CN106453421B - Cooperative defence method against service-tampering DoS attacks in a Smart Identifier Network integrated with LTE - Google Patents

Publication number: CN106453421B
Authority: CN (China)
Application number: CN201611122590.0A
Other languages: Chinese (zh)
Other versions: CN106453421A
Inventors: 陈佳, 童博, 张宏科, 左元钧, 寸怡鹏, 贾海宇
Assignee (original and current): Beijing Jiaotong University
Legal status: Expired - Fee Related (as listed by Google Patents; not a legal conclusion)


Classifications

    • H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Detecting or protecting against malicious traffic > H04L63/1441 Countermeasures against malicious traffic > H04L63/1458 Denial of Service
    • H04L63/12 Applying verification of the received information


Abstract

The invention discloses a cooperative defence method against service-tampering DoS attacks in a Smart Identifier Network integrated with LTE. The method comprises: maintaining an abnormal-SID reputation management table on the PGW, and adding to each data packet returned by the GSR a check probability associated with the SID carried in that packet; when the PGW receives a data packet, checking whether the packet's SID is present in the table and, if so, overwriting the check probability in the packet with the value stored in the table for that SID, otherwise leaving the packet's check probability unchanged; when an eNodeB receives a data packet forwarded by the PGW, deciding according to the packet's check probability whether to perform signature authentication on it, and if authentication is performed and succeeds, caching and forwarding the packet, while if it fails, discarding the packet and sending the PGW an abnormality alarm carrying the SID; and when the PGW receives such an alarm, checking whether the SID is in the table and, if so, raising the check probability stored for that SID, otherwise adding the SID to the table and then raising its check probability. The invention improves the probability of detecting tampered data packets.

Description

Cooperative defence method against service-tampering DoS attacks in a Smart Identifier Network integrated with LTE
Technical field
The present invention relates to the field of network communication technology, and in particular to a cooperative defence method against DoS (Denial of Service) attacks that tamper with services in a Smart Identifier Network integrated with LTE (Long Term Evolution).
Background art
Over its long development, and especially in recent years, the Internet has expanded sharply in scale. Its original design, built on the so-called "triple binding" model, makes its mode of operation relatively "static" and "rigid" and leads to many hard problems. The binding of resources to locations makes network-wide cloud computing hard to realise; the binding of control to data makes energy-saving operation of the network hard; and the binding of identity to location makes the scalability, mobility and security problems of the network hard to solve effectively. The conventional Internet also lacks mechanisms for intelligence, perception, cognition and dynamic adaptation: when user or network behaviour changes, the network can hardly perceive the change and adapt its resources dynamically, which leads to unreasonable resource allocation, low utilisation and high energy consumption.
To solve these problems, and setting aside the idea of continuing to patch the existing design, research organisations around the world have in recent years proposed new network architectures one after another. Among them, the Smart Identifier Network is the future Internet architecture proposed by the National Engineering Laboratory for Next Generation Internet Interconnection Devices at Beijing Jiaotong University, under the National Basic Research Program (973 Program) project "Basic research on the theory of the Smart Identifier Network", through in-depth research into a future network architecture that supports smart (intelligent, perceptive, cognitive, dynamic) services and networks. Its advantage is that it combines the strengths of the Internet and of traditional telecommunication networks: it decouples the dual role of the IP address by separating identity from location and resources from location, which improves the scalability, security and mobility of the network. The Smart Identifier Network divides the network into an entity domain and a behaviour domain and introduces the Access Identifier (AID) and the Routing Identifier (RID); this improves network service quality on the one hand and network security on the other, and the architecture can be integrated with the existing Internet and network frameworks.
As an important component of next-generation Internet research, the Smart Identifier Network is content-centric within its architecture, and its routing and caching differ from those of a traditional IP network. Through a distributed content caching mechanism the architecture realises data transmission centred on content and changes the traditional host-based communication model.
With the flourishing of the mobile Internet and the rapid development of new network applications, data traffic has overtaken voice traffic to become the main traffic load. While people enjoy all kinds of new network services, explosive traffic growth keeps raising the demands on the mobile Internet; with the rise of smart devices the volume of content people download is unprecedented, which puts great pressure on the network. Wireless operators worldwide therefore face growing demand for high-speed mobile broadband; more and more users turn to bandwidth-hungry applications such as video, and operators have to find new technology to meet these rising needs. Relative to 3G, LTE provides high-speed mobile broadband: its theoretical download rate is about 100 Mbit/s, roughly 2000 times that of dial-up, so a 600 MB file downloads in under a minute. In practice, though, all bandwidth is affected by transmission distance and by the number of users online at the same time. The ITU's basic technical requirements for 4G are currently a rate of 100 Mbit/s while moving and 1 Gbit/s when stationary or moving slowly. Compared with existing mobile communication technology, 4G can raise transmission speed by a factor of up to 1000.
In recent years, Internet security problems have become increasingly prominent, while online work, e-commerce and even e-government have all developed rapidly. When the Internet was designed, it was assumed that all nodes were trustworthy and that all were free and equal. As a result, the traditional Internet lacks a user identity authentication mechanism and a secure management mechanism, which makes identity impersonation and deception possible. The network is full of attackers who obtain illegal gains by technical means (viruses or network attacks). Solutions to Internet security have been sought continually, such as firewalls, security audit systems and intrusion detection systems, but none of them fundamentally solves the verification of a user's identity and credibility.
The Smart Identifier Network comprises three layers: the network component layer, the resource adaptation layer and the smart service layer. The smart service layer is responsible for the unified naming and description of services, for describing service behaviour and for dynamically and intelligently matching services; these services include the various network services offered by operators or third-party value-added service providers, chiefly voice, data and streaming media. The smart service layer introduces the Service Identifier (SID) to label smart services and realises the separation of a service's resources from its location: it not only completes the unified naming and description of services but also achieves their separation from location. Service identifier mapping is used to dynamically match a given service with a network family (a combination of underlying network components) in the resource adaptation layer, realising smart coupling between services and the network infrastructure and making service delivery more reliable.
The Smart Identifier Network is a content-centric architecture: users no longer pay attention to where content is stored, only to the content itself. Messages are identified by the name of the service itself rather than by something like an IP address. Two kinds of packet are transmitted in network communication: interest packets carrying a service identifier, which users send as requests, and data packets returned by the server (or a cache node). The requester sends an interest packet carrying a service identifier; the Smart Identifier Network nodes forward it to the nearest node able to respond with the requested content; the data packet containing the service identifier and the content is then sent back to the requester along the reverse path of the interest packet, completing one transfer of information.
Fig. 1 shows an existing network that integrates an LTE network with a Smart Identifier Network. The main network elements are: the basic LTE elements, namely the LTE base station eNodeB (Evolved Node B) and, in the core network EPC (Evolved Packet Core), the network nodes MME (Mobility Management Entity) and serving gateway SGW (Serving GateWay); the Smart Identifier Network private-network elements, namely the SID server, the private-network router GSR (Gigabit Switch Router) and the mapping server; and the mobile private-network security gateway, a device that merges the PDN gateway PGW (PDN GateWay) with the private-network access router ASR.
In this environment, the request issued by a user terminal UE (User Equipment) may be a SID request, which requires the network elements of the LTE network to support processing of data packets that contain a SID. SID-based communication differs from traditional IP/AID-based communication in three respects. First, the format of the packet issued by the user terminal differs: the fields it contains mainly include SID, AID, UID and others. Second, the communication procedure differs: a SID request issued by the UE must first pass through the SID resolution server, which resolves the SID field in the packet and returns the AID or AID group corresponding to the SID to the UE, after which the UE requests communication with the corresponding AID. Third, when a packet reaches the mobile private-network security gateway, the AID field in the packet is replaced by a RID, which the mapping server allocates for the corresponding AID.
In this environment, as shown in Fig. 2, the procedure by which a user terminal accesses the LTE network and sends a SID request to the private network comprises 14 steps in total: steps 1 to 11 are the steps by which the user terminal accesses the LTE network, and steps 12 to 14 are the steps by which the user terminal, having accessed the LTE network and started normal communication, sends a SID request to the private network, which means sending the SID request to the private-network router GSR.
As described above, every node in the integrated LTE and Smart Identifier Network has a content store CS for caching data packets. Unlike an IP router, which clears the stored content as soon as forwarding is done, the nodes in this network keep completed data cached as far as possible so that different users can request the same data conveniently. But each node's storage space is limited and no node can cache an unbounded number of packets. When the cached packets reach the maximum the node can hold and a new packet arrives, cache replacement must be performed: old packets are discarded according to some policy so that the node's storage does not fill up, which reduces the probability that a content request fails.
This caching can, however, be exploited by an attacker who obtains data packets in this way. If the attacker controls the router of some node and tampers with the content of a data packet without changing its SID, then when a normal interest packet arrives the tampered packet is returned because the SID matches, and the tampering is only discovered when the packet reaches the user, who finds that it is not the content wanted. Meanwhile every node on the whole return downlink has cached the tampered packet for that SID, so when other users request the same SID again they likewise fail to get the desired content. When a legitimate user then makes a normal request, the intermediate nodes can no longer serve it correctly, and the user has to request the data from a more distant cache node or even the content source, which greatly reduces request efficiency. If the routing nodes also performed signature authentication the overhead would be very large: experiments show that, for a router with multiple gigabit interfaces, the computational performance required to authenticate the signature of every data packet is entirely impractical.
As described above, for the cache-based communication of the content-centric Smart Identifier Network architecture, an attacker can use attack means such as:
(1) controlling some router and tampering with the content of the data packets it receives, so that the content of those packets cached by its downstream routers is also tampered with;
(2) predicting some specific SID and, using a machine under the attacker's control, simulating a requester so that a data packet that matches that SID at the service provider but does not contain the content normal users expect is pre-deposited in the routers' caches.
Both attacks cause the interest packets of users making normal service requests to receive incorrect service content packets. In existing content-centric networks the mainstream technique against content tampering is SCIC (Self-Certifying Interests/Content), which comprises S-SCIC (Static Self-Certifying Interests/Content) and D-SCIC (Dynamic Self-Certifying Interests/Content). S-SCIC mainly generates a hash value automatically from the content of each data packet, so that once the packet's content changes the hash value changes with it. D-SCIC mainly has the requester add a field, PublisherPublicKeyDigest, to the interest packet, storing the hash of the service provider's public key; once the requester uses this field, each router verifies whether the returned data packet carries a public key identical to that in the interest packet.
Of these, S-SCIC solves content tampering very well. For continuous data (content1, content2, ...) its solution is to store the hash value hash2 of content2 inside content1, so that it suffices to know hash1, the hash value of content1, to guarantee the correctness of a whole run of continuous data. Its scope, however, is limited to static data such as a film or an e-book, whose provider can compute the hash of each piece of content in advance and send hash1 to the requester. In a real network there is a great deal of dynamic content, which may not even exist before the request is issued (for example the result of a web search); in such cases S-SCIC cannot guarantee the integrity and accuracy of the content. D-SCIC, meanwhile, can solve content tampering caused by some controlled service providers, but once an attacker directly modifies the content of the packets cached on routers from a service provider the requester trusts, rather than the public key, the public key still matches while the content of the packets returned along the way is still wrong. Moreover, no current naming scheme based on self-certification can support self-certifying content naming for static and dynamic content at the same time.
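The S-SCIC hash chain just described, as an added example that is not part of the patent: every packet carries its segment together with the hash of the next packet, so a requester who holds only hash1 can verify the whole run and locate the first packet that was altered. The segment bytes are constructed sample data; the hash function (SHA-256) and the empty next-hash on the last packet are assumptions, since the text does not fix them. Because publish_chain must see every segment before it can emit hash1, the code also makes concrete why the scheme cannot cover content that does not exist until after the request.

```python
import hashlib

def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def publish_chain(segments):
    """Provider side: returns (hash1, packets), where packets[i] = (content_i, hash_{i+1})
    and the last packet's next-hash is empty. All segments must be known up front,
    which is why this only works for static content (film, e-book)."""
    packets, next_hash = [], b""
    for seg in reversed(segments):
        packets.append((seg, next_hash))
        next_hash = h(seg + next_hash)   # hash_i covers content_i and hash_{i+1}
    packets.reverse()
    return next_hash, packets            # next_hash is now hash1

def verify_chain(hash1: bytes, packets):
    """Requester/router side: index of the first packet that breaks the chain,
    or None when every packet checks out against the hash carried before it."""
    expected = hash1
    for i, (seg, next_hash) in enumerate(packets):
        if h(seg + next_hash) != expected:
            return i
        expected = next_hash
    return None

def demo():
    """Constructed run: one clean verification, one content swap, one forged pointer."""
    segments = [b"segment-1", b"segment-2", b"segment-3"]
    hash1, packets = publish_chain(segments)
    ok = verify_chain(hash1, packets)
    tampered = list(packets)
    tampered[1] = (b"attacker-content", packets[1][1])   # content changed, pointer kept
    bad_content = verify_chain(hash1, tampered)
    spliced = list(packets)
    spliced[0] = (packets[0][0], h(b"forged-successor"))  # pointer to a forged next packet
    bad_pointer = verify_chain(hash1, spliced)
    return ok, bad_content, bad_pointer
```

demo() returns (None, 1, 0): the untouched chain verifies, the content swap is caught at packet 1, and a rewritten next-hash pointer is caught already at packet 0 because hash1 covers it.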
Accordingly, there is a need for a cooperative defence method against service-tampering DoS attacks in a Smart Identifier Network integrated with LTE that, within a reasonable range of computational performance, raises the probability of detecting data packets whose content has been maliciously tampered with and reduces the probability that such tampered packets are cached.
Summary of the invention
The purpose of the present invention is to provide a cooperative defence method against service-tampering DoS attacks in a Smart Identifier Network integrated with LTE, so as to achieve the following:
1. When an attacker has seized some private-network router GSR in the private network and tampers with the content of SID-carrying data packets that the GSR caches or receives, cooperative defence is performed when the packets are transferred into the LTE network, reducing the probability that tampered packets are cached by the eNodeB and increasing the probability that mobile users obtain correct service content normally;
2. Because the PGW carries a huge volume of traffic, the PGW itself performs no signature authentication; instead the eNodeBs that access the private network through the PGW act as verification units and together form the cooperative defence mechanism, with the PGW acting as a central controller that raises the probability of an eNodeB detecting a tampered packet, effectively guaranteeing efficiency while taking performance into account.
In order to achieve the above objectives, the present invention adopts the following technical solutions:
A cooperative defence method against service-tampering DoS attacks in a Smart Identifier Network integrated with LTE, comprising the following steps:
An abnormal-SID reputation management table is maintained on the PGW, and a check probability corresponding to the SID carried in the packet is added to each data packet returned by the GSR;
When the PGW receives the data packet, it checks whether the packet's SID is present in the abnormal-SID reputation management table; if so, it sets the check probability in the packet to the check probability stored in the table for that SID; otherwise it keeps the check probability already in the packet;
When the eNodeB receives the data packet forwarded by the PGW, it decides according to the check probability in the packet whether to perform signature authentication on it; if signature authentication is performed and succeeds, the packet is cached and sent to the user terminal; if signature authentication is performed and fails, the packet is discarded and an abnormality alarm message carrying the packet's SID is sent to the PGW;
When the PGW receives the abnormality alarm message carrying the SID, it checks whether that SID is present in the abnormal-SID reputation management table; if so, it raises the check probability stored in the table for that SID; otherwise it adds the SID to the table and raises the check probability stored in the table for that SID.
Preferably, the initial value of the check probability added to the data packets returned by the GSR is the same for every SID.
Preferably, the data packet further comprises a digital signature and the service content provided.
Beneficial effects of the present invention are as follows:
The technical solution of the invention keeps the original system's authentication, access and communication functions while addressing the attack that may occur in a SID-request network environment, in which a node router controlled by an attacker tampers with content, causing eNodeBs to store large amounts of erroneous cached data and reducing the efficiency with which users request correct content. Having analysed this behaviour, a cooperative defence mechanism is added on the PGW and the eNodeBs that confines malicious SID tampering in the private network at the edge of the mobile core network, effectively protecting the content security of base stations in the mobile network and the quality of service acquisition for users.
Description of the drawings
Specific embodiments of the invention are described in further detail below with reference to the accompanying drawings.
Fig. 1 shows the network environment topology of a prior-art network integrating an LTE network with a Smart Identifier Network.
Fig. 2 shows the basic communication flow, in the network environment of the prior-art integrated LTE and Smart Identifier Network, by which a user terminal accesses the LTE network and sends a SID request to the private network.
Fig. 3 shows the specific signalling flow of the cooperative defence method against service-tampering DoS attacks in a Smart Identifier Network integrated with LTE.
Detailed description
To illustrate the invention more clearly, it is further described below with reference to preferred embodiments and the drawings. Like parts are denoted by like reference numerals in the drawings. Those skilled in the art will appreciate that what is described below is illustrative and not restrictive and should not be taken to limit the scope of the invention.
The cooperative defence method against service-tampering DoS attacks in a Smart Identifier Network integrated with LTE disclosed by the invention comprises the following steps:
An abnormal-SID reputation management table is maintained on the PGW, and a check probability corresponding to the SID in the packet is added to each data packet that the GSR returns in response to the SID request sent by the UE; the initial value of the check probability added to every data packet in the network is the same;
When the PGW receives a data packet returned by the GSR, it checks whether the packet's SID is present in the abnormal-SID reputation management table; if so, it sets the check probability in the packet to the check probability stored in the table for that SID; otherwise it keeps the check probability already in the packet;
Because the PGW carries a huge volume of traffic, the PGW itself performs no signature authentication; instead the eNodeBs that access the private network through the PGW act as verification units and together form the cooperative defence mechanism. So when an eNodeB receives a data packet forwarded by the PGW, it decides according to the check probability in the packet whether to perform signature authentication on it; if signature authentication is performed and succeeds, the packet is cached directly and sent to the next-hop eNodeB or to the user terminal; if signature authentication is performed and fails, the packet is discarded and an abnormality alarm message carrying the packet's SID is sent to the PGW;
When the PGW receives the abnormality alarm message carrying the SID, this means the content of the packets for that SID may have been tampered with, so it checks whether the SID is present in the abnormal-SID reputation management table; if so, it downgrades the SID's reputation level and raises the check probability stored in the table for that SID; otherwise it adds the SID to the table, downgrades its reputation level and raises the check probability stored in the table for that SID. If the PGW finds that the SID is not in the table, the SID's check probability has never been raised by the PGW and is still the initial value added to the GSR's data packets, so the PGW raises the check probability stored in the table for that SID on top of that initial value.
When the PGW next receives a data packet with the same SID returned by the GSR, the packet's check probability is raised by the PGW, which increases the probability that a tampered packet is detected by the eNodeB and hence the probability that nodes cache correct packet content.
As shown in Fig. 3, the specific signalling of the cooperative defence method disclosed by the invention is illustrated as follows:
First, before the cooperative defence method starts to execute, the user terminal must access the LTE network and send a SID request to the private network. This access and SID-request procedure is the ordinary access request procedure of the prior art, briefly: the SGW sends a PDP context request to the PGW; the PGW sends a PDP context response to the SGW; the user opens a web page on the user terminal, which starts the WEB authentication process, and enters a user name and password on the login page; the authentication service checks the user name and password and returns the authentication result; if authentication passes, the user is redirected to the ASR authentication management address, and the ASR module allows the terminal to join the network, allocates it a routing identifier and adds it to the mapping table. When the user sends a data packet, the PGW/ASR replaces the user's access identifier with the allocated routing identifier. Thereafter, having accessed the LTE network and started normal communication, the user terminal sends a SID request to the private network;
Then, the specific signalling of the cooperative defence method is illustrated as follows:
An abnormal-SID reputation management table is maintained on the PGW, and a check probability corresponding to the SID in the packet is added to each data packet that the GSR returns in response to the SID request sent by the UE, the initial value of this check probability being the same for every packet returned by the GSR;
The SID request sent by UE1 to the private network reaches a GSR controlled by the attacker, who has tampered with the content of the packets cached on that GSR carrying that SID; the tampered packet is returned, and the GSRs along the return path likewise cache the tampered packet;
When the packet returned by the attacker-controlled GSR reaches the PGW, the PGW checks whether the packet's SID is present in the abnormal-SID reputation management table; if the table on the PGW does not contain this SID, the check probability P1 in the packet is kept, and when the packet reaches base station eNodeB1, eNodeB1 decides according to P1 whether to perform signature authentication on it;
If eNodeB1 performs signature authentication and it fails, the packet has been tampered with: eNodeB1 discards the packet directly and feeds back to the PGW an abnormality alarm message carrying the packet's SID;
When the PGW receives the abnormality alarm message, it adds the SID to the abnormal-SID reputation management table, downgrades the SID's reputation level and raises the check probability stored in the table for that SID from P1 to P2.
Later, UE2, in the range of another base station eNodeB2, sends a SID request to the private network for the same SID as in UE1's earlier request; it likewise obtains the tampered packet from the private network, which is returned;
When this tampered packet reaches the PGW, its SID already has a record in the PGW's abnormal-SID reputation management table, so the check probability in the packet is set to P2; when the packet reaches base station eNodeB2, eNodeB2 decides whether to perform signature authentication based on the new probability P2 (P2 > P1), so the probability that the tampering is detected is higher.
In this solution, the signaling format of data in the network integrating LTE with the smart identifier network is defined as follows:
1) The format of the data packet that the GSR provides or returns in response to an SID request (also called an interest packet) is as follows:
SID CheckProbability Signature Content
Wherein:
SID: service identifier;
CheckProbability: verification probability;
Signature: digital signature;
Content: the provided service content.
2) The storage format of the abnormal-SID reputation management table is as follows:
SID` Level CheckProbability
Wherein:
SID`: abnormal service identifier;
Level: the current reputation level of the service identifier;
CheckProbability: the verification probability of the service identifier, evaluated according to its reputation level.
3) The format of the message by which the eNodeB feeds back abnormal-SID information to the PGW is as follows:
SID` CheckProbability Option
Wherein:
SID`: abnormal service identifier;
CheckProbability: the verification probability of the service identifier, evaluated according to its reputation level;
Option: option.
The composite defense method against service-tampering DoS attacks in the LTE-integrated smart identifier network disclosed by the invention has the following features:
(1) An abnormal-SID reputation management table is established on the PGW, from which the verification probability of an SID can be determined in real time according to its reputation level;
(2) As soon as signature authentication of a packet fails, the eNodeB feeds the SID information of that packet back to the PGW, so that the next user requesting the same SID through another eNodeB benefits from the earlier detection; this realizes a composite defense mechanism formed jointly by the eNodeB and the PGW;
(3) The method of determining the verification probability: a functional relationship is constructed from the change in the SID's reputation level and the load imbalance among the eNodeBs in the current domain, and the verification probability of a specific abnormal SID is determined from it.
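The following Python is an added illustration, not code from the patent: it replays the UE1/UE2 scenario and the three message formats above, with the PGW holding the abnormal-SID reputation table, the eNodeB verifying the signature with probability CheckProbability, and a failed verification fed back as an alarm that raises the stored probability. The HMAC key, the SID, P1 = 0.2, P2 = 0.8, the fixed draws in place of random ones, and the level-to-probability step function are all assumptions; the patent does not specify that function.

```python
import hashlib, hmac
# Constructed demo values (assumptions, not from the patent): signing key, P1 and P2.
KEY = b"constructed-demo-key"
P1, P2 = 0.2, 0.8

def sign(sid, content):
    return hmac.new(KEY, sid.encode() + content, hashlib.sha256).hexdigest()  # stands in for Signature

def gsr_packet(sid, content, signature):  # interest packet as the GSR returns it, CheckProbability = P1
    return {"SID": sid, "CheckProbability": P1, "Signature": signature, "Content": content}

def probability_for_level(level):  # assumed step function: level 0 -> P1, -1 -> P2, lower -> 1.0
    return P1 if level == 0 else P2 if level == -1 else 1.0

class PGW:
    def __init__(self):
        self.table = {}  # abnormal-SID reputation table: SID` -> {"Level", "CheckProbability"}
    def forward(self, pkt):
        # A recorded SID gets the table's probability; an unknown SID keeps the packet's P1
        if pkt["SID"] in self.table:
            pkt["CheckProbability"] = self.table[pkt["SID"]]["CheckProbability"]
        return pkt
    def alarm(self, sid, check_probability, option=None):
        # Feedback message (SID`, CheckProbability, Option): add or degrade the SID, raise its probability
        entry = self.table.setdefault(sid, {"Level": 0, "CheckProbability": check_probability})
        entry["Level"] -= 1
        entry["CheckProbability"] = probability_for_level(entry["Level"])

class ENodeB:
    def __init__(self, pgw, draw):
        self.pgw, self.draw, self.cache = pgw, draw, {}  # draw() replaces a uniform random draw
    def receive(self, pkt):
        if self.draw() >= pkt["CheckProbability"]:
            return "delivered-unverified"  # probabilistic signature check skipped this time
        if sign(pkt["SID"], pkt["Content"]) != pkt["Signature"]:
            self.pgw.alarm(pkt["SID"], pkt["CheckProbability"])
            return "dropped"
        self.cache[pkt["SID"]] = pkt  # authenticated: cache, then deliver to the UE
        return "delivered-verified"

def run_scenario():
    pgw, sid = PGW(), "sid://private/video"  # constructed SID
    sig = sign(sid, b"genuine content")  # signature of the content before tampering
    enb1 = ENodeB(pgw, draw=lambda: 0.1)  # 0.1 < P1: eNodeB1 happens to verify
    enb2 = ENodeB(pgw, draw=lambda: 0.5)  # P1 <= 0.5 < P2: verifies only once the table says P2
    r1 = enb1.receive(pgw.forward(gsr_packet(sid, b"tampered content", sig)))
    after_alarm = pgw.table[sid]["CheckProbability"]
    r2 = enb2.receive(pgw.forward(gsr_packet(sid, b"tampered content", sig)))
    return {"enb1": r1, "after_alarm": after_alarm, "enb2": r2, "final": pgw.table[sid]["CheckProbability"]}
```

With these draws eNodeB2 would have skipped verification under P1, but catches the tampered packet because eNodeB1's alarm raised the SID's probability to P2.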
Obviously, the above embodiments are merely examples given to illustrate the present invention clearly and do not limit its embodiments. Those of ordinary skill in the art may make other variations or changes in different ways on the basis of the above description; not all embodiments can be listed exhaustively here, and any obvious changes or variations derived from the technical solution of the present invention remain within its scope of protection.

Claims (3)

1. A composite defense method against service-tampering DoS attacks in a smart identifier network integrating LTE, characterized in that the method comprises the following steps:
An abnormal service identifier (SID) reputation management table is maintained on the PGW, and a verification probability corresponding to the SID in the packet is added to the data packet returned by the gigabit switch router (GSR);
When the PGW receives the data packet, it judges whether the SID in the packet exists in the abnormal-SID reputation management table; if so, the verification probability in the packet is set to the verification probability stored for that SID in the abnormal-SID reputation management table; otherwise the verification probability in the packet is kept;
When the eNodeB receives the data packet returned by the PGW, it decides according to the verification probability in the packet whether to perform signature authentication on the packet; if signature authentication is performed and succeeds, the packet is cached and sent to the user terminal; if signature authentication is performed and fails, the packet is discarded and an abnormal alarm message carrying the SID of the packet is sent to the PGW;
When the PGW receives the abnormal alarm message carrying the SID of the packet, it judges whether that SID exists in the abnormal-SID reputation management table; if so, the verification probability stored for that SID in the table is raised; otherwise the SID is added to the abnormal-SID reputation management table and the verification probability stored for it is raised.
2. The composite defense method against service-tampering DoS attacks in a smart identifier network integrating LTE according to claim 1, characterized in that the initial value of the verification probability corresponding to the SID added to the data packets returned by the GSR is the same for all packets.
3. The composite defense method against service-tampering DoS attacks in a smart identifier network integrating LTE according to claim 1, characterized in that the data packet further comprises a digital signature and the provided service content.
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201611122590.0A CN106453421B (en) 2016-12-08 2016-12-08 The wisdom mark network of fusion LTE distorts the composite defense method of DoS attack to service

Publications (2)

Publication Number Publication Date
CN106453421A CN106453421A (en) 2017-02-22
CN106453421B true CN106453421B (en) 2019-08-16

Family

ID=58216250

Country Status (1)

Country Link
CN (1) CN106453421B (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109462498B (en) * 2018-10-24 2020-09-15 北京交通大学 Intelligent network system and communication method thereof
CN113316152A (en) * 2021-05-21 2021-08-27 重庆邮电大学 DoS attack detection method and defense method for terminal in LTE system
CN117278993A (en) * 2022-06-15 2023-12-22 中兴通讯股份有限公司 Method for regulating and controlling network connection request, controller, base station and storage medium

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101631026A (en) * 2008-07-18 2010-01-20 北京启明星辰信息技术股份有限公司 Method and device for defending against denial-of-service attacks
JP2011150663A (en) * 2010-01-25 2011-08-04 Sony Corp Power management apparatus, and display method
CN104506459A (en) * 2014-12-10 2015-04-08 北京交通大学 Data packet transmission method, device and system in intelligent cooperative network
CN104580165A (en) * 2014-12-19 2015-04-29 北京交通大学 Cooperative caching method in intelligence cooperative network
CN105991557A (en) * 2015-02-05 2016-10-05 精硕世纪科技(北京)有限公司 Network attack defense method based on DNS intelligent analysis system

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2011155711A (en) * 2010-01-25 2011-08-11 Sony Corp Power management apparatus and method of providing game contents

Also Published As

Publication number Publication date
CN106453421A (en) 2017-02-22

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee
Granted publication date: 20190816
Termination date: 20191208