, the first node 111 may be a NWDAF, and the respective second message may be a Nupf_EventExposure_Subscribe request.
In some embodiments, the one or more second nodes 112 may comprise the first fourth second node 124, or the fifth second node 125. In some of such embodiments, the respective second message may request to indicate at least one of the following options. According to a first option, the respective second message may request to indicate a fifth identifier of an event indicating collection of the analytic information. For example, the fifth identifier may be the parameter, such as “Event-ID”, which may be set to another value, e.g., Event-ID=TrafficAnalysis&Classification.
According to a second option, the respective second message may request to indicate a sixth indication indicating a type of the event. For example, the sixth indication may be another parameter, such as “Event-Type”, which may identify the type of category for the above event, e.g., Event-Type= Unsafe content Type 1.
According to a third option, the respective second message may request to indicate the respective second identifier of the one or more applications, e.g., List of App-ID or Any App-ID.
According to a fourth option, the respective second message may request to indicate the respective third identifier of the one or more devices 130, e.g., UE-ID or AnyUE.
According to a fifth option, the respective second message may request to indicate third information of application layer content, e.g., the third information may originate from the AF of a Film provider, indicating the user/subscriber may be accessing unsecured pirate content.
In particular embodiments, the fourth second node 124 may be a NEF, the first node 111 may be a NWDAF, and the respective second message may be a Nnef_EventExposure_Subscribe message. The fifth second node 125 may be an AS/AF, and may receive the respective second message, indirectly, via the fourth second node 124 as a Naf_EventExposure_Subscribe request.
In some embodiments, the one or more second nodes 112 may comprise at least one of the one or more devices 130, e.g., UEs. In some of such embodiments, the respective second message may request to indicate at least one of the following options. According to a first option, the respective second message may request to indicate a sixth identifier indicating a type of the event. For example, the sixth identifier may be the parameter, such as “Event-ID”, which may be set to the same, or another value, e.g., Event-ID=OSApplications.
According to a second option, the respective second message may request to indicate the respective third identifier of the one or more devices 130, e.g., UE-ID or AnyUE. According to a third option, the respective second message may request to indicate a respective seventh identifier of one or more of the one or more applications installed, e.g., OS installed, in the at least one of the one or more devices 130, e.g., which may be run by the one or more devices 130.
In particular embodiments, the at least one of the one or more devices 130 may be a UE, the first node 111 may be a NWDAF, and the respective second message may be a Nue_EventExposure_Subscribe request.
In some embodiments, the respective second message, or respective second messages, may be obtained by the first node 111 from: the first second node 121, e.g., via the first link 151, the second second node 122, e.g., via the second link 152, the third second node 123, e.g., via the third link 153, the fourth second node 124, e.g., via the fourth link 154, the fifth second node 125, e.g., via the fourth link 154 and the seventh link 157, the one or more devices 130, e.g., via the respective fifth link 155, and/or the thirteenth link 163 and the fifteenth link 165. In some embodiments, e.g., based on which of the one or more second nodes 112 the first node 111 may send the respective second message to, the sending may be performed, directly, e.g., via one hop, or indirectly, via one or more hops or intermediary nodes. For example, the first node 111 may request the third information from the fifth second node 125, e.g., a content provider, such as an AF, via the fourth second node 124.
By sending the respective second message(s) to the one or more second nodes 112 in this Action 302, based on the received first message, the first node 111 may trigger collection of the respective type of information as requested by the third node 113. The first node 111 may then be enabled to collect the requested information, and then generate the analytic information about whether or not the one or more devices 130 may have exchanged traffic with the one or more applications, which are to be subject to content filtering. The first node 111 may then be enabled to provide this analytic information to the third node 113 and thereby enable it to take remedial action, e.g., to enforce the content filtering if appropriate.
Action 303
In this Action 303, the first node 111 obtains, from the one or more second nodes 112 operating in the communications system 100, a respective message. The respective message may be understood to be the respective third message. As explained above, respective may be understood to mean that the first node 111 may obtain a message from each of the one or more second nodes 112.
The respective message comprises a respective type of information. The respective type of information indicates that the one or more devices 130 operating in the communications system 100 have exchanged traffic with the one or more applications that are to be subject to content filtering.
The obtaining in this Action 303 of the respective third message may be based on the sent respective second message. That is, the respective type of information comprised in the respective third message may be obtained in response to the request for its provision sent in the respective second message, and may vary from second node 112 to second node 112, e.g., it may be different when obtained from the first second node 121 than from the second second node 122.
In accordance with the foregoing, in some embodiments, wherein the one or more second nodes 112 may comprise the first second node 121, at least one of i) the respective second message may request to indicate, and ii) the respective third message may indicate at least one of: a) whether or not one or more subscribers associated to the one or more devices 130 are subject to content filtering, and b) the historical exchange of traffic of the one or more devices 130 with the one or more applications.
As stated earlier, in particular embodiments, the first second node 121 may be a UDR, the first node 111 may be a NWDAF, and the respective second message may be a Nudr_Query Request message, which may include subscriber data for, e.g., UE-ID. The respective third message may be a response message to this request.
In other embodiments, wherein the one or more second nodes 112 may comprise the second second node 122, at least one of i) the respective second message may request to indicate and ii) the respective third message may indicate at least one of: a) the one or more second applications providing traffic of content corresponding to the one or more types of content, and b) the fifth indication indicating the one or more types of content. In particular embodiments, the second second node 122 may be an ICAP server, or another node, the first node 111 may be a NWDAF, and the respective second message may be a Query request message. The respective third message may be a response message to this request.
In some embodiments, wherein the one or more second nodes 112 may comprise the third second node 123, at least one of i) the respective second message may request to indicate and ii) the respective third message may indicate at least one of the following options. According to a first option, the fourth identifier of the event indicating collection of the analytic information. For example, the fourth identifier may be “Event-ID”, which may be set to Event-ID=ApplicationData. According to the second option, the respective third identifier of the one or more devices 130, e.g., UE-ID or list of UE-ID, UE-Group-ID or list of UE-Group-ID, or AnyUE. According to a third option, the respective second message may request to indicate the second information of the user plane traffic analysis and classification or mirrored traffic data.
In particular embodiments, the third second node 123 may be a UPF, the first node 111 may be a NWDAF, and the respective second message may be a Nupf_EventExposure_Subscribe request and the respective third message may be a Nupf_EventExposure_Notify message.
In some embodiments, wherein the one or more second nodes 112 may comprise the first fourth second node 124, or the fifth second node 125, at least one of i) the respective second message may request to indicate and ii) the respective third message may indicate at least one of the following options. According to a first option, the fifth identifier of the event indicating collection of the analytic information. For example, the fifth identifier may be Event-ID=TrafficAnalysis&Classification.
According to a second option, the sixth indication indicating the type of the event. For example, the sixth indication may be Event-Type= Unsafe content Type 1.
According to a third option, the respective second identifier of the one or more applications, e.g., List of App-ID or Any App-ID.
According to a fourth option, the respective third identifier of the one or more devices 130, e.g., UE-ID or AnyUE.
According to a fifth option, the third information of application layer content.
In particular embodiments, wherein the fourth second node 124 may be a NEF, the first node 111 may be a NWDAF, the respective second message may be a Nnef_EventExposure_Subscribe message and the respective third message may be a Nnef_EventExposure_Notify request. In some embodiments, the one or more second nodes 112 may comprise at least one of the one or more devices 130, at least one of i) the respective second message may request to indicate and ii) the respective third message may indicate at least one of the following options. According to a first option, the sixth identifier indicating the type of the event. For example, Event-ID=OSApplications.
According to a second option, the respective third identifier of the one or more devices 130, e.g., UE-ID or AnyUE. According to a third option, the respective seventh identifier of the one or more of the one or more applications installed in the at least one of the one or more devices 130.
In some embodiments, the another message may indicate how the content is to be filtered. How the content is to be filtered may indicate at least one action to apply to the traffic of the content.
In some embodiments, the first message may be a Nnwdaf_AnalyticsSubscription_Subscribe request message and the another message may be a Nnwdaf_AnalyticsSubscription_Notify request message. This may be understood to apply to embodiments wherein the first node 111 may be an NWDAF.
In particular embodiments, wherein the at least one of the one or more devices 130 may be a UE, the first node 111 may be a NWDAF, the respective second message may be a Nue_EventExposure_Subscribe request and the respective third message may be a Nue_EventExposure_Notify.
In some embodiments, the respective second message, or respective second messages, may be obtained by the first node 111 from: the first second node 121, e.g., via the first link 151, the second second node 122, e.g., via the second link 152, the third second node 123, e.g., via the third link 153, the fourth second node 124, e.g., via the fourth link 154, the one or more devices 130, e.g., via the respective fifth link 155, and/or the thirteenth link 163 and the fifteenth link 165. In some embodiments, obtaining may comprise receiving, directly, e.g., via one hop, or indirectly, via one or more hops or intermediary nodes. This may apply to embodiments wherein the second node 112 may be a NEF, and the first node 111 may be able to request and retrieve information from a content provider, e.g., the fifth second node 125, via the NEF.
By obtaining the respective second message(s) in this Action 302, the first node 111 may therefore be enabled to generate the analytic information about whether or not the one or more devices 130 may have exchanged traffic with the one or more applications, which are to be subject to content filtering. The first node 111 may then be enabled to provide this analytic information to the third node 113 and thereby enable it to take remedial action, e.g., to enforce the content filtering if appropriate.
Action 304
In some embodiments, in this Action 304, the first node 111 may generate the analytic information. The first node 111 may generate the analytic information based on the received respective message, e.g., the received respective messages, if received from more than one of the one or more second nodes 112. This may be data collected from UDR, ICAP Server, UPF, UE and AF/AS.
Generating may be understood as determining, calculating, deriving, etc.
That the first node 111 may generate the analytic information based on the received respective message may be understood to mean that the first node 111 may generate the analytic information using the respective type of information comprised in the received respective message.
Specifically, the first node 111 may analyze the traffic collected from the third second node 123, and optionally from the fifth second node 125 and/or the one or more devices 130, for the one or more devices 130, e.g., UE-IDs which may be subject to content filtering policies for the requested category, e.g., Unsafe content Type 1, in the example sequence diagram of Figure 6, based on data collected from the third second node 123. The analyzed traffic and specifically the extracted metadata, e.g., 5-tuples including server IP addresses, SNIs, URLs, may be matched against a database of the second second node 112, e.g., an ICAP database, for the requested category, to check if there may be any access to content subject to content filtering, e.g., unsafe content. In case of data collection from the fifth second node 125, e.g., an AF/AS, the first node 111 may also check if the fifth second node 125 may report any access to the requested traffic category.
Additionally, a Machine Learning (ML) model previously trained may be used, which may be continuously validated based on collected data, e.g., based on supervised ML, or the first node 111 may build a model to detect access to content subject to content filtering, e.g., unsafe content, on a per category basis.
The first node 111 may run analytic processes and generate analytics output which may indicate at least one of the one or more following options. According to a first option, the first identifier of the analytic information, such as e.g., Analytic-ID, which may be set to, e.g., "ContenttobeFiltered". According to a second option, the first indication indicating the type of the analytic, such as e.g., Analytic-Type, which may be set to Unsafe content Type 1, e.g., “executable software”, Unsafe content Type 2, e.g., “spyware identifier X”, Unsafe content Type 2, e.g., “virus identifier Y”, etc. According to a third option, the respective second identifier of the one or more applications, e.g., “App-ID”, or “List of App-ID”. According to a fourth option, the respective third identifier of the one or more devices 130, e.g., UE-ID or list of UE-ID, UE-Group-ID or list of UE-Group-ID, or AnyUE who may have accessed content subject to content filtering, e.g., unsafe content. According to a fifth option, the first information indicating how the content is to be filtered, e.g., DNN, S-NSSAI, Area of Interest, Radio Access Technology (RAT)-Type, etc. According to a sixth option, the second indication indicating the time period for which the analytic information may have to apply, e.g., timePeriod, which may be set to indicate e.g., daily, weekly, monthly. According to a seventh option, the third indication indicating the confidence level the analytic information is to have, e.g., a %, which may indicate the confidence that content subject to content filtering, e.g., unsafe content, has been accessed by the one or more devices 130, e.g., UE-ID. According to an eighth option, the fourth indication of traffic subject to the content filtering, e.g., “PFDs”, which may be understood to identify the traffic which may correspond to content to be filtered, of the requested category.
The first node 111 may generate the analytic information by checking whether traffic in the communications system 100 matches one or more options that may have been indicated in the first message. The generated analytic information may therefore be based on the received first message.
By generating the analytic information about whether or not the one or more devices 130 may have exchanged traffic with the one or more applications which are to be subject to content filtering in this Action 304, the first node 111 may then be enabled to provide this analytic information to the third node 113 and thereby enable the third node 113 to take remedial action, e.g., to enforce the content filtering if appropriate.
Action 305
In this Action 305, the first node 111 initiates sending another message to the third node 113 operating in the communications system 100. The another message is based on the received respective message. The another message comprises the analytic information generated by the first node 111, about the one or more devices 130 having exchanged traffic with the one or more applications. As stated earlier, the one or more applications are to be subject to content filtering. However, no content filtering may have been applied to the traffic exchanged by the one or more devices 130 with the one or more applications.
That the another message is based on the received respective message may be understood to mean that the analytic information comprised in the another message has been generated using the information obtained by respective type of information comprised in the obtained respective message(s).
In some embodiments, at least one of the first message and the another message may indicate at least one of the one or more following options. According to a first option, at least one of the first message and the another message may indicate the first identifier of the analytic information, such as e.g., Analytic-ID, which may be set to, e.g., "ContenttobeFiltered". According to a second option, at least one of the first message and the another message may indicate the first indication indicating the type of the analytic, such as e.g., Analytic-Type, which may be set to Unsafe content Type 1, e.g., “executable software”, Unsafe content Type 2, e.g., “spyware identifier X”, Unsafe content Type 2, e.g., “virus identifier Y”, etc. According to a third option, at least one of the first message and the another message may indicate the respective second identifier of the one or more applications, e.g., “App-ID”, or “List of App-ID”. According to a fourth option, at least one of the first message and the another message may indicate the respective third identifier of the one or more devices 130, e.g., UE-ID or list of UE-ID, UE-Group-ID or list of UE-Group-ID, or AnyUE. According to a fifth option, at least one of the first message and the another message may indicate the first information indicating how the content is to be filtered, e.g., DNN, S-NSSAI, Area of Interest, Radio Access Technology (RAT)-Type, etc. According to a sixth option, at least one of the first message and the another message may indicate the second indication indicating the time period for which the analytic information may have to apply, e.g., timePeriod, which may be set to indicate e.g., daily, weekly, monthly. According to a seventh option, at least one of the first message and the another message may indicate the third indication indicating the confidence level the analytic information is to have.
According to an eighth option, at least one of the first message and the another message may indicate the fourth indication of traffic subject to the content filtering, e.g., “PFDs”, which may be understood to identify the traffic which may correspond to content to be filtered, of the requested category.
In some particular examples, the another message may indicate: a) the first identifier of the analytic information, b) the first indication indicating the type of the analytic, and c) for every device of the one or more devices 130 having exchanged unfiltered traffic for the indicated type of analytic with the one or more applications that are to be subject to content filtering: i) the respective third identifier, ii) the fourth indication, and iii) the third indication indicating the confidence level that the device has exchanged unfiltered traffic for the indicated type of analytic with the one or more applications that are to be subject to content filtering. Option c) may be indicated as part of a parameter such as e.g., AnalyticResult. This parameter may include options i), ii) and iii) as a list, e.g., List of (UE-ID, PFDs, Confidence metric), where for each UE-ID, UE-ID may be understood to identify the user who has accessed inappropriate content of the requested category, PFDs may be understood to identify the traffic which corresponds to inappropriate content of the requested category, and confidence metric, e.g., as a %, may indicate the confidence that inappropriate content of the requested category has been accessed by UE-ID. In some embodiments, the first message may be a Nnwdaf_AnalyticsSubscription_Subscribe request message.
The sending may be performed e.g., via the sixth link 156.
By sending the another message in this Action 305, the first node 111 may enable the third node 113 to take remedial action, e.g., to enforce the content filtering if appropriate. The third node 113 may, based on the analytic output, apply the corresponding actions. For example, the third node 113 may block the PFDs corresponding to unsafe content for the one or more devices 130, and/or report that one or more devices 130 may have tried to access unsafe content. The first node 111 may therefore be enabled to provide a service to the third node 113, which may enable the third node 113 to monitor traffic, and as one advantage, enable it to ensure the security of the wireless communications network 100 may be preserved.
Embodiments of a method performed by the third node 113 will now be described with reference to the flowchart depicted in Figure 4. The method may be understood to be for handling access to content. The third node 113 may operate in the communications system 100.
The method may comprise the following actions. In some embodiments all the actions may be performed. In some embodiments some of the actions may be performed. In Figure 4, optional actions are indicated with a dashed box. One or more embodiments may be combined, where applicable. All possible combinations are not described to simplify the description. It should be noted that the examples herein are not mutually exclusive. Components from one example or embodiment may be tacitly assumed to be present in another example or embodiment, and it will be obvious to a person skilled in the art how those components may be used in the other examples.
The detailed description of some of the following corresponds to the same references provided above, in relation to the actions described for the communications system 100 and will thus not be repeated here to simplify the description. For example, the first identifier may be a parameter, such as e.g., an Analytic-ID, which may be set to, e.g., "ContenttobeFiltered".
Action 401
In this Action 401, the third node 113 may send the first message to the first node 111. The first message may request that the first node 111 provide the analytic information. The generated analytic information may be based on the received first message.
In some embodiments, e.g., wherein the first node 111 may be an NWDAF, the first message may be a Nnwdaf_AnalyticsSubscription_Subscribe request message. The sending in this Action 401 may be performed, e.g., via the sixth link 156.
Action 402
In this Action 402, the third node 113 receives the another message from the first node 111 operating in the communications system 100. The another message comprises the analytic information generated by the first node 111, about the one or more devices 130 operating in the communications system 100 having exchanged traffic with the one or more applications that are to be subject to content filtering.
In some embodiments, at least one of the first message and the another message may indicate at least one of the one or more following options: a) the first identifier of the analytic information, b) the first indication indicating the type of the analytic, c) the respective second identifier of the one or more applications, d) the respective third identifier of the one or more devices 130, e) the first information indicating how the content is to be filtered, f) the second indication indicating the time period for which the analytic information may have to apply, g) the third indication indicating the confidence level the analytic information is to have, and h) the fourth indication of traffic subject to the content filtering.
In some particular examples, the another message may indicate: a) the first identifier of the analytic information, b) the first indication indicating the type of the analytic, and c) for every device of the one or more devices 130 having exchanged unfiltered traffic for the indicated type of analytic with the one or more applications that are to be subject to content filtering: i) the respective third identifier, ii) the fourth indication, and iii) the third indication indicating the confidence level that the device has exchanged unfiltered traffic for the indicated type of analytic with the one or more applications that are to be subject to content filtering.
In some embodiments wherein the another message may indicate how the content is to be filtered, how the content is to be filtered may indicate at least one action to apply to the traffic of the content.
In some embodiments, the first message may be a Nnwdaf_AnalyticsSubscription_Subscribe request message and the another message may be a Nnwdaf_AnalyticsSubscription_Notify request message. This may be understood to apply to embodiments wherein the first node 111 may be an NWDAF.
The third node 113 may answer to the first node 111 indicating successful operation.
Action 403
In this Action 403, the third node 113 initiates performing, based on the received another message, one or more actions to apply content filtering to the one or more applications for the one or more devices 130. The third node 113 may apply the corresponding actions based on the AnalyticResult.
According to the foregoing, the one or more actions may comprise sending, directly or indirectly, a fourth message to at least one of: the one or more second nodes 112 operating in the communications system 100, and the fourth node 114 or the one or more second nodes 112 operating in the communications system 100.
The fourth message to the one or more second nodes 112 may indicate to store subscriber information indicating the exchange of traffic. One of the actions may be for example, that the third node 113 store in the first second node 121, as part of subscriber data, an indication of access to unsafe content of a certain category, and to block the traffic for that particular device, e.g., UE-ID, for the PFDs indicated in the AnalyticResult. For each device identified in the another message, e.g., each UE-ID included in the AnalyticResult, the third node 113 may trigger a Nudr_Store request message including the following information: the respective third identifier of the device, e.g., UE-ID, a new parameter, e.g., UnfilteredContentInfo, which may contain: an indication that the device, e.g., UE-ID, has accessed inappropriate content, and the category, e.g., executable code in this example.
This may enable the first second node 121 to store the UnfilteredContentInfo in the subscriber data for the UE-ID and answer to the third node 113 indicating successful operation.
The fourth message to the fourth node 114 or the one or more second nodes 112 may indicate to block further traffic with one or more of the one or more applications. For each device identified in the another message, e.g., each UE-ID included in the AnalyticResult, the third node 113 may trigger a Npcf_SMPolicyControl_Update Request message towards the fourth node 114, e.g., an SMF, to update the PCC rules, specifically to install a new PCC rule including: List of PFD which may indicate to which traffic the PCC rule may apply to, and Block which may indicate the action to apply to the traffic matching the above PFDs. The fourth node 114 may answer to the third node 113 indicating successful operation. The fourth node 114 may then translate the PCC rule into a Packet Detection Rule (PDR)/Forwarding Action Rule (FAR) and trigger a Packet Flow Control Protocol (PFCP) Session Modification Request message towards the third second node 123, e.g., a UPF, which may comprise the PDR with Packet Detection Information (PDI) set to Service Data Flow Filter (SDFFilter), Packet Flow Descriptions (PFDs), and the FAR indicating block action. Based on the above, the third second node 123, e.g., the UPF, may block all traffic matching the above PFDs.
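The matching described for Action 304 and the follow-up described for Action 403 can be traced end to end in the following added Python example, which is not part of the patent text. The message and parameter names are the ones used above; the dictionary layouts, the sample subscribers, sites and flows, and the two confidence values are constructed assumptions, since the description does not say how the confidence level is derived.

```python
from collections import defaultdict

# --- Constructed sample data; every value below is made up for illustration ---
# Subscriber data as returned by the UDR (is the UE subject to content filtering?).
UDR = {"ue-001": {"content_filtering": True},
       "ue-002": {"content_filtering": True},
       "ue-003": {"content_filtering": False}}
# Category database as returned by the ICAP server: category -> list of sites.
ICAP_DB = {"Executable software": {"downloads.example.net", "bin.example.org"}}
# Metadata reported by the UPF for Event-ID=TrafficAnalysis&Classification.
UPF_NOTIFY = [
    {"UE-ID": "ue-001", "SNI": "Downloads.Example.NET.", "App-ID": "app-7"},
    {"UE-ID": "ue-001", "SNI": "news.example.com", "App-ID": "app-2"},
    {"UE-ID": "ue-002", "SNI": "bin.example.org", "App-ID": "app-9"},
    {"UE-ID": "ue-003", "SNI": "bin.example.org", "App-ID": "app-9"},
]
# Application layer reports from the AF/AS for Event-ID=ApplicationData.
AF_NOTIFY = [{"UE-ID": "ue-001", "Event-Type": "Executable software"}]

# Hypothetical scoring: a UPF match alone, or a UPF match the AF also reports.
CONF_UPF_ONLY = 60
CONF_UPF_AND_AF = 95


def normalize_host(name):
    """Lower-case and drop the trailing dot so SNI values compare reliably."""
    return name.strip().lower().rstrip(".")


def generate_analytic(category, ue_ids, min_confidence=0):
    """Action 304: match collected metadata against the category list."""
    listed = {normalize_host(s) for s in ICAP_DB.get(category, ())}
    af_hits = {r["UE-ID"] for r in AF_NOTIFY if r["Event-Type"] == category}
    pfds = defaultdict(set)
    for flow in UPF_NOTIFY:
        ue = flow["UE-ID"]
        if ue not in ue_ids or not UDR.get(ue, {}).get("content_filtering"):
            continue  # only subscribers subject to content filtering policies
        host = normalize_host(flow["SNI"])
        if host in listed:
            pfds[ue].add(host)  # simplified PFD: the matching domain name
    result = []
    for ue in sorted(pfds):
        conf = CONF_UPF_AND_AF if ue in af_hits else CONF_UPF_ONLY
        if conf >= min_confidence:
            result.append({"UE-ID": ue, "PFDs": sorted(pfds[ue]),
                           "Confidence": conf})
    return {"Analytic-ID": "ContenttobeFiltered", "Analytic-Type": category,
            "AnalyticResult": result}


def consumer_actions(notify):
    """Action 403: derive the follow-up messages from the AnalyticResult."""
    messages = []
    for entry in notify["AnalyticResult"]:
        # Record the access in the subscriber data held by the UDR.
        messages.append({"message": "Nudr_Store", "UE-ID": entry["UE-ID"],
                         "UnfilteredContentInfo": {
                             "accessed": True,
                             "category": notify["Analytic-Type"]}})
        # Ask the SMF to install a PCC rule blocking the reported PFDs.
        messages.append({"message": "Npcf_SMPolicyControl_Update",
                         "UE-ID": entry["UE-ID"],
                         "PCC-rule": {"PFDs": entry["PFDs"],
                                      "action": "Block"}})
    return messages


if __name__ == "__main__":
    notify = generate_analytic("Executable software",
                               {"ue-001", "ue-002", "ue-003"})
    for msg in consumer_actions(notify):
        print(msg)
```

In the sample data, ue-003 reaches a listed site but is not subject to content filtering policies, so it does not appear in the AnalyticResult and no block rule is derived for it.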
Embodiments of a method performed by a second node 112, that is, any second node 112 of the one or more second nodes 112, will now be described with reference to the flowchart depicted in Figure 5. The method may be understood to be for handling access to content. The second node 112 may operate in the communications system 100.
The method may comprise the following actions. In some embodiments all the actions may be performed. In some embodiments some of the actions may be performed. In Figure 5, optional actions are indicated with a dashed box. One or more embodiments may be combined, where applicable. All possible combinations are not described to simplify the description. It should be noted that the examples herein are not mutually exclusive. Components from one example or embodiment may be tacitly assumed to be present in another example or embodiment, and it will be obvious to a person skilled in the art how those components may be used in the other examples.
The detailed description of some of the following corresponds to the same references provided above, in relation to the actions described for the first node 111 and will thus not be repeated here to simplify the description. For example, the respective type of information may comprise subscriber data, specifically if the subscriber is subject to content filtering policies.
Action 501
In this Action 501, the second node 112 may receive the respective second message from the first node 111. The respective second message requests the provision of the respective message. The respective message is the respective third message described earlier.
As explained earlier, the kind of message the respective second message may be may depend on, e.g., which type of node the second node 112 may be.
Action 502
In this Action 502, the second node 112 sends, to the first node 111 operating in the communications system 100, the respective message. The respective message comprises the respective type of information. The respective type of information indicates that one or more devices 130 operating in the communications system 100 have exchanged traffic with the one or more applications that are to be subject to content filtering.
The sending 502 of the respective third message may be based on the received respective second message.
As described earlier, in some embodiments wherein the second node 112 may be the first second node 121, at least one of i) the respective second message may request to indicate, and ii) the respective third message may indicate at least one of: a) whether or not one or more subscribers associated to the one or more devices 130 are subject to content filtering, and b) the historical exchange of traffic of the one or more devices 130 with the one or more applications.
In particular embodiments, the first second node 121 may be a UDR, the first node 111 may be a NWDAF, and the respective second message may be a Nudr_Query Request message.
In other embodiments, wherein the second node 112 may be the second second node 122, at least one of i) the respective second message may request to indicate and ii) the respective third message may indicate at least one of: a) the one or more second applications providing traffic of content corresponding to the one or more types of content, and b) the fifth indication indicating the one or more types of content.
In particular embodiments, the second second node 122 may be an ICAP server, or another node, the first node 111 may be a NWDAF, and the respective second message may be a Query request message.
In some embodiments, wherein the second node 112 may be the third second node 123, at least one of i) the respective second message may request to indicate and ii) the respective third message may indicate at least one of: a) the fourth identifier of the event indicating collection of the analytic information, b) the respective third identifier of the one or more devices 130, and c) the second information of the user plane traffic analysis and classification or mirrored traffic data.
In particular embodiments, the third second node 123 may be a UPF, the first node 111 may be a NWDAF, and the respective second message may be a Nupf_EventExposure_Subscribe request and the respective third message may be a Nupf_EventExposure_Notify message.
In some embodiments, wherein the second node 112 may be the first fourth second node 124, or the fifth second node 125, at least one of i) the respective second message may request to indicate and ii) the respective third message may indicate at least one of the following options: a) the fifth identifier of the event indicating collection of the analytic information, b) the sixth indication indicating the type of the event, c) the respective second identifier of the one or more applications, d) the respective third identifier of the one or more devices 130, and e) the third information of application layer content.
In particular embodiments, wherein the fourth second node 124 may be a NEF, and the first node 111 may be a NWDAF, the respective second message may be a Nnef_EventExposure_Subscribe message and the respective third message may be a Nnef_EventExposure_Notify request.
In some embodiments, wherein the second node 112 may be at least one of the one or more devices 130, at least one of i) the respective second message may request to indicate and ii) the respective third message may indicate at least one of: a) the sixth identifier indicating the type of the event, b) the respective third identifier of the one or more devices 130, and c) the respective seventh identifier of the one or more of the one or more applications installed in the at least one of the one or more devices 130.
In particular embodiments, wherein the at least one of the one or more devices 130 may be a UE, and the first node 111 may be a NWDAF, the respective second message may be a Nue_EventExposure_Subscribe request and the respective third message may be a Nue_EventExposure_Notify.
Action 503
In this Action 503, the second node 112 may receive, directly or indirectly, the fourth message from the third node 113 operating in the communications network 100. The fourth message may indicate to perform the one or more actions. The one or more actions may comprise one of: to store subscriber information indicating the exchange of traffic, and to block further traffic with one or more of the one or more applications.
Action 504
In this Action 504, the second node 112 may initiate performing the indicated one or more actions.
In particular embodiments, wherein the second node 112 may be the first second node 121, e.g., a UDR, the second node 112 may store subscriber information indicating the exchange of traffic.
In particular embodiments, wherein the second node 112 may be the third second node 123, e.g., a UPF, the second node 112 may block further traffic with one or more of the one or more applications. The third second node 123 may have received the fourth message indirectly from the third node 113, via the fourth node 114, e.g., an SMF.
Figure 6 is a signalling diagram depicting a non-limiting example of embodiments herein extending from panels a)-f), in alphabetical order. In this example, the first node 111 is an NWDAF, the first second node 121 is a UDR, the second second node 122 is an ICAP server, the third second node 123 is a UPF, the fourth second node 124 is NEF, the fifth second node 125 is an AS/AF, the third node 113 is a consumer, e.g., a PCF, the fourth node 114 is an SMF, and the one or more second nodes 112 further comprise the one or more devices 130, represented in Figure 6 as a single UE. Figure 6 shows a sequence diagram describing the proposed mechanism in an example on how to apply content filtering policies based on analytics. The steps are detailed as follows. At Steps 1 and 2, whenever content filtering may need to be triggered, e.g., the PCF may retrieve subscriber data which may indicate content filtering policies are to be applied, the third node 113 may subscribe to the first node 111 for a new Analytic, e.g., Analytic-ID= ContenttobeFiltered, by, in accordance with Action 401 and Action 301 , triggering a Nnwdaf_AnalyticsSubscription_Subscribe request message including the following parameters: a) Analytic-ID set to "ContenttobeFiltered", b) Analytic-Type= set to Unsafe content Type 1, e.g., “executable software”, Unsafe content Type 2, e.g., “spyware identifier X” Unsafe content Type 2, e.g., “virus identifier Y” etc. In this example, it is set to Executable software, c) List of App-ID, d) list of UE-ID, d) Analytic-Filter comprising other filter information such as DNN, S-NSSAI, Area of Interest, RAT-Type, timePeriod, and confidence level. At Step 3, the first node 111 may answer the the third node 113 indicating successful operation. 
At Steps 4 and 5, the first node 111 may trigger data collection from the first second node 121 to retrieve subscriber data, specifically if the subscriber is subject to content filtering policies, e.g., a particular type of subscription. Additionally, to retrieve any potential previous access to unfiltered content for this subscriber. In order retrieve subscriber data, the first node 111 may, in accordance with Action 302 and Action 501 , trigger a Nudr_Query Request message including the subscriber identifier, UE-ID. At Step 6, the first second node 121 , in accordance with Action 502 and Action 303, may answer the message in Step 5 including subscriber data for UE-ID, which may specifically include the following information: a) indication if subscriber, UE-ID, is subject to content filtering policies, and b) historic access to unfiltered content to be filtered content for UE-ID. At Steps 7 and 8, the first node 111 may trigger data collection from the second second node 122. In order to do this, the first node 111 may, in accordance with Action 302 and Action 501, trigger a Nicap_Query request message including the requested unfiltered content to be filtered content category, e.g., Category= Executable software. At Step 9, the second second node 122, in accordance with Action 502 and Action 303, may answer the message in Step 8 including the following information: a) List of sites corresponding to Category=Executable software. Continuing on panel b), at Steps 10 and 11 , the first node 111 , in accordance with Action 501 and Action 302, may trigger data collection from the third second node 123 relative to traffic analysis, e.g., flow information, URLs, SNIs, and classification, e.g., App-ID, for UE-ID. Alternatively, data collection from the third second node 123 regarding mirrored data, e.g., raw packets. 
The first node 111 may trigger a Nupf_EventExposure_Subscribe request including the following parameters: Event- ID=TrafficAnalysis&Classification, UE-ID, which may identify the target subscriber for the above event. It is not in scope of this document to describe the specific mechanism for the NWDAF triggering data collection from the UPF. It is assumed the existing mechanisms proposed, e.g., in 3GPP TR 23.700-91 , v. 17.0.0 may be used, e.g., through SMF or directly, assuming a service based UPF. At Step 12, the third second node 123 answers the first node 111 indicating successful operation. At Steps 13 and 14, optionally, the first node 111 may, in accordance with Action 302 and Action 501 , trigger data collection from the fifth second node 125 through the fourth second node 124, relative to application layer content, e.g., to request a first content provider AF to indicate if the user/subscriber may be accessing unfiltered content to be filtered in a webpage. The first node 111 , in accordance with Action 302 and Action 501 , may trigger a Nnef_EventExposure_Subscribe request including the following parameters: a) Event-ID=ApplicationData, b) Event-Type= Executable software, identifying the type (category) for the above event, c) App-ID, identifying the target application for the above event, and d) LIE-ID, identifying the target subscriber for the above event. At Step 15, the fourth second node 124 may answer the first node 111 indicating successful operation. At Step 16, the fourth second node 124 may forward to the fifth second node 125 the request in Step 14 above by triggering a Naf_EventExposure_Subscribe request including the same parameters in Step 14 above: a) Event-ID=ApplicationData, b) Event-Type=Executable software, which may identify the type, e.g., category, for the above event, c) App-ID identifying the target application for the above event, and d) LIE-ID identifying the target subscriber for the above event. 
At Step 17, the fifth second node 125 may answer the fourth second node 124 indicating successful operation. At Step 18, optionally, the first node 111, in accordance with Action 302 and Action 501 , may trigger data collection from the UE regarding OS installed applications run by the user, by triggering a Nue_EventExposure_Subscribe request including the following parameters: a) Event-ID=OSApplications, and b) LIE-ID identifying the target subscriber for the above event. At Step 19) The UE may answer the first node 111 indicating successful operation. At Steps 20 and, continuing on panel c), Step 21 , a user of the UE may start application, e.g., example.com. The UE may detect it and gathers data for Event- ID=OSApplications. At Steps 23 and 24, the third second node 123 may detect UE traffic and may gather data for Event-ID=TrafficAnalysis&Classification. The third second node 123 may forward UE traffic to the fifth second node 125. At Step 25, the fifth second node 125 may detect application traffic for UE-ID and may gather data for Event-ID=ApplicationData. Continuing on panel d), at Steps 26 and 27, the UE may continue gathering data for Event- ID=OSApplications and at some point, e.g., periodic reporting, may UE, in accordance with Action 502 and Action 303, may report data by triggering a Nue_EventExposure_Notify request including the following parameters: a) Event-ID= OSApplications, b) UE-ID, and c) OSApplicationsInfo, comprising information relative to OS installed applications run by the user. At Step 28) NWDAF answers UE indicating successful operation. 
At Steps 29 and 30, the third second node 123 may continue gathering data for Event-ID=TrafficAnalysis&Classification and at some point, e.g., periodic reporting, the third second node 123 may, in accordance with Action 502 and Action 303, report data by triggering a Nupf_EventExposure_Notify request including the following parameters: a) Event-ID=TrafficAnalysis&Classification, b) UE-ID, and c) TrafficAnalysis&ClassificationInfo, comprising information relative to user plane traffic analysis, e.g., flow information, URLs, SNIs, and classification, e.g., App-ID, for UE-ID. Alternatively, instead of reporting the above metadata, the third second node 123 may report mirrored data, e.g., raw packets. At Step 31, the first node 111 may answer the third second node 123 indicating successful operation. At Steps 32 and, continuing on panel e), Step 33, the fifth second node 125 may continue gathering data for Event-ID=ApplicationData and, at some point, e.g., periodic reporting, the fifth second node 125 may report data by triggering a Naf_EventExposure_Notify request towards the fourth second node 124 including the following parameters: a) Event-ID=ApplicationData, b) UE-ID, and c) ApplicationDataInfo, comprising information relative to application layer content, specifically for the requested App-ID and Event-Type, Executable software, as requested in the message in Step 16 above, e.g., the first content provider indicating the user/subscriber is accessing a website with executable software. At Step 34, the fourth second node 124 may answer the fifth second node 125 indicating successful operation.
At Step 35, the fourth second node 124 may, in accordance with Action 502 and Action 303, forward to the first node 111 the request in Step 33 above by triggering a Nnef_EventExposure_Notify request including the same parameters in Step 33: a) Event-ID=ApplicationData, b) UE-ID and c) ApplicationDataInfo, comprising information relative to application layer content, specifically for the requested App-ID and Event-Type, Executable software, as requested in the message in Step 16 above, e.g., the first content provider indicating the user/subscriber is accessing a website with executable software. At Step 36, the first node 111 may answer the fourth second node 124 indicating successful operation. At Step 37, the first node 111 may, in accordance with Action 304, produce analytics based on the data collected from the first second node 121, the second second node 122, the third second node 123, the UE, and the fifth second node 125. Specifically, the first node 111 may analyze the traffic collected from the third second node 123, and optionally from the fifth second node 125 and/or the UE, for the UE-IDs which may be subject to content filtering policies for the requested category, e.g., Executable software in the example sequence diagram of Figure 6, based on data collected from the first second node 121. The analyzed traffic and specifically the extracted metadata, e.g., 5-tuples including server IP addresses, SNIs, URLs, may be matched against the database of the second second node 122 for the requested category to check if there is any access to unfiltered content to be filtered. In case of data collection from the fifth second node 125, the first node 111 may also check if the fifth second node 125 may report any access to the requested traffic category.
Additionally, an ML model previously trained may be used, which may be continuously validated based on collected data, e.g., based on supervised ML, or the first node 111 may build a model to detect access to unfiltered content to be filtered, on a per category basis. At Step 38, the first node 111 may, in accordance with Action 305 and Action 402, report the analytic output to the third node 113 by triggering a Nnwdaf_AnalyticsSubscription_Notify request message, including the following information: a) Analytic-ID set to "ContenttobeFiltered", b) Analytic-Type=Unsafe content Type 1, e.g., “executable software”, Unsafe content Type 2, e.g., “spyware identifier X”, Unsafe content Type 2, e.g., “virus identifier Y”, etc.; Executable software, in the example sequence diagram of Figure 6, and c) AnalyticResult, including a List of (UE-ID, PFDs, Confidence metric), where for each UE-ID: i) UE-ID may identify the user who has accessed unfiltered content to be filtered of the requested category, ii) PFDs may identify the traffic which may correspond to unfiltered content to be filtered of the requested category, and iii) Confidence metric (%), which may indicate the confidence that inappropriate content of the requested category has been accessed by UE-ID. At Step 39, the third node 113 answers the first node 111 indicating successful operation. At Step 40, the third node 113, in accordance with Action 403, may apply the corresponding actions based on the AnalyticResult. In this example, the PCF, as consumer, is to store in the UDR, as part of subscriber data, an indication of access to unfiltered content to be filtered of a certain category, Executable software in this example, and to block the UE-ID traffic for the PFDs indicated in the AnalyticResult.
Continuing on panel f), at Step 41, for each UE-ID included in the AnalyticResult, the third node 113, in accordance with Action 403 and Action 503, may trigger a Nudr_Store request message including the following information: a) UE-ID, b) ContenttobeFilteredInfo, which may comprise: i) an indication that UE-ID has accessed unfiltered content to be filtered, and ii) category, Executable software in this example. At Steps 42 and 43, the first second node 121 may, in accordance with Action 504, store the ContenttobeFilteredInfo in the subscriber data for UE-ID and may answer the third node 113 indicating successful operation. At Step 44, for each UE-ID included in the AnalyticResult, the third node 113, in accordance with Action 403 and Action 503, may trigger a Npcf_SMPolicyControl_Update Request message towards the fourth node 114 to update the PCC rules, specifically to install a new PCC rule including: a) List of PFD, indicating to which traffic the PCC rule applies, and b) Block, indicating the action to apply to the traffic matching the above PFDs. At Step 45, the fourth node 114 may answer the third node 113 indicating successful operation. At Steps 46 and 47, the fourth node 114 may translate the PCC rule in Step 44 above into PDR/FAR and, in accordance with Action 503, trigger a PFCP Session Modification Request message towards the third second node 123 including: i) PDR with PDI set to SDFFilter, PFDs, and ii) FAR indicating block action. At Step 48, the third second node 123 may answer the fourth node 114 indicating successful operation. At Step 49, based on the above, the third second node 123, in accordance with Action 504, may block all traffic matching the above PFDs.
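The analytics of Steps 37 and 38 and the consumer actions of Steps 41 and 44 above can be sketched as follows. This is an added illustration, not code from the patent: the data layout, the simplified (kind, value) form of a PFD, and the confidence scoring are assumptions made for the example, and all sample values are constructed.

```python
"""Sketch of Steps 37-44: NWDAF analytics and the PCF actions derived from them.

Added illustration only. Message and field names follow the description;
everything else (structures, scoring, sample data) is assumed.
"""
from typing import Dict, List, Set, Tuple

PFD = Tuple[str, str]  # simplified PFD: (kind, value), kind in {"url", "sni", "ip"}

# --- Constructed sample inputs -------------------------------------------
# UDR answer: categories for which each UE-ID is subject to content filtering.
UDR_FILTERED: Dict[str, Set[str]] = {
    "ue-001": {"Executable software"},
    "ue-002": set(),                      # not subject to filtering
    "ue-003": {"Executable software"},
}
# Category database (e.g., ICAP server): category -> known indicators.
CATEGORY_DB: Dict[str, Dict[str, Set[str]]] = {
    "Executable software": {
        "url": {"http://files.example.org/setup.exe"},
        "sni": {"downloads.example.net"},
        "ip": {"203.0.113.10"},
    }
}
# Nupf_EventExposure_Notify payloads (metadata variant, not mirrored packets).
UPF_NOTIFY: List[dict] = [
    {"Event-ID": "TrafficAnalysis&Classification", "UE-ID": "ue-001",
     "flows": [{"ip": "203.0.113.10", "sni": "downloads.example.net"},
               {"ip": "198.51.100.7", "sni": "news.example.com"}]},
    {"Event-ID": "TrafficAnalysis&Classification", "UE-ID": "ue-002",
     "flows": [{"ip": "203.0.113.10", "sni": "downloads.example.net"}]},
    {"Event-ID": "TrafficAnalysis&Classification", "UE-ID": "ue-003",
     "flows": [{"ip": "203.0.113.10"}]},  # SNI not visible (encrypted)
]
# Nnef_EventExposure_Notify payloads relayed from the AF.
AF_NOTIFY: List[dict] = [
    {"Event-ID": "ApplicationData", "Event-Type": "Executable software",
     "UE-ID": "ue-001"},
]

# Assumed scoring: the description does not define how confidence is computed.
BASE_CONFIDENCE = {"url": 90, "sni": 80, "ip": 60}
AF_BONUS = 10  # added when the AF corroborates the category for the UE


def produce_analytics(analytic_type: str, min_confidence: int) -> dict:
    """Build the Nnwdaf_AnalyticsSubscription_Notify content (Steps 37-38)."""
    indicators = CATEGORY_DB.get(analytic_type, {})
    af_reported = {n["UE-ID"] for n in AF_NOTIFY
                   if n["Event-Type"] == analytic_type}
    results = []
    for report in UPF_NOTIFY:
        ue = report["UE-ID"]
        # Only subscribers the UDR marks as subject to this category count.
        if analytic_type not in UDR_FILTERED.get(ue, set()):
            continue
        pfds: List[PFD] = []
        for flow in report["flows"]:
            for kind, value in flow.items():
                hit = value in indicators.get(kind, set())
                if hit and (kind, value) not in pfds:
                    pfds.append((kind, value))
        if not pfds:
            continue
        confidence = max(BASE_CONFIDENCE[kind] for kind, _ in pfds)
        if ue in af_reported:
            confidence = min(100, confidence + AF_BONUS)
        # Honour the confidence level requested by the consumer.
        if confidence >= min_confidence:
            results.append({"UE-ID": ue, "PFDs": sorted(pfds),
                            "Confidence": confidence})
    return {"Analytic-ID": "ContenttobeFiltered",
            "Analytic-Type": analytic_type,
            "AnalyticResult": results}


def consumer_actions(notify: dict) -> Tuple[List[dict], List[dict]]:
    """Derive the Nudr_Store records (Step 41) and PCC rules (Step 44)."""
    stores, rules = [], []
    for entry in notify["AnalyticResult"]:
        stores.append({"UE-ID": entry["UE-ID"],
                       "ContenttobeFilteredInfo": {
                           "accessed": True,
                           "category": notify["Analytic-Type"]}})
        rules.append({"UE-ID": entry["UE-ID"], "PFDs": entry["PFDs"],
                      "Action": "Block"})
    return stores, rules


if __name__ == "__main__":
    notification = produce_analytics("Executable software", min_confidence=70)
    for rule in consumer_actions(notification)[1]:
        print(rule)
```

With a requested confidence of 70, only ue-001 is reported: ue-002 matches the indicators but is not subject to filtering, and ue-003 matches on server IP address alone, which the assumed scoring rates below the threshold.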
In another non-limiting example use case, embodiments herein may be also advantageously applied to, for example, filter inappropriate content to certain subscribers, e.g., a child subscription. The demand for parental control methods that may restrict content has increased over the decades due to the rising availability of the Internet. A survey showed that almost a quarter of people under the age of 12 had been exposed to online pornography. Restricting may be especially helpful in cases when children may be exposed to inappropriate content by accident. Children are more likely to unknowingly access illegal content such as pirated movies or music. They may be easily influenced by recommendations from peers, especially to bypass family restrictions on their favorite content and circumvent spending limits set by their parents. Children may also be more likely to respond to attractive ads and click baits that may pop up on their screens. In doing so, they may easily fall prey to cyber attackers targeting an application or a website or trying to acquire online credentials such as banking passwords and personal details. As a result, young internet users may often divulge confidential information unknowingly. They may expose their devices, networks and accounts to malware, spyware or phishing attacks. Consequently, they may lose data, privacy and account access, resulting in various financial implications. With COVID-19 preventing meetups, disrupting schedules and getting in the way of face-to-face classes, children and teenagers across the globe have turned to the internet not only to attend online lessons but also to use it as their main form of social interaction. While interaction over the internet offers some sense of normalcy during these times, excessive levels of unmonitored online activity may result in increased cyberbullying from both peers and strangers, potentially inappropriate contact with adults or adverse health effects.
Operator-based controls may provide a more comprehensive approach to parental controls. Here, rules and configurations may be synchronized across all the devices under a subscriber’s plan regardless of the operating system or the applications being accessed.
In particular examples, the respective type of information may indicate that the one or more devices 130 operating in the communications system 100 have exchanged traffic with the one or more applications that are to be subject to content filtering for inappropriate content. Unfiltered traffic may therefore be, in such embodiments, inappropriate traffic.
Figure 7 is a signalling diagram depicting a non-limiting example of embodiments herein extending from panels a)-f), in alphabetical order. Figure 7 shows a sequence diagram describing the proposed mechanism in an example on how to apply content filtering policies based on analytics, for the use case of filtering of inappropriate content. The nodes and steps are as described for Figure 6 with the following exceptions. The Analytic-ID may now be set as Analytic-ID=InappropriateContent. Analytic-Type may now be set as Analytic-Type=Adult, Violence, Gambling, etc. In this example, it is set to Adult. The subscriber data retrieved and/or provided by the first second node 121 may specifically be whether the subscriber is subject to content filtering policies, e.g., a child subscription. The unfiltered content to be filtered may be Inappropriate content. The Category may now be set as Category=Adult in this example. The content provider may be a Movie provider, and the unfiltered content to be filtered may be an adult movie. The Event-Type may now be set as Event-Type=Adult. The Steps applied may otherwise be the same.
One advantage of embodiments herein is that they may allow a network operator to detect, in an automated way and in real time, unsafe and/or inappropriate content, and to expose this information towards a consumer which may apply the corresponding actions, e.g., block traffic, redirect traffic, notify user, trigger Fault Management (FM) alarm, etc. Another advantage of embodiments herein may be that they may allow the network operator to support content filtering for the user traffic in a simple and efficient way. A further advantage of embodiments herein may be understood to be that they may work even when the traffic may be encrypted, e.g., HTTPS (TLS) or QUIC based applications, for which existing content filtering mechanisms do not work. It may also work when the SNI field may be encrypted and when DNS traffic may be encrypted, e.g., DoH.
Figure 8 depicts two different examples in panels a) and b), respectively, of the arrangement that the first node 111 may comprise to perform the method actions described above in relation to Figure 3, Figure 6 and/or Figure 7. In some embodiments, the first node 111 may comprise the following arrangement depicted in Figure 8a. The first node 111 may be understood to be for handling access to content. The first node 111 is configured to operate in the communications system 100.
Several embodiments are comprised herein. Components from one embodiment may be tacitly assumed to be present in another embodiment and it will be obvious to a person skilled in the art how those components may be used in the other exemplary embodiments. In Figure 8, optional boxes are indicated by dashed lines. The detailed description of some of the following corresponds to the same references provided above, in relation to the actions described for the first node 111 and will thus not be repeated here. For example, the first node 111 may be configured to be an NWDAF, the first second node 121 may be configured to be a UDR, the second second node 122 may be configured to be an ICAP server, the third second node 123 may be configured to be a UPF, the fourth second node 124 may be configured to be NEF, the fifth second node 125 may be configured to be an AS/AF, the third node 113 may be configured to be a consumer, e.g., a PCF, the fourth node 114 may be configured to be an SMF, and the one or more second nodes 112 may further comprise the one or more devices 130, e.g., UEs.
The first node 111 is configured to, e.g., by means of an obtaining unit 801 within the first node 111 configured to, obtain, from the one or more second nodes 112 configured to operate in the communications system 100, the respective message. The respective message is configured to comprise the respective type of information. The respective type of information is configured to indicate that the one or more devices 130 configured to operate in the communications system 100 have exchanged traffic with one or more applications that are to be configured to be subject to content filtering.
The first node 111 is also configured to, e.g., by means of an initiating unit 802 within the first node 111 configured to, initiate sending the another message to the third node 113 configured to operate in the communications system 100. The another message is configured to be based on the respective message configured to be received. The another message is configured to comprise analytic information configured to be generated by the first node 111, about the one or more devices 130 having exchanged traffic with the one or more applications.
In some embodiments, the first node 111 may be also configured to, e.g., by means of a receiving unit 803 within the first node 111 configured to, receive the first message from the third node 113. The first message may be configured to request that the first node 111 provide the analytic information.
In some embodiments, the first node 111 may be also configured to, e.g., by means of a generating unit 804 within the first node 111 configured to, generate the analytic information based on the respective message configured to be received, by checking whether traffic in the communications system 100 may match the one or more options configured to be indicated in the first message. The analytic information configured to be generated may be based on the first message configured to be received.
In some embodiments, at least one of the first message and the another message may be configured to indicate at least one of the one or more options: a) the first identifier of the analytic information, b) the first indication indicating the type of the analytic, c) the respective second identifier of the one or more applications, d) the respective third identifier of the one or more devices 130, e) the first information configured to indicate how the content is to be filtered, f) the second indication configured to indicate the time period for which the analytic information may be configured to apply, g) the third indication configured to indicate the confidence level the analytic information is to have, and h) the fourth indication of traffic configured to be subject to the content filtering.
In some embodiments, the another message may be configured to indicate how the content is to be filtered. How the content is to be filtered may be configured to indicate at least one action to apply to the traffic of the content.
In some embodiments, the another message may be configured to indicate: a) the first identifier of the analytic information, b) the first indication configured to indicate the type of the analytic, and c) for every device of the one or more devices 130 having exchanged unfiltered traffic for the indicated type of analytic with the one or more applications that are to be configured to be subject to content filtering: i) the respective third identifier, ii) the fourth indication, and iii) the third indication configured to indicate the confidence level that the device has exchanged unfiltered traffic for the indicated type of analytic with the one or more applications that are to be configured to be subject to content filtering.
In some embodiments, the first message may be configured to be a Nnwdaf_AnalyticsSubscription_Subscribe request message and the another message may be configured to be a Nnwdaf_AnalyticsSubscription_Notify request message.
In some embodiments, the first node 111 may be also configured to, e.g., by means of a sending unit 805 within the first node 111 configured to, send, based on the first message configured to be received, the respective second message to the one or more second nodes 112. The respective second message may be configured to request the provision of the respective message. The respective message may be configured to be the respective third message. The obtaining of the respective third message may be configured to be based on the respective second message configured to be sent.
In some embodiments, the one or more second nodes 112 may be configured to comprise the first second node 121, and at least one of: i) the respective second message may be configured to request to indicate, and ii) the respective third message may be configured to indicate at least one of: a) whether or not one or more subscribers associated to the one or more devices 130 are subject to content filtering, and b) the historical exchange of traffic of the one or more devices 130 with the one or more applications.
In some embodiments, the first second node 121 may be configured to be a UDR, the first node 111 may be configured to be an NWDAF, and the respective second message may be configured to be a Nudr_Query Request message.
In some embodiments, the one or more second nodes 112 may be configured to comprise the second second node 122, and at least one of: i) the respective second message may be configured to request to indicate, and ii) the respective third message may be configured to indicate at least one of: a) the one or more second applications configured to provide traffic of content corresponding to one or more types of content, and b) the fifth indication configured to indicate the one or more types of content.
In some embodiments, the second second node 122 may be configured to be an ICAP server, or another node, the first node 111 may be configured to be an NWDAF, and the respective second message may be configured to be a Query request message.
In some embodiments, the one or more second nodes 112 may be configured to comprise the third second node 123, and at least one of: i) the respective second message may be configured to request to indicate, and ii) the respective third message may be configured to indicate at least one of: a) the fourth identifier of the event configured to indicate collection of the analytic information, b) the respective third identifier of the one or more devices 130, and c) the second information of user plane traffic analysis and classification or mirrored traffic data.
In some embodiments, the third second node 123 may be configured to be a UPF, the first node 111 may be configured to be an NWDAF, the respective second message may be configured to be a Nupf_EventExposure_Subscribe request and the respective third message may be configured to be a Nupf_EventExposure_Notify.
In some embodiments, the one or more second nodes 112 may be configured to comprise the fourth second node 124, or the fifth second node 125, and at least one of: i) the respective second message may be configured to request to indicate, and ii) the respective third message may be configured to indicate at least one of: a) the fifth identifier of the event configured to indicate collection of the analytic information, b) the sixth indication configured to indicate the type of the event, c) the respective second identifier of the one or more applications, d) the respective third identifier of the one or more devices 130, and e) the third information of application layer content.
In some embodiments, the fourth second node 124 may be configured to be a NEF, the first node 111 may be configured to be an NWDAF, the respective second message may be configured to be a Nnef_EventExposure_Subscribe and the respective third message may be configured to be a Nnef_EventExposure_Notify request.
In some embodiments, the one or more second nodes 112 may be configured to comprise at least one of the one or more devices 130, and at least one of: i) the respective second message may be configured to request to indicate, and ii) the respective third message may be configured to indicate at least one of: a) the sixth identifier configured to indicate the type of the event, b) the respective third identifier of the one or more devices 130, and c) the respective seventh identifier of the one or more of the one or more applications configured to be installed in the at least one of the one or more devices 130. In some embodiments, the at least one of the one or more devices 130 may be configured to be a UE, the first node 111 may be configured to be an NWDAF, the respective second message may be configured to be a Nue_EventExposure_Subscribe request and the respective third message may be configured to be a Nue_EventExposure_Notify.
The embodiments herein may be implemented through one or more processors, such as a processor 806 in the first node 111 depicted in Figure 8, together with computer program code for performing the functions and actions of the embodiments herein. The program code mentioned above may also be provided as a computer program product, for instance in the form of a data carrier carrying computer program code for performing the embodiments herein when being loaded into the first node 111. One such carrier may be in the form of a CD ROM disc. It is however feasible with other data carriers such as a memory stick. The computer program code may furthermore be provided as pure program code on a server and downloaded to the first node 111.
The first node 111 may further comprise a memory 807 comprising one or more memory units. The memory 807 is arranged to be used to store obtained information, store data, configurations, schedulings, and applications etc. to perform the methods herein when being executed in the first node 111.
In some embodiments, the first node 111 may receive information from, e.g., any of the one or more second nodes 112, the third node 113, the fourth node 114, the radio network node 140, the one or more devices 130 and/or another node or device through a receiving port 808. In some examples, the receiving port 808 may be, for example, connected to one or more antennas in the first node 111. In other embodiments, the first node 111 may receive information from another structure in the communications system 100 through the receiving port 808. Since the receiving port 808 may be in communication with the processor 806, the receiving port 808 may then send the received information to the processor 806. The receiving port 808 may also be configured to receive other information.
The processor 806 in the first node 111 may be further configured to transmit or send information to e.g., any of the one or more second nodes 112, the third node 113, the fourth node 114, the radio network node 140, the one or more devices 130, another node or device and/or another structure in the communications system 100, through a sending port 809, which may be in communication with the processor 806, and the memory 807.
Those skilled in the art will also appreciate that any of the units 801-805 described above may refer to a combination of analog and digital circuits, and/or one or more processors configured with software and/or firmware, e.g., stored in memory, that, when executed by the one or more processors such as the processor 806, perform as described above. One or more of these processors, as well as the other digital hardware, may be included in a single Application-Specific Integrated Circuit (ASIC), or several processors and various digital hardware may be distributed among several separate components, whether individually packaged or assembled into a System-on-a-Chip (SoC).
Any of the units 801-805 described above may be the processor 806 of the first node 111, or an application running on such processor.
Thus, the methods according to the embodiments described herein for the first node 111 may be respectively implemented by means of a computer program 810 product, comprising instructions, i.e., software code portions, which, when executed on at least one processor 806, cause the at least one processor 806 to carry out the actions described herein, as performed by the first node 111. The computer program 810 product may be stored on a computer-readable storage medium 811. The computer-readable storage medium 811, having stored thereon the computer program 810, may comprise instructions which, when executed on at least one processor 806, cause the at least one processor 806 to carry out the actions described herein, as performed by the first node 111. In some embodiments, the computer-readable storage medium 811 may be a non-transitory computer-readable storage medium, such as a CD ROM disc, a memory stick, or stored in the cloud space. In other embodiments, the computer program 810 product may be stored on a carrier containing the computer program, wherein the carrier is one of an electronic signal, optical signal, radio signal, or the computer-readable storage medium 811, as described above.
The first node 111 may comprise an interface unit to facilitate communications between the first node 111 and other nodes or devices, e.g., any of the one or more second nodes 112, the third node 113, the fourth node 114, the radio network node 140, the one or more devices 130, another node or device and/or another structure in the communications system 100. In some particular examples, the interface may, for example, include a transceiver configured to transmit and receive radio signals over an air interface in accordance with a suitable standard.
In other embodiments, the first node 111 may comprise the following arrangement depicted in Figure 8b. The first node 111 may comprise a processing circuitry 806, e.g., one or more processors such as the processor 806, in the first node 111 and the memory 807. The first node 111 may also comprise a radio circuitry 812, which may comprise e.g., the receiving port 808 and the sending port 809. The processing circuitry 806 may be configured to, or operable to, perform the method actions according to Figure 3, Figure 6 and/or Figure 7, in a similar manner as that described in relation to Figure 8a. The radio circuitry 812 may be configured to set up and maintain at least a wireless connection with any of the one or more second nodes 112, the third node 113, the fourth node 114, the radio network node 140, the one or more devices 130, another node or device and/or another structure in the communications system 100. Hence, embodiments herein also relate to the first node 111 operative for handling access to content, the first node 111 being operative to operate in the communications system 100. The first node 111 may comprise the processing circuitry 806 and the memory 807, said memory 807 containing instructions executable by said processing circuitry 806, whereby the first node 111 is further operative to perform the actions described herein in relation to the first node 111, e.g., in Figure 3, Figure 6 and/or Figure 7.
Figure 9 depicts two different examples in panels a) and b), respectively, of the arrangement that the third node 113, may comprise to perform the method actions described above in relation to Figure 4, Figure 6 and/or Figure 7. In some embodiments, the third node 113 may comprise the following arrangement depicted in Figure 9a. The third node 113 may be understood to be for handling access to content. The third node 113 is configured to operate in the communications system 100.
Several embodiments are comprised herein. Components from one embodiment may be tacitly assumed to be present in another embodiment and it will be obvious to a person skilled in the art how those components may be used in the other exemplary embodiments. In Figure 9, optional boxes are indicated by dashed lines. The detailed description of some of the following corresponds to the same references provided above, in relation to the actions described for the third node 113 and will thus not be repeated here. For example, the first node 111 may be configured to be an NWDAF, the first second node 121 may be configured to be a UDR, the second second node 122 may be configured to be an ICAP server, the third second node 123 may be configured to be a UPF, the fourth second node 124 may be configured to be NEF, the fifth second node 125 may be configured to be an AS/AF, the third node 113 may be configured to be a consumer, e.g., a PCF, the fourth node 114 may be configured to be an SMF, and the one or more second nodes 112 may further comprise the one or more devices 130, e.g., UEs.
The third node 113 is configured to, e.g., by means of a receiving unit 901 within the third node 113 configured to, receive the another message from the first node 111 configured to operate in the communications system 100. The another message is configured to comprise the analytic information configured to be generated by the first node 111, about the one or more devices 130 configured to operate in the communications system 100 having exchanged traffic with the one or more applications that are to be configured to be subject to content filtering.
In some embodiments, the third node 113 is also configured to, e.g., by means of an initiating unit 902 within the third node 113 configured to, initiate performing, based on the another message configured to be received, the one or more actions to apply content filtering to the one or more applications for the one or more devices 130.
In some embodiments, the third node 113 may be configured to, e.g., by means of a sending unit 903 within the third node 113 configured to, send the first message to the first node 111. The first message may be configured to request that the first node 111 provide the analytic information. The analytic information configured to be generated may be configured to be based on the first message configured to be received.
In some embodiments, at least one of the first message and the another message may be configured to indicate at least one of the one or more options: a) the first identifier of the analytic information, b) the first indication configured to be indicating the type of the analytic, c) the respective second identifier of the one or more applications, d) the respective third identifier of the one or more devices 130, e) the first information configured to indicate how the content is to be filtered, f) the second indication configured to indicate the time period for which the analytic information is to apply, g) the third indication configured to indicate the confidence level the analytic information is to have, and h) the fourth indication of traffic subject to the content filtering.
In some embodiments, the another message may be configured to indicate how the content is to be filtered. How the content is to be filtered may be configured to indicate at least one action to apply to the traffic of the content.
In some embodiments, the another message may be configured to indicate: a) the first identifier of the analytic information, b) the first indication configured to indicate the type of the analytic, and c) for every device of the one or more devices 130 having exchanged unfiltered traffic for the indicated type of analytic with the one or more applications that are to be configured to be subject to content filtering: i) the respective third identifier, ii) the fourth indication, and iii) the third indication configured to indicate the confidence level that the device has exchanged unfiltered traffic for the indicated type of analytic with the one or more applications that are to be configured to be subject to content filtering.
In some embodiments, the first message may be configured to be a Nnwdaf_AnalyticsSubscription_Subscribe request message and the another message may be configured to be a Nnwdaf_AnalyticsSubscription_Notify request message.
In some embodiments, the one or more actions may be configured to comprise sending, directly or indirectly, the fourth message to at least one of: a) the one or more second nodes 112 configured to operate in the communications system 100, the fourth message being configured to indicate to store subscriber information configured to indicate the exchange of traffic, and b) the fourth node 114 or the one or more second nodes 112 configured to operate in the communications system 100, the fourth message being configured to indicate to block further traffic with one or more of the one or more applications.
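As an added illustration, not part of the application, the following sketch shows how a consumer such as the third node 113 might check a received notification against its own subscription before deriving the store and block actions described above. All field names, identifiers and the sample messages are hypothetical and constructed for this example, they are not 3GPP information elements, and the rule that only entries at or above the requested confidence level lead to blocking is an assumption.

```python
from dataclasses import dataclass


class InvalidNotification(ValueError):
    """Raised when a notification does not match the subscription or is malformed."""


@dataclass(frozen=True)
class Subscription:
    analytics_id: str       # a) first identifier of the analytic information
    analytic_type: str      # b) first indication: type of the analytic
    app_ids: frozenset      # c) second identifiers: applications subject to filtering
    min_confidence: int     # g) third indication: requested confidence level, 0..100


@dataclass(frozen=True)
class Action:
    target: str             # hypothetical label: "UDR" (store) or "SMF" (block)
    kind: str               # "store_subscriber_info" or "block_traffic"
    device_id: str
    app_id: str


def plan_actions(sub, notification):
    """Validate a notification and return (actions, skipped_device_ids)."""
    # The notification must belong to the analytic that was actually requested.
    if notification.get("analytics_id") != sub.analytics_id:
        raise InvalidNotification("analytics identifier does not match subscription")
    if notification.get("analytic_type") != sub.analytic_type:
        raise InvalidNotification("analytic type does not match subscription")

    actions, skipped = [], []
    for entry in notification.get("devices", []):
        device_id = entry.get("device_id")                  # i) third identifier
        app_id = (entry.get("traffic") or {}).get("app_id")  # ii) fourth indication
        confidence = entry.get("confidence")                # iii) third indication

        if not isinstance(device_id, str) or not device_id:
            raise InvalidNotification("entry without a device identifier")
        if (isinstance(confidence, bool) or not isinstance(confidence, int)
                or not 0 <= confidence <= 100):
            raise InvalidNotification(f"confidence out of range for {device_id}")

        # Never enforce against an application that was not subscribed for.
        if app_id not in sub.app_ids:
            skipped.append(device_id)
            continue

        # Record the exchange of traffic as subscriber information.
        actions.append(Action("UDR", "store_subscriber_info", device_id, app_id))
        # Assumption: block only when the reported confidence meets the request.
        if confidence >= sub.min_confidence:
            actions.append(Action("SMF", "block_traffic", device_id, app_id))
    return actions, skipped


# Constructed sample data (not taken from the application).
SAMPLE_SUBSCRIPTION = Subscription(
    analytics_id="cf-analytics-1",
    analytic_type="content_filtering",
    app_ids=frozenset({"app-a"}),
    min_confidence=80,
)
SAMPLE_NOTIFICATION = {
    "analytics_id": "cf-analytics-1",
    "analytic_type": "content_filtering",
    "devices": [
        {"device_id": "imsi-001010000000001", "traffic": {"app_id": "app-a"}, "confidence": 95},
        {"device_id": "imsi-001010000000002", "traffic": {"app_id": "app-a"}, "confidence": 40},
        {"device_id": "imsi-001010000000003", "traffic": {"app_id": "app-z"}, "confidence": 99},
    ],
}

if __name__ == "__main__":
    planned, ignored = plan_actions(SAMPLE_SUBSCRIPTION, SAMPLE_NOTIFICATION)
    for action in planned:
        print(action)
    print("skipped:", ignored)
```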
The embodiments herein may be implemented through one or more processors, such as a processor 904 in the third node 113 depicted in Figure 9, together with computer program code for performing the functions and actions of the embodiments herein. The program code mentioned above may also be provided as a computer program product, for instance in the form of a data carrier carrying computer program code for performing the embodiments herein when being loaded into the third node 113. One such carrier may be in the form of a CD ROM disc. It is however feasible with other data carriers such as a memory stick. The computer program code may furthermore be provided as pure program code on a server and downloaded to the third node 113.
The third node 113 may further comprise a memory 905 comprising one or more memory units. The memory 905 is arranged to be used to store obtained information, store data, configurations, schedulings, and applications etc. to perform the methods herein when being executed in the third node 113.
In some embodiments, the third node 113 may receive information from, e.g., the first node 111, any of the one or more second nodes 112, the fourth node 114, the radio network node 140, the one or more devices 130, and/or another node or device, through a receiving port 906. In some examples, the receiving port 906 may be, for example, connected to one or more antennas in the third node 113. In other embodiments, the third node 113 may receive information from another structure in the communications system 100 through the receiving port 906. Since the receiving port 906 may be in communication with the processor 904, the receiving port 906 may then send the received information to the processor 904. The receiving port 906 may also be configured to receive other information.
The processor 904 in the third node 113 may be further configured to transmit or send information to e.g., the first node 111, any of the one or more second nodes 112, the fourth node 114, the radio network node 140, the one or more devices 130, and/or another node or device and/or another structure in the communications system 100, through a sending port 907, which may be in communication with the processor 904, and the memory 905.
Those skilled in the art will also appreciate that any of the units 901-903 described above may refer to a combination of analog and digital circuits, and/or one or more processors configured with software and/or firmware, e.g., stored in memory, that, when executed by the one or more processors such as the processor 904, perform as described above. One or more of these processors, as well as the other digital hardware, may be included in a single Application-Specific Integrated Circuit (ASIC), or several processors and various digital hardware may be distributed among several separate components, whether individually packaged or assembled into a System-on-a-Chip (SoC).
Any of the units 901-903 described above may be the processor 904 of the third node 113, or an application running on such processor.
Thus, the methods according to the embodiments described herein for the third node 113 may be respectively implemented by means of a computer program 908 product, comprising instructions, i.e., software code portions, which, when executed on at least one processor 904, cause the at least one processor 904 to carry out the actions described herein, as performed by the third node 113. The computer program 908 product may be stored on a computer-readable storage medium 909. The computer-readable storage medium 909, having stored thereon the computer program 908, may comprise instructions which, when executed on at least one processor 904, cause the at least one processor 904 to carry out the actions described herein, as performed by the third node 113. In some embodiments, the computer-readable storage medium 909 may be a non-transitory computer-readable storage medium, such as a CD ROM disc, a memory stick, or stored in the cloud space. In other embodiments, the computer program 908 product may be stored on a carrier containing the computer program, wherein the carrier is one of an electronic signal, optical signal, radio signal, or the computer-readable storage medium 909, as described above.
The third node 113 may comprise an interface unit to facilitate communications between the third node 113 and other nodes or devices, e.g., the first node 111, any of the one or more second nodes 112, the fourth node 114, the radio network node 140, the one or more devices 130, another node or device and/or another structure in the communications system 100. In some particular examples, the interface may, for example, include a transceiver configured to transmit and receive radio signals over an air interface in accordance with a suitable standard.
In other embodiments, the third node 113 may comprise the following arrangement depicted in Figure 9b. The third node 113 may comprise a processing circuitry 904, e.g., one or more processors such as the processor 904, in the third node 113 and the memory 905. The third node 113 may also comprise a radio circuitry 910, which may comprise e.g., the receiving port 906 and the sending port 907. The processing circuitry 904 may be configured to, or operable to, perform the method actions according to Figure 4, Figure 6 and/or Figure 7, in a similar manner as that described in relation to Figure 9a. The radio circuitry 910 may be configured to set up and maintain at least a wireless connection with the first node 111, any of the one or more second nodes 112, the fourth node 114, the radio network node 140, the one or more devices 130, another node or device and/or another structure in the communications system 100. Hence, embodiments herein also relate to the third node 113 operative for handling access to content, the third node 113 being operative to operate in the communications system 100. The third node 113 may comprise the processing circuitry 904 and the memory 905, said memory 905 containing instructions executable by said processing circuitry 904, whereby the third node 113 is further operative to perform the actions described herein in relation to the third node 113, e.g., in Figure 4, Figure 6 and/or Figure 7.
Figure 10 depicts two different examples in panels a) and b), respectively, of the arrangement that the second node 112 may comprise to perform the method actions described above in relation to Figure 5, Figure 6 and/or Figure 7. In some embodiments, the second node 112 may comprise the following arrangement depicted in Figure 10a. The second node 112 may be understood to be for handling access to content. The second node 112 is configured to operate in the communications system 100.
Several embodiments are comprised herein. Components from one embodiment may be tacitly assumed to be present in another embodiment and it will be obvious to a person skilled in the art how those components may be used in the other exemplary embodiments. In Figure 10, optional boxes are indicated by dashed lines. The detailed description of some of the following corresponds to the same references provided above, in relation to the actions described for the third node 113 and will thus not be repeated here. For example, the first node 111 may be configured to be an NWDAF, the first second node 121 may be configured to be a UDR, the second second node 122 may be configured to be an ICAP server, the third second node 123 may be configured to be a UPF, the fourth second node 124 may be configured to be a NEF, the fifth second node 125 may be configured to be an AS/AF, the third node 113 may be configured to be a consumer, e.g., a PCF, the fourth node 114 may be configured to be an SMF, and the one or more second nodes 112 may further comprise the one or more devices 130, e.g., UEs.
The second node 112 is configured to, e.g., by means of a sending unit 1001 within the second node 112 configured to, send, to the first node 111 configured to operate in the communications system 100, the respective message. The respective message is configured to comprise the respective type of information. The respective type of information is configured to indicate that the one or more devices 130 configured to operate in the communications system 100 have exchanged traffic with the one or more applications that are to be configured to be subject to content filtering.
In some embodiments, the second node 112 may be further configured to, e.g., by means of a receiving unit 1002 within the second node 112 configured to, receive the respective second message from the first node 111. The respective second message may be further configured to request the provision of the respective message. The respective message may be configured to be the respective third message. The sending of the respective third message may be configured to be based on the respective second message configured to be received.
In some embodiments, the second node 112 may be configured to be the first second node 121, and at least one of: i) the respective second message may be configured to request to indicate, and ii) the respective third message may be configured to indicate at least one of: a) whether or not the one or more subscribers associated to the one or more devices 130 are subject to content filtering, and b) the historical exchange of traffic of the one or more devices 130 with the one or more applications.
In some embodiments, the first second node 121 may be configured to be a UDR, the first node 111 may be configured to be a NWDAF, and wherein the respective second message may be configured to be a Nudr_Query Request message.
In some embodiments, the second node 112 may be configured to be the second second node 122, and at least one of: i) the respective second message may be configured to request to indicate, and ii) the respective third message may be configured to indicate at least one of: a) the one or more second applications providing traffic of content corresponding to the one or more types of content, and b) the fifth indication configured to indicate the one or more types of content.
In some embodiments, the second second node 122 may be configured to be an ICAP server, or another node, the first node 111 may be configured to be an NWDAF, and the respective second message may be configured to be a Query request message.
In some embodiments, the second node 112 may be configured to be the third second node 123, and at least one of: i) the respective second message may be configured to request to indicate, and ii) the respective third message may be configured to indicate at least one of: a) the fourth identifier of the event configured to indicate collection of the analytic information, b) the respective third identifier of the one or more devices 130, and c) the second information of user plane traffic analysis and classification or mirrored traffic data.
In some embodiments, the third second node 123 may be configured to be a UPF, the first node 111 may be configured to be an NWDAF, the respective second message may be configured to be a Nupf_EventExposure_Subscribe request and the respective third message may be configured to be a Nupf_EventExposure_Notify.
In some embodiments, the second node 112 may be configured to be the fourth second node 124, or the fifth second node 125, and at least one of: i) the respective second message may be configured to request to indicate, and ii) the respective third message may be configured to indicate at least one of: a) the fifth identifier of the event configured to indicate collection of the analytic information, b) the sixth indication configured to indicate the type of the event, c) the respective second identifier of the one or more applications, d) the respective third identifier of the one or more devices 130, and e) the third information of application layer content.
In some embodiments, the fourth second node 124 may be configured to be a NEF, the first node 111 may be configured to be an NWDAF, the respective second message may be configured to be a Nnef_EventExposure_Subscribe and the respective third message may be configured to be a Nnef_EventExposure_Notify request.
In some embodiments, the second node 112 may be configured to be at least one of the one or more devices 130, and at least one of: i) the respective second message may be configured to request to indicate, and ii) the respective third message may be configured to indicate at least one of: a) the sixth identifier configured to indicate the type of the event, b) the respective third identifier of the one or more devices 130, and c) the respective seventh identifier of the one or more of the one or more applications configured to be installed in the at least one of the one or more devices 130.
In some embodiments, the at least one of the one or more devices 130 may be configured to be a UE, the first node 111 may be configured to be an NWDAF, the respective second message may be configured to be a Nue_EventExposure_Subscribe request and the respective third message may be configured to be a Nue_EventExposure_Notify.
In some embodiments, the second node 112 may be further configured to, e.g., by means of the receiving unit 1002 within the second node 112 configured to, receive, directly or indirectly, the fourth message from the third node 113 configured to operate in the communications network 100. The fourth message may be configured to indicate to perform the one or more actions. The one or more actions may be configured to comprise one of: to store subscriber information indicating the exchange of traffic, and to block further traffic with the one or more of the one or more applications.
The second node 112 is configured to, e.g., by means of an initiating unit 1003 within the second node 112 configured to, initiate performing the one or more actions configured to be indicated.
The embodiments herein may be implemented through one or more processors, such as a processor 1004 in the second node 112 depicted in Figure 10, together with computer program code for performing the functions and actions of the embodiments herein. The program code mentioned above may also be provided as a computer program product, for instance in the form of a data carrier carrying computer program code for performing the embodiments herein when being loaded into the second node 112. One such carrier may be in the form of a CD ROM disc. It is however feasible with other data carriers such as a memory stick. The computer program code may furthermore be provided as pure program code on a server and downloaded to the second node 112.
The second node 112 may further comprise a memory 1005 comprising one or more memory units. The memory 1005 is arranged to be used to store obtained information, store data, configurations, schedulings, and applications etc. to perform the methods herein when being executed in the second node 112.
In some embodiments, the second node 112 may receive information from, e.g., the first node 111, any of the other one or more second nodes 112, the third node 113, the fourth node 114, the radio network node 140, the one or more devices 130, and/or another node or device, through a receiving port 1006. In some examples, the receiving port 1006 may be, for example, connected to one or more antennas in the second node 112. In other embodiments, the second node 112 may receive information from another structure in the communications system 100 through the receiving port 1006. Since the receiving port 1006 may be in communication with the processor 1004, the receiving port 1006 may then send the received information to the processor 1004. The receiving port 1006 may also be configured to receive other information.
The processor 1004 in the second node 112 may be further configured to transmit or send information to e.g., the first node 111, any of the other one or more second nodes 112, the third node 113, the fourth node 114, the radio network node 140, the one or more devices 130, another node or device and/or another structure in the communications system 100, through a sending port 1007, which may be in communication with the processor 1004, and the memory 1005.
Those skilled in the art will also appreciate that the units 1001-1003 described above may refer to a combination of analog and digital circuits, and/or one or more processors configured with software and/or firmware, e.g., stored in memory, that, when executed by the one or more processors such as the processor 1004, perform as described above. One or more of these processors, as well as the other digital hardware, may be included in a single Application-Specific Integrated Circuit (ASIC), or several processors and various digital hardware may be distributed among several separate components, whether individually packaged or assembled into a System-on-a-Chip (SoC).
The units 1001-1003 described above may be the processor 1004 of the second node 112, or an application running on such processor.
Thus, the methods according to the embodiments described herein for the second node 112 may be respectively implemented by means of a computer program 1008 product, comprising instructions, i.e., software code portions, which, when executed on at least one processor 1004, cause the at least one processor 1004 to carry out the actions described herein, as performed by the second node 112. The computer program 1008 product may be stored on a computer-readable storage medium 1009. The computer-readable storage medium 1009, having stored thereon the computer program 1008, may comprise instructions which, when executed on at least one processor 1004, cause the at least one processor 1004 to carry out the actions described herein, as performed by the second node 112. In some embodiments, the computer-readable storage medium 1009 may be a non-transitory computer-readable storage medium, such as a CD ROM disc, a memory stick, or stored in the cloud space. In other embodiments, the computer program 1008 product may be stored on a carrier containing the computer program, wherein the carrier is one of an electronic signal, optical signal, radio signal, or the computer-readable storage medium 1009, as described above.
The second node 112 may comprise an interface unit to facilitate communications between the second node 112 and other nodes or devices, e.g., the first node 111, any of the other one or more second nodes 112, the third node 113, the fourth node 114, the radio network node 140, the one or more devices 130, another node or device and/or another structure in the communications system 100. In some particular examples, the interface may, for example, include a transceiver configured to transmit and receive radio signals over an air interface in accordance with a suitable standard.
In other embodiments, the second node 112 may comprise the following arrangement depicted in Figure 10b. The second node 112 may comprise a processing circuitry 1004, e.g., one or more processors such as the processor 1004, in the second node 112 and the memory 1005. The second node 112 may also comprise a radio circuitry 1010, which may comprise e.g., the receiving port 1006 and the sending port 1007. The processing circuitry 1004 may be configured to, or operable to, perform the method actions according to Figure 5, Figure 6 and/or Figure 7, in a similar manner as that described in relation to Figure 10a. The radio circuitry 1010 may be configured to set up and maintain at least a wireless connection with the first node 111, any of the other one or more second nodes 112, the third node 113, the fourth node 114, the radio network node 140, the one or more devices 130, another node or device and/or another structure in the communications system 100.
Hence, embodiments herein also relate to the second node 112 operative for handling access to content, the second node 112 being operative to operate in the communications system 100. The second node 112 may comprise the processing circuitry 1004 and the memory 1005, said memory 1005 containing instructions executable by said processing circuitry 1004, whereby the second node 112 is further operative to perform the actions described herein in relation to the second node 112, e.g., in Figure 5, Figure 6 and/or Figure 7.
When using the word “comprise” or “comprising”, it shall be interpreted as non-limiting, i.e. meaning “consist at least of”.
The embodiments herein are not limited to the above described preferred embodiments. Various alternatives, modifications and equivalents may be used. Therefore, the above embodiments should not be taken as limiting the scope of the invention.
Generally, all terms used herein are to be interpreted according to their ordinary meaning in the relevant technical field, unless a different meaning is clearly given and/or is implied from the context in which it is used. All references to a/an/the element, apparatus, component, means, step, etc. are to be interpreted openly as referring to at least one instance of the element, apparatus, component, means, step, etc., unless explicitly stated otherwise. The steps of any methods disclosed herein do not have to be performed in the exact order disclosed, unless a step is explicitly described as following or preceding another step and/or where it is implicit that a step must follow or precede another step. Any feature of any of the embodiments disclosed herein may be applied to any other embodiment, wherever appropriate. Likewise, any advantage of any of the embodiments may apply to any other embodiments, and vice versa. Other objectives, features and advantages of the enclosed embodiments will be apparent from the following description.
As used herein, the expression “at least one of:” followed by a list of alternatives separated by commas, and wherein the last alternative is preceded by the “and” term, may be understood to mean that only one of the list of alternatives may apply, more than one of the list of alternatives may apply or all of the list of alternatives may apply. This expression may be understood to be equivalent to the expression “at least one of:” followed by a list of alternatives separated by commas, and wherein the last alternative is preceded by the “or” term.
Any of the terms processor and circuitry may be understood herein as a hardware component.
As used herein, the expression “in some embodiments” has been used to indicate that the features of the embodiment described may be combined with any other embodiment or example disclosed herein.
As used herein, the expression “in some examples” has been used to indicate that the features of the example described may be combined with any other embodiment or example disclosed herein.
REFERENCES
1. 3GPP TS 23.288 v17.2.0 (Sept 2021): Architecture enhancements for 5G System (5GS) to support network data analytics services.

Claims

1. A method, performed by a first node (111), for handling access to content, the first node (111) operating in a communications system (100), the method comprising:
- obtaining (303), from one or more second nodes (112) operating in the communications system (100), a respective message, the respective message comprising a respective type of information, the respective type of information indicating that one or more devices (130) operating in the communications system (100) have exchanged traffic with one or more applications that are to be subject to content filtering, and
- initiating (305) sending another message to a third node (113) operating in the communications system (100), the another message being based on the received respective message, the another message comprising analytic information generated by the first node (111), about the one or more devices (130) having exchanged traffic with the one or more applications.
2. The method according to claim 1, the method further comprising:
- receiving (301) a first message from the third node (113), the first message requesting that the first node (111) provide the analytic information,
- generating (304) the analytic information based on the received respective message, by checking whether traffic in the communications system (100) matches one or more options indicated in the first message, and wherein the generated analytic information is based on the received first message.
3. The method according to claim 2, wherein at least one of the first message and the another message indicates at least one of the one or more options: a. a first identifier of the analytic information, b. a first indication indicating a type of the analytic, c. a respective second identifier of the one or more applications, d. a respective third identifier of the one or more devices (130), e. first information indicating how the content is to be filtered, f. a second indication indicating a time period for which the analytic information is to apply, g. a third indication indicating a confidence level the analytic information is to have, and h. a fourth indication of traffic subject to the content filtering.
4. The method according to claim 3, wherein the another message indicates how the content is to be filtered, and wherein how the content is to be filtered indicates at least one action to apply to the traffic of the content.
5. The method according to any of claims 3-4, wherein the another message indicates: a. the first identifier of the analytic information, b. the first indication indicating the type of the analytic, and c. for every device of the one or more devices (130) having exchanged unfiltered traffic for the indicated type of analytic with the one or more applications that are to be subject to content filtering: i. the respective third identifier, ii. the fourth indication, and iii. the third indication indicating the confidence level that the device has exchanged unfiltered traffic for the indicated type of analytic with the one or more applications that are to be subject to content filtering.
6. The method according to any of claims 2-5, wherein the first message is a Nnwdaf_AnalyticsSubscription_Subscribe request message and wherein the another message is a Nnwdaf_AnalyticsSubscription_Notify request message.
7. The method according to any of claims 2-6, wherein the method further comprises:
- sending (302), based on the received first message, a respective second message to the one or more second nodes (112), the respective second message requesting the provision of the respective message, wherein the respective message is a respective third message, and wherein the obtaining (303) of the respective third message is based on the sent respective second message.
8. The method according to claim 7, wherein the one or more second nodes (112) comprise a first second node (121), and wherein at least one of: i) the respective second message requests to indicate, and ii) the respective third message indicates at least one of: a. whether or not one or more subscribers associated to the one or more devices (130) are subject to content filtering, b. historical exchange of traffic of the one or more devices (130) with the one or more applications.
9. The method according to claim 8, wherein the first second node (121) is a Unified Data Repository, UDR, the first node (111) is a Network Data Analytics Function, NWDAF, and wherein the respective second message is a Nudr_Query Request message.
10. The method according to claim 9, wherein the one or more second nodes (112) comprise a second second node (122), and wherein at least one of: i) the respective second message requests to indicate, and ii) the respective third message indicates at least one of: a. one or more second applications providing traffic of content corresponding to one or more types of content, and b. a fifth indication indicating the one or more types of content.
11. The method according to claim 10, wherein the second second node (122) is an Internet Content Adaptation Protocol, ICAP, server, or another node, the first node (111) is an NWDAF, and wherein the respective second message is a Query request message.
12. The method according to claim 7, wherein the one or more second nodes (112) comprise a third second node (123), and wherein at least one of: i) the respective second message requests to indicate, and ii) the respective third message indicates at least one of: a. a fourth identifier of an event indicating collection of the analytic information, b. a respective third identifier of the one or more devices (130), and c. second information of user plane traffic analysis and classification or mirrored traffic data.
13. The method according to claim 12, wherein the third second node (123) is a User Plane Function, UPF, the first node (111) is an NWDAF, the respective second message is a Nupf_EventExposure_Subscribe request and the respective third message is a Nupf_EventExposure_Notify.
14. The method according to claim 7, wherein the one or more second nodes (112) comprise a fourth second node (124), or a fifth second node (125), and wherein at least one of: i) the respective second message requests to indicate, and ii) the respective third message indicates at least one of: a. a fifth identifier of an event indicating collection of the analytic information, b. a sixth indication indicating a type of the event, c. a respective second identifier of the one or more applications, d. a respective third identifier of the one or more devices (130), and e. third information of application layer content.
15. The method according to claim 14, wherein the fourth second node (124) is a Network Exposure Function, NEF, the first node (111) is an NWDAF, the respective second message is a Nnef_EventExposure_Subscribe and the respective third message is a Nnef_EventExposure_Notify request.
16. The method according to claim 7, wherein the one or more second nodes (112) comprise at least one of the one or more devices (130), and wherein at least one of: i) the respective second message requests to indicate, and ii) the respective third message indicates at least one of: a. a sixth identifier indicating a type of the event, b. a respective third identifier of the one or more devices (130), and c. a respective seventh identifier of one or more of the one or more applications installed in the at least one of the one or more devices (130).
17. The method according to claim 16, wherein the at least one of the one or more devices (130) is a user equipment, UE, the first node (111) is an NWDAF, the respective second message is a Nue_EventExposure_Subscribe request and the respective third message is a Nue_EventExposure_Notify.
18. A method, performed by a third node (113), for handling access to content, the third node (113) operating in a communications system (100), the method comprising:
- receiving (402) another message from a first node (111) operating in the communications system (100), the another message comprising analytic information generated by the first node (111), about one or more devices (130) operating in the communications system (100) having exchanged traffic with one or more applications that are to be subject to content filtering, and
- initiating performing (403), based on the received another message, one or more actions to apply content filtering to the one or more applications for the one or more devices (130).
19. The method according to claim 18, the method further comprising:
- sending (401) a first message to the first node (111), the first message requesting that the first node (111) provide the analytic information, wherein the generated analytic information is based on the received first message.
20. The method according to claim 19, wherein at least one of the first message and the another message indicates at least one of the one or more options: a. a first identifier of the analytic information, b. a first indication indicating a type of the analytic, c. a respective second identifier of the one or more applications, d. a respective third identifier of the one or more devices (130), e. first information indicating how the content is to be filtered, f. a second indication indicating a time period for which the analytic information is to apply, g. a third indication indicating a confidence level the analytic information is to have, and h. a fourth indication of traffic subject to the content filtering.
21. The method according to claim 20, wherein the another message indicates how the content is to be filtered, and wherein how the content is to be filtered indicates at least one action to apply to the traffic of the content.
22. The method according to any of claims 20-21, wherein the another message indicates: a. the first identifier of the analytic information, b. the first indication indicating the type of the analytic, and c. for every device of the one or more devices (130) having exchanged unfiltered traffic for the indicated type of analytic with the one or more applications that are to be subject to content filtering: i. the respective third identifier, ii. the fourth indication, and iii. the third indication indicating the confidence level that the device has exchanged unfiltered traffic for the indicated type of analytic with the one or more applications that are to be subject to content filtering.
23. The method according to any of claims 18-22, wherein the first message is a Nnwdaf_AnalyticsSubscription_Subscribe request message and wherein the another message is a Nnwdaf_AnalyticsSubscription_Notify request message.
24. The method according to any of claims 18-23, wherein the one or more actions comprise sending, directly or indirectly, a fourth message to at least one of: a. one or more second nodes (112) operating in the communications system (100), the fourth message indicating to store subscriber information indicating the exchange of traffic, and b. a fourth node (114) or the one or more second nodes (112) operating in the communications system (100), the fourth message indicating to block further traffic with one or more of the one or more applications.
25. A method, performed by a second node (112), for handling access to content, the second node (112) operating in a communications system (100), the method comprising:
- sending (502), to a first node (111) operating in the communications system (100), a respective message, the respective message comprising a respective type of information, the respective type of information indicating that one or more devices (130) operating in the communications system (100) have exchanged traffic with one or more applications that are to be subject to content filtering.
26. The method according to claim 25, wherein the method further comprises:
- receiving (501) a respective second message from the first node (111), the respective second message requesting the provision of the respective message, wherein the respective message is a respective third message, and wherein the sending (502) of the respective third message is based on the received respective second message.
27. The method according to claim 26, wherein the second node (112) is a first second node (121), and wherein at least one of: i) the respective second message requests to indicate, and ii) the respective third message indicates at least one of: a. whether or not one or more subscribers associated to the one or more devices (130) are subject to content filtering, b. historical exchange of traffic of the one or more devices (130) with the one or more applications.
28. The method according to claim 27, wherein the first second node (121) is a Unified Data Repository, UDR, the first node (111) is a Network Data Analytics Function, NWDAF, and wherein the respective second message is a Nudr_Query Request message.
29. The method according to claim 26, wherein the second node (112) is a second second node (122), and wherein at least one of: i) the respective second message requests to indicate, and ii) the respective third message indicates at least one of: a. one or more second applications providing traffic of content corresponding to one or more types of content, and b. a fifth indication indicating the one or more types of content.
30. The method according to claim 29, wherein the second second node (122) is an Internet Content Adaptation Protocol, ICAP, server, or another node, the first node (111) is an NWDAF, and the respective second message is a Query request message.
31. The method according to claim 26, wherein the second node (112) is a third second node (123), and wherein at least one of: i) the respective second message requests to indicate, and ii) the respective third message indicates at least one of: a. a fourth identifier of an event indicating collection of the analytic information, b. a respective third identifier of the one or more devices (130), and c. second information of user plane traffic analysis and classification or mirrored traffic data.
32. The method according to claim 31, wherein the third second node (123) is a User Plane Function, UPF, the first node (111) is an NWDAF, the respective second message is a Nupf_EventExposure_Subscribe request and the respective third message is a Nupf_EventExposure_Notify.
33. The method according to claim 26, wherein the second node (112) is a fourth second node (124), or a fifth second node (125), and wherein at least one of: i) the respective second message requests to indicate, and ii) the respective third message indicates at least one of: a. a fifth identifier of an event indicating collection of the analytic information, b. a sixth indication indicating a type of the event, c. a respective second identifier of the one or more applications, d. a respective third identifier of the one or more devices (130), and e. third information of application layer content.
34. The method according to claim 33, wherein the fourth second node (124) is a Network Exposure Function, NEF, the first node (111) is an NWDAF, the respective second message is a Nnef_EventExposure_Subscribe and the respective third message is a Nnef_EventExposure_Notify request.
35. The method according to claim 26, wherein the second node (112) is at least one of the one or more devices (130), and wherein at least one of: i) the respective second message requests to indicate, and ii) the respective third message indicates at least one of: a. a sixth identifier indicating a type of the event, b. a respective third identifier of the one or more devices (130), and c. a respective seventh identifier of one or more of the one or more applications installed in the at least one of the one or more devices (130).
36. The method according to claim 35, wherein the at least one of the one or more devices (130) is a user equipment, UE, the first node (111) is an NWDAF, the respective second message is a Nue_EventExposure_Subscribe request and the respective third message is a Nue_EventExposure_Notify.
37. The method according to any of claims 25-36, wherein the method further comprises:
- receiving (503), directly or indirectly, a fourth message from a third node (113) operating in the communications network (100), the fourth message indicating to perform one or more actions, wherein the one or more actions comprise one of: to store subscriber information indicating the exchange of traffic, and to block further traffic with one or more of the one or more applications, and
- initiate (504) performing the indicated one or more actions.
38. A first node (111), for handling access to content, the first node (111) being configured to operate in a communications system (100), the first node (111) being further configured to:
- obtain, from one or more second nodes (112) configured to operate in the communications system (100), a respective message, the respective message being configured to comprise a respective type of information, the respective type of information being configured to indicate that one or more devices (130) configured to operate in the communications system (100) have exchanged traffic with one or more applications that are to be configured to be subject to content filtering, and
- initiate sending another message to a third node (113) configured to operate in the communications system (100), the another message being configured to be based on the respective message configured to be received, the another message being configured to comprise analytic information configured to be generated by the first node (111), about the one or more devices (130) having exchanged traffic with the one or more applications.
39. The first node (111) according to claim 38, the first node (111) being further configured to:
- receive a first message from the third node (113), the first message being configured to request that the first node (111) provide the analytic information,
- generate the analytic information based on the respective message configured to be received, by checking whether traffic in the communications system (100) matches one or more options configured to be indicated in the first message, and wherein the analytic information configured to be generated is based on the first message configured to be received.
40. The first node (111) according to claim 39, wherein at least one of the first message and the another message is configured to indicate at least one of the one or more options: a. a first identifier of the analytic information, b. a first indication indicating a type of the analytic, c. a respective second identifier of the one or more applications, d. a respective third identifier of the one or more devices (130), e. first information configured to indicate how the content is to be filtered, f. a second indication configured to indicate a time period for which the analytic information is configured to apply, g. a third indication configured to indicate a confidence level the analytic information is to have, and h. a fourth indication of traffic configured to be subject to the content filtering.
41. The first node (111) according to claim 40, wherein the another message is configured to indicate how the content is to be filtered, and wherein how the content is to be filtered is configured to indicate at least one action to apply to the traffic of the content.
42. The first node (111) according to any of claims 40-41, wherein the another message is configured to indicate: a. the first identifier of the analytic information, b. the first indication configured to indicate the type of the analytic, and c. for every device of the one or more devices (130) having exchanged unfiltered traffic for the indicated type of analytic with the one or more applications that are to be configured to be subject to content filtering: i. the respective third identifier, ii. the fourth indication, and iii. the third indication configured to indicate the confidence level that the device has exchanged unfiltered traffic for the indicated type of analytic with the one or more applications that are to be configured to be subject to content filtering.
43. The first node (111) according to any of claims 39-42, wherein the first message is configured to be a Nnwdaf_AnalyticsSubscription_Subscribe request message and wherein the another message is configured to be a Nnwdaf_AnalyticsSubscription_Notify request message.
44. The first node (111) according to any of claims 39-43, wherein the first node (111) is further configured to:
- send, based on the first message configured to be received, a respective second message to the one or more second nodes (112), the respective second message being configured to request the provision of the respective message, wherein the respective message is configured to be a respective third message, and wherein the obtaining of the respective third message is configured to be based on the respective second message configured to be sent.
45. The first node (111) according to claim 44, wherein the one or more second nodes (112) are configured to comprise a first second node (121), and wherein at least one of: i) the respective second message is configured to request to indicate, and ii) the respective third message is configured to indicate at least one of: a. whether or not one or more subscribers associated to the one or more devices (130) are subject to content filtering, and b. historical exchange of traffic of the one or more devices (130) with the one or more applications.
46. The first node (111) according to claim 45, wherein the first second node (121) is configured to be a Unified Data Repository, UDR, the first node (111) is configured to be a Network Data Analytics Function, NWDAF, and wherein the respective second message is configured to be a Nudr_Query Request message.
47. The first node (111) according to claim 46, wherein the one or more second nodes (112) are configured to comprise a second second node (122), and wherein at least one of: i) the respective second message is configured to request to indicate, and ii) the respective third message is configured to indicate at least one of: a. one or more second applications configured to provide traffic of content corresponding to one or more types of content, and b. a fifth indication configured to indicate the one or more types of content.
48. The first node (111) according to claim 47, wherein the second second node (122) is configured to be an Internet Content Adaptation Protocol, ICAP, server, or another node, the first node (111) is configured to be an NWDAF, and wherein the respective second message is configured to be a Query request message.
49. The first node (111) according to claim 44, wherein the one or more second nodes (112) are configured to comprise a third second node (123), and wherein at least one of: i) the respective second message is configured to request to indicate, and ii) the respective third message is configured to indicate at least one of: a. a fourth identifier of an event configured to indicate collection of the analytic information, b. a respective third identifier of the one or more devices (130), and c. second information of user plane traffic analysis and classification or mirrored traffic data.
50. The first node (111) according to claim 49, wherein the third second node (123) is configured to be a User Plane Function, UPF, the first node (111) is configured to be an NWDAF, the respective second message is configured to be a Nupf_EventExposure_Subscribe request and the respective third message is configured to be a Nupf_EventExposure_Notify.
51. The first node (111) according to claim 44, wherein the one or more second nodes (112) are configured to comprise a fourth second node (124), or a fifth second node (125), and wherein at least one of: i) the respective second message is configured to request to indicate, and ii) the respective third message is configured to indicate at least one of: a. a fifth identifier of an event configured to indicate collection of the analytic information, b. a sixth indication configured to indicate a type of the event, c. a respective second identifier of the one or more applications, d. a respective third identifier of the one or more devices (130), and e. third information of application layer content.
52. The first node (111) according to claim 51, wherein the fourth second node (124) is configured to be a Network Exposure Function, NEF, the first node (111) is configured to be an NWDAF, the respective second message is configured to be a Nnef_EventExposure_Subscribe and the respective third message is configured to be a Nnef_EventExposure_Notify request.
53. The first node (111) according to claim 44, wherein the one or more second nodes (112) are configured to comprise at least one of the one or more devices (130), and wherein at least one of: i) the respective second message is configured to request to indicate, and ii) the respective third message is configured to indicate at least one of: a. a sixth identifier configured to indicate a type of the event, b. a respective third identifier of the one or more devices (130), and c. a respective seventh identifier of one or more of the one or more applications configured to be installed in the at least one of the one or more devices (130).
54. The first node (111) according to claim 53, wherein the at least one of the one or more devices (130) is configured to be a user equipment, UE, the first node (111) is configured to be an NWDAF, the respective second message is configured to be a Nue_EventExposure_Subscribe request and the respective third message is configured to be a Nue_EventExposure_Notify.
55. A third node (113), for handling access to content, the third node (113) being configured to operate in a communications system (100), the third node (113) being further configured to:
- receive another message from a first node (111) configured to operate in the communications system (100), the another message being configured to comprise analytic information configured to be generated by the first node (111), about one or more devices (130) configured to operate in the communications system (100) having exchanged traffic with one or more applications that are to be configured to be subject to content filtering, and
- initiate performing, based on the another message configured to be received, one or more actions to apply content filtering to the one or more applications for the one or more devices (130).
56. The third node (113) according to claim 55, the third node (113) being further configured to:
- send a first message to the first node (111), the first message being configured to request that the first node (111) provide the analytic information, wherein the analytic information configured to be generated is configured to be based on the first message configured to be received.
57. The third node (113) according to claim 56, wherein at least one of the first message and the another message is configured to indicate at least one of the one or more options: a. a first identifier of the analytic information, b. a first indication configured to be indicating a type of the analytic, c. a respective second identifier of the one or more applications, d. a respective third identifier of the one or more devices (130), e. first information configured to indicate how the content is to be filtered, f. a second indication configured to indicate a time period for which the analytic information is to apply, g. a third indication configured to indicate a confidence level the analytic information is to have, and h. a fourth indication of traffic subject to the content filtering.
58. The third node (113) according to claim 57, wherein the another message is configured to indicate how the content is to be filtered, and wherein how the content is to be filtered is configured to indicate at least one action to apply to the traffic of the content.
59. The third node (113) according to any of claims 57-58, wherein the another message is configured to indicate: a. the first identifier of the analytic information, b. the first indication configured to indicate the type of the analytic, and c. for every device of the one or more devices (130) having exchanged unfiltered traffic for the indicated type of analytic with the one or more applications that are to be configured to be subject to content filtering: i. the respective third identifier, ii. the fourth indication, and iii. the third indication configured to indicate the confidence level that the device has exchanged unfiltered traffic for the indicated type of analytic with the one or more applications that are to be configured to be subject to content filtering.
60. The third node (113) according to any of claims 55-59, wherein the first message is configured to be a Nnwdaf_AnalyticsSubscription_Subscribe request message and wherein the another message is configured to be a Nnwdaf_AnalyticsSubscription_Notify request message.
61. The third node (113) according to any of claims 55-60, wherein the one or more actions are configured to comprise sending, directly or indirectly, a fourth message to at least one of: a. one or more second nodes (112) configured to operate in the communications system (100), the fourth message being configured to indicate to store subscriber information configured to indicate the exchange of traffic, and b. a fourth node (114) or the one or more second nodes (112) configured to operate in the communications system (100), the fourth message being configured to indicate to block further traffic with one or more of the one or more applications.
62. A second node (112), for handling access to content, the second node (112) being configured to operate in a communications system (100), the second node (112) being further configured to:
- send, to a first node (111) configured to operate in the communications system (100), a respective message, the respective message being configured to comprise a respective type of information, the respective type of information being configured to indicate that one or more devices (130) configured to operate in the communications system (100) have exchanged traffic with one or more applications that are to be configured to be subject to content filtering.
63. The second node (112) according to claim 62, wherein the second node (112) is further configured to:
- receive a respective second message from the first node (111), the respective second message being further configured to request the provision of the respective message, wherein the respective message is configured to be a respective third message, and wherein the sending of the respective third message is configured to be based on the respective second message configured to be received.
64. The second node (112) according to claim 63, wherein the second node (112) is configured to be a first second node (121), and wherein at least one of: i) the respective second message is configured to request to indicate, and ii) the respective third message is configured to indicate at least one of: a. whether or not one or more subscribers associated to the one or more devices (130) are subject to content filtering, and b. historical exchange of traffic of the one or more devices (130) with the one or more applications.
65. The second node (112) according to claim 64, wherein the first second node (121) is configured to be a Unified Data Repository, UDR, the first node (111) is configured to be a Network Data Analytics Function, NWDAF, and wherein the respective second message is configured to be a Nudr_Query Request message.
66. The second node (112) according to claim 62, wherein the second node (112) is configured to be a second second node (122), and wherein at least one of: i) the respective second message is configured to request to indicate, and ii) the respective third message is configured to indicate at least one of: a. one or more second applications providing traffic of content corresponding to one or more types of content, and b. a fifth indication configured to indicate the one or more types of content.
67. The second node (112) according to claim 66, wherein the second second node (122) is configured to be an Internet Content Adaptation Protocol, ICAP, server, or another node, the first node (111) is configured to be an NWDAF, and the respective second message is configured to be a Query request message.
68. The second node (112) according to claim 62, wherein the second node (112) is configured to be a third second node (123), and wherein at least one of: i) the respective second message is configured to request to indicate, and ii) the respective third message is configured to indicate at least one of: a. a fourth identifier of an event configured to indicate collection of the analytic information, b. a respective third identifier of the one or more devices (130), and c. second information of user plane traffic analysis and classification or mirrored traffic data.
69. The second node (112) according to claim 68, wherein the third second node (123) is configured to be a User Plane Function, UPF, the first node (111) is configured to be an NWDAF, the respective second message is configured to be a Nupf_EventExposure_Subscribe request and the respective third message is configured to be a Nupf_EventExposure_Notify.
70. The second node (112) according to claim 63, wherein the second node (112) is configured to be a fourth second node (124), or a fifth second node (125), and wherein at least one of: i) the respective second message is configured to request to indicate, and ii) the respective third message is configured to indicate at least one of: a. a fifth identifier of an event configured to indicate collection of the analytic information, b. a sixth indication configured to indicate a type of the event, c. a respective second identifier of the one or more applications, d. a respective third identifier of the one or more devices (130), and e. third information of application layer content.
71. The second node (112) according to claim 70, wherein the fourth second node (124) is configured to be a Network Exposure Function, NEF, the first node (111) is configured to be an NWDAF, the respective second message is configured to be a Nnef_EventExposure_Subscribe and the respective third message is configured to be a Nnef_EventExposure_Notify request.
72. The second node (112) according to claim 63, wherein the second node (112) is configured to be at least one of the one or more devices (130), and wherein at least one of: i) the respective second message is configured to request to indicate, and ii) the respective third message is configured to indicate at least one of: a. a sixth identifier configured to indicate a type of the event, b. a respective third identifier of the one or more devices (130), and c. a respective seventh identifier of one or more of the one or more applications configured to be installed in the at least one of the one or more devices (130).
73. The second node (112) according to claim 72, wherein the at least one of the one or more devices (130) is configured to be a user equipment, UE, the first node (111) is configured to be an NWDAF, the respective second message is configured to be a Nue_EventExposure_Subscribe request and the respective third message is configured to be a Nue_EventExposure_Notify.
74. The second node (112) according to any of claims 62-73, wherein the second node (112) is further configured to:
- receive, directly or indirectly, a fourth message from a third node (113) configured to operate in the communications network (100), the fourth message being configured to indicate to perform one or more actions, wherein the one or more actions are configured to comprise one of: to store subscriber information indicating the exchange of traffic, and to block further traffic with one or more of the one or more applications, and
- initiate (504) performing the one or more actions configured to be indicated.
PCT/EP2022/054815 2022-02-09 2022-02-25 First node, second node, third node and methods performed thereby for handling access to content Ceased WO2023151825A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
EP22382105 2022-02-09
EP22382105.9 2022-02-09

Publications (1)

Publication Number Publication Date
WO2023151825A1 (en) 2023-08-17

Family

ID=80682351

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/EP2022/054815 Ceased WO2023151825A1 (en) 2022-02-09 2022-02-25 First node, second node, third node and methods performed thereby for handling access to content

Country Status (1)

Country Link
WO (1) WO2023151825A1 (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20200358689A1 (en) * 2019-05-07 2020-11-12 Electronics And Telecommunications Research Institute Method and system for providing communication analysis of user equipment based on network data analysis
EP3780702A1 (en) * 2018-03-27 2021-02-17 China Academy of Telecommunications Technology Method and device for monitoring network data
US20210099367A1 (en) * 2019-09-27 2021-04-01 Samsung Electronics Co., Ltd. Method and apparatus for detecting service and analyzing service characteristic using nwdaf in mobile communication system
WO2022019044A1 (en) * 2020-07-22 2022-01-27 Nec Corporation Network data analytic function node, network function node, and control method therefor

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
"Architecture enhancements for 5G System (5GS) to support network data analytics services", 3GPP TS 23.288, September 2021 (2021-09-01)
3GPP TR 23.700-91

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 22712824

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 22712824

Country of ref document: EP

Kind code of ref document: A1