CN110621019A - Method and device for preventing flow fraud - Google Patents


Info

Publication number
CN110621019A
Authority
CN
China
Prior art keywords
network
user equipment
usage
use condition
authentication code
Prior art date
Legal status
Pending
Application number
CN201810638701.6A
Other languages
Chinese (zh)
Inventor
李华
何承东
Current Assignee
Huawei Technologies Co Ltd
Original Assignee
Huawei Technologies Co Ltd
Related application
PCT/CN2019/088881 (published as WO2019242467A1)


Classifications

All codes fall under H (Electricity), H04 (Electric communication technique); H04M is telephonic communication and H04W is wireless communication networks.

    • H04M15/00 Arrangements for metering, time-control or time indication; metering, charging or billing arrangements for voice wireline or wireless communications, e.g. VoIP
    • H04M15/47 Fraud detection or prevention means
    • H04W12/00 Security arrangements; authentication; protecting privacy or anonymity
    • H04W12/04 Key management, e.g. using generic bootstrapping architecture [GBA]
    • H04W12/041 Key generation or derivation
    • H04W12/06 Authentication
    • H04W12/10 Integrity
    • H04W12/106 Packet or message integrity
    • H04W12/12 Detection or prevention of fraud
    • H04W24/00 Supervisory, monitoring or testing arrangements
    • H04W24/08 Testing, supervising or monitoring using real traffic
    • H04W4/00 Services specially adapted for wireless communication networks; facilities therefor
    • H04W4/24 Accounting or billing

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Business, Economics & Management (AREA)
  • Accounting & Taxation (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The application provides a method and a device for preventing traffic fraud. The method comprises the following steps: the visited network reports the network usage, and the user equipment also reports the network usage; the home network compares the network usage reported by the visited network with the network usage reported by the user equipment to judge whether possible traffic fraud exists, and if so, handles the traffic fraud according to a preset policy. Through the technical solution provided by the invention, measures can be taken against traffic fraud, so that charging disputes between the user and the operator are reduced as far as possible.

Description

Method and device for preventing traffic fraud
Technical Field
The present application relates to the field of communications, and in particular, to a method and an apparatus for preventing traffic fraud in the field of communications.
Background
With the continuous development of communication systems, service-based architectures (SBAs) are widely used. In an SBA, network functions are provided as services by network entities capable of providing specific network functions; these entities are called Network Function (NF) modules.
As shown in fig. 1, in a service-based network architecture, any two network function modules may interact through a service-based interface in the form of a network function service call. When a user roams, in the home-routed scenario, the user's traffic is sent through the User Plane Function of the visited network (vUPF) to the UPF of the home network (hUPF); the hUPF reports the usage to the SMF of the home network (hSMF), and the hSMF passes it on to the network elements responsible for charging. (Hereinafter the prefix v denotes the visited network and h denotes the home network.)
In a roaming scenario, if the visited network is paid on a revenue-sharing basis, the visited network may commit traffic fraud (for example, misreporting to the home network how much traffic was used), which leads to charging disputes.
Disclosure of Invention
The application provides a method and equipment for preventing traffic fraud. When the visited network reports the network usage, the UE also reports the network usage; the home network compares the network usage reported by the visited network with that reported by the UE to judge whether possible traffic fraud exists, and if so, handles it according to a preset policy. Through the technical solution provided by the invention, measures can be taken against traffic fraud, so that charging disputes between the user and the operator are reduced as far as possible.
In a first aspect, the present application provides a method for preventing traffic fraud, the method comprising: a first network element receives a first network usage sent by user equipment, where the first network element is a network element in a home network; the first network element acquires a second network usage sent by a second network element, where the second network element is a network element in a visited network that provides service to the user equipment; and if the first network usage does not match the second network usage, processing is carried out according to a preset policy.
For example, the first network element may be an Access and Mobility Management Function (AMF), a Session Management Function (SMF), a Security Edge Protection Proxy (SEPP), an Authentication Server Function (AUSF) or a Unified Data Management (UDM) element in the home network. The second network element may be an AMF in the visited network.
The first network usage is counted on the UE side: it is the traffic used by the UE within a preset time period, the number of packets sent and received within that period, the service usage of a certain slice, or the service usage of a certain session. Correspondingly, the second network usage is counted on the network side: the traffic used by the UE within the preset time period, the number of packets sent and received within that period, the service usage of a certain slice (such as the traffic used by the slice or the number of packets sent and received in it), or the service usage of a certain session (likewise traffic or packet count). In other words, the first network usage is the network usage of the user equipment, or of a first slice, or of a first session, as counted by the user equipment; the second network usage is the network usage of the user equipment, the first slice or the first session as counted by the second network element; the network usage is traffic volume, or duration of network use, or the number of packets sent and received; the first slice is any slice initiated by the user equipment and the first session is any session initiated by the user equipment.
With reference to the first aspect, in order to ensure the integrity of the information reported by the UE during transmission, the UE sends a first message authentication code to the first network element, where the message authentication code is generated from a shared key and the first network usage. Correspondingly, the first network element receives the first message authentication code sent by the user equipment; the first network element acquires a second message authentication code, which is likewise generated from the shared key and the second network usage; and if the first message authentication code is the same as the second message authentication code, the first network element judges whether the first network usage matches the second network usage.
It can be understood that if the first message authentication code is the same as the second message authentication code, the message reported by the UE was not tampered with in transit. Judging whether the first network usage matches the second network usage comprises: judging whether the first network usage is identical to the second network usage; or, if both are numerical values, judging whether the difference between the two values is smaller than a preset threshold.
Further, if the first network usage does not match the second network usage, processing is carried out according to a preset policy. The preset policy may comprise one or more actions, for example releasing the session or reporting to a server. For example, processing according to the preset policy includes terminating the session, reporting to a server, or recording a detailed log of the user's network usage.
With reference to the first aspect, there are many mechanisms for causing the UE and the visited network to report their network usage: the reporting may be triggered by a network element in the home network, by the vAMF, by the vUPF, or by the hUPF, which is not limited here. For example, before the first network element receives the first network usage sent by the user equipment, the method further includes: the first network element sends a service usage query request to the second network element, the request instructing the second network element to feed back the network usage of the user equipment.
A second aspect of the invention discloses a method for preventing traffic fraud, comprising: a second network element receives a first network usage sent by user equipment, where the second network element is a network element in a visited network; the second network element acquires a second network usage counted by the visited network; and if the first network usage does not match the second network usage, processing is carried out according to a preset policy.
The second network element may be a vAMF. The first network usage is, as counted on the UE side, the traffic used by the UE within a preset time period, the number of packets sent and received within that period, the service usage of a certain slice, or the service usage of a certain session. Correspondingly, the second network usage is, as counted on the network side, the traffic used by the UE within the preset time period, the number of packets sent and received within that period, the service usage of a certain slice, or the service usage of a certain session. That is, the first network usage is the network usage of the user equipment, a first slice or a first session as counted by the user equipment, and the second network usage is the same quantity as counted by the second network element; the network usage is traffic volume, duration of network use, or the number of packets sent and received; the first slice is any slice initiated by the user equipment and the first session is any session initiated by the user equipment.
Judging whether the first network usage matches the second network usage comprises: judging whether the first network usage is identical to the second network usage; or, if both are numerical values, judging whether the difference between the two values is smaller than a preset threshold. Further, if the first network usage does not match the second network usage, processing is carried out according to a preset policy. The preset policy may comprise one or more actions. For example, the session may be released, with the release message carrying a cause value for terminating the session; or the vAMF may continue serving the UE and record its detailed service usage, so as to provide evidence if a dispute arises later; or the vAMF may report the inconsistent traffic information to the operation and maintenance system; or the vAMF may report the inconsistency to the home network. The vAMF may select one or more of these actions. In short, processing according to the preset policy includes terminating the session, reporting to a server, or recording a detailed log of the user's network usage.
It can be understood that comparing the network usage reported by the UE with the network usage counted by the visited network is done to determine whether the UE has tampered with its own usage data. The visited network can record the result for later checking. The comparison result may of course also be sent to the home network, which may record it as well.
It can be understood that, so that the home network knows whether the UE's network usage is normal, the first network usage and the second network usage are also sent to a first network element, the first network element being a network element in the home network. The home network then judges from the first and second network usage whether the traffic statistics are abnormal.
Further, if the home network subscribes to messages querying the UE's network usage, the second network element periodically sends a traffic query request to the user equipment according to the subscription information of the first network element, so that the UE feeds back the network usage it has counted in response to the traffic query request.
A third aspect of the invention discloses a method for preventing traffic fraud, comprising: the user equipment generates a first message authentication code from the network usage and a shared key; and the user equipment sends the network usage and the first message authentication code to a visited network.
It can be understood that, in order to prevent the visited network from tampering at will with the UE's network usage, the UE sends both its network usage and the message authentication code to the visited network; the visited network forwards them to the home network, and the home network finally determines whether the network usage reported by the UE is consistent with the network usage reported by the visited network.
Generating the first message authentication code requires the shared key, so the shared key must be generated before the first message authentication code. The shared key is shared between the UE and the home network, so both the UE and the home network know how to generate or obtain it. For example, the user equipment generates the shared key from the identifier of the visited network and an intermediate key, where the intermediate key is a key generated during the access authentication of the user equipment and the identifier of the visited network comprises the name of the visited network. There may be one or more first message authentication codes: the network usage comprises at least one of the network usage of the user equipment, the network usage of a first slice, and the network usage corresponding to a first session, and the first message authentication codes correspond one-to-one to the parameters in the network usage. The network usage is traffic volume, duration of network use, or the number of packets sent and received; the first slice is any slice initiated by the user equipment and the first session is any session initiated by the user equipment.
After the home network compares the network usage reported by the UE with the network usage reported by the visited network, it may feed the comparison result back to the UE, together with a message authentication code to ensure the integrity of the message in transit, so that the UE can take measures according to the comparison result. Specifically, the user equipment receives the comparison result fed back via the visited network and a second message authentication code; the user equipment verifies the second message authentication code; and if verification succeeds, the user equipment acts on the comparison result according to a preset policy. The user equipment can verify the message authentication code using the shared key.
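The exchange described in the first, second and third aspects, as an added example that is not part of the patent and is not Huawei code: the UE derives the shared key from its intermediate key and the visited network name, reports its counters with one message authentication code per parameter, the vAMF compares that report with its own counters (second aspect), and a home-network element recomputes the codes and applies the threshold comparison and preset policy (first aspect). The key derivation (HMAC-SHA256 over a label and the network name under the intermediate key), the use of HMAC-SHA256 as the message authentication code, the JSON report encoding, the 1024-byte tolerance, the policy names and all keys and counter values are assumptions made for illustration; the patent fixes the inputs of these steps, not the algorithms. The example reads the integrity check as recomputing the code over the UE's report exactly as it arrived, which is what lets the home network notice that the visited network rewrote the UE's figures.

```python
"""Added example (not from the patent): UE / visited network / home network
usage-report exchange. Every algorithm and value below is an assumption."""
import hashlib
import hmac
import json

THRESHOLD = 1024  # assumed tolerance (bytes) for counter drift between UE and network


def derive_shared_key(intermediate_key: bytes, visited_network_name: str) -> bytes:
    """Shared key between UE and home network, bound to the visited network name.
    Assumption: HMAC-SHA256 of a label and the name under the intermediate key."""
    label = b"usage-report-key|" + visited_network_name.encode()
    return hmac.new(intermediate_key, label, hashlib.sha256).digest()


def usage_mac(key: bytes, period: int, param: str, value: int) -> str:
    """One MAC per reported parameter over a canonical (assumed) encoding."""
    msg = json.dumps({"period": period, "param": param, "value": value},
                     sort_keys=True).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def ue_report(key: bytes, period: int, usage: dict) -> dict:
    """Third aspect: the UE reports its own counters plus a MAC per parameter."""
    return {"period": period, "usage": dict(usage),
            "macs": {p: usage_mac(key, period, p, v) for p, v in usage.items()}}


def visited_report(counters: dict, period: int, inflate_by: int = 0) -> dict:
    """Second network usage as counted by the visited network. inflate_by models
    the padding fraud described in the background section (0 = honest)."""
    return {"period": period,
            "usage": {p: v + inflate_by for p, v in counters.items()}}


def compare_usage(ue_val: int, net_val: int, threshold: int = THRESHOLD) -> str:
    """Match rule: identical, or numerical difference below the preset threshold."""
    return "match" if abs(ue_val - net_val) < threshold else "mismatch"


def visited_check(ue_rep: dict, counters: dict, threshold: int = THRESHOLD) -> dict:
    """Second aspect: the vAMF compares the UE's report with its own counters to
    spot a UE under-reporting. It holds no shared key, so it cannot check the MAC."""
    return {p: compare_usage(v, counters.get(p, 0), threshold)
            for p, v in ue_rep["usage"].items()}


def home_check(key: bytes, ue_rep: dict, vis_rep: dict,
               threshold: int = THRESHOLD) -> dict:
    """First aspect, run by a home-network element: recompute each MAC over the
    UE report as received, then compare per parameter and choose a policy."""
    results = {}
    for param, ue_val in ue_rep["usage"].items():
        expected = usage_mac(key, ue_rep["period"], param, ue_val)
        if not hmac.compare_digest(expected, ue_rep["macs"].get(param, "")):
            results[param] = "integrity_failure"   # altered between UE and home
            continue
        net_val = vis_rep["usage"].get(param)
        results[param] = ("missing" if net_val is None
                          else compare_usage(ue_val, net_val, threshold))
    verdicts = set(results.values())
    if "integrity_failure" in verdicts:
        action = "terminate_session_and_report"
    elif verdicts & {"mismatch", "missing"}:
        action = "log_detailed_usage_and_report"
    else:
        action = "none"
    return {"results": results, "action": action}


def run_scenarios() -> dict:
    """Constructed scenarios: honest visited network, inflated counters, a visited
    network that rewrites the UE's report to hide the inflation, and a lying UE."""
    key = derive_shared_key(b"\x11" * 32, "visited.example")  # constructed key
    period = 7
    real = {"ue": 50_000, "session:1": 50_000}
    rep = ue_report(key, period, real)
    out = {}
    # 1. honest: visited counters drift by a few hundred bytes, within tolerance
    honest = visited_report({"ue": 50_300, "session:1": 50_300}, period)
    out["honest"] = home_check(key, rep, honest)["action"]
    # 2. inflated: visited network pads 20 kB onto each counter it reports
    inflated = visited_report(real, period, inflate_by=20_000)
    out["inflated"] = home_check(key, rep, inflated)["action"]
    # 3. tampered: visited network also rewrites the UE's figures to match its
    #    own, but cannot recompute the MACs without the shared key
    forged = dict(rep, usage={"ue": 70_000, "session:1": 70_000})
    out["tampered"] = home_check(key, forged, inflated)["action"]
    # 4. UE under-reports; the vAMF catches it against its own counters
    lying_ue = ue_report(key, period, {"ue": 10_000, "session:1": 10_000})
    out["ue_underreport"] = visited_check(lying_ue, real)["ue"]
    return out


if __name__ == "__main__":
    print(json.dumps(run_scenarios(), indent=2))
```

The visited network never holds the shared key, so it can inflate its own counters but cannot make a rewritten UE report verify; the home network therefore distinguishes an honest mismatch (policy: log and report) from a report altered in transit (policy: terminate and report). Binding the key to the visited network name means a code produced while roaming in one network does not verify when replayed as coming from another.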
A fourth aspect of the present invention discloses an apparatus (the apparatus is a network element in a home network) operable to perform the method of the first aspect. Specifically, the apparatus comprises:
a receiving unit, configured to receive a first network usage sent by a user equipment, where the apparatus is a network element in a home network; an obtaining unit, configured to obtain a second network usage sent by a second network element, where the second network element is a network element in a visited network that provides a service for the user equipment;
and the processing unit is used for processing according to a preset strategy if the first network use condition is not matched with the second network use condition.
Optionally, the apparatus further includes a determining unit;
the receiving unit is further configured to receive a first message authentication code sent by the user equipment; wherein the message authentication code is generated based on a shared key and the first network usage; the obtaining unit is further configured to obtain a second message authentication code, where the second message authentication code is generated according to the shared secret key and the second network usage; the judging unit is configured to judge whether the first network usage is matched with the second network usage if the first message authentication code is the same as the second message authentication code.
Optionally, the apparatus further comprises a sending unit;
the sending unit is configured to send a service use query request to the second network element;
the receiving unit is configured to receive a second network usage sent by the second network element.
A fifth aspect of the invention discloses an apparatus (the apparatus is a network element in a visited network, such as an AMF), which is operable to perform the method described in the second aspect. Specifically, the device comprises a receiving unit, an acquiring unit and a processing unit;
the receiving unit is configured to receive a first network usage sent by user equipment, where the device is a network element in a visited network; the obtaining unit is configured to obtain the second network usage counted by the visited network; and the processing unit is configured to process according to a preset policy if the first network usage does not match the second network usage.
Optionally, the apparatus further comprises a sending unit;
the sending unit is configured to send the first network usage and the second network usage to a first network element; wherein the first network element is a network element in a home network.
Further, the sending unit is further configured to send a traffic query request to the user equipment periodically according to the subscription information of the first network element; the receiving unit is configured to receive a first network usage condition sent by the user equipment, where the device is a network element in a visited network.
A sixth aspect of the present invention discloses a user equipment configured to perform the method of the third aspect. Specifically, the user equipment includes a generating unit and a transmitting unit;
the generating unit is used for generating a first message authentication code according to the network use condition and the shared key;
the sending unit is used for sending the network use condition and the first message authentication code to the visiting network.
Optionally, the generating unit is further configured to generate the shared key from the identifier of the visited network and the intermediate key; the intermediate key is a key generated during the access authentication of the user equipment, and the identifier of the visited network comprises the name of the visited network.
Optionally, the user equipment further includes a receiving unit, a verifying unit and a processing unit;
the receiving unit is configured to receive the comparison result fed back by the visited network and a second message authentication code; the verifying unit is configured to verify the second message authentication code; and the processing unit is configured to process according to the comparison result and a preset policy if the second message authentication code is verified successfully.
In a seventh aspect, the present application provides a network element comprising a memory, a processor, a transceiver, and a computer program stored on the memory and executable on the processor, wherein when the computer program in the memory is executed, the transceiver and the processor perform the method of the first aspect or any possible implementation manner of the first aspect.
In an eighth aspect, the present application provides a network element comprising a memory, a processor, a transceiver, and a computer program stored on the memory and executable on the processor, wherein when the computer program in the memory is executed, the transceiver and the processor perform the method of the second aspect or any possible implementation manner of the second aspect.
In a ninth aspect, the present application provides a user equipment (such as a mobile phone, a tablet computer, a wearable device or another electronic device that sends and receives information), the user equipment comprising a memory, a processor, a transceiver and a computer program stored on the memory and executable on the processor, wherein when the computer program in the memory is executed, the transceiver and the processor perform the method of the third aspect or any possible implementation manner of the third aspect.
In a tenth aspect, the present application provides a computer readable medium for storing a computer program comprising instructions for performing the method of the first aspect or any possible implementation manner of the first aspect.
In an eleventh aspect, the present application provides a computer readable medium for storing a computer program comprising instructions for performing the method of the second aspect or any possible implementation of the second aspect.
In a twelfth aspect, the present application provides a computer readable medium for storing a computer program comprising instructions for performing the method of the third aspect or any possible implementation manner of the third aspect.
In a thirteenth aspect, the present application provides a computer program product comprising instructions which, when run on a computer, cause the computer to perform the method of the first aspect or any possible implementation manner of the first aspect.
In a fourteenth aspect, the present application provides a computer program product comprising instructions which, when run on a computer, cause the computer to perform the method of the second aspect described above or any possible implementation of the second aspect.
In a fifteenth aspect, the present application provides a computer program product comprising instructions which, when run on a computer, cause the computer to perform the method of the third aspect or any possible implementation of the third aspect.
In a sixteenth aspect, the present application provides a chip comprising: the system comprises an input interface, an output interface, at least one processor and a memory, wherein the input interface, the output interface, the processor and the memory are connected through a bus, the processor is configured to execute codes in the memory, and when the codes are executed, the processor is configured to execute the method in the first aspect or any possible implementation manner of the first aspect.
In a seventeenth aspect, the present application provides a chip comprising: an input interface, an output interface, at least one processor, and a memory, which are connected via a bus, wherein the processor is configured to execute codes in the memory, and when the codes are executed, the processor is configured to execute the method in the second aspect or any possible implementation manner of the second aspect.
In an eighteenth aspect, the present application provides a chip comprising: the system comprises an input interface, an output interface, at least one processor and a memory, wherein the input interface, the output interface, the processor and the memory are connected through a bus, the processor is used for executing codes in the memory, and when the codes are executed, the processor is used for executing the method in the third aspect or any possible implementation manner of the third aspect.
Drawings
Fig. 1 is a 5G roaming architecture diagram provided in an embodiment of the present application;
fig. 2 is a schematic flow chart of a method for preventing traffic fraud according to an embodiment of the present application;
fig. 3 is a schematic flow chart of another method for preventing traffic fraud according to an embodiment of the present application;
fig. 4 is a logic structure diagram of a network element of a home network according to an embodiment of the present application;
fig. 5 is a logic structure diagram of a network element of a visited network according to an embodiment of the present application;
fig. 6 is a logic structure diagram of a user equipment according to an embodiment of the present application;
fig. 7 is a physical structure diagram of an apparatus according to an embodiment of the present application.
Detailed Description
The technical solution in the present application will be described below with reference to the accompanying drawings.
Fig. 1 shows a schematic block diagram of a 5G roaming architecture provided by an embodiment of the present application. The architecture is service-based: it is decomposed into a number of different types of network function modules, which interact through service-based interfaces in the form of network function service calls.
It should be understood that the network function module in the embodiment of the present application has specific functions and network interfaces, and may be a network element on dedicated hardware, a software instance running on the dedicated hardware, or a virtual function instance on a related platform (e.g., on a cloud infrastructure), which is not limited in the embodiment of the present application.
The various modules in the service-based network architecture are described below in conjunction with fig. 1:
Radio Access Network (RAN): responsible for the access of User Equipment (UE). In the specifications, RAN may also be abbreviated as AN.
The UE in the embodiments of the present application may be mobile or stationary, and may refer to an access terminal, terminal device, mobile terminal, subscriber unit, subscriber station, mobile station, remote terminal, mobile device, user terminal, wireless communication device, user agent or user equipment. An access terminal may be a cellular telephone, a cordless telephone, a Session Initiation Protocol (SIP) phone, a Wireless Local Loop (WLL) station, a Personal Digital Assistant (PDA), a handheld device with wireless communication capability, a computing device or other processing device connected to a wireless modem, a vehicle-mounted device, a wearable device, or a user equipment in a future fifth generation (5G) system or New Radio (NR) system.
Access and Mobility Management Function (AMF) module: responsible for functions similar to the mobility management of the existing Mobility Management Entity (MME), i.e. controlling the access of UEs to network resources and managing UE mobility. The AMF module communicates with the RAN module to handle the access network control plane over the N2 reference point, which is not a service-based interface.
An authentication service function (AUSF) module: responsible for the generation of keys and the bidirectional authentication with the UE.
Session Management Function (SMF) module: and is responsible for managing the session of the UE, including the establishment, modification and release of the session.
Network Exposure Function (NEF) module: responsible for securely exposing network function services of the core network to external network entities, translating between internal and external network information, and so on.
A network function (network function) module: refers to a network element capable of providing network services, such as AUSF, AMF, or UDM.
Network Repository Function (NRF) module: responsible for service discovery and related functions; the expansion NF Repository Function is also used.
Policy Control Function (PCF) module: a unified policy framework responsible for managing network behavior; and providing policy rules to the control plane for execution and the like.
Unified Data Management (UDM) module: including the Front End (FE) and the User Database (UDR). The FE is responsible for credit rating processing, location management, subscription management, and the like, and can access user subscription data stored in the UDR, which is a user subscription data storage server and is responsible for providing user subscription data to the front end.
Application Function (AF) module: providing application services.
User Plane Function (UPF) module: provides functions such as data packet inspection, forwarding, and traffic usage reporting.
Wherein, the above modules may also be interpreted as various network elements or functional network elements. For example, UDM may be understood as a UDM network element or a UDM-capable network element, and NRF may be understood as an NRF network element or an NRF-capable network element.
As shown in fig. 1, the AMF module has a service-based interface Namf, the SMF module has a service-based interface Nsmf, the AUSF module has a service-based interface Nausf, the NEF module has a service-based interface Nnef, the NRF module has a service-based interface Nnrf, the PCF module has a service-based interface Npcf, the UDM module has a service-based interface Nudm, and the AF module has a service-based interface Naf.
It should be understood that the service interface of each network function module in the embodiment of the present application may also be named by other names, which is not limited by the embodiment of the present application.
It should be noted that in a roaming scenario, the visited network may commit traffic fraud if it uses a revenue-sharing model (e.g., the visited network settles charges with the home network based on the traffic used by the user). For example, when the vUPF forwards traffic to the hUPF (a network element with the v prefix is in the visited network, and a network element with the h prefix is in the home network), some spam traffic may be added, so that the traffic actually used by the user is inconsistent with the traffic reported by the visited network, which leads to charging disputes.
In view of the above problem, the present invention provides the following solution: when the visited network reports the network usage (such as traffic data, duration data, and message counts) to the home network, the UE also reports its network usage, and the home network compares the network usage reported by the visited network with the network usage reported by the UE to determine whether traffic fraud may have occurred. Optionally, the home network may feed the determination result back to the visited network. Further, in order to protect the network usage reported by the UE from being tampered with by the visited network, the UE may apply integrity protection to the network usage it reports; if the home network verifies that the integrity protection of the data sent by the UE passes, it compares the network usage reported by the UE with that reported by the visited network. In addition, it should be noted that the home network may actively query or subscribe to network usage data while the UE roams.
In addition, the visited network may also perform traffic consistency detection: the vAMF (in the visited network) actively queries the network usage counted by the UE and the network usage counted by the vSMF; if the two values are inconsistent, or their difference is larger than a preset threshold, the visited network considers that the UE may be reporting traffic information maliciously, and the vAMF may act according to a preset policy, such as choosing to release the session, refusing to provide service to the UE, or continuing the service while recording a detailed service usage record of the UE, so that evidence is available when a dispute arises later, or reporting the traffic inconsistency to the operation and maintenance system. In addition, the vAMF may report the traffic inconsistency information to the home network.
Fig. 2 shows a schematic flow chart of a method for preventing traffic fraud according to an embodiment of the present application, which may be applied to a network architecture as shown in fig. 1. The method comprises the following steps:
S101, the UE sends its network usage to the vAMF;
It should be noted that the UE may send the network usage to the vAMF at a preset time interval; the preset time interval may be issued by the vAMF or by a network element in the home network.
Optionally, the UE may send the network usage to the vAMF according to an indication of the vAMF. For example, the UE receives a query request sent by the vAMF, and in response to the query request the UE sends the network usage to the vAMF.
In addition, it should be noted that the network usage may be the traffic used by the UE within the preset time interval. For example, if the UE needs to send the network usage to the vAMF every 10 minutes, the network usage sent is the traffic used by the UE in those 10 minutes. 10 minutes is only an example; the interval may be half an hour, an hour, or the like, and the preset time interval is not limited thereto.
Alternatively, the network usage may be service usage information of a slice (e.g., traffic usage of a slice).
Alternatively, the network usage may be service usage information of a certain type of slice (for example, the traffic usage of a certain slice type within a preset time period). Common slice types include eMBB (Enhanced Mobile Broadband), URLLC (Ultra-Reliable and Low-Latency Communication), and mMTC (massive Machine Type Communication).
Optionally, the network usage may also be traffic usage of a session.
In addition, it should be noted that in a possible implementation of the present invention, a network element in the home network (such as the AMF, AUSF, or hSEPP) may subscribe to the service usage information of a certain user, of a certain slice of that user, or of a certain APN (access point name), and then invoke a service interface of the vAMF to query the network usage of the UE. Specifically, if a network element in the home network subscribes to the service usage information of a certain user, of a certain slice of that user, or of a certain APN, the subscription information is stored in the vAMF, and the vAMF subsequently sends a network usage acquisition request to the UE according to the subscription information; correspondingly, when the UE receives the network usage acquisition request, it feeds its network usage back to the vAMF.
In one possible implementation of the present invention, the UE sends a first message to the vAMF, where the first message includes the network usage. For example, the network usage may be the total traffic used by the UE in a preset time period, or the number of data packets received and sent by the UE in the preset time period; it may also be a count value for a certain slice or session. It is understood that if the network usage is a count value or traffic usage of a certain slice, the identifier of the slice should be included in the first message; likewise, if the network usage is a count value or traffic usage of a certain session, the identifier of the session should be included in the first message. In addition, to ensure that the data sent by the UE is not tampered with, integrity protection is needed: specifically, the UE may include a message authentication code in the first message, so that the network usage sent by the UE and the network usage of the UE counted by the visited network are compared only after the network element of the home network has successfully verified the message authentication code.
In combination with the above possible implementation manners, it should be noted that there are many ways for generating the message authentication code, for example, the UE may generate the message authentication code according to a Serving Network Identity (SNID); for example, the UE may generate the message authentication code according to Kausf and the SNID; for example, the UE may generate a message authentication code according to the session identifier; for another example, the UE may generate a message authentication code according to the slice identifier, which is not listed here.
Here Kausf is a key generated during authentication of the UE by the home network. The Kausf generation process is as follows: while accessing the network, the UE sends its identifier to the AMF; the AMF then sends the UE identifier and the serving network identifier (which may be the serving network name) to the AUSF; the AUSF sends the UE identifier and the serving network identifier to the UDM; and the UDM generates Kausf based on the serving network identifier and sends Kausf to the AUSF. For the specific Kausf generation procedure, refer to clause A.2 of TS 33.501.
In addition, the N1Message needs to carry an identifier of the UE, such as a Subscription Permanent Identifier (SUPI) or a Subscription Concealed Identifier (SUCI).
S102, the vAMF acquires the network usage of the UE counted by the network side;
Specifically, the vAMF may invoke a service interface of the vSMF or use an interface message to query the network usage of the UE counted by the network side; if multiple vSMFs serve the UE, it invokes the service interface of each SMF to query that usage. Specifically, after receiving the first query message sent by the vAMF, the vSMF queries the user service usage information from the vUPF; if one vSMF corresponds to multiple vUPFs, the vSMF sends a second query message to each of them. In response to the second query message, each vUPF returns the network-side user service usage information to the vSMF, and in response to the first query message, the vSMF returns the network-side user service usage information to the vAMF.
Optionally, when calling the services of the vSMF, the vAMF may also carry slice information and/or session information.
Optionally, the vAMF may compare the network usage reported by the UE with the network usage counted by the network side. If the network usage sent by the UE does not match the network usage of the UE counted by the network side, the vAMF acts according to the configured policy. Specifically, in that case the vAMF has several optional actions: it may choose to release the session, optionally carrying a session termination reason in the release message; it may continue to serve the UE while recording the UE's detailed service usage record, so as to provide evidence when a dispute arises later; it may report the traffic inconsistency to the operation and maintenance system; or it may report the traffic inconsistency to the home network. It should be noted that the vAMF may select one or several of these actions, such as continuing to provide service to the UE, recording the network usage information of the UE, and sending an alarm indicating inconsistent traffic information to a network element of the home network.
S103, the vAMF sends the network use condition reported by the UE and the network use condition of the UE counted by the visited network to a home network;
It is to be understood that the vAMF sends a second message to a network element of the home network (e.g., the hAUSF, hAMF, or hSEPP); the second message comprises the network usage reported by the UE, the network usage of the UE counted by the visited network, and the message authentication code; in addition, the second message further includes an identifier of the UE and an identifier of the visited network.
In addition, it can be understood that the network usage reported by the UE, the network usage counted by the visited network, the message authentication code, the UE identifier, and the visited network identifier may be sent in one message or separately.
In addition, it can be understood that the data reported by the UE and the network-side statistics obtained by the vAMF may be sent to the home network separately. For example, the vAMF sends a UE report message to the home network, where the UE report message includes the network usage of the UE, the message authentication code, the UE identifier, and the identifier of the visited network; the vAMF may also send a visited-network report message to the home network, where that message includes the network usage of the UE counted by the visited network, the identifier of the UE, and the identifier of the visited network.
S104, the home network determines a treatment measure according to the network use condition reported by the UE and the network use condition of the UE counted by the visited network.
It should be noted that before determining whether the data reported by the UE matches the data reported by the visited network, it is also necessary to verify whether the data reported by the UE is modified, and therefore, it is necessary to verify whether the message verification codes match.
Specifically, after receiving the second message, the network element of the home network (e.g., the hAUSF, hAMF, or hSEPP) first generates a message authentication code according to the method negotiated with the UE (that is, the home network element generates the message authentication code in the same way as the UE), then compares the generated message authentication code with the one in the second message. If the two message authentication codes do not match, it is determined that the message reported by the UE has been modified, and the home network may terminate the session or report to the server according to a preset policy;
if the two message authentication codes match, the network usage reported by the UE is compared with the network usage counted by the visited network, and if they do not match, the home network may release the session or report to the server as configured.
Optionally, the home network returns the comparison result to the vAMF of the visited network, so that the vAMF acts according to the comparison result and a preset policy. For example, if the comparison result indicates that the network usage reported by the UE does not match the network usage of the UE counted by the visited network, the vAMF may choose to release the session; of course, the vAMF could also continue the service, but the mismatch would be recorded.
Optionally, the home network may generate a message authentication code MAC-result over the comparison result using the integrity key, and send the comparison result together with MAC-result to the UE. Correspondingly, after receiving the comparison result and MAC-result, the UE verifies whether the message has been modified and performs subsequent processing according to the verification result.
Therefore, with the technical scheme provided by this embodiment of the invention, a network element in the visited network can acquire both the network usage reported by the UE and the network usage of the UE counted by the visited network, compare the two, and act according to the comparison result and the preset policy; further, since the UE also feeds back a message authentication code over its network usage, the home network can use the message authentication code to verify whether the data fed back by the UE has been tampered with, and thereby determine the authenticity of that data; moreover, the network usage fed back by the UE can be used to verify whether the data fed back by the visited network is true, which further reduces the possibility of charging disputes.
Based on the idea of preventing traffic fraud as described in fig. 2, fig. 3 shows a specific method of preventing traffic fraud, which can be applied to the network architecture as shown in fig. 1. The method comprises the following steps:
1. when a preset strategy is met, the UE sends an N1 interface Message (N1Message) to the vAMF;
it should be noted that the preset policy may be that the traffic used by the UE reaches a preset threshold, or the time period for the UE to use the network reaches a preset use time period, and the preset policy may also be that the current time meets the requirement of a preset period (for example, reporting every 1 hour, or reporting every 5 minutes, where the preset period is not limited).
Optionally, before step 1, the method further includes: the vAMF sends a traffic query request to the UE; step 1 may then be implemented as: in response to the traffic query request sent by the vAMF, the UE sends an N1 interface Message (N1Message) to the vAMF. It should be noted that if a network element of the home network (such as the AUSF, hSEPP, or UDM) invokes a service interface of the vAMF, the vAMF sends a traffic query request to the UE; in addition, if a network element of the home network subscribes to the service usage information of a certain user, the vAMF stores the subscription information and initiates traffic query requests to the UE according to it. In another scenario, if a network element of the home network queries the service usage information of a certain user, of a certain slice of that user, or of a certain APN, the vAMF may also be triggered to send a service usage query request to the UE, and accordingly the UE reports its network traffic usage, or the service usage information of the slice or APN. The service usage information may be the network traffic usage of a certain UE, the number of packets received and sent by a certain UE within a preset time period, the network traffic usage of a certain slice, or the network traffic usage of a certain APN; it is not limited herein.
It is further noted that the N1Message carries a UE-counter and a Message Authentication Code (MAC). The message authentication code is generated by the UE and may therefore be labeled MAC-UE. The UE-counter may be the total traffic or number of transceived packets used by the UE, or the traffic or number of transceived packets of a certain slice or of a certain session; if the UE-counter refers to a slice or a session, the UE may also carry slice information or session information (e.g., a session identifier) in the message sent to the vAMF.
In one possible implementation of the present invention, the UE may generate the MAC-UE according to a preset key and the UE-counter. The preset Key is derived from Kausf (see the explanation in the embodiment corresponding to fig. 2) and the serving network name SNID, for example Key = KDF(Kausf, SNID); correspondingly, the MAC-UE may be obtained from the preset Key and the UE-counter, for example MAC-UE = KDF(Key, UE-counter), where KDF is a key derivation function.
2. After receiving the N1Message reported by the UE, the vAMF sends a traffic query request to the vSMF;
Specifically, the vAMF may call a service interface of the vSMF or use an interface message to query the service usage counted by the network side; if multiple vSMFs serve the UE, it calls the service interface of each SMF to query that usage.
Optionally, when calling the services of the vSMF, the vAMF may also carry slice information and/or session information related to that SMF.
3. After receiving the flow query request, the vSMF sends the flow query request to the vUPF;
Specifically, the vSMF sends the traffic query request to the vUPF through the N4 interface (N4 Message); if one vSMF corresponds to multiple vUPFs, the vSMF sends a query request to each of them;
4. the vUPF returns the flow query result of the network side to the vSMF;
5. the vSMF returns a flow query result of the network side to the vAMF;
specifically, the vSMF may perform feedback through an Nsmf message response message.
It should be noted that if the vSMF sends query requests to multiple vUPFs, it receives data fed back by each of them and aggregates the received data; for example, the value vUPF-counter counted by the vUPFs is the sum of the values fed back by the multiple vUPFs. Optionally, the vSMF may directly forward the received data to the vAMF, and the vAMF aggregates it to obtain the vUPF-counter.
6. And the vAMF compares the UE-counter reported by the UE with the vUPF-counter counted by the network side, if the difference value between the UE-counter and the vUPF-counter is greater than a preset threshold value, the visited network considers that the UE is possible to report the traffic information maliciously, and the vAMF can process according to the configuration information.
Optionally, the vAMF may choose to release the session, where the release message carries the reason for terminating the session;
optionally, the vAMF may continue the service and record the detailed service usage record of the UE, so as to provide evidence when a dispute arises later;
optionally, the vAMF may report the traffic inconsistency to the operation and maintenance system;
optionally, the vAMF may report the traffic inconsistency to the home network.
It should be noted that the vmamf may select one or more of the above-described processing modes.
In addition, it is understood that step 6 is optional, because the home network may also compare the two values subsequently and feed the comparison result back to the vAMF, and the vAMF may then act according to the comparison result fed back by the home network.
7. The vAMF sends the UE-counter reported by the UE and the vUPF-counter counted by the network side to the home network;
It will be appreciated that the vAMF sends the two values to the home network so that the home network can verify whether they match.
Optionally, the vAMF may send them in an N32 Nausf message.
Optionally, the message further includes the user identifier, the visited network ID, and the MAC-UE.
8. After receiving the message, the network element of the home network verifies the UE-MAC;
Specifically, a network element of the home network (such as the hAUSF, hSEPP, hAMF, or hUDM) generates a NET-MAC according to the preset Key (the same as the preset Key on the UE side) and the UE-counter, and compares the NET-MAC with the UE-MAC; if the NET-MAC is inconsistent with the UE-MAC, or the difference between them is greater than a preset threshold, the message reported by the UE has been modified, and the home network may terminate the session or report to the server according to a preset policy;
if NET-MAC and UE-MAC are consistent or the difference between the NET-MAC and the UE-MAC is less than or equal to a preset threshold, comparing the UE-counter reported by the UE with the vUPF-counter counted by the network side, if the UE-counter reported by the UE is not matched with the vUPF-counter counted by the network side (not equal or the difference between the UE-counter and the vUPF-counter is greater than a preset count value), the home network can select to release the session according to the configuration, wherein the message for releasing the session carries the reason for terminating the session.
9. The home network returns the comparison result to the vAMF of the visited network;
It should be noted that the comparison result may be returned in an N32 Nausf Message.
The comparison result may be a character string (e.g., true indicates a match and false a mismatch) or a numerical value (e.g., 1 indicates a match and 0 a mismatch); there are many ways to represent the comparison result, which is not limited herein.
Optionally, the comparison result may also be the vUPF-counter counted by the network side, and the message may also include a message authentication code MAC-result over the comparison result (generated according to the preset key and the comparison result);
It should be noted that the vAMF already compares the two values in step 6 and may act on that comparison; alternatively, the vAMF may defer acting and wait for the result fed back by the home network. If the comparison result is a mismatch (the threshold is exceeded), the vAMF may choose to release the session according to local policy.
10. The vAMF sends the comparison result to the UE.
Note that the vAMF may feed the comparison result back to the UE in the N1Message response.
Optionally, the feedback message may further include the MAC-result.
In addition, it is understood that if the vAMF did not act according to the configuration information or preset policy in step 6, it may act according to the comparison result now. If the comparison indicates that the two values do not match, the vAMF may act according to the configuration information.
Optionally, the vAMF may choose to release the session, where the release message carries the reason for terminating the session;
optionally, the vAMF may continue the service and record the detailed service usage record of the UE, so as to provide evidence when a dispute arises later;
optionally, the vAMF may report the traffic inconsistency to the operation and maintenance system;
optionally, the vAMF may report the traffic inconsistency to the home network.
It should be noted that the vAMF may select one or more of the above processing modes.
11. The UE performs subsequent processing according to the comparison result (result).
Optionally, if the feedback message includes the MAC-result, the UE uses the preset Key to perform integrity verification on the MAC-result, and if the verification passes, continues with subsequent processing according to result. If a match failure is returned, the UE terminates the session, or lowers the access priority of the PLMN (Public Land Mobile Network) or prohibits access to it.
In addition, it should be noted that if result is the vUPF-counter counted by the network side, the UE is required to compare the UE-counter with that vUPF-counter; it is further noted that comparing the UE-counter with the network-side vUPF-counter requires integrity verification of the MAC-result. It is understood that the MAC-UE and the MAC-result are compared to see whether they are consistent, and if so, the verification passes.
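The following is an added, constructed Python example and is not code from the patent or from Huawei; it walks through the fig. 3 exchange end to end: MAC-UE generation on the UE (step 1), vSMF aggregation of several vUPF counters and the vAMF threshold check (steps 5 and 6), NET-MAC verification and counter comparison on the home network (step 8), MAC-result generation (step 9), and the UE's integrity check of MAC-result (step 11). The patent only names a generic KDF; this example assumes HMAC-SHA256 as the KDF, an 8-byte big-endian encoding of counters, and a constructed 32-byte Kausf test value. The function names and the string-valued comparison result ("match"/"mismatch"/"tampered") are hypothetical.

```python
"""Constructed example of the UE-counter / MAC-UE flow. Assumptions (not in
the patent): KDF = HMAC-SHA256 over length-prefixed inputs, counters are
8-byte big-endian integers, and the comparison result is a short string."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple


def kdf(key: bytes, *inputs: bytes) -> bytes:
    # Assumed KDF instantiation: HMAC-SHA256 over length-prefixed inputs so
    # that (a, b) and (a + b) cannot collide.
    data = b"".join(len(x).to_bytes(2, "big") + x for x in inputs)
    return hmac.new(key, data, hashlib.sha256).digest()


def enc_counter(n: int) -> bytes:
    # Assumed fixed-width encoding of UE-counter / vUPF-counter.
    return n.to_bytes(8, "big")


def derive_key(kausf: bytes, snid: str) -> bytes:
    # Key = KDF(Kausf, SNID); both UE and home network hold Kausf after
    # primary authentication, so both can derive the same Key.
    return kdf(kausf, snid.encode())


@dataclass
class N1Message:
    supi: str                       # UE identifier carried in the N1 message
    ue_counter: int                 # traffic/packet count counted by the UE
    mac_ue: bytes                   # MAC-UE = KDF(Key, UE-counter)
    session_id: Optional[str] = None  # present when the counter is per session


def ue_build_n1(key: bytes, supi: str, ue_counter: int,
                session_id: Optional[str] = None) -> N1Message:
    # Step 1: the UE integrity-protects its counter before sending it to the vAMF.
    return N1Message(supi, ue_counter, kdf(key, enc_counter(ue_counter)), session_id)


def vsmf_aggregate(vupf_counters: Iterable[int]) -> int:
    # Step 5: with several vUPFs, vUPF-counter is the sum of their feedback.
    return sum(vupf_counters)


def vamf_counters_match(ue_counter: int, vupf_counter: int, threshold: int) -> bool:
    # Step 6: the vAMF treats a difference above the preset threshold as a mismatch.
    return abs(ue_counter - vupf_counter) <= threshold


def home_verify_and_compare(key: bytes, msg: N1Message,
                            vupf_counter: int, threshold: int) -> str:
    # Step 8: recompute NET-MAC over the received UE-counter; only if it matches
    # MAC-UE is the UE's report trusted enough to compare with vUPF-counter.
    net_mac = kdf(key, enc_counter(msg.ue_counter))
    if not hmac.compare_digest(net_mac, msg.mac_ue):
        return "tampered"   # UE report modified in transit: terminate/report per policy
    if not vamf_counters_match(msg.ue_counter, vupf_counter, threshold):
        return "mismatch"   # possible traffic fraud: release session / report
    return "match"


def home_result_message(key: bytes, result: str) -> Tuple[str, bytes]:
    # Step 9: MAC-result = KDF(Key, result) so the visited network cannot alter
    # the verdict on its way back to the UE.
    return result, kdf(key, result.encode())


def ue_handle_result(key: bytes, result: str, mac_result: bytes) -> str:
    # Step 11: the UE only acts on a result whose MAC-result verifies.
    if not hmac.compare_digest(kdf(key, result.encode()), mac_result):
        return "ignore"     # MAC-result failed: the feedback was modified
    if result == "mismatch":
        return "terminate_session"   # or lower PLMN priority / prohibit access
    return "continue"


if __name__ == "__main__":
    kausf = bytes(range(32))                       # constructed test value
    key = derive_key(kausf, "visited-plmn-example")  # constructed SNID
    n1 = ue_build_n1(key, "supi-example", 1000)
    vupf = vsmf_aggregate([300, 400, 310])          # three constructed vUPF counts
    verdict = home_verify_and_compare(key, n1, vupf, threshold=50)
    res, mac_res = home_result_message(key, verdict)
    print(verdict, ue_handle_result(key, res, mac_res))
```

The threshold is the patent's "preset threshold"; the example keeps the vAMF's step 6 check and the home network's step 8 check as the same function so that both sides apply one tolerance, which is a design choice of this example rather than a requirement of the text.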
With the above embodiments, it can be known that, according to the technical scheme provided by this embodiment, the visited network can compare the data reported by the UE with the data acquired by the network side to determine whether the UE has tampered with the network traffic usage, and if it is determined that the UE has tampered with the network traffic usage, the visited network can take timely measures, thereby reducing the loss of the service network; further, the home network may verify the message authentication code of the UE-counter to determine whether the reported information of the UE is tampered, and if the reported information of the UE is not tampered, the UE-counter reported by the UE may be further compared with the vUPF-counter counted by the network side, and if the two pieces of data are inconsistent, effective measures may be immediately taken to reduce or avoid subsequent charging disputes.
In connection with the embodiment shown in fig. 3, the present invention provides another possible implementation. In contrast to the embodiment described in fig. 3, this embodiment is a UPF triggered traffic query. Specifically, the method comprises the following steps:
1. The vUPF sends a traffic query request to the vAMF.
Optionally, the traffic query request may carry an identifier of the UE.
Optionally, the traffic query request may carry an identifier of the UE and a session identifier.
Optionally, the traffic query request may carry an identifier of the UE and an APN.
Optionally, the traffic query request may also carry a vUPF-counter.
2. The vAMF sends a traffic query request to the UE.
Accordingly, if the traffic query request includes the UE identifier, the UE feeds back its network usage, such as the traffic or the number of transceived packets within a preset time period. If the traffic query request includes the UE identifier and a session identifier, the UE feeds back the network usage of that session, such as the traffic used or the packets received and sent within the preset time period.
3. The UE feeds the network usage it has counted back to the vAMF.
It should be noted that if the traffic query request sent by the vUPF to the vAMF contains no vUPF-counter, this embodiment further executes steps 2-5 of fig. 3 to obtain the vUPF-counter through the vSMF. If the traffic query request sent by the vUPF to the vAMF does contain a vUPF-counter, this embodiment skips steps 2-5 of fig. 3.
The subsequent steps can refer to steps 6-11 in the embodiment of fig. 3.
The method for preventing traffic fraud according to the embodiment of the present application is described in detail above with reference to fig. 2 to 3, and the apparatus for preventing traffic fraud according to the embodiment of the present application will be described below with reference to fig. 4 to 6, and the apparatus shown in fig. 4 to 6 can perform the method described in the above method embodiment. Fig. 4 shows a network element in the home network (which has been illustrated in the above embodiment), fig. 5 shows a network element in the visited network (such as an AMF), and fig. 6 shows a user terminal.
Specifically, as shown in fig. 4, the apparatus 400 includes:
a receiving unit 401, configured to receive a first network usage sent by a user equipment, where the apparatus is a network element in a home network;
an obtaining unit 402, configured to obtain a second network usage sent by a second network element, where the second network element is a network element in a visited network that provides a service for the user equipment;
a processing unit 403, configured to, if the first network usage does not match the second network usage, perform processing according to a preset policy.
Optionally, the apparatus 400 further includes a determining unit 404;
a receiving unit 401, further configured to receive a first message authentication code sent by the user equipment; wherein the first message authentication code is generated based on a shared key and the first network usage;
an obtaining unit 402, configured to obtain a second message authentication code, where the second message authentication code is generated according to the shared key and the second network usage;
a determining unit 404, configured to determine whether the first network usage matches the second network usage if the first message authentication code is the same as the second message authentication code.
Optionally, the apparatus 400 further includes a sending unit 405;
a sending unit 405, configured to send a service usage query request to the second network element;
a receiving unit 401, configured to receive the second network usage sent by the second network element.
Specifically, as shown in fig. 5, the apparatus 500 includes a receiving unit 501, an obtaining unit 502, and a processing unit 503;
a receiving unit 501, configured to receive a first network usage sent by a user equipment, where the apparatus is a network element in a visited network;
an obtaining unit 502, configured to obtain a second network usage counted by the visited network;
a processing unit 503, configured to, if the first network usage does not match the second network usage, perform processing according to a preset policy.
Optionally, the apparatus 500 further includes a sending unit 504;
a sending unit 504, configured to send the first network usage and the second network usage to a first network element; wherein the first network element is a network element in a home network.
Optionally, the sending unit 504 is further configured to periodically send a traffic query request to the user equipment according to the subscription information held by the first network element; the receiving unit 501 then receives the first network usage that the user equipment returns in response.
As shown in fig. 6, the user equipment 600 includes a generating unit 601 and a transmitting unit 602;
a generating unit 601, configured to generate a first message authentication code according to a network usage and a shared key;
a sending unit 602, configured to send the network usage and the first message authentication code to the visited network.
Optionally, the generating unit 601 is further configured to generate the shared key according to the identifier of the visited network and an intermediate key; the intermediate key is a key generated during access authentication of the user equipment, and the identifier of the visited network comprises the name of the visited network.
Optionally, the user equipment 600 further includes a receiving unit 603, an authenticating unit 604 and a processing unit 605;
a receiving unit 603, configured to receive a comparison result fed back by the visited network and a second message authentication code;
a verification unit 604, configured to verify the second message authentication code;
and the processing unit 605 is configured to, if the second message authentication code is successfully verified, perform processing according to the comparison result and a preset policy.
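The exchange described for figs. 4 to 6 and in the vAMF/vUPF flow above, as an added example that is not part of the patent: the UE derives the shared key from the intermediate key and the visited network's name, attaches one message authentication code per usage parameter (UE, slice, session), the home network recomputes the MAC over the counter it obtains from the visited network and applies the preset policy when the two do not agree, and the UE checks the second MAC forwarded with the comparison result before acting on it. The choice of HMAC-SHA256 as both KDF and MAC, the JSON encoding of each parameter, the byte tolerance, the sample counters and the policy table are all assumptions; the patent fixes none of them.

```python
"""Added illustration of the usage-report check in figs. 4 to 6 (not the patent's code).
Assumptions: HMAC-SHA256 as both the KDF and the MAC; a canonical JSON encoding
of each usage parameter; a byte tolerance for counter drift; constructed sample data."""
import hashlib
import hmac
import json

# Constructed values (not from the patent).
INTERMEDIATE_KEY = hashlib.sha256(b"intermediate key from access authentication (constructed)").digest()
VISITED_NETWORK_NAME = "vPLMN.example"   # the "name of the visited network" used in key derivation
TOLERANCE_BYTES = 50_000                 # assumed allowance for counter drift between UE and vUPF
# Preset policy (claim 4 lists: terminate the session, report to a server, record a detailed log).
POLICY = {"mismatch": "terminate_session", "missing": "report_to_server"}


def derive_shared_key(intermediate_key: bytes, visited_network_name: str) -> bytes:
    """Shared key bound to the visited network (fig. 6, claim 12).
    Assumption: HMAC-SHA256 keyed with the intermediate key over a label and the network name."""
    return hmac.new(intermediate_key, b"usage-report|" + visited_network_name.encode(),
                    hashlib.sha256).digest()


def mac_usage(shared_key: bytes, name: str, value: int) -> str:
    """One MAC per usage parameter (UE, slice or session), as in claim 14.
    Canonical JSON so that UE and home network MAC exactly the same bytes."""
    msg = json.dumps({name: value}, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(shared_key, msg, hashlib.sha256).hexdigest()


def ue_report(shared_key: bytes, usage: dict) -> dict:
    """UE side (fig. 6): the counted usage plus a first MAC for each parameter."""
    return {"usage": dict(usage),
            "mac": {name: mac_usage(shared_key, name, value) for name, value in usage.items()}}


def home_check(shared_key: bytes, report: dict, visited_usage: dict, policy: dict) -> dict:
    """Home-network side (fig. 4): for each parameter, check the UE's MAC, compute the
    second MAC over the visited network's counter, and apply the preset policy on mismatch.
    Returns a verdict per parameter."""
    verdicts = {}
    for name, first in report["usage"].items():
        first_mac = report["mac"].get(name, "")
        # A bad first MAC means the report was altered in transit or the wrong key was used;
        # the visited network cannot produce a valid one because it never holds the shared key.
        if not hmac.compare_digest(first_mac, mac_usage(shared_key, name, first)):
            verdicts[name] = "invalid_mac"
            continue
        second = visited_usage.get(name)
        if second is None:
            verdicts[name] = policy["missing"]
            continue
        second_mac = mac_usage(shared_key, name, second)
        if hmac.compare_digest(first_mac, second_mac):
            verdicts[name] = "match"            # identical counters give identical MACs
        elif abs(first - second) <= TOLERANCE_BYTES:
            verdicts[name] = "match_within_tolerance"
        else:
            verdicts[name] = policy["mismatch"]
    return verdicts


def ue_verify_result(shared_key: bytes, name: str, second_value: int, second_mac: str) -> bool:
    """UE side (claim 13): check the second MAC the visited network forwards with the
    comparison result before acting on it."""
    return hmac.compare_digest(second_mac, mac_usage(shared_key, name, second_value))


def run_demo() -> dict:
    key = derive_shared_key(INTERMEDIATE_KEY, VISITED_NETWORK_NAME)
    # Constructed counters in bytes: the visited network inflates session 5 by 2 MB.
    ue_usage = {"ue": 1_200_000, "slice:eMBB": 900_000, "session:5": 300_000}
    visited_usage = {"ue": 1_210_000, "slice:eMBB": 900_000, "session:5": 2_300_000}
    return home_check(key, ue_report(key, ue_usage), visited_usage, POLICY)


if __name__ == "__main__":
    for parameter, verdict in run_demo().items():
        print(f"{parameter}: {verdict}")
```

Because the visited network never holds the shared key, an inflated vUPF counter cannot be given a MAC equal to the UE's first MAC, so the home network only sees a matching pair when the two counts agree; the UE-side check in ue_verify_result closes the other direction, so a visited network cannot feed the UE a fabricated comparison result. The tolerance step is an assumption added here because the two sides sample their counters at slightly different instants.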
It should be understood that the apparatuses 400, 500, and 600 herein are embodied in the form of functional units. The term "unit" herein may refer to an Application Specific Integrated Circuit (ASIC), an electronic circuit, a processor (e.g., a shared, dedicated, or group processor) and memory that execute one or more software or firmware programs, a combinational logic circuit, and/or other suitable components that support the described functionality. In an alternative example, as can be understood by those skilled in the art, the apparatus 400 may be specifically a network element in the home network shown in fig. 3, and the apparatus 400 may be configured to execute the procedure and/or step executed by the home network element in fig. 3 as a main body, which is not described herein again to avoid repetition. In an alternative example, it can be understood by those skilled in the art that the apparatus 500 may be specifically the AMF in the visited network shown in fig. 3, and the apparatus 500 may be configured to perform the procedure and/or step performed by the AMF in fig. 3 as a main body, which is not described herein again to avoid repetition. In an optional example, it may be understood by those skilled in the art that the user equipment 600 may be specifically the UE shown in fig. 3, and the user equipment 600 may be configured to execute the procedure and/or step that is executed by the UE in fig. 3 as a main body, and details are not repeated herein in order to avoid repetition.
In addition, it should be noted that the logic units shown in fig. 4 to 6 can be implemented according to the hardware architecture shown in fig. 7. The hardware device shown in fig. 7 may include a processor 710, a transceiver 720, and a memory 730, and the processor 710, the transceiver 720, and the memory 730 communicate with each other through an internal connection path.
Specifically, the relevant functions implemented by the processing unit, the obtaining unit, and the determining unit in fig. 4 may be implemented by the processor 710, and the relevant functions implemented by the receiving unit and the sending unit may be implemented by the processor 710 controlling the transceiver 720.
In particular, the related functions implemented by the processing unit and the obtaining unit in fig. 5 may be implemented by the processor 710, and the related functions implemented by the receiving unit and the sending unit may be implemented by the processor 710 controlling the transceiver 720.
In particular, the related functions implemented by the processing unit, the generating unit and the verifying unit in fig. 6 may be implemented by the processor 710, and the related functions implemented by the receiving unit and the transmitting unit may be implemented by the processor 710 controlling the transceiver 720.
The processor 710 may include one or more processors, such as one or more Central Processing Units (CPUs), and in the case of one CPU, the CPU may be a single-core CPU or a multi-core CPU.
The transceiver 720 is used for transmitting and receiving data and/or signals. The transceiver may include a transmitter for transmitting data and/or signals and a receiver for receiving data and/or signals.
The memory 730 includes, but is not limited to, random access memory (RAM), read-only memory (ROM), erasable programmable read-only memory (EPROM), and compact disc read-only memory (CD-ROM), and the memory 730 is used for storing relevant instructions and data.
The memory 730 is used to store program codes and data for the authorization module, and may be a separate device or integrated into the processor 710.
It will be appreciated that fig. 7 only shows a simplified design of the authorization module. In practical applications, the authorization module may also include other necessary elements, including but not limited to any number of transceivers, processors, controllers, memories, etc., and all authorization modules that can implement the present application are within the scope of the present application.
In one possible design, the apparatus 700 may be a chip, such as a communication chip that may be used in an authorization module, for implementing the related functions of the processor 710 in the authorization module. The chip may be a field programmable gate array, an application-specific integrated circuit, a system on chip, a central processing unit, a network processor, a digital signal processing circuit or a microcontroller that implements the related functions, and may also be a programmable controller or another integrated chip. The chip may optionally include one or more memories for storing program code that, when executed, causes the processor to implement the corresponding functions.
It should be noted that the network elements shown in fig. 4 to 6 may be configured as shown in fig. 7, and include a processor, a transceiver, a memory, and other components, where program codes are stored, and when the program codes are executed, each network element performs the functions shown in fig. 2 or fig. 3.
It should be understood that, in the embodiment of the present application, network elements in the home network and network elements in the visited network both have specific functions and network interfaces, and may be different network elements on the same dedicated hardware, or different software instances running on the same dedicated hardware, or different virtual function instances on the same related platform (e.g., on a cloud infrastructure), which is not limited in this embodiment of the present application.
In the above embodiments, the implementation may be wholly or partially realized by software, hardware, firmware, or any combination thereof. When implemented in software, it may be implemented in whole or in part in the form of a computer program product. The computer program product includes one or more computer instructions. When the computer instructions are loaded and executed on a computer, the processes or functions described in accordance with the embodiments of the present application are produced, in whole or in part. The computer may be a general purpose computer, a special purpose computer, a network of computers, or another programmable device. The computer instructions may be stored in or transmitted over a computer-readable storage medium. The computer instructions may be transmitted from one website, computer, server, or data center to another website, computer, server, or data center by wire (e.g., coaxial cable, optical fiber, Digital Subscriber Line (DSL)) or wirelessly (e.g., infrared, radio, microwave). The computer-readable storage medium can be any available medium that can be accessed by a computer, or a data storage device such as a server or data center that integrates one or more available media. The available medium may be a magnetic medium (e.g., floppy disk, hard disk, magnetic tape), an optical medium (e.g., Digital Versatile Disc (DVD)), or a semiconductor medium (e.g., SSD), among others.
One of ordinary skill in the art will appreciate that all or part of the processes in the methods of the above embodiments may be implemented by a computer program instructing the relevant hardware; the program may be stored in a computer-readable storage medium and, when executed, may include the processes of the above method embodiments. The aforementioned storage medium includes various media that can store program code, such as ROM, RAM, magnetic disks or optical discs.
Those of ordinary skill in the art will appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware or combinations of computer software and electronic hardware. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the implementation. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application.
It is clear to those skilled in the art that, for convenience and brevity of description, the specific working processes of the above-described systems, apparatuses and units may refer to the corresponding processes in the foregoing method embodiments, and are not described herein again.
In the several embodiments provided in the present application, it should be understood that the disclosed system, apparatus and method may be implemented in other ways. For example, the above-described apparatus embodiments are merely illustrative, and for example, the division of the units is only one logical division, and other divisions may be realized in practice, for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, devices or units, and may be in an electrical, mechanical or other form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present application may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit.
The functions, if implemented in the form of software functional units and sold or used as a stand-alone product, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present application or portions thereof that substantially contribute to the prior art may be embodied in the form of a software product stored in a storage medium and including instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present application. And the aforementioned storage medium includes: various media capable of storing program codes, such as a U disk, a removable hard disk, a ROM, a RAM, a magnetic disk, or an optical disk.
The above description is only for the specific embodiments of the present application, but the scope of the present application is not limited thereto, and any person skilled in the art can easily conceive of the changes or substitutions within the technical scope of the present application, and shall be covered by the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.

Claims (28)

1. A method of preventing traffic fraud, the method comprising:
a first network element receives a first network usage sent by user equipment, wherein the first network element is a network element in a home network;
the first network element acquires a second network usage sent by a second network element, wherein the second network element is a network element in a visited network providing service for the user equipment;
and if the first network usage does not match the second network usage, processing according to a preset policy.
2. The method of claim 1, further comprising:
the first network element receives a first message authentication code sent by the user equipment; wherein the first message authentication code is generated based on a shared key and the first network usage;
the first network element acquires a second message authentication code, wherein the second message authentication code is generated according to the shared key and the second network usage;
and if the first message authentication code is the same as the second message authentication code, judging whether the first network usage matches the second network usage.
3. The method according to claim 1 or 2, wherein before the first network element receives the first network usage sent by the user equipment, the method further comprises:
the first network element sends a service usage query request to the second network element; the service usage query request is used for instructing the second network element to feed back the network usage of the user equipment.
4. The method according to any one of claims 1 to 3, wherein the processing according to the preset policy comprises: terminating the session, or reporting to a server, or recording a detailed log of the user's network usage.
5. The method according to any of claims 1 to 4, wherein the first network usage is the network usage of the user equipment or a first slice or a first session counted by the user equipment; the second network usage is the network usage of the user equipment, the first slice, or the first session counted by the second network element, where the network usage is traffic information, or a duration of network usage, or a number of transceiving packets; wherein the first slice is any slice initiated by the user equipment; the first session is any session initiated by the user equipment.
6. A method of preventing traffic fraud, the method comprising:
a second network element receives a first network usage sent by user equipment, wherein the second network element is a network element in a visited network;
the second network element acquires a second network usage counted by the visited network;
and if the first network usage does not match the second network usage, processing according to a preset policy.
7. The method of claim 6, further comprising:
the second network element sends the first network usage and the second network usage to a first network element; wherein the first network element is a network element in a home network.
8. The method of claim 7, wherein before the second network element receives the first network usage sent by the user equipment, the method further comprises:
and the second network element periodically sends a traffic query request to the user equipment according to the subscription information of the first network element.
9. The method according to any one of claims 6 to 8, wherein the processing according to the preset policy comprises: terminating the session, or reporting to a server, or recording a detailed log of the user's network usage.
10. The method according to any of claims 6 to 9, wherein the first network usage is the network usage of the user equipment or a first slice or a first session counted by the user equipment; the second network usage is the network usage of the user equipment, the first slice, or the first session counted by the second network element, where the network usage is traffic information, or a duration of network usage, or a number of transceiving packets; wherein the first slice is any slice initiated by the user equipment; the first session is any session initiated by the user equipment.
11. A method of preventing traffic fraud, the method comprising:
the user equipment generates a first message authentication code according to a network usage and a shared key;
and the user equipment sends the network usage and the first message authentication code to a visited network.
12. The method of claim 11, wherein before the user equipment generates the first message authentication code according to the network usage and the shared key, the method further comprises:
the user equipment generates the shared key according to the identifier of the visited network and an intermediate key; the intermediate key is a key generated during access authentication of the user equipment, and the identifier of the visited network comprises the name of the visited network.
13. The method according to claim 11 or 12, characterized in that the method further comprises:
the user equipment receives a comparison result fed back by the visited network and a second message authentication code;
the user equipment verifies the second message authentication code;
and if the second message authentication code is successfully verified, processing according to the comparison result and a preset policy.
14. The method according to any one of claims 11 to 13, wherein there may be one or more first message authentication codes; the network usage comprises at least one of the following parameters: the network usage of the user equipment, the network usage of a first slice, and the network usage corresponding to a first session; correspondingly, the first message authentication codes correspond one to one to the parameters in the network usage; the network usage is traffic information, or a duration of network usage, or a number of transceived packets; wherein the first slice is any slice initiated by the user equipment; the first session is any session initiated by the user equipment.
15. An apparatus, characterized in that the apparatus comprises:
a receiving unit, configured to receive a first network usage sent by a user equipment, where the apparatus is a network element in a home network;
an obtaining unit, configured to obtain a second network usage sent by a second network element, where the second network element is a network element in a visited network that provides a service for the user equipment;
and a processing unit, configured to perform processing according to a preset policy if the first network usage does not match the second network usage.
16. The apparatus according to claim 15, further comprising a judging unit;
the receiving unit is further configured to receive a first message authentication code sent by the user equipment; wherein the first message authentication code is generated based on a shared key and the first network usage;
the obtaining unit is further configured to obtain a second message authentication code, where the second message authentication code is generated according to the shared key and the second network usage;
the judging unit is configured to judge whether the first network usage matches the second network usage if the first message authentication code is the same as the second message authentication code.
17. The apparatus according to claim 15 or 16, characterized in that the apparatus further comprises a transmitting unit;
the sending unit is configured to send a service usage query request to the second network element;
the receiving unit is configured to receive the second network usage sent by the second network element.
18. The apparatus according to any one of claims 15 to 17, wherein the processing unit is configured to terminate the session, or report to a server, or record a detailed log of the user's network usage if the first network usage does not match the second network usage.
19. The apparatus according to any of claims 15 to 18, wherein the first network usage is the network usage of the user equipment or a first slice or a first session counted by the user equipment; the second network usage is the network usage of the user equipment, the first slice, or the first session counted by the second network element, where the network usage is traffic information, or a duration of network usage, or a number of transceiving packets; wherein the first slice is any slice initiated by the user equipment; the first session is any session initiated by the user equipment.
20. An apparatus, characterized in that the apparatus comprises a receiving unit, an obtaining unit and a processing unit;
the receiving unit is configured to receive a first network usage sent by user equipment, where the apparatus is a network element in a visited network;
the obtaining unit is configured to obtain a second network usage counted by the visited network;
and the processing unit is configured to perform processing according to a preset policy if the first network usage does not match the second network usage.
21. The apparatus of claim 20, further comprising a transmitting unit;
the sending unit is configured to send the first network usage and the second network usage to a first network element; wherein the first network element is a network element in a home network.
22. The apparatus of claim 21,
the sending unit is further configured to periodically send a traffic query request to the user equipment according to the subscription information of the first network element;
the receiving unit is configured to receive the first network usage sent by the user equipment, where the apparatus is a network element in a visited network.
23. The apparatus according to any one of claims 20 to 22, wherein the processing according to the preset policy comprises: terminating the session, or reporting to a server, or recording a detailed log of the user's network usage.
24. The apparatus according to any of claims 20 to 23, wherein the first network usage is the network usage of the user equipment or a first slice or a first session counted by the user equipment; the second network usage is the network usage of the user equipment, the first slice, or the first session counted by the second network element, where the network usage is traffic information, or a duration of network usage, or a number of transceiving packets; wherein the first slice is any slice initiated by the user equipment; the first session is any session initiated by the user equipment.
25. User equipment, characterized in that the user equipment comprises a generating unit and a transmitting unit;
the generating unit is configured to generate a first message authentication code according to a network usage and a shared key;
the sending unit is configured to send the network usage and the first message authentication code to a visited network.
26. The user equipment of claim 15,
the generating unit is further configured to generate the shared key according to the identifier of the visited network and an intermediate key; the intermediate key is a key generated during access authentication of the user equipment, and the identifier of the visited network comprises the name of the visited network.
27. The user equipment according to claim 25 or 26, wherein the user equipment further comprises a receiving unit, an authentication unit and a processing unit;
the receiving unit is configured to receive a comparison result fed back by the visited network and a second message authentication code;
the verification unit is configured to verify the second message authentication code;
and the processing unit is configured to perform processing according to the comparison result and a preset policy if the second message authentication code is successfully verified.
28. The user equipment according to any one of claims 25 to 27, wherein there may be one or more first message authentication codes; the network usage comprises at least one of the following parameters: the network usage of the user equipment, the network usage of a first slice, and the network usage corresponding to a first session; correspondingly, the first message authentication codes correspond one to one to the parameters in the network usage; the network usage is traffic information, or a duration of network usage, or a number of transceived packets; wherein the first slice is any slice initiated by the user equipment; the first session is any session initiated by the user equipment.
CN201810638701.6A 2018-06-20 2018-06-20 Method and device for preventing flow fraud Pending CN110621019A (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201810638701.6A CN110621019A (en) 2018-06-20 2018-06-20 Method and device for preventing flow fraud
PCT/CN2019/088881 WO2019242467A1 (en) 2018-06-20 2019-05-28 Method and apparatus for preventing traffic fraud

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201810638701.6A CN110621019A (en) 2018-06-20 2018-06-20 Method and device for preventing flow fraud

Publications (1)

Publication Number Publication Date
CN110621019A true CN110621019A (en) 2019-12-27

Family

ID=68919860

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201810638701.6A Pending CN110621019A (en) 2018-06-20 2018-06-20 Method and device for preventing flow fraud

Country Status (2)

Country Link
CN (1) CN110621019A (en)
WO (1) WO2019242467A1 (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
TWI738205B (en) * 2020-02-06 2021-09-01 鑽贏雲股份有限公司 System and execution method of cloud agent execution program
WO2023041056A1 (en) * 2021-09-18 2023-03-23 华为技术有限公司 Network verification method and apparatus

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2022203553A1 (en) * 2021-03-26 2022-09-29 Telefonaktiebolaget Lm Ericsson (Publ) Using user equipment to gather local break out network resource usage information for communication sessions

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1859135A (en) * 2006-03-13 2006-11-08 Huawei Technologies Co Ltd WAP service charging method
CN101102596A (en) * 2007-07-09 2008-01-09 向杰 A method for generating detailed call records at the user side
CN102098648A (en) * 2009-12-14 2011-06-15 ZTE Corp Roaming charging method and system
CN104507065A (en) * 2015-01-14 2015-04-08 Nanjing University of Science and Technology Non-repudiation charging method for heterogeneous wireless networks
CN104620617A (en) * 2012-07-12 2015-05-13 Nokia Corp Methods and apparatus for authentication
CN106817228A (en) * 2015-11-27 2017-06-09 ZTE Corp Data charging method and device
CN107809411A (en) * 2016-09-09 2018-03-16 Huawei Technologies Co Ltd Mobile network authentication method, terminal device, server and network authentication entity

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104270734B (en) * 2014-09-05 2018-05-29 Huawei Technologies Co Ltd Cross-PLMN roaming data traffic online charging method and device
CN107547212A (en) * 2016-06-24 2018-01-05 ZTE Corp Charging method, device and system based on a separated architecture

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
3GPP: "Study on the security aspects of the next generation system", 3GPP TR 33.899 *

Also Published As

Publication number Publication date
WO2019242467A1 (en) 2019-12-26

Similar Documents

Publication Publication Date Title
US11218314B2 (en) Network function service invocation method, apparatus, and system
CN110798833B (en) Method and device for verifying user equipment identification in authentication process
CN109688586B (en) Network function authentication method and device and computer readable storage medium
JP5392879B2 (en) Method and apparatus for authenticating a communication device
KR100576956B1 (en) Method and system for verifying the authenticity of a first communication participants in a communications network
US10244463B2 (en) System and method for application based selection of a radio network
WO2020221219A1 (en) Communication method and communication device
CN110366159B (en) Method and equipment for acquiring security policy
CN102396203A (en) Emergency call handling in accordance with authentication procedure in communication network
US20140082728A1 (en) Dongle device for wireless intrusion prevention
WO2019242467A1 (en) Method and apparatus for preventing traffic fraud
WO2013185709A1 (en) Call authentication method, device, and system
CN113873455A (en) Flow statistical method and system, computer readable storage medium
US9749476B2 (en) System and method for providing toll-free application data access
US20080183714A1 (en) Location-based brokerage service for heterogeneous access roaming
US20160309527A1 (en) Vehicle connectivity using a desired access point name
CN109787796B (en) Method and device for authorizing network function service
CN113055342B (en) Information processing method and communication device
CN113795002B (en) Method and device for intercepting junk short messages and computer readable storage medium
US11108914B2 (en) Method and system for revenue maximization in a communication network
US8213459B2 (en) Systems and method for establishing a data-path between a mobile station and a home access service network gateway
US20040122687A1 (en) Wireless LAN roaming using a Parlay gateway
GB2551357A (en) Network edge data monitoring
WO2018120150A1 (en) Method and apparatus for connection between network entities
US20240031784A1 (en) Enhanced charging in cellular communication networks

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication (Application publication date: 20191227)