CN106453421B - Cooperative defence method against service-tampering DoS attacks in a smart identifier network integrated with LTE
- Publication number: CN106453421B (application CN201611122590.0A)
- Authority: CN (China)
- Prior art keywords: sid, data packet, network, pgw, service
- Legal status: Expired - Fee Related
Classifications
- H—ELECTRICITY
  - H04—ELECTRIC COMMUNICATION TECHNIQUE
    - H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
      - H04L63/00—Network architectures or network communication protocols for network security
        - H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
          - H04L63/1441—Countermeasures against malicious traffic
            - H04L63/1458—Denial of Service
        - H04L63/12—Applying verification of the received information
Abstract
The present invention discloses a cooperative defence method against service-tampering DoS attacks in a smart identifier network integrated with LTE. The method comprises: maintaining an abnormal-SID reputation management table on the PGW, and adding to each data packet returned by the GSR a verification probability corresponding to the SID in that packet; when the PGW receives a data packet, checking whether the packet's SID is present in the table, and if so replacing the packet's verification probability with the value stored in the table for that SID, otherwise keeping the packet's verification probability unchanged; when the eNodeB receives a data packet returned by the PGW, deciding according to the packet's verification probability whether to perform signature authentication on it, and, if authentication is performed and succeeds, caching the packet and delivering it, whereas if authentication fails, discarding the packet and sending the PGW an abnormal-alarm message carrying the SID; and, when the PGW receives such a message, checking whether the SID is present in the table, raising the SID's verification probability in the table if it is, and otherwise adding the SID to the table and then raising its verification probability. The invention improves the probability that tampered data packets are detected.
Description
Technical field
The present invention relates to the field of network communication technology, and more particularly to a cooperative defence method against service-tampering DoS (Denial of Service) attacks in a smart identifier network integrated with LTE (Long Term Evolution).
Background technique
Over its long development, and especially in recent years, the Internet has expanded sharply in scale. Its original design, the "triple binding" model, makes its mode of operation relatively static and rigid and leads to many intractable problems. For example, the binding of resources to locations makes it difficult for the existing Internet to realize cloud computing at network-wide scale; the binding of control to data makes energy saving in the network difficult; and the binding of identity to location makes the scalability, mobility and security problems of the network difficult to solve effectively. Moreover, the conventional Internet is seriously deficient in intelligence, perception, cognition and dynamic smart mechanisms: when user or network behaviour changes, the network has difficulty perceiving the change and adapting resources dynamically, so network resources are allocated unreasonably, utilization is low and energy consumption is high.
To solve these problems of the existing Internet, and setting aside the patch-by-patch approach of continual repair, countries and network research institutions around the world have in recent years set out one after another to build new network architectures. Among them, the smart identifier network is a future Internet architecture proposed by the National Engineering Laboratory for Next Generation Internet Interconnection Devices at Beijing Jiaotong University, based on the National Basic Research Program (973 Program) project "Basic theory research on smart identifier networks", through in-depth study and exploration of a future network system theory that supports smart (intelligent perception, cognition, dynamic, etc.) services and networks. Its advantage is that it combines the strengths of the Internet and the conventional telecommunications network, decouples the dual semantics of the IP address, and uses identity/location separation and resource/location separation to improve network scalability, security and mobility. The smart identifier network divides the network into an entity domain and a behaviour domain and introduces the access identifier AID (Access Identifier) and the routing identifier RID (Routing Identifier); on one hand this improves the quality of network service, on the other hand it improves the security of the network, and it can be integrated with the existing Internet and network architectures.
As an important component of next-generation Internet research, the smart identifier network is content-centric within its architecture, and its routing and caching differ from those of a traditional IP network. Through a distributed content caching mechanism, the architecture realizes content-centric data transmission and changes the traditional host-centric network communication model.
With the flourishing of the mobile Internet and the rapid development of new network applications, data traffic has surpassed voice traffic to become the dominant traffic cost. While people enjoy new network services, traffic grows explosively, and the rise of smart devices continually aggravates the demand on the mobile Internet; the volume of content downloaded is unprecedented, which puts great pressure on the network. Wireless operators worldwide therefore face growing demand for high-speed mobile broadband; more and more users turn to bandwidth-hungry applications such as video, and operators have to find new technologies to meet these growing needs. Compared with 3G, LTE can provide high-speed mobile broadband: its theoretical download speed is about 100 MB/s, roughly 2000 times that of dial-up, so that at this speed a 600 MB file takes only 6 seconds to download. In practice, however, all bandwidth is affected by transmission distance and by the number of users online at the same time. The ITU's basic technical requirements for 4G are currently a rate of 100 Mbit/s while moving and 1 Gbit/s when stationary or moving slowly; compared with existing mobile communication technology, 4G can improve transmission speed by a factor of 1000.
In recent years, Internet security problems have become increasingly prominent, while online work, e-commerce and even e-government have all developed rapidly. When the Internet was designed, all nodes were assumed to be trustworthy, free and equal. As a result the traditional Internet lacks user identity authentication and secure management mechanisms, which makes identity impersonation and deception possible. The network is full of hackers who obtain illegal gains by technical means (viruses or network attacks). People continue to seek solutions to Internet security, such as firewalls, security audit systems and intrusion detection systems, but none of these fundamentally solves the problem of verifying the credibility of user identity authentication.
The smart identifier network comprises three layers: the network component layer, the resource adaptation layer and the smart service layer. The smart service layer is responsible for the uniform naming and description of services, the description of service behaviour, and the dynamic smart matching of services; these services include the various network services offered by operators or third-party value-added service providers, mainly voice, data and streaming media. The smart service layer introduces the service identifier SID (Service Identifier) to label smart services, which not only completes the uniform naming and description of a service but also realizes the separation of a service's resource from its location. The service identifier is used for smart mapping, that is, the dynamic matching between a given service and a network group (a combination of underlying network components) of the resource adaptation layer, realizing the smart coupling between services and the network infrastructure and making service delivery more reliable.
The smart identifier network is a content-centric architecture: the user no longer pays attention to where content is stored, but only to the content itself. Messages are identified by the name of the service rather than by an IP-like address. Two kinds of packet are transmitted in the network: interest packets, which carry a service identifier and are sent by the requesting user, and data packets, which are returned by the server (or by a cache node). The requester sends an interest packet carrying the service identifier; the nodes of the smart identifier network forward it to the nearest node able to respond with the requested content; the data packet containing the service identifier and the content is then sent back to the requester along the reverse path of the interest packet, completing one information transfer.
Fig. 1 shows the existing integrated network of an LTE network and a smart identifier network. Its main network elements are: the basic LTE elements, namely the LTE base station eNodeB (Evolved Node B) and, in the core network EPC (Evolved Packet Core), the network nodes MME (Mobility Management Entity) and SGW (Serving GateWay); the smart identifier network's private-network SID server, private-network router GSR (Gigabit Switch Router) and mapping server; and the mobile private-network security gateway device, which merges the PDN gateway PGW (PDN GateWay) with the private-network access router ASR.
In this network environment, a request issued by the user equipment UE (User Equipment) may be a SID request, which requires the network elements of the LTE network to support the processing of data packets containing a SID. SID-based communication differs from traditional IP/AID-based communication in three respects. First, the format of the packet issued by the user equipment differs: the fields in the packet mainly comprise SID, AID, UID and others. Second, the communication process differs: a SID request issued by the UE must first pass through the SID resolution server, which resolves the SID field in the packet and returns to the UE the AID or AID combination corresponding to the SID, after which the UE communicates with the corresponding AID. Third, when a packet is transferred to the mobile private-network security gateway, the AID field in the packet is replaced by a RID, which the mapping server allocates for that AID.
As shown in Fig. 2, in this network environment the process by which the user equipment accesses the LTE network and sends a SID request to the private network comprises 14 steps in total: steps 1 to 11 are the user equipment's access to the LTE network, and steps 12 to 14 are the user equipment, having accessed the LTE network and begun normal communication, sending a SID request to the private network, where sending a SID request to the private network means sending it to the private-network router GSR.
As described above, every node in the integrated LTE/smart identifier network includes a content store CS (content storage) used to cache data packets. Unlike an IP router, which empties its stored content as soon as forwarding is complete, the nodes of this network cache as much completed data as possible so that different users can request the same data. But each node's storage space is finite and cannot buffer an unlimited number of packets. When the cached data reaches the maximum the node's space can hold and a new packet arrives, cache replacement is necessary: old packets are discarded according to some policy, so that the node's storage is not filled up and the probability of content-request failure is reduced.
This caching, however, can be exploited by an attacker who obtains packets through it. If the attacker controls the router of some node and tampers with the content of a data packet without changing its SID, then when a normal interest packet arrives the matching SID returns the tampered packet, and the tampering is discovered only when the packet reaches the user, who finds it is not the desired content. Meanwhile, every node on the return downlink caches the tampered packet for that SID, so when another user requests the same SID it likewise fails to obtain the desired content. When a legitimate user then makes a normal request, the intermediate nodes can no longer serve it and the user has to fetch the data from a more distant cache node or even from the content source, greatly reducing request efficiency. If the routing nodes also performed signature authentication, the overhead would be very large; experiments show that the computing performance required for a router with multiple gigabit interfaces to authenticate the signature of every packet is entirely impractical.
As described above, for the node-cache-based communication process of the content-centric smart identifier network architecture, an attacker's means of attack include:
(1) controlling some router and tampering with the content of the packets it receives, so that the content of the packets cached by the routers downstream of it is also tampered with;
(2) predicting some specific SID and, using machines under the attacker's own control to simulate requesters, causing the service provider to deposit in router caches packets whose content matches the SID but is not the content normal users expect.
Both of these attacks result in a user who issues a normal service request being unable to receive the correct service content packet in return for the interest packet. In existing content-centric networks, the mainstream technique for addressing content tampering is SCIC (Self-Certifying Interests/Content), which mainly comprises S-SCIC (Static Self-Certifying Interests/Content) and D-SCIC (Dynamic Self-Certifying Interests/Content). S-SCIC automatically generates a hash value from the content of each data packet, so that once the packet's content changes the hash value changes with it. D-SCIC adds a field PublisherPublicKeyDigest to the interest packet, which stores the hash value of the service provider's public key; once the requester uses this field, each router verifies whether the returned data packet carries a public key identical to that in the interest packet.
Of these methods, S-SCIC solves the problem of content tampering well; for continuous data (content1, content2, ...), the solution is to store the hash value hash2 of content2 inside content1, so that knowing only the hash value hash1 of content1 guarantees the correctness of a whole sequence of continuous data. But its scope is limited to static data, such as a film or an e-book, for which the service provider can compute the hash value of each section in advance and send hash1 to the requester. In real networks much content is dynamic, that is, the content to be returned does not exist before the request is issued (for example the result of a web search), and in that case S-SCIC cannot guarantee the integrity and correctness of the content. D-SCIC, meanwhile, can solve the content-tampering problem caused by some controlled service providers; but once the attacker directly modifies the content of a trusted service provider's packet cached on a router, rather than the public key, the public key still matches correctly, yet the content of the packet returned along the path is still wrong. Moreover, no existing naming system based on self-certification supports self-certifying content naming for static and dynamic content at the same time.
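To make the two background mechanisms concrete, the following added example (not code from the patent or from any cited system) builds and verifies an S-SCIC style hash chain, in which each chunk carries the hash of the next chunk so that a requester holding only hash1 can check the whole sequence, and implements the D-SCIC router check that compares the publisher's key against the interest's PublisherPublicKeyDigest. The chunk layout (hash of the next chunk followed by the content), the all-zero terminator and the use of SHA-256 are assumptions; the text above fixes only the idea that content1 carries hash2.

```python
"""S-SCIC hash chain and D-SCIC key-digest check. Added example; the chunk layout,
the zero terminator and SHA-256 are assumptions not taken from the patent."""
import hashlib

DIGEST = hashlib.sha256().digest_size
TERMINATOR = b"\x00" * DIGEST            # marks the chunk that has no successor


def build_chain(contents):
    """Publisher side (static data only: every hash is computed before delivery).
    Returns (hash1, chunks) where chunk_i = H(chunk_{i+1}) || content_i."""
    chunks, next_hash = [], TERMINATOR
    for content in reversed(contents):     # walk backwards so each chunk can embed its successor's hash
        chunk = next_hash + content
        chunks.append(chunk)
        next_hash = hashlib.sha256(chunk).digest()
    chunks.reverse()
    return next_hash, chunks               # next_hash is now H(chunk_1), i.e. hash1


def verify_chain(hash1, chunks):
    """Requester or router side: knowing only hash1, checks every chunk in order.
    Returns (True, None) for a correct, complete sequence, otherwise
    (False, index of the first chunk that does not match)."""
    expected = hash1
    for i, chunk in enumerate(chunks):
        if hashlib.sha256(chunk).digest() != expected:
            return False, i                # content or embedded next-hash was modified
        expected = chunk[:DIGEST]          # the hash this chunk announces for its successor
    if expected != TERMINATOR:
        return False, len(chunks)          # sequence was cut short
    return True, None


def key_digest(public_key: bytes) -> bytes:
    """Value the requester places in the interest packet's PublisherPublicKeyDigest field."""
    return hashlib.sha256(public_key).digest()


def dscic_accepts(interest_ppkd: bytes, packet: dict) -> bool:
    """D-SCIC router check: the packet's publisher key must hash to the digest carried in
    the interest. The packet's content is not examined, which is the gap the text describes:
    a cached packet whose content was altered but whose key was left alone still passes."""
    return key_digest(packet["publisher_key"]) == interest_ppkd


if __name__ == "__main__":
    hash1, chain = build_chain([b"content1", b"content2", b"content3"])   # constructed sample
    print("intact:", verify_chain(hash1, chain))
    forged = list(chain)
    forged[1] = forged[1][:DIGEST] + b"tampered"                        # change content2 only
    print("tampered chunk 2:", verify_chain(hash1, forged))
```

The verifier reports the index of the first chunk that fails, which is the chunk whose content (or whose embedded next-hash) was altered; a truncated chain is reported as a failure at the position where the missing chunk should have been. The `dscic_accepts` function deliberately ignores the content field, because that is exactly the limitation the patent attributes to D-SCIC.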
Accordingly, there is a need for a cooperative defence method against service-tampering DoS attacks in a smart identifier network integrated with LTE which, within a reasonable range of computing performance, improves the probability of detecting data packets whose content has been maliciously tampered with and reduces the probability that packets with tampered content are cached.
Summary of the invention
The purpose of the present invention is to provide a cooperative defence method against service-tampering DoS attacks in a smart identifier network integrated with LTE, so as to realize the following:
1. when an attacker has hijacked some private-network router GSR in the private network and tampered with the content of SID-bearing data packets that it caches or receives, a cooperative defence is performed as the packets are transferred into the LTE network, reducing the probability that tampered packets are cached by eNodeBs while increasing the probability that mobile users obtain the correct service content normally;
2. since the volume of data carried by the PGW is huge, the PGW itself performs no signature authentication; instead the eNodeBs that reach the private network through the PGW act as authentication units and together form the cooperative defence mechanism, with the PGW as a central controller, so as to raise the probability that eNodeBs detect tampered packets and effectively guarantee effectiveness while taking performance into account.
In order to achieve the above objectives, the present invention adopts the following technical solutions:
A cooperative defence method against service-tampering DoS attacks in a smart identifier network integrated with LTE, comprising the following steps:
An abnormal-SID reputation management table is maintained on the PGW, and a verification probability corresponding to the SID in the data packet is added to each data packet returned by the GSR;
When the PGW receives the data packet, it judges whether the SID in the data packet is present in the abnormal-SID reputation management table; if so, it sets the verification probability in the data packet to the verification probability stored in the abnormal-SID reputation management table for that SID, otherwise it keeps the verification probability in the data packet;
When the eNodeB receives the data packet returned by the PGW, it decides according to the verification probability in the data packet whether to perform signature authentication on the data packet; if signature authentication is performed and succeeds, it caches the data packet and sends it to the user equipment; if signature authentication is performed and fails, it discards the data packet and sends the PGW an abnormal-alarm message carrying the SID in the data packet;
When the PGW receives the abnormal-alarm message carrying the SID in the data packet, it judges whether that SID is present in the abnormal-SID reputation management table; if so, it raises the verification probability stored in the abnormal-SID reputation management table for that SID, otherwise it adds the SID to the abnormal-SID reputation management table and raises the verification probability stored in the table for that SID.
Preferably, the initial value of the verification probability corresponding to the SID that is added to the data packets returned by the GSR is the same for all packets.
Preferably, the data packet further includes a digital signature and the provided service content.
Beneficial effects of the present invention are as follows:
While keeping the original system's authentication, access and communication functions, the technical solution of the present invention analyses the behaviour that may arise in a SID-request-based network environment, in which an attacker-controlled node router carries out content-tampering attacks that cause eNodeBs to store a large amount of erroneous cache and reduce the efficiency with which users request correct content, and adds on the PGW and the eNodeBs a cooperative defence mechanism that limits malicious SID tampering originating in the private network from the edge of the mobile core network, effectively protecting the content security of the base stations and the quality of service acquisition of the users in the mobile network.
Detailed description of the invention
Specific embodiments of the present invention are described in further detail below with reference to the accompanying drawings.
Fig. 1 shows the network environment topology of the integrated LTE/smart identifier network of the prior art.
Fig. 2 shows the basic communication flow, in the network environment of the integrated LTE/smart identifier network of the prior art, by which the user equipment accesses the LTE network and sends a SID request to the private network.
Fig. 3 shows the specific signalling flow of the cooperative defence method against service-tampering DoS attacks in a smart identifier network integrated with LTE.
Specific embodiment
In order to illustrate the present invention more clearly, it is further described below with reference to preferred embodiments and the drawings. Similar components are denoted by the same reference numerals in the drawings. Those skilled in the art will appreciate that what is specifically described below is illustrative and not restrictive, and should not be taken to limit the scope of the invention.
The cooperative defence method against service-tampering DoS attacks in a smart identifier network integrated with LTE disclosed by the present invention comprises the following steps:
An abnormal-SID reputation management table is maintained on the PGW, and a verification probability corresponding to the SID in the data packet is added to each data packet that the GSR returns in response to the SID request sent by the UE; the initial value of the verification probability added to each data packet in the network is the same for every SID;
When the PGW receives a data packet returned by the GSR, it judges whether the SID in the data packet is present in the abnormal-SID reputation management table; if so, it sets the verification probability in the data packet to the verification probability stored in the abnormal-SID reputation management table for that SID, otherwise it keeps the verification probability in the data packet;
Because the volume of data carried by the PGW is huge, the PGW itself performs no signature authentication; instead the eNodeBs that reach the private network through the PGW act as authentication units and together form the cooperative defence mechanism. Therefore, when the eNodeB receives the data packet returned by the PGW, it decides according to the verification probability in the data packet whether to perform signature authentication on it; if signature authentication is performed and succeeds, it directly caches the data packet and sends it to the next-hop eNodeB or to the user equipment; if signature authentication is performed and fails, it discards the data packet and sends the PGW an abnormal-alarm message carrying the SID in the data packet;
When the PGW receives the abnormal-alarm message carrying the SID in the data packet, this means that the content of packets for that SID may have been tampered with. The PGW then judges whether the SID is present in the abnormal-SID reputation management table; if so, it degrades the reputation level of the SID and raises the verification probability stored in the table for that SID; otherwise it adds the SID to the abnormal-SID reputation management table, degrades the reputation level of the SID, and raises the verification probability stored in the table for that SID. If the PGW finds that the SID is not present in the abnormal-SID reputation management table, the verification probability of that SID has never been raised by the PGW and is still the initial value assigned when the GSR added the verification probability to the returned data packet, so the PGW raises the verification probability stored in the table for that SID starting from the initial value.
When the PGW subsequently receives a data packet with the same SID returned by the GSR, the verification probability of that packet is raised by the PGW, which raises the probability that a tampered packet is detected by the eNodeB and in turn raises the probability that nodes cache correct packet content.
As shown in Fig. 3, the specific signalling process of the cooperative defence method against service-tampering DoS attacks in a smart identifier network integrated with LTE disclosed by the present invention is exemplified as follows:
First, before the cooperative defence method starts executing, the user equipment must access the LTE network and send a SID request to the private network. This access and SID-request process is the ordinary access-request process of the prior art and is briefly described as follows: the SGW sends a PDP context request to the PGW; the PGW sends a PDP context response to the SGW; the user opens a web page on the user equipment, which starts the WEB authentication process, and the user enters a user name and password on the login authentication page; the authentication service checks the user name and password and returns the authentication result, and if authentication succeeds the user is redirected to the ASR authentication management address, where the ASR module allows the device onto the network, allocates an intranet identifier for it and adds it to the mapping table; when the user sends a data packet, the PGW/ASR replaces the user's access identifier with the allocated intranet identifier; thereafter, having accessed the LTE network and begun normal communication, the user equipment sends a SID request to the private network.
The specific signalling process of the cooperative defence method is then exemplified as follows:
An abnormal-SID reputation management table is maintained on the PGW, and a verification probability corresponding to the SID in the data packet is added to each data packet that the GSR returns in response to the SID request sent by the UE, the initial value of this verification probability being the same for all packets returned by the GSR;
The SID request sent by UE1 to the private network reaches a GSR controlled by the attacker. The attacker has tampered with the content of the packet with that SID cached on this GSR, so the tampered packet is returned, and the GSRs along the way also cache the tampered packet;
When the packet returned by the attacker-controlled GSR reaches the PGW, the PGW judges whether the SID in the packet is present in the abnormal-SID reputation management table. If the abnormal-SID reputation management table on the PGW does not contain this SID, the verification probability P1 in the packet is kept. When the packet reaches base station eNodeB1, eNodeB1 decides according to P1 whether to perform signature authentication on it;
If eNodeB1 performs signature authentication and finds that it fails, the packet has been tampered with; eNodeB1 discards the packet directly and feeds back to the PGW an abnormal-alarm message carrying the SID in the packet;
When the PGW receives the abnormal-alarm message, it adds the SID to the abnormal-SID reputation management table, degrades the reputation level of the SID, and raises the verification probability stored in the table for this SID from P1 to P2.
Later, UE2, within the range of another base station eNodeB2, sends a SID request to the private network for the same SID as the request previously sent by UE1; that is, UE2 initiates a request for an identical SID, and likewise obtains the tampered packet from the private network;
When this tampered packet reaches the PGW, the SID in the packet now has a record in the abnormal-SID reputation management table on the PGW, so the verification probability in the packet is set to P2. When the packet reaches base station eNodeB2, eNodeB2 decides whether to perform signature authentication based on the new probability P2 (P2 > P1), so the probability that the tampered packet is detected is greater.
In the present solution, defining the signaling format of data in LTE network and wisdom mark network integration network, it is specifically defined
It is as follows:
1) format of the data packet for SID request (can be described as interest packet) that GSR was provided or returned meet is as follows:
SID | CheckProbability | Signature | Content |
Wherein:
SID: service identifiers;
CheckProbability: verification probability;
Signature: digital signature;
Content: provided service content.
2) The storage format of the abnormal SID reputation management table is as follows:
SID` | Level | CheckProbability |
Wherein:
SID`: the abnormal service identifier;
Level: the current reputation level of the service identifier;
CheckProbability: the verification probability of the service identifier, evaluated according to its reputation level.
3) The format of the message by which an eNodeB feeds back abnormal SID information to the PGW is as follows:
SID` | CheckProbability | Option |
Wherein:
SID`: the abnormal service identifier;
CheckProbability: the verification probability of the service identifier, evaluated according to its reputation level;
Option: an option field.
The composite defense method against service-tampering DoS attacks in a smart identifier network integrating LTE disclosed by the present invention has the following features:
(1) An abnormal SID reputation management table is established on the PGW, from which the verification probability of an SID can be determined in real time according to its reputation level;
(2) As soon as an eNodeB fails signature authentication on a data packet, it immediately feeds back the abnormal SID information of that packet to the PGW, which benefits the next user requesting the same SID through another eNodeB; this realizes the composite defense mechanism formed jointly by the eNodeB and the PGW;
(3) A method of determining the verification probability: the verification probability of a specific abnormal SID is determined by a function constructed from the change in the reputation level of the SID and the load imbalance among the eNodeBs in the current domain.
Obviously, the above embodiments are merely examples given to illustrate the present invention clearly and do not limit the ways in which it may be implemented. Those of ordinary skill in the art may make other variations or changes of different forms on the basis of the above description; not all implementations can be enumerated here, and any obvious change or variation derived from the technical solution of the present invention remains within the scope of protection of the present invention.
Claims (3)
1. A composite defense method against service-tampering DoS attacks in a smart identifier network integrating LTE, characterized in that the method comprises the following steps:
maintaining an abnormal service identifier (SID) reputation management table on the PGW, and adding to each data packet returned by the gigabit switch router (GSR) a verification probability corresponding to the SID in that data packet;
when the PGW receives the data packet, determining whether the SID in the data packet is present in the abnormal SID reputation management table; if so, setting the verification probability in the data packet to the verification probability stored for that SID in the abnormal SID reputation management table, and otherwise keeping the verification probability in the data packet unchanged;
when an eNodeB receives the data packet returned by the PGW, deciding according to the verification probability in the data packet whether to perform signature authentication on the data packet; if signature authentication is performed and succeeds, caching the data packet and sending it to the user terminal; if signature authentication is performed and fails, discarding the data packet and sending to the PGW an abnormality alarm message carrying the SID of the data packet;
when the PGW receives the abnormality alarm message carrying the SID of the data packet, determining whether that SID is present in the abnormal SID reputation management table; if so, raising the verification probability stored for that SID in the abnormal SID reputation management table, and otherwise adding the SID to the abnormal SID reputation management table and raising the verification probability stored for it.
2. The composite defense method against service-tampering DoS attacks in a smart identifier network integrating LTE according to claim 1, characterized in that the initial values of the verification probabilities corresponding to the SIDs, as added to the data packets returned by the GSR, are identical.
3. The composite defense method against service-tampering DoS attacks in a smart identifier network integrating LTE according to claim 1, characterized in that the data packet further includes a digital signature and the provided service content.
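The following Python simulation is an added illustration, not code from the patent or its assignee, of the procedure recited in claim 1, of the two-UE walk-through in the description (UE1 behind eNodeB1 triggers the alarm, UE2 behind eNodeB2 benefits from the raised probability) and of the three message formats. It assumes what the page leaves open: the "Signature" field is stood in for by an HMAC-SHA256 under a key shared by the GSR and the eNodeBs (a real deployment would use an asymmetric signature), each alarm downgrades the reputation level by one and raises CheckProbability by a fixed LEVEL_STEP (the load-based function of feature (3) is not modelled), the "Option" field is left empty, and the SIDs, contents and probability values are constructed for the example. `detection_rate` goes beyond the single walk-through and measures empirically how the drop rate for tampered packets rises with CheckProbability.

```python
"""Simulation of the PGW/eNodeB composite defense (added illustration, not the patent's code):
probabilistic signature checks at the eNodeB, an abnormal-SID reputation table at the PGW."""
import hashlib
import hmac
import random

# Assumption: the patent names no signature scheme. An HMAC-SHA256 over SID||Content under a
# key shared by the GSR and the eNodeBs stands in for the Signature field here.
SIGNING_KEY = b"demo-gsr-signing-key"   # constructed for this example
P_INITIAL = 0.1     # P1: the same initial CheckProbability for every SID (claim 2)
LEVEL_STEP = 0.3    # assumed increase per reputation-level downgrade; the page gives no formula


def sign(sid: str, content: bytes) -> str:
    return hmac.new(SIGNING_KEY, sid.encode() + b"|" + content, hashlib.sha256).hexdigest()


def encode_packet(sid: str, check_probability: float, signature: str, content: bytes) -> bytes:
    """Data packet format from the description: SID | CheckProbability | Signature | Content."""
    return b"|".join([sid.encode(), f"{check_probability:.3f}".encode(), signature.encode(), content])


def decode_packet(raw: bytes) -> dict:
    sid, prob, sig, content = raw.split(b"|", 3)   # Content may itself contain '|'
    return {"sid": sid.decode(), "check_probability": float(prob), "signature": sig.decode(), "content": content}


def gsr_serve(sid: str, content: bytes) -> bytes:
    """GSR answers an interest packet: signs the content and stamps the initial probability."""
    return encode_packet(sid, P_INITIAL, sign(sid, content), content)


def tamper(raw: bytes, new_content: bytes) -> bytes:
    """An attacker in the private network rewrites Content but cannot re-sign it."""
    p = decode_packet(raw)
    return encode_packet(p["sid"], p["check_probability"], p["signature"], new_content)


class PGW:
    """Keeps the abnormal SID reputation table: SID` -> {Level, CheckProbability}."""

    def __init__(self):
        self.abnormal = {}

    def forward(self, raw: bytes) -> bytes:
        """Overwrite CheckProbability when the SID has a record, else pass the packet through."""
        p = decode_packet(raw)
        entry = self.abnormal.get(p["sid"])
        if entry is None:
            return raw
        return encode_packet(p["sid"], entry["check_probability"], p["signature"], p["content"])

    def on_alarm(self, alarm: dict) -> float:
        """Feedback message SID` | CheckProbability | Option: add the SID or downgrade it."""
        entry = self.abnormal.setdefault(alarm["sid"], {"level": 0, "check_probability": alarm["check_probability"]})
        entry["level"] += 1
        entry["check_probability"] = round(min(1.0, entry["check_probability"] + LEVEL_STEP), 3)
        return entry["check_probability"]


class ENodeB:
    def __init__(self, rng=None):
        self.rng = rng or random.Random(0)
        self.cache = {}
        self.alarms = []        # abnormality alarm messages sent to the PGW

    def receive(self, raw: bytes, draw=None) -> str:
        """Verify the signature with probability CheckProbability; 'draw' fixes the coin flip."""
        p = decode_packet(raw)
        u = self.rng.random() if draw is None else draw
        if u >= p["check_probability"]:
            return "forwarded_unchecked"           # tampering, if any, goes unnoticed
        if hmac.compare_digest(sign(p["sid"], p["content"]), p["signature"]):
            self.cache[p["sid"]] = p["content"]
            return "forwarded_verified"
        self.alarms.append({"sid": p["sid"], "check_probability": p["check_probability"], "option": ""})
        return "dropped"


def run_scenario() -> dict:
    """The two-UE walk-through from the description, with the eNodeB coin flips fixed."""
    pgw, enb1, enb2 = PGW(), ENodeB(), ENodeB()
    genuine = gsr_serve("sid:video/42", b"genuine content")          # constructed SID and content
    tampered = tamper(genuine, b"malicious content")
    # UE1 behind eNodeB1: the PGW has no record, so the packet still carries P1.
    missed = enb1.receive(pgw.forward(tampered), draw=0.5)            # 0.5 >= P1: not checked
    caught1 = enb1.receive(pgw.forward(tampered), draw=0.05)          # 0.05 < P1: checked, fails
    p2 = pgw.on_alarm(enb1.alarms[-1])                                # PGW raises P1 to P2
    # UE2 behind eNodeB2 requests the same SID: the PGW now stamps P2 on the packet.
    stamped = decode_packet(pgw.forward(tampered))["check_probability"]
    caught2 = enb2.receive(pgw.forward(tampered), draw=0.35)          # 0.35 < P2 although >= P1
    genuine_ok = enb2.receive(pgw.forward(genuine), draw=0.0)         # a valid signature still passes
    return {"missed": missed, "caught1": caught1, "p2": p2, "stamped": stamped, "caught2": caught2,
            "genuine_ok": genuine_ok, "level": pgw.abnormal["sid:video/42"]["level"]}


def detection_rate(check_probability: float, trials: int = 2000, seed: int = 7) -> float:
    """Empirical share of tampered packets an eNodeB drops at a given CheckProbability."""
    enb = ENodeB(random.Random(seed))
    pkt = encode_packet("sid:x", check_probability, sign("sid:x", b"real"), b"fake")
    return sum(enb.receive(pkt) == "dropped" for _ in range(trials)) / trials
```

Running `run_scenario()` shows the gain the description claims: the first tampered packet for UE1 slips through on a coin flip above P1, the second is caught and alarmed, and the same draw that would have passed under P1 is caught for UE2 under P2. The simulation also exposes two caveats a practitioner should weigh: a packet that is not checked is forwarded unchanged, so the defense only lowers, never removes, the chance that tampered content reaches a user, and the table has no decay, so a burst of alarms for one SID drives its CheckProbability to 1.0 and keeps it there until some ageing rule (which the page does not specify) lowers it again.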
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201611122590.0A CN106453421B (en) | 2016-12-08 | 2016-12-08 | The wisdom mark network of fusion LTE distorts the composite defense method of DoS attack to service |
Publications (2)
Publication Number | Publication Date |
---|---|
CN106453421A CN106453421A (en) | 2017-02-22 |
CN106453421B true CN106453421B (en) | 2019-08-16 |
Family
ID=58216250
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201611122590.0A Expired - Fee Related CN106453421B (en) | 2016-12-08 | 2016-12-08 | The wisdom mark network of fusion LTE distorts the composite defense method of DoS attack to service |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN106453421B (en) |
Families Citing this family (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN109462498B (en) * | 2018-10-24 | 2020-09-15 | 北京交通大学 | Intelligent network system and communication method thereof |
CN113316152A (en) * | 2021-05-21 | 2021-08-27 | 重庆邮电大学 | DoS attack detection method and defense method for terminal in LTE system |
CN117278993A (en) * | 2022-06-15 | 2023-12-22 | 中兴通讯股份有限公司 | Method for regulating and controlling network connection request, controller, base station and storage medium |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101631026A (en) * | 2008-07-18 | 2010-01-20 | 北京启明星辰信息技术股份有限公司 | Method and device for defending against denial-of-service attacks |
JP2011150663A (en) * | 2010-01-25 | 2011-08-04 | Sony Corp | Power management apparatus, and display method |
CN104506459A (en) * | 2014-12-10 | 2015-04-08 | 北京交通大学 | Data packet transmission method, device and system in intelligent cooperative network |
CN104580165A (en) * | 2014-12-19 | 2015-04-29 | 北京交通大学 | Cooperative caching method in intelligence cooperative network |
CN105991557A (en) * | 2015-02-05 | 2016-10-05 | 精硕世纪科技(北京)有限公司 | Network attack defense method based on DNS intelligent analysis system |
Family Cites Families (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP2011155711A (en) * | 2010-01-25 | 2011-08-11 | Sony Corp | Power management apparatus and method of providing game contents |
- 2016-12-08: application CN201611122590.0A filed in CN; granted as CN106453421B, status not active (Expired - Fee Related)
Also Published As
Publication number | Publication date |
---|---|
CN106453421A (en) | 2017-02-22 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN109039436B (en) | Method and system for satellite security access authentication | |
Ni et al. | Security and privacy for mobile edge caching: Challenges and solutions | |
CN109842906B (en) | Communication method, device and system | |
EP2959632B1 (en) | Augmenting name/prefix based routing protocols with trust anchor in information-centric networks | |
Nour et al. | Security and privacy challenges in information-centric wireless internet of things networks | |
Nour et al. | Information-centric networking in wireless environments: Security risks and challenges | |
CN103023856B (en) | Method, system and the information processing method of single-sign-on, system | |
US11570689B2 (en) | Methods, systems, and computer readable media for hiding network function instance identifiers | |
Ma et al. | An architecture for accountable anonymous access in the internet-of-things network | |
CN106453421B (en) | The wisdom mark network of fusion LTE distorts the composite defense method of DoS attack to service | |
CN112332901B (en) | Heaven and earth integrated mobile access authentication method and device | |
WO2023065969A1 (en) | Access control method, apparatus, and system | |
CN109951482A (en) | User terminal and its block chain domain name analytic method | |
CN116546491A (en) | Method, device and system for anchor key generation and management for encrypted communication with a service application in a communication network | |
Rao et al. | Privacy in LTE networks | |
Yu et al. | An effective and feasible traceback scheme in mobile internet environment | |
Bani Hani et al. | Energy-efficient service-oriented architecture for mobile cloud handover | |
US20230209345A1 (en) | Device-specific selection between peer-to-peer connections and core-based hybrid peer-to-peer connections in a secure data network | |
Lokulwar et al. | Threat analysis and attacks modelling in routing towards IoT | |
WO2019093932A1 (en) | Lawful interception security | |
KR20220100669A (en) | Method, device and system for generating and managing application keys in a communication network for encrypted communication with service applications | |
Holtmanns et al. | Subscriber profile extraction and modification via diameter interconnection | |
US11582201B1 (en) | Establishing and maintaining trusted relationship between secure network devices in secure peer-to-peer data network based on obtaining secure device identity containers | |
Li et al. | A survey on smart collaborative identifier networks | |
Krishnamoorthy et al. | Security enhancement of handover key management based on media access control address in 4G LTE networks |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| C06 | Publication | |
| PB01 | Publication | |
| C10 | Entry into substantive examination | |
| SE01 | Entry into force of request for substantive examination | |
| GR01 | Patent grant | |
GR01 | Patent grant | ||
| CF01 | Termination of patent right due to non-payment of annual fee | Granted publication date: 20190816; Termination date: 20191208 |