CN108123789B - Method and device for analyzing security attack - Google Patents


Info

Publication number
CN108123789B
CN108123789B (application CN201611063393.6A)
Authority
CN
China
Prior art keywords
file
signaling data
request
data
signaling
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201611063393.6A
Other languages
Chinese (zh)
Other versions
CN108123789A (en)
Inventor
王峰生
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China Mobile Communications Group Co Ltd
China Mobile Communications Ltd Research Institute
Original Assignee
China Mobile Communications Group Co Ltd
China Mobile Communications Ltd Research Institute
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by China Mobile Communications Group Co Ltd and China Mobile Communications Ltd Research Institute
Priority to CN201611063393.6A
Publication of CN108123789A
Application granted
Publication of CN108123789B
Legal status: Active (current)

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/002 Countermeasures against attacks on cryptographic mechanisms
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227 Filtering policies

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The embodiment of the invention provides a method and a device for analyzing a security attack, the method comprising: acquiring signaling data, and extracting key cell field information of the signaling data from each protocol layer corresponding to the signaling data; and performing security attack analysis on the signaling data according to the key cell field information to obtain a security attack analysis result. This solves the prior-art problem that, for attacks without a protection means, there is no corresponding way to determine whether an attack exists or whether it succeeded.

Description

Method and device for analyzing security attack
Technical Field
The present invention relates to the field of communications technologies, and in particular, to a method and a device for analyzing security attacks.
Background
In recent years, as the technologies of the conventional GSM communication system have matured, reports and incidents of attacks on SS7 signaling security in GSM networks have increased; the security threats most frequently mentioned in these reports include location tracking, call forwarding (call hijacking) and denial of service.
Among the existing protection means for SS7 signaling security threats, a signaling firewall judges mainly on the signaling GT (global title) code, the carried subscriber identifier (MDN or IMSI) and the behaviour characteristics of a single signaling instruction; if these match a known abnormal behaviour pattern, the signaling is classified as a security threat and the corresponding protection action is taken.
The existing SS7 signaling security protection means are summarised in Table 1:
TABLE 1 SS7 signaling security means
[Table 1 is provided as an image in the original and is not reproduced here.]
Partial protection means exist for location tracking, while no specific protection means exist for call hijacking and denial of service. For the attacks that do have protection means, there is no specific auditing method, system or device with which to verify the protection that has been implemented; likewise, for the attacks without protection means there is no corresponding audit, so it cannot be determined whether an attack occurred or whether it succeeded.
Disclosure of Invention
In view of the above technical problems, embodiments of the present invention provide a method and an apparatus for analyzing a security attack, which solve the problem in the prior art that for an attack without a protection means, there is no corresponding way to determine whether there is an attack or not or whether the attack is successful or not.
In a first aspect of the embodiments of the present invention, a method for analyzing a security attack is provided, including:
acquiring signaling data, and extracting key cell field information of the signaling data from each protocol layer corresponding to the signaling data;
and carrying out security attack analysis on the signaling data according to the key cell field information to obtain a security attack analysis result.
Optionally, the acquiring signaling data includes:
and acquiring offline signaling data from the international gateway, wherein the offline signaling data are data packets generated according to a preset time interval.
Optionally, performing security attack analysis on the signaling data according to the key cell field information to obtain a security attack analysis result, including:
classifying the signaling data according to an operation code type field and a message direction field in the key cell field information to generate classified retrieval cell data files of the signaling data, wherein each type of classified retrieval cell data file comprises a request direction file of the type and a response direction file of the type;
and carrying out security attack analysis on the signaling data according to the request direction file and the response direction file to obtain a confirmed attack set and a suspected attack set.
Optionally, the performing security attack analysis according to the request direction file and the response direction file to obtain a confirmation attack set and a suspected attack set includes:
according to the principle of inward request, filtering the request direction file in the classified retrieval cell data file;
performing correlation check on the original source transaction ID in the request direction file and the target transaction ID in the response direction file which meet the filtering condition;
if the original source transaction ID in the request message in the request direction file is the same as the target transaction ID in the response message in the response direction file, and the position information field carried in the response message in the response direction file is displayed as the home position information, combining and outputting the request message and the response message to a confirmation attack set corresponding to the classified retrieval cell data file;
and if no response message corresponding to the request message exists, outputting the request message to a suspected attack set corresponding to the classified retrieval cell data file.
Optionally, the filtering the request direction file in the sorted retrieval cell data file according to the inward request principle includes:
the request direction file in the classified search cell data file is filtered by taking the destination signaling point code DPC as the home country, the original source signaling point code OPC as the non-home country, and the international mobile subscriber identity IMSI or mobile subscriber directory number MDN as the filtering condition of the home country.
According to a second aspect of the embodiments of the present invention, there is also provided an apparatus for analyzing a security attack, including:
the acquisition module is used for acquiring signaling data and extracting key cell field information of the signaling data from each protocol layer corresponding to the signaling data;
and the analysis module is used for carrying out security attack analysis on the signaling data according to the key cell field information to obtain a security attack analysis result.
Optionally, the obtaining module includes:
an obtaining unit, configured to obtain offline signaling data from an international gateway, where the offline signaling data is a data packet generated according to a predetermined time interval;
and the extracting unit is used for extracting the key cell field information of the off-line signaling data from each protocol layer corresponding to the off-line signaling data.
Optionally, the analysis module comprises:
a classifying unit, configured to classify the signaling data according to an operation code type field and a message direction field in the key cell field information, and generate a classified retrieval cell data file of the signaling data, where each type of classified retrieval cell data file includes a request direction file of the type and a response direction file of the type;
and the analysis unit is used for carrying out security attack analysis on the signaling data according to the request direction file and the response direction file to obtain a confirmation attack set and a suspected attack set.
Optionally, the analysis unit comprises:
a filtering subunit, configured to filter the request direction file in the classified retrieval cell data file according to an inward request principle;
the checking subunit is used for performing association check on the original source transaction ID in the request direction file meeting the filtering condition and the target transaction ID in the response direction file;
if the original source transaction ID in the request message in the request direction file is the same as the target transaction ID in the response message in the response direction file, and the position information field carried in the response message in the response direction file is displayed as the home position information, combining and outputting the request message and the response message to a confirmation attack set corresponding to the classified retrieval cell data file;
and if no response message corresponding to the request message exists, outputting the request message to a suspected attack set corresponding to the classified retrieval cell data file.
Optionally, the filtering subunit is further configured to:
the request direction file in the classified search cell data file is filtered by taking the destination signaling point code DPC as the home country, the original source signaling point code OPC as the non-home country, and the international mobile subscriber identity IMSI or mobile subscriber directory number MDN as the filtering condition of the home country.
One of the above technical solutions has the following advantages or beneficial effects: signaling data is acquired and key cell field information is extracted from each protocol layer of the signaling data; security attack analysis is then performed on the signaling data according to the key cell field information to obtain a security attack analysis result, which solves the prior-art problem that, for attacks without a protection means, there is no corresponding way to determine whether an attack exists or whether it succeeded. Existing schemes focus on interception and protection and lack a means of confirming the effect after the event; this embodiment produces a security attack analysis result for the signaling data and therefore provides such an after-the-event confirmation. Furthermore, the embodiment captures data from the live network, obtaining it from the existing signaling monitoring data of the international gateway, so no additional signaling acquisition cost is incurred; and the embodiment outputs an audit report without immediately affecting the live network, which may later be operated on as appropriate according to the security attack analysis result.
Drawings
FIG. 1 is a flowchart illustrating a method for analyzing a security attack according to an embodiment of the present invention;
fig. 2 is a schematic diagram of protocol layers involved in signaling No. 7 in an attack according to an embodiment of the present invention;
FIG. 3 is a flowchart of step 102 according to an embodiment of the present invention;
FIG. 4 is a flowchart of step 1022 in one embodiment of the present invention;
FIG. 5 is a block diagram of a device for analyzing a security attack according to a second embodiment of the present invention;
fig. 6 is a second block diagram of an apparatus for analyzing a security attack in the second embodiment of the present invention.
Detailed Description
Exemplary embodiments of the present disclosure will be described in more detail below with reference to the accompanying drawings. While exemplary embodiments of the present disclosure are shown in the drawings, it should be understood that the present disclosure may be embodied in various forms and should not be limited to the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the disclosure to those skilled in the art.
As will be appreciated by one skilled in the art, embodiments of the present invention may be embodied as a system, apparatus, device, method, or computer program product. Thus, embodiments of the invention may be embodied in the form of: entirely hardware, entirely software (including firmware, resident software, micro-code, etc.), or a combination of hardware and software.
Example one
Referring to fig. 1, a method for analyzing security attacks is shown, which includes the following specific steps:
step 101, acquiring signaling data, and extracting key cell field information of the signaling data from each protocol layer corresponding to the signaling data;
in this embodiment, optionally, offline signaling data is obtained from the international gateway, where the offline signaling data is a data packet generated at a predetermined time interval. The bidirectional off-line signaling data is acquired from the signaling related system established by the current network international gateway bureau, the current network is not required to be modified, and the network is not influenced. The off-line signaling data may be bidirectional data obtained from the international gateway, the off-line signaling data may be stored in a PCAP file, the off-line signaling data file may be stored for a predetermined time interval (for example, 2 minutes) to generate a data packet, and the off-line signaling data file may be stored in a cvt _ yymmddhhmis.
Data files are for example: cvt _20150207194922.pcap
Description of the file format:
cvt-file prefix
' separator character
yyyy-4 position, representing year
mm-2 position, representing month
dd-2 position, for day
hh-2 position, when represents
mi-2 position, representing part of
ss-2 bit, representing seconds
Taking signaling No. 7 as an example, each protocol layer corresponding to the signaling No. 7 is shown in fig. 2.
Similarly, taking signaling No. 7 as an example, the key cell field information extracted at each layer is shown in the following table:
[Table of key cell fields extracted at each protocol layer; provided as an image in the original and not reproduced here.]
and 102, carrying out security attack analysis on the signaling data according to the key cell field information to obtain a security attack analysis result.
Referring to fig. 3, the flow of step 102 is shown, and the specific steps are as follows:
step 1021, classifying the signaling data according to the operation code type field and the message direction field in the key cell field information, and generating a classified retrieval cell data file of the signaling data, wherein each type of classified retrieval cell data file comprises a request direction file of the type and a response direction file of the type;
the operation code type field may be represented as an OperationCode, and includes: ati, sri, psi, psl, isd, cl, dsd.
The above message direction field may be represented as ComponentTypeTag, including: invoke stands for inbound request and rr/rrnl for outbound response.
And 1022, performing security attack analysis on the signaling data according to the request direction file and the response direction file to obtain a confirmation attack set and a suspected attack set.
Further, the confirmation attack list and the suspected attack list which are distinguished according to the attack types are integrated and output.
The classified retrieval cell data files may include: a location tracking classified retrieval cell data table, a call hijacking classified retrieval cell data table and a denial of service classified retrieval cell data table.
1) the file name format of the location tracking classification retrieval information data table is as follows:
OperationCode_ComponentTypeTag_<offline signaling data file name>.txt
The location tracking classification retrieval information data table file names are as follows:
ati_invoke_cvt_20150207194922.txt
ati_rr_cvt_20150207194922.txt
sri_invoke_cvt_20150207194922.txt
sri_rr_cvt_20150207194922.txt
sri_rrnl_cvt_20150207194922.txt
psi_invoke_cvt_20150207194922.txt
psi_rr_cvt_20150207194922.txt
psl_invoke_cvt_20150207194922.txt
psl_rr_cvt_20150207194922.txt
For sri, location information is carried not only in the return result (last) message; the LocationInformation and Ext-GeographicalInformation fields may also be returned in a return result (notLast) message, so an additional file sri_rrnl_cvt_20150207194922.txt is output for messages whose OperationCode is sri.
2) The file name format of the call hijacking classified retrieval information data table is as follows:
OperationCode_ComponentTypeTag_si_<offline signaling data file name>.txt
OperationCode_ComponentTypeTag_si_gsmSCF_<offline signaling data file name>.txt
OperationCode_ComponentTypeTag_gsmSCF_<offline signaling data file name>.txt
OperationCode_ComponentTypeTag_<offline signaling data file name>.txt
The file names of the call hijacking classified retrieval information data table are as follows:
isd_invoke_si_cvt_20150207194922.txt
isd_invoke_si_gsmSCF_cvt_20150207194922.txt
isd_invoke_gsmSCF_cvt_20150207194922.txt
isd_rr_cvt_20150207194922.txt
Since an isd invoke-direction message may:
provide only subscriberIdentity,
provide only gsmSCF-Address, or
provide both subscriberIdentity and gsmSCF-Address,
three classified retrieval data table files need to be generated for it.
3) The file name format of the denial of service classification search information data table is as follows:
OperationCode_ComponentTypeTag_<offline signaling data file name>.txt
The denial of service classification retrieval information element data table file names are as follows:
cl_invoke_cvt_20150207194922.txt
cl_rr_cvt_20150207194922.txt
dsd_invoke_cvt_20150207194922.txt
dsd_rr_cvt_20150207194922.txt
Further, in this embodiment, the messages in the location tracking, call hijacking and denial of service classified retrieval cell data tables may be de-duplicated: files of the same message type and the same direction (one per offline capture file) are merged, retransmitted messages are checked for duplicates, and a retransmission that is identical to a message already present is discarded so that only one copy is retained.
After the above processing, the signaling data has been classified, merged and de-duplicated by message type and message direction, and this output is the input of the subsequent feature analysis. The file names after processing are as follows:
ati_invoke.txt/ati_rr.txt
sri_invoke.txt/sri_rr.txt/sri_rrnl.txt
psi_invoke.txt/psi_rr.txt
psl_invoke.txt/psl_rr.txt
isd_invoke_si.txt/isd_invoke_si_gsmSCF.txt/isd_invoke_gsmSCF.txt/isd_rr.txt
cl_invoke.txt/cl_rr.txt
dsd_invoke.txt/dsd_rr.txt
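The classification, merge and de-duplication of step 1021, as an added Python example; it is not code from the patent or from any China Mobile implementation. It assumes each extracted message is a dict keyed by the field names used on this page (OperationCode, ComponentTypeTag, subscriberIdentity, gsmSCF-Address and so on), that the capture file stem (cvt_yyyymmddhhmiss) is known, and that a retransmission is a record whose extracted fields are all identical; the sample records and point codes are constructed.

```python
"""Step 1021: classify key-field records into per-type request/response
tables named as on the page, then merge across captures and de-duplicate.
Record layout (dict keyed by field name) is an assumption of this example."""
from collections import OrderedDict

OPCODES = {"ati", "sri", "psi", "psl", "isd", "cl", "dsd"}
TAGS = {"invoke", "rr", "rrnl"}


def table_name(rec):
    """Return the classified retrieval table for one record, e.g. 'sri_rrnl'
    or 'isd_invoke_si_gsmSCF', or None if the record is out of scope."""
    op, tag = rec.get("OperationCode"), rec.get("ComponentTypeTag")
    if op not in OPCODES or tag not in TAGS:
        return None
    if tag == "rrnl" and op != "sri":
        return None  # only sri needs the return-result-notLast table
    if op == "isd" and tag == "invoke":
        # isd invokes are split by which of the two identifiers they carry
        has_si = "subscriberIdentity" in rec
        has_scf = "gsmSCF-Address" in rec
        if has_si and has_scf:
            return "isd_invoke_si_gsmSCF"
        if has_si:
            return "isd_invoke_si"
        if has_scf:
            return "isd_invoke_gsmSCF"
        return None
    return f"{op}_{tag}"


def classify(records, capture_stem):
    """Split one capture's records into files named <table>_<stem>.txt."""
    files = {}
    for rec in records:
        name = table_name(rec)
        if name:
            files.setdefault(f"{name}_{capture_stem}.txt", []).append(rec)
    return files


def merge_and_dedupe(per_capture):
    """Merge same-type, same-direction files of every capture into
    <table>.txt, keeping one copy of any identical retransmission."""
    merged = {}
    for stem, files in per_capture.items():
        suffix = f"_{stem}.txt"
        for fname, recs in files.items():
            bucket = merged.setdefault(fname[:-len(suffix)] + ".txt", OrderedDict())
            for rec in recs:
                bucket.setdefault(tuple(sorted(rec.items())), rec)
    return {name: list(b.values()) for name, b in merged.items()}


# Constructed sample: two 2-minute captures; the ati invoke is retransmitted
# three times, once across the capture boundary.
ATI = {"OperationCode": "ati", "ComponentTypeTag": "invoke",
       "OPC": "4-123-4", "DPC": "4-200-1", "OriginationTransactionID": "0x0007"}
SAMPLE = {
    "cvt_20150207194922": [
        {"OperationCode": "sri", "ComponentTypeTag": "invoke",
         "OPC": "4-123-4", "DPC": "4-200-1", "OriginationTransactionID": "0x0001"},
        {"OperationCode": "sri", "ComponentTypeTag": "rrnl",
         "DestinationTransactionID": "0x0001", "LocationInformation": "460-00-1234-5678"},
        {"OperationCode": "isd", "ComponentTypeTag": "invoke",
         "OriginationTransactionID": "0x0010", "subscriberIdentity": "460001234567890"},
        {"OperationCode": "isd", "ComponentTypeTag": "invoke",
         "OriginationTransactionID": "0x0010", "gsmSCF-Address": "447700900123"},
        {"OperationCode": "psi", "ComponentTypeTag": "rrnl",
         "DestinationTransactionID": "0x0002"},   # dropped: rrnl kept only for sri
        ATI, dict(ATI),
    ],
    "cvt_20150207195122": [dict(ATI)],
}


def classify_sample():
    """Classify every capture, then merge; returns {file name: records}."""
    per_capture = {stem: classify(recs, stem) for stem, recs in SAMPLE.items()}
    return merge_and_dedupe(per_capture)


if __name__ == "__main__":
    for name, recs in sorted(classify_sample().items()):
        print(f"{name}: {len(recs)} record(s)")
```

Per-capture file names come out exactly as listed above (for example sri_rrnl_cvt_20150207194922.txt), and the merged names match the post-processing list (sri_rrnl.txt, isd_invoke_si.txt and so on).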
referring to fig. 4, the flow of step 1022 is shown, and the specific steps are as follows:
step 10221, according to the principle of inward request, filtering the request direction file in the classified search cell data file;
Specifically, the request direction file in the classified retrieval cell data file is filtered with the conditions that the destination signaling point code (DPC) belongs to the home country, the originating signaling point code (OPC) belongs to a non-home country, and the International Mobile Subscriber Identity (IMSI) or mobile subscriber directory number (MDN) belongs to the home country; that is, only requests sent from a foreign network into the home network about a home subscriber are retained.
Step 10222, checking the correlation between the origination transaction ID (OriginationTransactionID) in the request direction file meeting the filter condition and the destination transaction ID (DestinationTransactionID) in the response direction file;
Step 10223, if the origination transaction ID in the request message in the request direction file is the same as the destination transaction ID in the response message in the response direction file, and the location information field (LocationInformation or Ext-GeographicalInformation) carried in the response message shows home location information, merging and outputting the request message and the response message to the confirmed attack set corresponding to the classified retrieval cell data file;
Step 10224, if there is no response message corresponding to the request message, outputting the request message to the suspected attack set corresponding to the classified retrieval cell data file.
How to obtain the security analysis result is described below for three security threats of location tracking, call hijacking and denial of service.
1) Location tracking feature analysis
In the location tracking classified retrieval cell data table, the request direction invoke file is filtered with the conditions that DPC belongs to the home country, OPC belongs to a non-home country, and IMSI or MDN belongs to the home country. The OriginationTransactionID of each request meeting the filter condition is then checked against the DestinationTransactionID in the response direction rr file or rrnl file: if the OriginationTransactionID in the request message equals the DestinationTransactionID in a response message, and the LocationInformation field carried in that response, or its Ext-GeographicalInformation field, shows home-country location information, the request message and the response message are merged and output to the confirmed location tracking attack list; a request message for which no corresponding response message exists is output to the suspected location tracking attack list.
2) Call hijacking feature analysis
In the call hijacking classified retrieval cell data table, the two tables that provide only subscriberIdentity and only gsmSCF-Address are first cross-checked on the OriginationTransactionID field of the request direction invoke file; if both tables contain records with the same OriginationTransactionID, the two records are merged and added to the table file that provides both subscriberIdentity and gsmSCF-Address.
In the integrated table file providing both subscriberIdentity and gsmSCF-Address, the request direction invoke messages are filtered with the conditions that DPC belongs to the home country, OPC belongs to a non-home country, and IMSI or MDN belongs to the home country. The OriginationTransactionID of each request meeting the filter condition is checked against the DestinationTransactionID in the response direction rr file; if they are equal, the request message and the response message are merged and output to the confirmed call hijacking attack list, and a request message for which no corresponding response message exists is output to the suspected call hijacking attack list.
3) Denial of service feature analysis
In the denial of service classified retrieval cell data table, the request direction invoke file is filtered with the conditions that DPC belongs to the home country, OPC belongs to a non-home country, and IMSI or MDN belongs to the home country. The OriginationTransactionID of each request meeting the filter condition is checked against the DestinationTransactionID in the response direction rr file; if they are equal, the request message and the response message are merged and output to the confirmed denial of service attack list, and a request message for which no corresponding response message exists is output to the suspected denial of service attack list.
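The inward-request filter and transaction-ID correlation of step 1022, carried through for all three threat types (location tracking, call hijacking and denial of service), as an added Python example that is not code from the patent or from any China Mobile implementation. Its input is the merged table set produced by step 1021 (table names without the .txt suffix, records as dicts keyed by the page's field names). The page says "home country" but not how that is decided, so the home tests below (a set of home point codes, an IMSI MCC prefix, an MDN country code, and a decoded location string starting with the MCC) are assumptions, as are all sample values.

```python
"""Step 1022: inward-request filtering and request/response correlation
for the location tracking, call hijacking and denial of service audits.
Home-network tests and the record layout are assumptions of this example."""

HOME_POINT_CODES = {"4-200-1", "4-200-2"}   # constructed home ISPCs
HOME_MCC = "460"                            # assumed home PLMN MCC
HOME_CC = "86"                              # assumed home country code


def is_inward_request(req):
    """DPC home, OPC non-home, and IMSI or MDN home."""
    home_sub = (req.get("IMSI", "").startswith(HOME_MCC)
                or req.get("MDN", "").startswith(HOME_CC))
    return (req.get("DPC") in HOME_POINT_CODES
            and req.get("OPC") not in HOME_POINT_CODES
            and home_sub)


def location_is_home(rsp):
    """LocationInformation or Ext-GeographicalInformation, assumed decoded
    upstream to a string that starts with the MCC."""
    loc = rsp.get("LocationInformation") or rsp.get("Ext-GeographicalInformation") or ""
    return loc.startswith(HOME_MCC)


def correlate(requests, responses, confirm=lambda rsp: True):
    """Pair filtered invokes with responses on transaction ID.
    Returns (confirmed [(req, rsp)], suspected [req])."""
    by_tid = {}
    for rsp in responses:
        by_tid.setdefault(rsp["DestinationTransactionID"], []).append(rsp)
    confirmed, suspected = [], []
    for req in requests:
        if not is_inward_request(req):
            continue
        matches = by_tid.get(req["OriginationTransactionID"], [])
        if not matches:
            suspected.append(req)       # request seen, no answer captured
            continue
        # a reply that fails confirm() lands in neither list; the page
        # specifies no bucket for that case
        confirmed += [(req, rsp) for rsp in matches if confirm(rsp)]
    return confirmed, suspected


def location_tracking(tables):
    confirmed, suspected = [], []
    for op in ("ati", "sri", "psi", "psl"):
        rsps = tables.get(f"{op}_rr", []) + tables.get(f"{op}_rrnl", [])
        c, s = correlate(tables.get(f"{op}_invoke", []), rsps, location_is_home)
        confirmed += c
        suspected += s
    return confirmed, suspected


def call_hijacking(tables):
    """Merge si-only and gsmSCF-only isd invokes that share a transaction
    ID into the 'both' table, then correlate against isd_rr."""
    both = list(tables.get("isd_invoke_si_gsmSCF", []))
    scf_by_tid = {r["OriginationTransactionID"]: r
                  for r in tables.get("isd_invoke_gsmSCF", [])}
    for si in tables.get("isd_invoke_si", []):
        scf = scf_by_tid.get(si["OriginationTransactionID"])
        if scf:
            both.append({**scf, **si})
    return correlate(both, tables.get("isd_rr", []))


def denial_of_service(tables):
    confirmed, suspected = [], []
    for op in ("cl", "dsd"):
        c, s = correlate(tables.get(f"{op}_invoke", []), tables.get(f"{op}_rr", []))
        confirmed += c
        suspected += s
    return confirmed, suspected


# Constructed sample tables (all values made up).
FOREIGN = {"OPC": "4-123-4", "DPC": "4-200-1"}
SAMPLE_TABLES = {
    "sri_invoke": [
        {**FOREIGN, "IMSI": "460001234567890", "OriginationTransactionID": "0x0001"},
        {**FOREIGN, "MDN": "8613900000000", "OriginationTransactionID": "0x0002"},
        {"OPC": "4-200-2", "DPC": "4-200-1", "IMSI": "460001234567891",
         "OriginationTransactionID": "0x0003"},    # home-to-home: not inward
    ],
    "sri_rrnl": [{"DestinationTransactionID": "0x0001",
                  "LocationInformation": "460-00-1234-5678"}],
    "isd_invoke_si": [{**FOREIGN, "IMSI": "460001234567890",
                       "OriginationTransactionID": "0x0010",
                       "subscriberIdentity": "460001234567890"}],
    "isd_invoke_gsmSCF": [{**FOREIGN, "OriginationTransactionID": "0x0010",
                           "gsmSCF-Address": "447700900123"}],
    "isd_rr": [{"DestinationTransactionID": "0x0010"}],
    "cl_invoke": [{**FOREIGN, "IMSI": "460001234567890",
                   "OriginationTransactionID": "0x0020"}],
}


def audit_sample():
    """(confirmed, suspected) counts per threat type for the sample."""
    return {name: (len(c), len(s)) for name, (c, s) in (
        ("location_tracking", location_tracking(SAMPLE_TABLES)),
        ("call_hijacking", call_hijacking(SAMPLE_TABLES)),
        ("denial_of_service", denial_of_service(SAMPLE_TABLES)))}
```

On the sample, the sri request answered with a home location is confirmed, the sri request with no captured reply is suspected, the home-to-home sri request is dropped by the inward filter, the two half isd invokes merge on transaction ID and are confirmed against the isd_rr, and the unanswered cl request is suspected.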
In this embodiment, signaling data is first obtained and key cell field information is extracted from each protocol layer of the signaling data; security attack analysis is then performed on the signaling data according to the key cell field information to obtain a security attack analysis result, which solves the prior-art problem that, for attacks without a protection means, there is no corresponding way to determine whether an attack exists or whether it succeeded. Existing schemes focus on interception and protection and lack a means of confirming the effect after the event; this embodiment produces a security attack analysis result for the signaling data and therefore provides such an after-the-event confirmation. Furthermore, the embodiment captures data from the live network, obtaining it from the existing signaling monitoring data of the international gateway, so no additional signaling acquisition cost is incurred; and the embodiment outputs an audit report without immediately affecting the live network, which may later be operated on as appropriate according to the security attack analysis result.
Example two
Referring to fig. 5, an apparatus for analyzing a security attack is shown, the apparatus 500 comprising:
an obtaining module 501, configured to obtain signaling data, and extract key cell field information of the signaling data from each protocol layer corresponding to the signaling data;
in this embodiment, optionally, the obtaining module 501 obtains offline signaling data from the international gateway, where the offline signaling data is a data packet generated according to a predetermined time interval. The bidirectional off-line signaling data is acquired from the signaling related system established by the current network international gateway bureau, the current network is not required to be modified, and the network is not influenced.
An analysis module 502, configured to perform security attack analysis on the signaling data according to the key cell field information, to obtain a security attack analysis result.
The analysis result may include: confirming a positioning tracking attack list, a suspected positioning tracking attack list, a confirmed call hijacking attack list, a suspected call hijacking attack list, a confirmed denial of service attack list and a suspected denial of service attack list.
In this embodiment, optionally, the obtaining module 501 includes: the acquisition unit 5011 and the extraction unit 5012 are seen in fig. 6, in which,
an obtaining unit 5011, configured to obtain offline signaling data from an international gateway, where the offline signaling data is a data packet generated according to a predetermined time interval;
the extracting unit 5012 is configured to extract the key cell field information of the offline signaling data from each protocol layer corresponding to the offline signaling data.
In this embodiment, optionally, the analysis module 502 includes:
a classifying unit 5021, configured to classify the signaling data according to the operation code type field and the message direction field in the key cell field information, and generate a classified retrieval cell data file of the signaling data, where each type of classified retrieval cell data file includes a request direction file of the type and a response direction file of the type;
an analyzing unit 5022, configured to perform security attack analysis on the signaling data according to the request direction file and the response direction file, to obtain a confirmation attack set and a suspected attack set.
In this embodiment, optionally, the analyzing unit 5022 includes:
a filter subunit 50221, configured to filter the request direction file in the sorted and retrieved cell data file according to the inward request principle;
a checking subunit 50222, configured to perform association checking on the original transaction ID in the request direction file and the destination transaction ID in the response direction file that meet the filtering condition;
if the original source transaction ID in the request message in the request direction file is the same as the target transaction ID in the response message in the response direction file, and the position information field carried in the response message in the response direction file is displayed as the home position information, combining and outputting the request message and the response message to a confirmation attack set corresponding to the classified retrieval cell data file;
and if no response message corresponding to the request message exists, outputting the request message to a suspected attack set corresponding to the classified retrieval cell data file.
In this embodiment, optionally, the filtering subunit 50221 is further configured to:
the request direction file in the classified search cell data file is filtered by taking the destination signaling point code DPC as the home country, the original source signaling point code OPC as the non-home country, and the international mobile subscriber identity IMSI or mobile subscriber directory number MDN as the filtering condition of the home country.
In this embodiment, signaling data is first obtained and key cell field information is extracted from each protocol layer of the signaling data; security attack analysis is then performed on the signaling data according to the key cell field information to obtain a security attack analysis result, which solves the prior-art problem that, for attacks without a protection means, there is no corresponding way to determine whether an attack exists or whether it succeeded. Existing schemes focus on interception and protection and lack a means of confirming the effect after the event; this embodiment produces a security attack analysis result for the signaling data and therefore provides such an after-the-event confirmation. Furthermore, the embodiment captures data from the live network, obtaining it from the existing signaling monitoring data of the international gateway, so no additional signaling acquisition cost is incurred; and the embodiment outputs an audit report without immediately affecting the live network, which may later be operated on as appropriate according to the security attack analysis result.
It should be appreciated that reference throughout this specification to "one embodiment" or "an embodiment" means that a particular feature, structure or characteristic described in connection with the embodiment is included in at least one embodiment of the present invention. Thus, the appearances of the phrases "in one embodiment" or "in an embodiment" in various places throughout this specification are not necessarily all referring to the same embodiment. Furthermore, the particular features, structures, or characteristics may be combined in any suitable manner in one or more embodiments.
In various embodiments of the present invention, it should be understood that the sequence numbers of the above-mentioned processes do not mean the execution sequence, and the execution sequence of each process should be determined by its function and inherent logic, and should not constitute any limitation to the implementation process of the embodiments of the present invention.
In addition, the terms "system" and "network" are often used interchangeably herein.
It should be understood that the term "and/or" herein is merely one type of association relationship that describes an associated object, meaning that three relationships may exist, e.g., A and/or B may mean: A exists alone, A and B exist simultaneously, and B exists alone. In addition, the character "/" herein generally indicates that the former and latter related objects are in an "or" relationship.
In the embodiments provided herein, it should be understood that "B corresponding to A" means that B is associated with A, from which B can be determined. It should also be understood that determining B from A does not mean determining B from A alone; B may be determined from A and/or other information.
In the several embodiments provided in the present application, it should be understood that the disclosed method and apparatus may be implemented in other ways. For example, the above-described apparatus embodiments are merely illustrative, and for example, the division of the units is only one logical division, and other divisions may be realized in practice, for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, devices or units, and may be in an electrical, mechanical or other form.
In addition, functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may be physically included alone, or two or more units may be integrated into one unit. The integrated unit can be realized in a form of hardware, or in a form of hardware plus a software functional unit.
The integrated unit implemented in the form of a software functional unit may be stored in a computer readable storage medium. The software functional unit is stored in a storage medium and includes several instructions to enable a computer device (which may be a personal computer, a server, or a network device) to execute some steps of the transceiving method according to various embodiments of the present invention. And the aforementioned storage medium includes: various media capable of storing program codes, such as a usb disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, or an optical disk.
While the preferred embodiments of the present invention have been described, it should be understood that modifications and adaptations to those embodiments may occur to one skilled in the art without departing from the principles of the present invention and are within the scope of the present invention.

Claims (6)

1. A method of analyzing security attacks, comprising:
acquiring signaling data, and extracting key cell field information of the signaling data from each protocol layer corresponding to the signaling data;
performing security attack analysis on the signaling data according to the key cell field information to obtain a security attack analysis result, including:
classifying the signaling data according to an operation code type field and a message direction field in the key cell field information to generate classified retrieval cell data files of the signaling data, wherein each type of classified retrieval cell data file comprises a request direction file of the type and a response direction file of the type;
performing security attack analysis on the signaling data according to the request direction file and the response direction file to obtain a confirmation attack set and a suspected attack set, including: according to the principle of inward request, filtering the request direction file in the classified retrieval cell data file;
performing correlation check on the original source transaction ID in the request direction file and the target transaction ID in the response direction file which meet the filtering condition;
if the original source transaction ID in the request message in the request direction file is the same as the target transaction ID in the response message in the response direction file, and the position information field carried in the response message in the response direction file is displayed as the home position information, combining and outputting the request message and the response message to a confirmation attack set corresponding to the classified retrieval cell data file;
and if no response message corresponding to the request message exists, outputting the request message to a suspected attack set corresponding to the classified retrieval cell data file.
2. The method of claim 1, wherein the obtaining signaling data comprises:
and acquiring offline signaling data from the international gateway, wherein the offline signaling data are data packets generated according to a preset time interval.
3. The method of claim 1, wherein filtering the request direction file in the sorted retrieval cell data file on an inward request basis comprises:
the request direction file in the classified search cell data file is filtered by taking the destination signaling point code DPC as the home country, the original source signaling point code OPC as the non-home country, and the international mobile subscriber identity IMSI or mobile subscriber directory number MDN as the filtering condition of the home country.
4. An apparatus for analyzing security attacks, comprising:
the acquisition module is used for acquiring signaling data and extracting key cell field information of the signaling data from each protocol layer corresponding to the signaling data;
the analysis module is used for carrying out security attack analysis on the signaling data according to the key cell field information to obtain a security attack analysis result;
the analysis module includes:
a classifying unit, configured to classify the signaling data according to an operation code type field and a message direction field in the key cell field information, and generate a classified retrieval cell data file of the signaling data, where each type of classified retrieval cell data file includes a request direction file of the type and a response direction file of the type;
the analysis unit is used for carrying out security attack analysis on the signaling data according to the request direction file and the response direction file to obtain a confirmation attack set and a suspected attack set;
the analysis unit includes:
a filtering subunit, configured to filter the request direction file in the classified retrieval cell data file according to an inward request principle;
the checking subunit is used for performing association check on the original source transaction ID in the request direction file meeting the filtering condition and the target transaction ID in the response direction file;
if the original source transaction ID in the request message in the request direction file is the same as the target transaction ID in the response message in the response direction file, and the position information field carried in the response message in the response direction file is displayed as the home position information, combining and outputting the request message and the response message to a confirmation attack set corresponding to the classified retrieval cell data file;
and if no response message corresponding to the request message exists, outputting the request message to a suspected attack set corresponding to the classified retrieval cell data file.
5. The apparatus of claim 4, wherein the obtaining module comprises:
an obtaining unit, configured to obtain offline signaling data from an international gateway, where the offline signaling data is a data packet generated according to a predetermined time interval;
and the extracting unit is used for extracting the key cell field information of the off-line signaling data from each protocol layer corresponding to the off-line signaling data.
6. The apparatus of claim 4, wherein the filtering subunit is further configured to:
the request direction file in the classified search cell data file is filtered by taking the destination signaling point code DPC as the home country, the original source signaling point code OPC as the non-home country, and the international mobile subscriber identity IMSI or mobile subscriber directory number MDN as the filtering condition of the home country.
CN201611063393.6A 2016-11-28 2016-11-28 Method and device for analyzing security attack Active CN108123789B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201611063393.6A CN108123789B (en) 2016-11-28 2016-11-28 Method and device for analyzing security attack

Publications (2)

Publication Number Publication Date
CN108123789A CN108123789A (en) 2018-06-05
CN108123789B true CN108123789B (en) 2021-01-15

Family

ID=62223677

Country Status (1)

Country Link
CN (1) CN108123789B (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113556741B (en) * 2020-04-21 2023-05-05 中国移动通信有限公司研究院 Security interception method and device
CN111901818A (en) * 2020-06-15 2020-11-06 国家计算机网络与信息安全管理中心 Method for judging abnormal behavior of core network element based on MAP signaling

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101945109A (en) * 2010-09-16 2011-01-12 电子科技大学 Method for carrying out path recording and source tracing on signaling No.7 network transmitting process

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101321173A (en) * 2008-07-21 2008-12-10 华为技术有限公司 Method, system and device for preventing network attack
CN102572753B (en) * 2012-02-07 2014-12-03 北京中创信测信息技术有限公司 Method and system for analyzing signaling of mobile application part
CN103078755B (en) * 2012-12-31 2014-09-17 中国人民解放军总参谋部第五十四研究所 No.7 signaling acquisition and injection system
EP3018876B1 (en) * 2014-11-05 2020-01-01 Vodafone IP Licensing limited Monitoring of signalling traffic

Also Published As

Publication number Publication date
CN108123789A (en) 2018-06-05

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant