CN110719302A - Method and device for detecting signaling storm attack of Internet of things - Google Patents


Publication number
CN110719302A
Authority
CN
China
Prior art keywords
preset
threshold value
success rate
message
abnormal
Prior art date
Legal status
Pending
Application number
CN201911273537.4A
Other languages
Chinese (zh)
Inventor
唐斌
张本军
胡文波
王赟
李明栋
李竞
Current Assignee
Wuhan Greenet Information Service Co Ltd
Original Assignee
Wuhan Greenet Information Service Co Ltd
Priority date
Filing date
Publication date
Application filed by Wuhan Greenet Information Service Co Ltd
Priority to CN201911273537.4A
Publication of CN110719302A
Legal status: Pending

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L63/00 Network architectures or network communication protocols for network security > H04L63/14 ... for detecting or protecting against malicious traffic > H04L63/1408 ... by monitoring network traffic > H04L63/1416 Event detection, e.g. attack signature detection
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L63/00 Network architectures or network communication protocols for network security > H04L63/14 ... for detecting or protecting against malicious traffic > H04L63/1408 ... by monitoring network traffic > H04L63/1425 Traffic logging, e.g. anomaly detection
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04W WIRELESS COMMUNICATION NETWORKS > H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity > H04W12/12 Detection or prevention of fraud > H04W12/121 Wireless intrusion detection systems [WIDS]; Wireless intrusion prevention systems [WIPS]

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The invention relates to the technical field of the Internet of Things, and provides a method and a device for detecting a signaling storm attack in the Internet of Things. The method comprises: decrypting the NAS messages of the S1-MME interface according to parameters acquired from the S10, S11 and S6a interfaces; counting, in a preset time interval, the total score of multiple items such as abnormal traffic, abnormal attach message quantity, abnormal authentication message quantity, abnormal activation message quantity, abnormal handover message quantity and abnormal paging message quantity; and confirming from the total score whether the S1-MME interface is under a signaling storm attack. The invention inserts monitoring probes, collects and analyzes the signaling messages of the relevant interfaces, establishes an Internet of Things signaling storm attack recognition model, and sets reasonable thresholds for the attach, activation, authentication and handover message quantities of the S1-MME interface along dimensions such as area, base station, message type and Internet of Things terminal, thereby detecting signaling storm security events in the Internet of Things accurately and in real time.

Description

Method and device for detecting signaling storm attack of Internet of things
Technical Field
The invention relates to the technical field of Internet of things, in particular to a method and a device for detecting signaling storm attack of the Internet of things.
Background
In the mobile Internet of Things, hacker attacks or Internet of Things terminal failures often generate a large number of signaling messages at the access side. These signaling messages often cause network congestion and delay and can seriously paralyze core network elements, which affects the normal operation of the mobile Internet of Things.
However, there is no effective means in the prior art to identify and confirm the attacks from signaling storms in the mobile internet of things.
In view of the above, overcoming the drawbacks of the prior art is an urgent problem in the art.
Disclosure of Invention
The invention aims to solve the technical problem that no effective means for identifying and confirming the attack of a signaling storm in the mobile Internet of things exists in the prior art.
The invention further aims to solve the technical problems of improving the identification accuracy and the identification type richness.
The invention adopts the following technical scheme:
in a first aspect, a method for detecting a signaling storm attack of the Internet of Things is provided, where optical splitter devices are deployed on the S1-MME, S10, S11 and S6a interface links, the original data traffic of each interface is mirrored, a deployed probe acquires the mirrored traffic, and the mirrored traffic data acquired by the probe is sent to a processing terminal; the method includes:
decrypting the NAS message of the S1-MME interface according to the parameters of the acquired S10, S11 and S6a interfaces;
counting, in a preset time interval and for four kinds of subject corresponding to an MME network element, an eNB base station, an area and a terminal, the total score of one or more of: abnormal traffic; abnormal attach, authentication, activation, handover and paging message quantities; and abnormal attach, authentication, activation, handover and paging success rates;
and confirming whether the S1-MME interface is attacked by the signaling storm according to the total score.
Preferably, decrypting the NAS messages of the S1-MME interface according to the acquired parameters of the S10, S11 and S6a interfaces specifically includes:
extracting the IMSI, AUTN and KASME from the AIR message and the AIA message of the Diameter protocol on the S6a interface, and establishing a first association relationship between the IMSI and the AUTN;
establishing a second association structure required for decryption, comprising: AUTN, XRES, RAND, KASME, encryption identifier, integrity protection algorithm identifier, uplink count and downlink count;
extracting the AUTN from the Authentication Request message, and establishing a third association relationship with the MMEID and the ENBID;
extracting the EPS integrity algorithm information, and updating the encryption identifier through the MMEID, the ENBID and the third association relationship;
calculating the AUTN through the MMEID, the ENBID and the encrypted NAS message, and finding the corresponding KASME in the second association structure through the calculated AUTN;
and deriving KNASME from the KASME, thereby completing the NAS message decryption.
Preferably, determining the abnormal traffic, the abnormal attach message quantity, the abnormal authentication message quantity, the abnormal activation message quantity, the abnormal handover message quantity, the abnormal paging message quantity, the abnormal attach success rate, the abnormal authentication success rate, the abnormal activation success rate, the abnormal handover success rate and the abnormal paging success rate specifically includes:
counting the traffic value of an MME network element/eNB base station/area/terminal in the time interval, judging whether the traffic value exceeds a preset I-th low threshold, a preset I-th medium threshold or a preset I-th high threshold, and giving scores of 20, 15 and 10 respectively for the traffic value exceeding the preset I-th low threshold, the preset I-th medium threshold and the preset I-th high threshold; wherein abnormal traffic is considered to occur when the traffic value exceeds the preset I-th low threshold;
counting the number of Attach messages of the MME network element/eNB base station/area/terminal in the time interval, judging whether the number exceeds a preset II-th low threshold, a preset II-th medium threshold or a preset II-th high threshold, and giving scores of 10, 7 and 4 respectively for the number exceeding the preset II-th low threshold, the preset II-th medium threshold and the preset II-th high threshold; wherein the abnormal attach message quantity is considered to occur when the number of Attach messages exceeds the preset II-th low threshold;
counting the number of Authentication messages of the MME network element/eNB base station/area/terminal in the time interval, judging whether the number exceeds a preset III-th low threshold, a preset III-th medium threshold or a preset III-th high threshold, and giving scores of 10, 7 and 4 respectively for the number exceeding the preset III-th low threshold, the preset III-th medium threshold and the preset III-th high threshold; wherein the abnormal authentication message quantity is considered to occur when the number of Authentication messages exceeds the preset III-th low threshold;
counting the number of E-RAB Setup and Dedicated EPS Bearer Context Activation messages of the MME network element/eNB base station/area/terminal in the time interval, judging whether the number exceeds a preset IV-th low threshold, a preset IV-th medium threshold or a preset IV-th high threshold, and giving scores of 10, 7 and 4 respectively for the number exceeding the preset IV-th low threshold, the preset IV-th medium threshold and the preset IV-th high threshold; wherein the abnormal activation message quantity is considered to occur when the number of E-RAB Setup and Dedicated EPS Bearer Context Activation messages exceeds the preset IV-th low threshold;
counting the number of S1 handover-out and S1 handover-in messages of the MME network element/eNB base station/area/terminal in the time interval, judging whether the number exceeds a preset V-th low threshold, a preset V-th medium threshold or a preset V-th high threshold, and giving scores of 10, 7 and 4 respectively for the number exceeding the preset V-th low threshold, the preset V-th medium threshold and the preset V-th high threshold; wherein the abnormal handover message quantity is considered to occur when the number of S1 handover-out and S1 handover-in messages exceeds the preset V-th low threshold;
counting the number of Paging messages of the MME network element/eNB base station/area/terminal in the time interval, judging whether the number exceeds a preset VI-th low threshold, a preset VI-th medium threshold or a preset VI-th high threshold, and giving scores of 10, 7 and 4 respectively for the number exceeding the preset VI-th low threshold, the preset VI-th medium threshold and the preset VI-th high threshold; wherein the abnormal paging message quantity is considered to occur when the number of Paging messages exceeds the preset VI-th low threshold;
counting the success rate of Attach messages of the MME network element/eNB base station/area/terminal in the time interval, judging whether the success rate exceeds a preset VII-th low threshold, a preset VII-th medium threshold or a preset VII-th high threshold, and giving scores of 6, 4 and 2 respectively for the success rate exceeding the preset VII-th low threshold, the preset VII-th medium threshold and the preset VII-th high threshold; wherein the abnormal attach success rate is considered to occur when the success rate of Attach messages exceeds the preset VII-th low threshold;
counting the success rate of Authentication messages of the MME network element/eNB base station/area/terminal in the time interval, judging whether the success rate exceeds a preset VIII-th low threshold, a preset VIII-th medium threshold or a preset VIII-th high threshold, and giving scores of 6, 4 and 2 respectively for the success rate exceeding the preset VIII-th low threshold, the preset VIII-th medium threshold and the preset VIII-th high threshold; wherein the abnormal authentication success rate is considered to occur when the success rate of Authentication messages exceeds the preset VIII-th low threshold;
counting the success rate of E-RAB Setup and Dedicated EPS Bearer Context Activation messages of the MME network element/eNB base station/area/terminal in the time interval, judging whether the success rate exceeds a preset IX-th low threshold, a preset IX-th medium threshold or a preset IX-th high threshold, and giving scores of 6, 4 and 2 respectively for the success rate exceeding the preset IX-th low threshold, the preset IX-th medium threshold and the preset IX-th high threshold; wherein the abnormal activation success rate is considered to occur when the success rate of E-RAB Setup and Dedicated EPS Bearer Context Activation messages exceeds the preset IX-th low threshold;
counting the success rate of S1 handover-out and S1 handover-in messages of the MME network element/eNB base station/area/terminal in the time interval, judging whether the success rate exceeds a preset X-th low threshold, a preset X-th medium threshold or a preset X-th high threshold, and giving scores of 6, 4 and 2 respectively for the success rate exceeding the preset X-th low threshold, the preset X-th medium threshold and the preset X-th high threshold; wherein the abnormal handover success rate is considered to occur when the success rate of S1 handover-out and S1 handover-in messages exceeds the preset X-th low threshold;
counting the success rate of Paging messages of the MME network element/eNB base station/area/terminal in the time interval, judging whether the success rate exceeds a preset XI-th low threshold, a preset XI-th medium threshold or a preset XI-th high threshold, and giving scores of 6, 4 and 2 respectively for the success rate exceeding the preset XI-th low threshold, the preset XI-th medium threshold and the preset XI-th high threshold; wherein the abnormal paging success rate is considered to occur when the success rate of Paging messages exceeds the preset XI-th low threshold;
wherein a total score sum >= 80 over all items indicates that the S1-MME interface is suffering a high-degree signaling storm attack; 65 <= sum < 80 indicates a medium-degree signaling storm attack; and sum < 65 indicates a low-degree signaling storm attack.
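The tiered scoring above (stated here in the summary and repeated in the detailed description of embodiment 1) can be implemented as a small pure function. The block below is an added example, not the patent's own code: the item names, the `Thresholds` type and the sample threshold values are this example's assumptions, since the patent only says the thresholds are "preset". The score columns are taken in the order the page lists them (low, medium, high tier); `SCORE_TABLE` is a single constant so an operator can reorder it if the original intended the reverse mapping. As on the page, an item counts as abnormal only when its value exceeds its low threshold, and the total is graded at 80 and 65.

```python
"""Tiered per-item scoring and total-score grading for S1-MME signaling storm
detection, as an added example (not the patent's own code)."""
from dataclasses import dataclass
from typing import Dict, Tuple

# Score columns for the (low, medium, high) tier, in the order the page lists
# them. The item names are this example's own labels for the eleven items.
SCORE_TABLE: Dict[str, Tuple[int, int, int]] = {
    "traffic": (20, 15, 10),
    "attach_count": (10, 7, 4),
    "auth_count": (10, 7, 4),
    "activation_count": (10, 7, 4),
    "handover_count": (10, 7, 4),
    "paging_count": (10, 7, 4),
    "attach_success_rate": (6, 4, 2),
    "auth_success_rate": (6, 4, 2),
    "activation_success_rate": (6, 4, 2),
    "handover_success_rate": (6, 4, 2),
    "paging_success_rate": (6, 4, 2),
}


@dataclass(frozen=True)
class Thresholds:
    """The preset low/medium/high thresholds of one item (operator-chosen)."""
    low: float
    medium: float
    high: float

    def __post_init__(self) -> None:
        if not self.low <= self.medium <= self.high:
            raise ValueError("thresholds must satisfy low <= medium <= high")


def score_item(item: str, value: float, thr: Thresholds) -> int:
    """Return the item's score: 0 unless the value exceeds the low threshold
    (the page's definition of 'abnormal'); otherwise the SCORE_TABLE column of
    the highest threshold the value exceeds."""
    low_score, medium_score, high_score = SCORE_TABLE[item]
    if value > thr.high:
        return high_score
    if value > thr.medium:
        return medium_score
    if value > thr.low:
        return low_score
    return 0


def score_items(values: Dict[str, float],
                thresholds: Dict[str, Thresholds]) -> Dict[str, int]:
    """Score every item for which both a measured value and thresholds exist."""
    return {
        item: score_item(item, values[item], thresholds[item])
        for item in SCORE_TABLE
        if item in values and item in thresholds
    }


def grade(total: int, any_abnormal: bool) -> str:
    """Map the total score to the page's three attack degrees. Returning
    'none' when no item crossed its low threshold is this example's addition."""
    if not any_abnormal:
        return "none"
    if total >= 80:
        return "high"
    if total >= 65:
        return "medium"
    return "low"


def detect(values: Dict[str, float],
           thresholds: Dict[str, Thresholds]) -> Tuple[int, str]:
    """Total score and attack degree for one subject in one time interval."""
    scores = score_items(values, thresholds)
    total = sum(scores.values())
    return total, grade(total, any(s > 0 for s in scores.values()))


if __name__ == "__main__":
    # Constructed thresholds and one interval's measurements for one eNB
    # (assumed values, not taken from the patent).
    thr = {item: Thresholds(100, 200, 300) for item in SCORE_TABLE if item.endswith("_count")}
    thr["traffic"] = Thresholds(1_000, 5_000, 20_000)
    thr.update({item: Thresholds(0.5, 0.7, 0.9) for item in SCORE_TABLE if item.endswith("_rate")})
    observed = {item: 0.4 for item in SCORE_TABLE if item.endswith("_rate")}
    observed.update(traffic=1_500, attach_count=150, auth_count=150,
                    activation_count=150, handover_count=150, paging_count=150)
    print(detect(observed, thr))  # (70, 'medium')
```

The maximum total is 100 (20 for traffic, 10 for each of the five counts, 6 for each of the five success rates), so the page's 80 and 65 cut-offs require the counts and most of the rates to be abnormal at once; a single abnormal item can never reach the medium grade on its own.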
Preferably, counting the number of Attach messages, the number of Authentication messages, the number of E-RAB Setup and Dedicated EPS Bearer Context Activation messages, the number of S1 handover-out and S1 handover-in messages, and the number of Paging messages of the MME network element/eNB base station/area/terminal in the time interval specifically includes:
decrypting the NAS messages and generating an XDR log of the S1-MME interface from the decrypted content, and identifying each record of the XDR log according to whether its Procedure Type field is Attach, Authentication, E-RAB Setup, Dedicated EPS Bearer Context Activation, S1 handover-out, S1 handover-in or Paging;
and the XDR log also carries a service flow start time and a service flow end time, which provide the basis for the counting time interval.
Preferably, the NAS message is decrypted, and an XDR log of the S1-MME interface is generated according to the decrypted content, where the XDR log carries one or more of a Machine IP TYPE field, an MME IP Addr field, an eNB IP Addr field, an eNBID field, a TAI field, an ECGI field, a Cell ID field, an IMSI field, an IMEI field, and an MSISDN field;
the Machine IP TYPE field and/or the MME IP Addr field is used to identify the MME network element; the eNB IP Addr field and/or the eNB ID field is used to identify the eNB base station; the TAI field, the ECGI field and/or the Cell ID field is used to identify the area; and the IMSI field, the IMEI field or the MSISDN field is used to identify the terminal.
Preferably, for the attach success rate, the authentication success rate, the activation success rate, the handover success rate and the paging success rate, whether the corresponding message succeeded is determined from the Status field carried in the XDR log of the S1-MME interface generated from the decrypted NAS messages, and each success rate is obtained by dividing the number of successful messages of that type by the total number of messages of that type.
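The three paragraphs above describe the aggregation stage: XDR records are selected by Procedure Type and service flow start time, grouped by the field that identifies the subject of each dimension, and turned into a message count and a success rate (successful messages divided by all messages of that type). The block below is an added example, not the patent's own code; the XDR field names, the Procedure Type and Status values and the sample records are constructed for this example, with field names chosen to match those the page lists. It also handles the case the page leaves implicit: a subject with no messages of a type has no defined success rate, which the example reports as `None` rather than dividing by zero.

```python
"""Per-dimension message counting and success-rate computation from S1-MME XDR
logs, as an added example (not the patent's own code). The XDR records and
their field names below are constructed for this example."""
from collections import defaultdict
from typing import Dict, List, Optional

# Procedure Type values that feed each scored item (two procedures each for
# activation and handover, as the page lists them). Assumed spellings.
ITEM_OF_PROCEDURE = {
    "Attach": "attach",
    "Authentication": "auth",
    "E-RAB Setup": "activation",
    "Dedicated EPS Bearer Context Activation": "activation",
    "S1 Handover Out": "handover",
    "S1 Handover In": "handover",
    "Paging": "paging",
}

# XDR field that identifies the subject of each of the four dimensions.
DIMENSION_FIELD = {
    "mme": "MME IP Addr",
    "enb": "eNB ID",
    "area": "TAI",
    "terminal": "IMSI",
}


def _xdr(proc, status, imsi, start, enb=1001, mme="10.0.0.1", tai="460-00-0001"):
    """Build one constructed XDR record; times are seconds, End Time is start + 1."""
    return {"Procedure Type": proc, "Status": status, "MME IP Addr": mme, "eNB ID": enb,
            "TAI": tai, "IMSI": imsi, "Start Time": start, "End Time": start + 1}


# Constructed sample log: two terminals on one eNB, one record outside the
# window and one procedure the patent does not score.
SAMPLE_XDR: List[Dict[str, object]] = [
    _xdr("Attach", "Success", "460001234567890", 1005),
    _xdr("Attach", "Failure", "460001234567890", 1010),
    _xdr("Authentication", "Success", "460001234567890", 1012),
    _xdr("Attach", "Success", "460001234567891", 1100),
    _xdr("Paging", "Success", "460001234567891", 1150),
    _xdr("Dedicated EPS Bearer Context Activation", "Failure", "460001234567890", 1200),
    _xdr("Tracking Area Update", "Success", "460001234567890", 1210),  # not scored
    _xdr("Attach", "Success", "460001234567890", 1400),  # outside the window
]


def aggregate(records: List[Dict[str, object]], window_start: int,
              window_end: int, dimension: str) -> Dict[object, Dict[str, Dict[str, float]]]:
    """Count scored messages and their success rate per subject of `dimension`
    whose service flow start time falls in [window_start, window_end)."""
    field = DIMENSION_FIELD[dimension]
    tally = defaultdict(lambda: [0, 0])  # (subject, item) -> [total, successes]
    for rec in records:
        if not window_start <= rec["Start Time"] < window_end:
            continue
        item = ITEM_OF_PROCEDURE.get(rec["Procedure Type"])
        if item is None:  # procedures outside the eleven scored items
            continue
        counter = tally[(rec[field], item)]
        counter[0] += 1
        if rec["Status"] == "Success":
            counter[1] += 1
    result: Dict[object, Dict[str, Dict[str, float]]] = {}
    for (subject, item), (total, ok) in tally.items():
        # A key exists only once a message was seen, so total is never 0 here.
        result.setdefault(subject, {})[item] = {"count": total, "success_rate": ok / total}
    return result


def flatten(agg, subject) -> Dict[str, Optional[float]]:
    """Turn one subject's aggregate into the ten count/rate values the scoring
    stage consumes; a type with no messages has count 0 and no success rate."""
    per_item = agg.get(subject, {})
    out: Dict[str, Optional[float]] = {}
    for item in ("attach", "auth", "activation", "handover", "paging"):
        stats = per_item.get(item)
        out[f"{item}_count"] = stats["count"] if stats else 0
        out[f"{item}_success_rate"] = stats["success_rate"] if stats else None
    return out


if __name__ == "__main__":
    by_terminal = aggregate(SAMPLE_XDR, 1000, 1300, "terminal")
    print(flatten(by_terminal, "460001234567890"))
```

Running the aggregation once per dimension over the same record set gives the four subject views the patent scores; because a terminal's records also carry its eNB ID, TAI and MME address, one pass per dimension is all that is needed and no record has to be re-decrypted.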
Preferably, the abnormal number of activation messages specifically includes:
one or more of a default bearer activation request signaling storm, a default bearer activation success signaling storm, an NB-IoT default bearer activation failure signaling storm, a dedicated bearer activation request signaling storm, a dedicated bearer activation success signaling storm, a dedicated bearer activation request signaling storm for an APN, and an MS activation session request signaling storm;
the abnormal quantity of the handover message quantity specifically includes: an inter-MME handover-out attempted signaling storm and an inter-MME handover-in attempted signaling storm.
Preferably, the signaling storm type further comprises:
a tracking area update request signaling storm, a tracking area update request signaling storm within an NB-IoT MME, and a tracking area update request signaling storm.
Preferably, the attach signaling storm, the default bearer activation request signaling storm, the default bearer activation success signaling storm, the NB-IoT default bearer activation failure signaling storm, the dedicated bearer activation request signaling storm, the dedicated bearer activation success signaling storm, the dedicated bearer activation request signaling storm for an APN, the MS activation session request signaling storm, the paging request signaling storm, the inter-MME handover-out attempt signaling storm and the inter-MME handover-in attempt signaling storm are determined according to the score of each sub-item constituting the total score.
In a second aspect, the present invention further provides an apparatus for detecting a signaling storm attack of the Internet of Things, used to implement the method for detecting a signaling storm attack of the Internet of Things described in the first aspect, the apparatus including:
at least one processor; and a memory communicatively coupled to the at least one processor; wherein the memory stores instructions executable by the at least one processor and programmed to perform the method of internet of things signaling storm attack detection of the first aspect.
In a third aspect, the present invention also provides a non-transitory computer storage medium storing computer-executable instructions for execution by one or more processors to perform the method for detecting a storm attack of signaling in internet of things according to the first aspect.
According to the method, monitoring probes are inserted at the S1-MME, S6a, S11 and S10 interfaces on the core side of the Internet of Things, the signaling messages of these interfaces are collected and analyzed, and an Internet of Things signaling storm attack recognition model is established. The model self-learns the attach, activation, authentication and handover message quantities of the S1-MME interface along dimensions such as network element, Internet of Things enterprise platform, area, base station, message type and Internet of Things terminal in order to set reasonable thresholds, so that signaling storm security events in the Internet of Things are detected accurately and in real time.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings required to be used in the embodiments of the present invention will be briefly described below. It is obvious that the drawings described below are only some embodiments of the invention, and that for a person skilled in the art, other drawings can be derived from them without inventive effort.
Fig. 1 is a model diagram of a system architecture for detecting a storm attack of signaling in the internet of things according to an embodiment of the present invention;
fig. 2 is a schematic flow chart of a method for detecting internet of things signaling storm attack according to an embodiment of the present invention;
fig. 3 is a schematic flowchart of decryption of an NAS message obtained in a method for detecting a storm attack of signaling of the internet of things according to an embodiment of the present invention;
fig. 4 is a schematic flow chart of a method for detecting internet of things signaling storm attack according to an embodiment of the present invention;
fig. 5 is a structural diagram of an apparatus for detecting a storm attack in signaling of the internet of things according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention.
In the description of the present invention, the terms "inner", "outer", "longitudinal", "lateral", "upper", "lower", "top", "bottom", and the like indicate orientations or positional relationships based on those shown in the drawings, and are for convenience only to describe the present invention without requiring the present invention to be necessarily constructed and operated in a specific orientation, and thus should not be construed as limiting the present invention.
As shown in Fig. 1, monitoring probes are inserted at the S1-MME, S6a, S11 and S10 interfaces on the core side of the Internet of Things, the signaling messages of these interfaces are collected and analyzed, and an Internet of Things signaling storm attack recognition model is established. The model self-learns the attach, activation, authentication and handover message quantities of the S1-MME interface along dimensions such as network element, Internet of Things enterprise platform, area, base station, message type and Internet of Things terminal in order to set reasonable thresholds, so that signaling storm security events in the Internet of Things are detected accurately and in real time.
Internet of Things signaling storm events mainly occur on the S1-MME interface at the provincial mobile Internet of Things side.
The key interface for collection and analysis is the signaling message of the S1-MME interface, but since the NAS message of the S1-MME interface is usually encrypted, we have to decrypt the NAS message of the S1-MME interface by obtaining the parameters of the S10, S11, and S6a interfaces.
Based on the above, the device needs to collect the following signaling interfaces: S1-MME, S10, S11 and S6a.
Since the interfaces of S1-MME, S10, S11 and S6a are all optical links at present, during acquisition, the optical splitter devices are deployed on the interface links to mirror the original data traffic of the interfaces and output the data traffic to the acquisition and analysis probe for processing.
In addition, the technical features involved in the embodiments of the present invention described below may be combined with each other as long as they do not conflict with each other.
Example 1
Embodiment 1 of the present invention provides a method for detecting an Internet of Things signaling storm attack, where optical splitter devices are deployed on the S1-MME, S10, S11 and S6a interface links, the original data traffic of the interfaces is mirrored, a deployed probe collects the mirrored traffic, and the mirrored traffic data collected by the probe is sent to a processing terminal; as shown in Fig. 2, the method includes:
in step 201, the NAS message of the S1-MME interface is decrypted according to the parameters of the acquired S10, S11 and S6a interfaces.
In step 202, the total score of one or more of abnormal traffic, abnormal amount of attachment message, abnormal amount of authentication message, abnormal amount of activation message, abnormal amount of handover message, abnormal amount of paging message, abnormal amount of attachment success rate, abnormal amount of authentication success rate, abnormal amount of activation success rate, abnormal amount of handover success rate, and abnormal amount of paging success rate corresponding to four types of main bodies including an MME network element, an eNB base station, a region, and a terminal in a preset time interval is counted.
In step 203, it is determined whether the S1-MME interface is attacked by a signaling storm according to the total score.
According to the embodiment of the invention, monitoring probes are inserted at the S1-MME, S6a, S11 and S10 interfaces on the core side of the Internet of Things, the signaling messages of these interfaces are collected and analyzed, and an Internet of Things signaling storm attack recognition model is established.
As shown in fig. 3, for the decryption of the NAS message of the S1-MME interface according to the parameters of the acquired S10, S11, and S6a interfaces in embodiment 1 of the present invention, a specific implementation manner is provided, which includes:
in step 301, the IMSI, AUTN, KASME are extracted from the AIR message and the AIA message in the Diameter protocol of the S6a interface, and a first association relationship between the IMSI and the AUTN is established.
In step 302, a second association structure required for decryption is established, comprising: AUTN, XRES, RAND, KASME, encryption identifier, integrity protection algorithm identifier, uplink count and downlink count.
In step 303, the AUTN is extracted from the Authentication Request message and a third association relationship is established with the MMEID and the ENBID.
In step 304, the EPS integrity algorithm information is extracted, and the encryption identifier is updated through the MMEID, the ENBID and the third association relationship.
In step 305, an AUTN is calculated from the MMEID, the ENBID, and the encrypted NAS message, and a corresponding KASME is found in the second association structure from the calculated AUTN.
In step 306, KNASME is derived from KASME, further completing NAS message decryption.
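Steps 301 to 306 (and the matching claim wording in the summary) describe three lookup tables that a passive probe maintains so that, when an encrypted NAS PDU arrives on an S1 connection, it can walk connection -> AUTN -> security context -> KASME and derive the NAS key. The block below is an added example, not the patent's own code. It treats MMEID and ENBID as the per-connection S1AP UE identifier pair, which is an assumption (the page does not say what these identifiers are), and the method names are this example's own. The final key derivation is the public TS 33.401 Annex A.7 algorithm-key KDF rather than anything the patent specifies; the page only says the NAS key is "derived from KASME".

```python
"""Association tables used to recover the NAS security context of an S1-MME
connection, plus the NAS encryption key derivation, as an added example (not
the patent's own code). MMEID/ENBID are treated as the per-connection S1AP UE
identifier pair, which is an assumption of this example."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

NAS_ENC_ALG = 0x01  # algorithm type distinguisher for NAS encryption (TS 33.401 A.7)
NAS_INT_ALG = 0x02  # algorithm type distinguisher for NAS integrity (TS 33.401 A.7)


@dataclass
class SecurityContext:
    """The page's 'second association structure', keyed by AUTN."""
    autn: bytes
    xres: bytes
    rand: bytes
    kasme: bytes
    enc_alg: Optional[int] = None  # EEA identity, learned from the Security Mode Command
    int_alg: Optional[int] = None  # EIA identity, learned from the Security Mode Command
    ul_count: int = 0
    dl_count: int = 0


def kdf_33401(kasme: bytes, alg_type: int, alg_id: int) -> bytes:
    """TS 33.401 Annex A.7 algorithm key derivation: HMAC-SHA-256 keyed with
    KASME over FC=0x15 || P0=alg type || L0=0x0001 || P1=alg id || L1=0x0001;
    the 128 least significant bits (the last 16 bytes) form the NAS key."""
    if len(kasme) != 32:
        raise ValueError("KASME must be 256 bits")
    s = bytes([0x15, alg_type, 0x00, 0x01, alg_id & 0x0F, 0x00, 0x01])
    return hmac.new(kasme, s, hashlib.sha256).digest()[16:]


class NasKeyResolver:
    """Holds the three association tables of steps 301-305."""

    def __init__(self) -> None:
        self.autn_by_imsi: Dict[str, bytes] = {}                    # first association
        self.context_by_autn: Dict[bytes, SecurityContext] = {}     # second association
        self.autn_by_connection: Dict[Tuple[int, int], bytes] = {}  # third association

    def on_s6a_aia(self, imsi: str, autn: bytes, xres: bytes, rand: bytes, kasme: bytes) -> None:
        """Steps 301/302: the S6a AIA answering an AIR carries one authentication vector."""
        self.autn_by_imsi[imsi] = autn
        self.context_by_autn[autn] = SecurityContext(autn, xres, rand, kasme)

    def on_authentication_request(self, mmeid: int, enbid: int, autn: bytes) -> None:
        """Step 303: the NAS Authentication Request carries the AUTN in clear."""
        self.autn_by_connection[(mmeid, enbid)] = autn

    def on_security_mode_command(self, mmeid: int, enbid: int, enc_alg: int, int_alg: int) -> bool:
        """Step 304: record the selected EEA/EIA identities on the connection's context."""
        ctx = self.context_for(mmeid, enbid)
        if ctx is None:
            return False  # no vector seen for this connection; nothing to update
        ctx.enc_alg, ctx.int_alg = enc_alg, int_alg
        return True

    def context_for(self, mmeid: int, enbid: int) -> Optional[SecurityContext]:
        """Step 305: connection -> AUTN -> security context (None if unknown)."""
        autn = self.autn_by_connection.get((mmeid, enbid))
        return self.context_by_autn.get(autn) if autn is not None else None

    def nas_enc_key(self, mmeid: int, enbid: int) -> Optional[bytes]:
        """Step 306: derive the NAS encryption key from the context's KASME."""
        ctx = self.context_for(mmeid, enbid)
        if ctx is None or ctx.enc_alg is None:
            return None
        return kdf_33401(ctx.kasme, NAS_ENC_ALG, ctx.enc_alg)


if __name__ == "__main__":
    # Constructed vector and identifiers (assumed values).
    resolver = NasKeyResolver()
    resolver.on_s6a_aia("460001234567890", b"A" * 16, b"X" * 8, b"R" * 16, bytes(range(32)))
    resolver.on_authentication_request(1, 7, b"A" * 16)
    resolver.on_security_mode_command(1, 7, enc_alg=2, int_alg=2)
    print(resolver.nas_enc_key(1, 7).hex())
```

The order of the three messages matters for a probe that joins mid-session: a Security Mode Command seen before the AIA and Authentication Request for that connection cannot be applied, which is why `on_security_mode_command` reports failure instead of silently creating a context, and why the uplink and downlink counts in the context must be tracked from that point on to keep the decryption in step with the peers.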
Further, regarding the scoring process of step 202 in embodiment 1, a preferred implementation of the present invention provides a scoring mechanism that comprehensively considers each dimension. Specifically, determining the abnormal traffic, the abnormal attach message quantity, the abnormal authentication message quantity, the abnormal activation message quantity, the abnormal handover message quantity, the abnormal paging message quantity, the abnormal attach success rate, the abnormal authentication success rate, the abnormal activation success rate, the abnormal handover success rate and the abnormal paging success rate specifically includes:
counting the traffic value of an MME network element/eNB base station/area/terminal in the time interval, judging whether the traffic value exceeds a preset I-th low threshold, a preset I-th medium threshold or a preset I-th high threshold, and giving scores of 20, 15 and 10 respectively for the traffic value exceeding the preset I-th low threshold, the preset I-th medium threshold and the preset I-th high threshold; wherein abnormal traffic is considered to occur when the traffic value exceeds the preset I-th low threshold;
counting the number of Attach messages (namely attach messages) of the MME network element/eNB base station/area/terminal in the time interval, judging whether the number exceeds a preset II-th low threshold, a preset II-th medium threshold or a preset II-th high threshold, and giving scores of 10, 7 and 4 respectively for the number exceeding the preset II-th low threshold, the preset II-th medium threshold and the preset II-th high threshold; wherein the abnormal attach message quantity is considered to occur when the number of Attach messages exceeds the preset II-th low threshold;
counting the number of Authentication messages (namely authentication messages) of the MME network element/eNB base station/area/terminal in the time interval, judging whether the number exceeds a preset III-th low threshold, a preset III-th medium threshold or a preset III-th high threshold, and giving scores of 10, 7 and 4 respectively for the number exceeding the preset III-th low threshold, the preset III-th medium threshold and the preset III-th high threshold; wherein the abnormal authentication message quantity is considered to occur when the number of Authentication messages exceeds the preset III-th low threshold;
counting the number of E-RAB Setup and Dedicated EPS Bearer Context Activation messages (namely activation messages) of the MME network element/eNB base station/area/terminal in the time interval, judging whether the number exceeds a preset IV-th low threshold, a preset IV-th medium threshold or a preset IV-th high threshold, and giving scores of 10, 7 and 4 respectively for the number exceeding the preset IV-th low threshold, the preset IV-th medium threshold and the preset IV-th high threshold; wherein the abnormal activation message quantity is considered to occur when the number of E-RAB Setup and Dedicated EPS Bearer Context Activation messages exceeds the preset IV-th low threshold;
counting the number of S1 handover-out and S1 handover-in messages (namely handover messages) of the MME network element/eNB base station/area/terminal in the time interval, judging whether the number exceeds a preset V-th low threshold, a preset V-th medium threshold or a preset V-th high threshold, and giving scores of 10, 7 and 4 respectively for the number exceeding the preset V-th low threshold, the preset V-th medium threshold and the preset V-th high threshold; wherein the abnormal handover message quantity is considered to occur when the number of S1 handover-out and S1 handover-in messages exceeds the preset V-th low threshold;
counting the number of Paging messages of the MME network element/eNB base station/area/terminal in the time interval, judging whether the number exceeds a preset VI-th low threshold, a preset VI-th medium threshold or a preset VI-th high threshold, and giving scores of 10, 7 and 4 respectively for the number exceeding the preset VI-th low threshold, the preset VI-th medium threshold and the preset VI-th high threshold; wherein the abnormal paging message quantity is considered to occur when the number of Paging messages exceeds the preset VI-th low threshold;
counting the success rate of Attach messages of the MME network element/eNB base station/area/terminal in the time interval, judging whether the success rate exceeds a preset VII-th low threshold, a preset VII-th medium threshold or a preset VII-th high threshold, and giving scores of 6, 4 and 2 respectively for the success rate exceeding the preset VII-th low threshold, the preset VII-th medium threshold and the preset VII-th high threshold; wherein the abnormal attach success rate is considered to occur when the success rate of Attach messages exceeds the preset VII-th low threshold;
counting the success rate of Authentication messages of the MME network element/eNB base station/area/terminal in the time interval, judging whether the success rate exceeds a preset VIII-th low threshold, a preset VIII-th medium threshold or a preset VIII-th high threshold, and giving scores of 6, 4 and 2 respectively for the success rate exceeding the preset VIII-th low threshold, the preset VIII-th medium threshold and the preset VIII-th high threshold; wherein the abnormal authentication success rate is considered to occur when the success rate of Authentication messages exceeds the preset VIII-th low threshold;
counting the success rate of E-RAB Setup and differentiated EPSBearer Context Activation messages of an MME network element/eNB base station/area/terminal in a time interval, judging whether the success rate exceeds a preset IX low threshold, a preset IX middle threshold or a preset IX high threshold, and respectively giving scores of 6, 4 and 2 according to the fact that the success rate exceeds the preset IX low threshold, the preset IX middle threshold and the preset IX high threshold; wherein, the success rate of the E-RAB Setup and the Dedicated EPS Bearer context information exceeds a preset IX low threshold value, and then the abnormal amount of the activation success rate is considered to occur;
counting the success rate of S1 cut-out and S1 cut-in messages of an MME network element/eNB base station/area/terminal in a time interval, judging whether the success rate exceeds a preset Xth low threshold value, a preset Xth middle threshold value or a preset Xth high threshold value, and respectively giving scores of 6, 4 and 2 according to the fact that the success rate exceeds the preset Xth low threshold value, the preset Xth middle threshold value and the preset Xth high threshold value; wherein, the success rate of the S1 cut-out and S1 cut-in messages exceeds the preset Xth low threshold value, and then the abnormal amount of the switching success rate is considered to occur;
counting the success rate (namely Paging success rate) of Paging messages of an MME network element/eNB base station/region/terminal in a time interval, judging whether the success rate exceeds a preset XI-th low threshold, a preset XI-th middle threshold or a preset XI-th high threshold, and respectively giving scores of 6, 4 and 2 according to the fact that the success rate exceeds the preset XI-th low threshold, the preset XI-th middle threshold and the preset XI-th high threshold; when the success rate of the S1 cut-out and S1 cut-in messages exceeds a preset XI-th low threshold, the abnormal quantity of the paging success rate is considered to occur;
wherein, the total score sum > =80 of each item indicates whether the S1-MME interface is attacked by the signaling storm to a high degree; 65< = sum <80 indicates whether the S1-MME interface is attacked by a signaling storm to a medium degree; sum <65 indicates whether the S1-MME interface is suffering from a low degree of signaling storm attack.
Wherein, each group of low threshold, middle threshold and high threshold involved is a dynamic value obtained by a machine learning method, and is a relative value. The embodiment of the invention also provides a selectable value matching mode, wherein the high threshold value is as follows: greater than 30% of the dynamic baseline value; and (3) medium threshold: greater than 10% of the dynamic baseline value; low threshold value: equal to the dynamic baseline value. In addition, the determination of the low threshold may also be performed as described in embodiment 2, which is described in detail in the description of the confirmation signaling storm in embodiment 2 of the present invention.
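The scoring and banding described above, as an added worked example (not code from the patent): per-item scores follow the tier-to-score pairing exactly as the text gives it (exceeding the low, medium and high threshold of an item yields the first, second and third score listed for that item), the thresholds are derived from a dynamic baseline using the optional value-setting mode (low = baseline, medium = baseline + 10%, high = baseline + 30%, which is how this example reads the text and is an assumption), and the baseline and observed values are constructed sample data. The item names and helper functions are this example's own.

```python
"""Tiered scoring and severity banding for one subject (an MME network element,
eNB base station, area or terminal) over one time interval.

Added example, not code from the patent. Baseline and observed values are
constructed sample data; deriving the thresholds from the baseline as
low = baseline, medium = +10 %, high = +30 % is an assumption."""
from typing import Dict, List, Tuple

# Scores for exceeding the (low, medium, high) threshold of each item, in the
# pairing the text states: traffic 20/15/10, message counts 10/7/4, rates 6/4/2.
ITEM_SCORES: Dict[str, Tuple[int, int, int]] = {
    "traffic": (20, 15, 10),
    "attach_count": (10, 7, 4),
    "auth_count": (10, 7, 4),
    "activation_count": (10, 7, 4),
    "handover_count": (10, 7, 4),
    "paging_count": (10, 7, 4),
    "attach_rate": (6, 4, 2),
    "auth_rate": (6, 4, 2),
    "activation_rate": (6, 4, 2),
    "handover_rate": (6, 4, 2),
    "paging_rate": (6, 4, 2),
}


def thresholds(baseline: float) -> Tuple[float, float, float]:
    """Low/medium/high thresholds from a dynamic baseline (assumed +0 % / +10 % / +30 %)."""
    return baseline, baseline * 1.10, baseline * 1.30


def item_score(value: float, baseline: float, scores: Tuple[int, int, int]) -> int:
    """Score of the highest threshold tier the value exceeds; 0 if it exceeds none.

    scores is (score for > low, score for > medium, score for > high), as in ITEM_SCORES."""
    low, medium, high = thresholds(baseline)
    if value > high:
        return scores[2]
    if value > medium:
        return scores[1]
    if value > low:
        return scores[0]
    return 0


def is_abnormal(value: float, baseline: float) -> bool:
    """An item is abnormal once its value exceeds the low threshold."""
    return value > thresholds(baseline)[0]


def severity(total: int) -> str:
    """Severity band of the summed score: >= 80 high, 65..79 medium, < 65 low."""
    if total >= 80:
        return "high"
    if total >= 65:
        return "medium"
    return "low"


def score_subject(observed: Dict[str, float], baselines: Dict[str, float]):
    """Per-item scores, list of abnormal items, total score and severity band."""
    per_item = {item: item_score(observed[item], baselines[item], scores)
                for item, scores in ITEM_SCORES.items()}
    abnormal: List[str] = [item for item in ITEM_SCORES
                           if is_abnormal(observed[item], baselines[item])]
    total = sum(per_item.values())
    return per_item, abnormal, total, severity(total)


# Constructed sample: counts and traffic baselined at 100 units, rates at 90 %.
SAMPLE_BASELINES = {item: (90.0 if item.endswith("_rate") else 100.0) for item in ITEM_SCORES}
SAMPLE_OBSERVED = {
    "traffic": 105.0, "attach_count": 112.0, "auth_count": 150.0,
    "activation_count": 100.0, "handover_count": 101.0, "paging_count": 99.0,
    "attach_rate": 95.0, "auth_rate": 90.0, "activation_rate": 100.0,
    "handover_rate": 50.0, "paging_rate": 95.0,
}

if __name__ == "__main__":
    per_item, abnormal, total, band = score_subject(SAMPLE_OBSERVED, SAMPLE_BASELINES)
    print(per_item)
    print("abnormal items:", abnormal, "total:", total, "band:", band)
```

With the sample values the subject scores 57 in total and lands in the "low" band even though seven of its eleven items are abnormal; the abnormal-item list is what the refinement step described further on (attributing a storm to the sub-item that crossed its high threshold) would consume.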
The scoring mechanism described above is presented visually in Table 1 below:
Table 1:
[Table 1 is an image in the original and is not reproduced here]
The multi-dimensional scoring method provided by the embodiment of the invention expresses the influence of the signaling storm on the architecture intuitively, achieves higher fault tolerance, and avoids false alarms caused by data congestion when individual nodes lack computing resources. As shown in fig. 4, the embodiment of the present invention performs a more complete process: the NAS message of the S1-MME interface is decrypted to obtain the XDR log, the XDR log is analyzed, and the signaling storm type is derived from it, as the relation flowchart shows.
In the embodiment of the present invention, counting the number of Attach messages, the number of Authentication messages, the number of E-RAB Setup and Dedicated EPS Bearer Context Activation messages, the number of S1 handover-out and S1 handover-in messages, and the number of Paging messages of the MME network element/eNB base station/area/terminal in the time interval specifically comprises:
generating an XDR log of the S1-MME interface by decrypting the NAS message and using the content obtained from the decryption, and identifying each message according to whether the Procedure Type field of the XDR log contains the parameter Attach, Authentication, E-RAB Setup, Dedicated EPS Bearer Context Activation, S1 handover-out, S1 handover-in or Paging;
in addition, the XDR log also carries a service flow start time and a service flow end time, which provide the basis for the counting time interval.
In the embodiment of the present invention, a typical XDR log structure is further provided; the S1-MME interface XDR list is shown in Table 2 below:
Table 2:
[Table 2 is an image in the original and is not reproduced here]
Further, the XDR log of the S1-MME interface generated by decrypting the NAS message and using the decrypted content carries one or more of a Machine IP TYPE field, an MME IP Addr field, an eNB IP Addr field, an eNB ID field, a TAI field, an ECGI field, a Cell ID field, an IMSI field, an IMEI field and an MSISDN field;
the Machine IP TYPE field and/or the MME IP Addr field identify the MME network element; the eNB IP Addr field and/or the eNB ID field identify the eNB base station; the TAI field, the ECGI field and/or the Cell ID field identify the area; and the IMSI field, the IMEI field or the MSISDN field identifies the terminal.
In addition, the attach success rate, the authentication success rate, the activation success rate, the handover success rate and the paging success rate are determined as follows: the NAS message is decrypted, whether each message succeeded is determined from the Status field carried in the XDR log of the S1-MME interface generated from the decrypted content, and each success rate is obtained by dividing the number of successful messages of that kind by the total number of messages of that kind (as shown in Table 1 above).
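Counting the five message families and their success rates per subject type from XDR records, as an added example (not the patent's code): the records below are constructed, with the field names taken from the text (Procedure Type, Status, MME IP Addr, eNB ID, TAI, IMSI, service flow start and end time); the Status values "Success"/"Fail", the exact Procedure Type strings and the grouping of procedures into the five families are this example's assumptions.

```python
"""Counting message families and success rates per subject from XDR records
of the S1-MME interface, restricted to one counting time interval.

Added example, not the patent's code. The records are constructed; the field
names follow the text, while the Status values, the exact Procedure Type
strings and the procedure-to-family grouping are assumptions."""
from collections import defaultdict
from datetime import datetime
from typing import Any, Dict, Iterable

# XDR fields that identify each subject type (field names from the text).
SUBJECT_FIELDS = {"mme": "MME IP Addr", "enb": "eNB ID", "area": "TAI", "terminal": "IMSI"}

# Procedure Type values grouped into the five scored message families (assumed strings).
PROCEDURE_FAMILY = {
    "Attach": "attach",
    "Authentication": "auth",
    "E-RAB Setup": "activation",
    "Dedicated EPS Bearer Context Activation": "activation",
    "S1 Handover Out": "handover",
    "S1 Handover In": "handover",
    "Paging": "paging",
}


def xdr(procedure: str, status: str, mme: str, enb: str, tai: str, imsi: str,
        start: str, end: str) -> Dict[str, Any]:
    """Build one constructed XDR record with the fields this example uses."""
    return {"Procedure Type": procedure, "Status": status, "MME IP Addr": mme,
            "eNB ID": enb, "TAI": tai, "IMSI": imsi,
            "start_time": datetime.fromisoformat(start),
            "end_time": datetime.fromisoformat(end)}


def aggregate(records: Iterable[Dict[str, Any]], subject: str,
              window_start: datetime, window_end: datetime) -> Dict[str, Dict[str, float]]:
    """Per subject value: <family>_count and <family>_rate (successes / all messages)
    for records whose service flow start time lies in [window_start, window_end)."""
    field = SUBJECT_FIELDS[subject]
    counts: Dict[str, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    successes: Dict[str, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for rec in records:
        if not (window_start <= rec["start_time"] < window_end):
            continue  # the service flow start time decides the counting interval
        family = PROCEDURE_FAMILY.get(rec["Procedure Type"])
        if family is None:
            continue  # procedure types outside the scored items are ignored
        key = str(rec[field])
        counts[key][family] += 1
        if rec["Status"] == "Success":
            successes[key][family] += 1
    result: Dict[str, Dict[str, float]] = {}
    for key, fam_counts in counts.items():
        result[key] = {}
        for family, n in fam_counts.items():
            result[key][family + "_count"] = n
            result[key][family + "_rate"] = successes[key][family] / n
    return result


# Constructed sample: one 5-minute interval, one MME, two eNBs, two terminals.
WINDOW_START = datetime(2019, 12, 1, 10, 0)
WINDOW_END = datetime(2019, 12, 1, 10, 5)
IMSI_A, IMSI_B = "460001111111111", "460002222222222"  # constructed IMSIs
SAMPLE_XDR = [
    xdr("Attach", "Success", "10.0.0.1", "enb-1", "tai-1", IMSI_A, "2019-12-01T10:00:05", "2019-12-01T10:00:06"),
    xdr("Attach", "Fail", "10.0.0.1", "enb-1", "tai-1", IMSI_A, "2019-12-01T10:00:40", "2019-12-01T10:00:41"),
    xdr("Attach", "Success", "10.0.0.1", "enb-2", "tai-1", IMSI_B, "2019-12-01T10:01:10", "2019-12-01T10:01:11"),
    xdr("Authentication", "Success", "10.0.0.1", "enb-1", "tai-1", IMSI_A, "2019-12-01T10:01:30", "2019-12-01T10:01:31"),
    xdr("Authentication", "Fail", "10.0.0.1", "enb-2", "tai-1", IMSI_B, "2019-12-01T10:02:00", "2019-12-01T10:02:01"),
    xdr("Dedicated EPS Bearer Context Activation", "Success", "10.0.0.1", "enb-1", "tai-1", IMSI_A, "2019-12-01T10:03:00", "2019-12-01T10:03:01"),
    xdr("S1 Handover Out", "Success", "10.0.0.1", "enb-1", "tai-1", IMSI_A, "2019-12-01T10:04:00", "2019-12-01T10:04:01"),
    xdr("Paging", "Fail", "10.0.0.1", "enb-2", "tai-1", IMSI_B, "2019-12-01T10:04:30", "2019-12-01T10:04:31"),
    xdr("Attach", "Success", "10.0.0.1", "enb-1", "tai-1", IMSI_A, "2019-12-01T10:06:00", "2019-12-01T10:06:01"),  # outside the interval
]

if __name__ == "__main__":
    for subject in SUBJECT_FIELDS:
        print(subject, aggregate(SAMPLE_XDR, subject, WINDOW_START, WINDOW_END))
```

The same record set is aggregated four times, once per subject field, because the scoring is applied separately to MME, eNB, area and terminal; the per-subject counts and rates are the observed values that the tiered scoring compares against each subject's baselines.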
In the embodiment of the present invention, in order to identify signaling storms more accurately, the signaling storm attack on the S1-MME interface is further refined, specifically as follows:
the abnormal activation message quantity specifically comprises:
one or more of a default bearer activation request signaling storm, a default bearer activation success signaling storm, an NB-IoT default bearer activation failure signaling storm, a dedicated bearer activation request signaling storm, a dedicated bearer activation success signaling storm, a dedicated bearer activation request signaling storm for an APN, and an MS activation session request signaling storm;
the abnormal handover message quantity specifically comprises: an inter-MME handover-out attempt signaling storm and an inter-MME handover-in attempt signaling storm.
Specifically, the attach signaling storm, the default bearer activation request signaling storm, the default bearer activation success signaling storm, the NB-IoT default bearer activation failure signaling storm, the dedicated bearer activation request signaling storm, the dedicated bearer activation success signaling storm, the dedicated bearer activation request signaling storm for an APN, the MS activation session request signaling storm, the paging request signaling storm, the inter-MME handover-out attempt signaling storm and the inter-MME handover-in attempt signaling storm are determined according to the scores of the sub-items that make up the total score. For example, when the total score reaches the signaling storm category, the scores of the individual sub-items are analyzed further, and if a sub-item's score also meets the corresponding high threshold, the signaling storm is attributed to the type corresponding to that sub-item.
In the embodiment of the present invention, the signaling storm type further includes:
a tracking area update request signaling storm, a tracking area update request signaling storm within an NB-IoT MME, and a tracking area update request signaling storm.
Example 2
Compared with embodiment 1, this embodiment of the present invention further provides a verification method for the refined signaling storm types above; the specific messages to be verified are as follows:
[The table of messages to be verified is an image in the original and is not reproduced here]
After the signaling storm type has been identified, it can be confirmed with the following procedures, specifically:
Attach message storm detection algorithm
The Attach signaling storm alarm is confirmed when the number of Attach messages in today's current 5-minute slice > 20 × the number of Attach messages in yesterday's same 5-minute slice; that is, Attach messages are counted in 5-minute time slices, and when today's count for the current 5-minute slice exceeds 20 times yesterday's count for the same slice, the Attach signaling storm alarm is confirmed.
Default bearer activation request signaling storm detection algorithm
Number of SM.ActDefaultEpsBearerRequest messages in today's current 5-minute slice > 20 × number of SM.ActDefaultEpsBearerRequest messages in yesterday's same 5-minute slice; that is, SM.ActDefaultEpsBearerRequest messages are counted in 5-minute time slices, and when today's count for the current 5-minute slice exceeds 20 times yesterday's count for the same slice, the SM.ActDefaultEpsBearerRequest signaling storm alarm is confirmed.
Default bearer activation success signaling storm detection algorithm
Number of SM.ActDefaultEpsBearerAccept messages in today's current 5-minute slice > 20 × number of SM.ActDefaultEpsBearerAccept messages in yesterday's same 5-minute slice; that is, SM.ActDefaultEpsBearerAccept messages are counted in 5-minute time slices, and when today's count for the current 5-minute slice exceeds 20 times yesterday's count for the same slice, the SM.ActDefaultEpsBearerAccept signaling storm alarm is confirmed.
NB-IoT default bearer activation signaling storm detection algorithm
Number of NB.ActDefaultEpsBearerRequest messages in today's current 5-minute slice > 20 × number of NB.ActDefaultEpsBearerRequest messages in yesterday's same 5-minute slice; that is, NB.ActDefaultEpsBearerRequest messages are counted in 5-minute time slices, and when today's count for the current 5-minute slice exceeds 20 times yesterday's count for the same slice, the NB.ActDefaultEpsBearerRequest signaling storm alarm is confirmed.
NB-IoT default bearer activation failure signaling storm detection algorithm
Number of NB.ActDefaultEpsBearerFail messages in today's current 5-minute slice > 20 × number of NB.ActDefaultEpsBearerFail messages in yesterday's same 5-minute slice; that is, NB.ActDefaultEpsBearerFail messages are counted in 5-minute time slices, and when today's count for the current 5-minute slice exceeds 20 times yesterday's count for the same slice, the NB.ActDefaultEpsBearerFail signaling storm alarm is confirmed.
Dedicated bearer activation request signaling storm detection algorithm
Number of SM.ActDedicatedEpsBearerRequest messages in today's current 5-minute slice > 20 × number of SM.ActDedicatedEpsBearerRequest messages in yesterday's same 5-minute slice; that is, SM.ActDedicatedEpsBearerRequest messages are counted in 5-minute time slices, and when today's count for the current 5-minute slice exceeds 20 times yesterday's count for the same slice, the SM.ActDedicatedEpsBearerRequest signaling storm alarm is confirmed.
Dedicated bearer activation success signaling storm detection algorithm
Number of SM.ActDedicatedEpsBearerAccept messages in today's current 5-minute slice > 20 × number of SM.ActDedicatedEpsBearerAccept messages in yesterday's same 5-minute slice; that is, SM.ActDedicatedEpsBearerAccept messages are counted in 5-minute time slices, and when today's count for the current 5-minute slice exceeds 20 times yesterday's count for the same slice, the SM.ActDedicatedEpsBearerAccept signaling storm alarm is confirmed.
Dedicated bearer activation request signaling storm detection algorithm per APN
Number of SM.ActDedicatedEpsBearerRequest._Apn messages in today's current 5-minute slice > 20 × number of SM.ActDedicatedEpsBearerRequest._Apn messages in yesterday's same 5-minute slice; that is, SM.ActDedicatedEpsBearerRequest._Apn messages are counted in 5-minute time slices, and when today's count for the current 5-minute slice exceeds 20 times yesterday's count for the same slice, the SM.ActDedicatedEpsBearerRequest._Apn signaling storm alarm is confirmed.
MS activated session request signaling storm detection algorithm
Number of SM.AttActPdpContext messages in today's current 5-minute slice > 20 × number of SM.AttActPdpContext messages in yesterday's same 5-minute slice; that is, SM.AttActPdpContext messages are counted in 5-minute time slices, and when today's count for the current 5-minute slice exceeds 20 times yesterday's count for the same slice, the SM.AttActPdpContext signaling storm alarm is confirmed.
Paging request signaling storm detection algorithm
Number of MM.PagAtt messages in today's current 5-minute slice > 20 × number of MM.PagAtt messages in yesterday's same 5-minute slice; that is, MM.PagAtt messages are counted in 5-minute time slices, and when today's count for the current 5-minute slice exceeds 20 times yesterday's count for the same slice, the MM.PagAtt signaling storm alarm is confirmed.
Tracking area update request signaling storm detection algorithm
Number of MM.TauRequest messages in today's current 5-minute slice > 20 × number of MM.TauRequest messages in yesterday's same 5-minute slice; that is, MM.TauRequest messages are counted in 5-minute time slices, and when today's count for the current 5-minute slice exceeds 20 times yesterday's count for the same slice, the MM.TauRequest signaling storm alarm is confirmed.
Tracking area update request signaling storm detection algorithm in the NB-IoT MME
Number of NB.IntraMmeTauRequest messages in today's current 5-minute slice > 20 × number of NB.IntraMmeTauRequest messages in yesterday's same 5-minute slice; that is, NB.IntraMmeTauRequest messages are counted in 5-minute time slices, and when today's count for the current 5-minute slice exceeds 20 times yesterday's count for the same slice, the NB.IntraMmeTauRequest signaling storm alarm is confirmed.
Inter-MME handover-out attempt signaling storm detection algorithm
Number of HO.AttOutInterMme messages in today's current 5-minute slice > 20 × number of HO.AttOutInterMme messages in yesterday's same 5-minute slice; that is, HO.AttOutInterMme messages are counted in 5-minute time slices, and when today's count for the current 5-minute slice exceeds 20 times yesterday's count for the same slice, the HO.AttOutInterMme signaling storm alarm is confirmed.
Inter-MME handover-in attempt signaling storm detection algorithm
Number of HO.AttInInterMme messages in today's current 5-minute slice > 20 × number of HO.AttInInterMme messages in yesterday's same 5-minute slice; that is, HO.AttInInterMme messages are counted in 5-minute time slices, and when today's count for the current 5-minute slice exceeds 20 times yesterday's count for the same slice, the HO.AttInInterMme signaling storm alarm is confirmed.
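The day-over-day check that every algorithm in this embodiment applies, as an added example (not the patent's code): events are bucketed into 5-minute slices by timestamp, and a counter raises an alarm when its count in today's current slice exceeds 20 times its count in yesterday's same slice. The event stream in the sample is constructed, the (timestamp, counter name) event shape is an assumption, and the counter names are the ones used in the text.

```python
"""Day-over-day comparison in 5-minute slices: a counter alarms when today's
count in the current slice exceeds 20 x its count in yesterday's same slice.

Added example, not the patent's code. The event stream is constructed and the
(timestamp, counter name) event shape is an assumption."""
from collections import Counter
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Tuple

SLICE_MINUTES = 5
RATIO = 20  # today's count must exceed this multiple of yesterday's same-slice count


def slice_start(ts: datetime) -> datetime:
    """Start of the 5-minute slice containing ts."""
    return ts.replace(minute=ts.minute - ts.minute % SLICE_MINUTES, second=0, microsecond=0)


def count_by_slice(events: Iterable[Tuple[datetime, str]]) -> Dict[Tuple[datetime, str], int]:
    """Count events per (slice start, counter name)."""
    counts: Counter = Counter()
    for ts, name in events:
        counts[(slice_start(ts), name)] += 1
    return counts


def storm_alarms(counts: Dict[Tuple[datetime, str], int], now: datetime,
                 counter_names: Iterable[str]) -> List[str]:
    """Names of counters whose current-slice count today exceeds RATIO x the
    count of the same slice yesterday.

    Note the edge case the text does not address: a slice with 0 events
    yesterday alarms on any event today, because 20 x 0 = 0. The check is kept
    exactly as the text states it; any floor is left to the operator."""
    today = slice_start(now)
    yesterday = today - timedelta(days=1)
    alarms: List[str] = []
    for name in counter_names:
        if counts.get((today, name), 0) > RATIO * counts.get((yesterday, name), 0):
            alarms.append(name)
    return alarms


# Constructed events: yesterday's 10:00 slice had 2 paging attempts and 3 TAU
# requests; today's 10:00 slice has 50 paging attempts and 30 TAU requests.
COUNTERS = ["MM.PagAtt", "MM.TauRequest", "SM.ActDefaultEpsBearerRequest"]
NOW = datetime(2019, 12, 2, 10, 3, 20)
SAMPLE_EVENTS = (
    [(datetime(2019, 12, 1, 10, 0, i), "MM.PagAtt") for i in range(2)]
    + [(datetime(2019, 12, 1, 10, 1, i), "MM.TauRequest") for i in range(3)]
    + [(datetime(2019, 12, 2, 10, 0, i), "MM.PagAtt") for i in range(50)]
    + [(datetime(2019, 12, 2, 10, 2, i), "MM.TauRequest") for i in range(30)]
    + [(datetime(2019, 12, 2, 10, 7, 0), "MM.PagAtt")]  # next slice, not compared yet
)
SAMPLE_COUNTS = count_by_slice(SAMPLE_EVENTS)

if __name__ == "__main__":
    print(storm_alarms(SAMPLE_COUNTS, NOW, COUNTERS))
```

On the sample, only MM.PagAtt alarms (50 > 20 × 2), while MM.TauRequest does not (30 is not above 20 × 3); SM.ActDefaultEpsBearerRequest had no events on either day and stays silent, which is the one case where the zero-yesterday edge does not fire.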
By comparison, the verification method of embodiment 2 of the present invention has higher computational redundancy and is suited to being used together with embodiment 1 of the present invention: after embodiment 1 evaluates which signaling storm type is present, embodiment 2 verifies it, and the corresponding signaling storm alarm is issued once the verification passes.
However, when computing resources allow, it is not excluded to periodically run the computing process described in embodiment 2 of the present invention directly and determine the signaling storm types from it.
Example 3
Fig. 5 is a schematic structural diagram of an apparatus for detecting an internet of things signaling storm attack according to an embodiment of the present invention. The apparatus of this embodiment includes one or more processors 21 and a memory 22. In fig. 5, one processor 21 is taken as an example.
The processor 21 and the memory 22 may be connected by a bus or other means, and fig. 5 illustrates the connection by a bus as an example.
The memory 22, as a non-volatile computer-readable storage medium, may be used to store non-volatile software programs and non-volatile computer-executable programs, such as the method for detecting an internet of things signaling storm attack in embodiment 1. The processor 21 performs the internet of things signaling storm attack detection method by running the non-volatile software programs and instructions stored in the memory 22.
The memory 22 may include high speed random access memory and may also include non-volatile memory, such as at least one magnetic disk storage device, flash memory device, or other non-volatile solid state storage device. In some embodiments, the memory 22 may optionally include memory located remotely from the processor 21, and these remote memories may be connected to the processor 21 via a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The program instructions/modules stored in the memory 22, when executed by the one or more processors 21, perform the method for internet of things signaling storm attack detection in embodiment 1, for example, perform the steps illustrated in fig. 2 and 3 described above.
Those of ordinary skill in the art will appreciate that all or part of the steps of the various methods of the embodiments may be implemented by associated hardware as instructed by a program, which may be stored on a computer-readable storage medium, which may include: a Read Only Memory (ROM), a Random Access Memory (RAM), a magnetic or optical disk, or the like.
The above description is only for the purpose of illustrating the preferred embodiments of the present invention and is not to be construed as limiting the invention, and any modifications, equivalents and improvements made within the spirit and principle of the present invention are intended to be included within the scope of the present invention.

Claims (10)

1. A method for detecting an Internet of things signaling storm attack, characterized in that optical splitter equipment is arranged on the S1-MME, S10, S11 and S6a interface links, the original data traffic of each interface is mirrored, the mirrored traffic is collected by a deployed probe, and the mirrored traffic data collected by the probe is sent to a processing terminal, the method comprising the following steps:
decrypting the NAS message of the S1-MME interface according to the parameters acquired from the S10, S11 and S6a interfaces;
counting, in a preset time interval, the total score of one or more of abnormal traffic, abnormal attachment message quantity, abnormal authentication message quantity, abnormal activation message quantity, abnormal handover message quantity, abnormal paging message quantity, abnormal attachment success rate, abnormal authentication success rate, abnormal activation success rate, abnormal handover success rate and abnormal paging success rate for the four types of subjects corresponding to the MME network element, the eNB base station, the area and the terminal;
and confirming whether the S1-MME interface is attacked by a signaling storm according to the total score.
2. The method for detecting an Internet of things signaling storm attack according to claim 1, wherein decrypting the NAS message of the S1-MME interface according to the parameters acquired from the S10, S11 and S6a interfaces specifically comprises:
extracting the IMSI, AUTN and KASME from the AIR message and AIA message of the Diameter protocol on the S6a interface, and establishing a first association between the IMSI and the AUTN;
establishing a second association structure required for decryption, the second association structure comprising: AUTN, XRES, RAND, KASME, encryption identifier, integrity protection algorithm identifier, uplink count and downlink count;
extracting the AUTN from the Authentication request message, and establishing a third association with the MMEID and the ENBID;
extracting the EPS integrity algorithm information, and updating the encryption identifier using the MMEID, the ENBID and the third association;
calculating the AUTN from the MMEID, the ENBID and the encrypted NAS message, and finding the corresponding KASME in the second association structure through the calculated AUTN;
and deriving KNASME from the KASME, thereby completing the NAS message decryption.
3. The method for detecting an Internet of things signaling storm attack according to claim 1, wherein confirming the abnormal traffic, the abnormal attachment message quantity, the abnormal authentication message quantity, the abnormal activation message quantity, the abnormal handover message quantity, the abnormal paging message quantity, the abnormal attachment success rate, the abnormal authentication success rate, the abnormal activation success rate, the abnormal handover success rate and the abnormal paging success rate specifically comprises:
counting the traffic value of the MME network element/eNB base station/area/terminal in the time interval, judging whether the traffic value exceeds the preset low threshold I, medium threshold I or high threshold I, and giving scores of 20, 15 and 10 respectively according to whether the traffic value exceeds the preset low threshold I, medium threshold I or high threshold I; abnormal traffic is considered to occur when the traffic value exceeds the preset low threshold I;
counting the number of Attach messages of the MME network element/eNB base station/area/terminal in the time interval, judging whether the number exceeds the preset low threshold II, medium threshold II or high threshold II, and giving scores of 10, 7 and 4 respectively according to whether the number exceeds the preset low threshold II, medium threshold II or high threshold II; an abnormal Attach message quantity is considered to occur when the number of Attach messages exceeds the preset low threshold II;
counting the number of Authentication messages of the MME network element/eNB base station/area/terminal in the time interval, judging whether the number exceeds the preset low threshold III, medium threshold III or high threshold III, and giving scores of 10, 7 and 4 respectively according to whether the number exceeds the preset low threshold III, medium threshold III or high threshold III; an abnormal Authentication message quantity is considered to occur when the number of Authentication messages exceeds the preset low threshold III;
counting the number of E-RAB Setup and Dedicated EPS Bearer Context Activation messages of the MME network element/eNB base station/area/terminal in the time interval, judging whether the number exceeds the preset low threshold IV, medium threshold IV or high threshold IV, and giving scores of 10, 7 and 4 respectively according to whether the number exceeds the preset low threshold IV, medium threshold IV or high threshold IV; an abnormal activation message quantity is considered to occur when the number of E-RAB Setup and Dedicated EPS Bearer Context Activation messages exceeds the preset low threshold IV;
counting the number of S1 handover-out and S1 handover-in messages of the MME network element/eNB base station/area/terminal in the time interval, judging whether the number exceeds the preset low threshold V, medium threshold V or high threshold V, and giving scores of 10, 7 and 4 respectively according to whether the number exceeds the preset low threshold V, medium threshold V or high threshold V; an abnormal handover message quantity is considered to occur when the number of S1 handover-out and S1 handover-in messages exceeds the preset low threshold V;
counting the number of Paging messages of the MME network element/eNB base station/area/terminal in the time interval, judging whether the number exceeds the preset low threshold VI, medium threshold VI or high threshold VI, and giving scores of 10, 7 and 4 respectively according to whether the number exceeds the preset low threshold VI, medium threshold VI or high threshold VI; an abnormal Paging message quantity is considered to occur when the number of Paging messages exceeds the preset low threshold VI;
counting the success rate of Attach messages of the MME network element/eNB base station/area/terminal in the time interval, judging whether the success rate exceeds the preset low threshold VII, medium threshold VII or high threshold VII, and giving scores of 6, 4 and 2 respectively according to whether the success rate exceeds the preset low threshold VII, medium threshold VII or high threshold VII; an abnormal attachment success rate is considered to occur when the success rate of Attach messages exceeds the preset low threshold VII;
counting the success rate of Authentication messages of the MME network element/eNB base station/area/terminal in the time interval, judging whether the success rate exceeds the preset low threshold VIII, medium threshold VIII or high threshold VIII, and giving scores of 6, 4 and 2 respectively according to whether the success rate exceeds the preset low threshold VIII, medium threshold VIII or high threshold VIII; an abnormal authentication success rate is considered to occur when the success rate of Authentication messages exceeds the preset low threshold VIII;
counting the success rate of E-RAB Setup and Dedicated EPS Bearer Context Activation messages of the MME network element/eNB base station/area/terminal in the time interval, judging whether the success rate exceeds the preset low threshold IX, medium threshold IX or high threshold IX, and giving scores of 6, 4 and 2 respectively according to whether the success rate exceeds the preset low threshold IX, medium threshold IX or high threshold IX; an abnormal activation success rate is considered to occur when the success rate of E-RAB Setup and Dedicated EPS Bearer Context Activation messages exceeds the preset low threshold IX;
counting the success rate of S1 handover-out and S1 handover-in messages of the MME network element/eNB base station/area/terminal in the time interval, judging whether the success rate exceeds the preset low threshold X, medium threshold X or high threshold X, and giving scores of 6, 4 and 2 respectively according to whether the success rate exceeds the preset low threshold X, medium threshold X or high threshold X; an abnormal handover success rate is considered to occur when the success rate of S1 handover-out and S1 handover-in messages exceeds the preset low threshold X;
counting the success rate of Paging messages of the MME network element/eNB base station/area/terminal in the time interval, judging whether the success rate exceeds the preset low threshold XI, medium threshold XI or high threshold XI, and giving scores of 6, 4 and 2 respectively according to whether the success rate exceeds the preset low threshold XI, medium threshold XI or high threshold XI; an abnormal paging success rate is considered to occur when the success rate of Paging messages exceeds the preset low threshold XI;
wherein, the total score sum > =80 of each item indicates whether the S1-MME interface is attacked by the signaling storm to a high degree; 65< = sum <80 indicates whether the S1-MME interface is attacked by a signaling storm to a medium degree; sum <65 indicates whether the S1-MME interface is suffering from a low degree of signaling storm attack.
4. The method for detecting an Internet of Things signaling storm attack according to claim 3, wherein counting the number of Attach messages, the number of Authentication messages, the number of E-RAB Setup and Dedicated EPS Bearer Context Activation messages, the number of S1 cut-out and S1 cut-in messages, and the number of Paging messages of the MME network element/eNB base station/area/terminal in the statistical time interval specifically includes:
generating an XDR log of the S1-MME interface from the content obtained by decrypting the NAS message, and identifying Attach, Authentication, E-RAB Setup, Dedicated EPS Bearer Context Activation, S1 cut-out, S1 cut-in or Paging messages according to the Procedure Type field carried in the XDR log;
and the XDR log also carries a service flow start time and a service flow end time, which provide the basis for the statistical time interval.
5. The method for detecting an Internet of Things signaling storm attack according to claim 3, wherein an XDR log of the S1-MME interface is generated from the content obtained by decrypting the NAS message, the XDR log carrying one or more of a Machine IP TYPE field, an MME IP Addr field, an eNB ID field, a TAI field, an ECGI field, a Cell ID field, an IMSI field, an IMEI field and an MSISDN field;
the Machine IP TYPE field and/or the MME IP Addr field is used to identify the MME network element; the eNB IP Addr field and/or the eNB ID field is used to identify the eNB base station; the TAI field, the ECGI field and/or the Cell ID field is used to identify the area; the IMSI field, the IMEI field or the MSISDN field is used to identify the terminal.
6. The method for detecting an Internet of Things signaling storm attack according to claim 3, wherein, for the attach success rate, the authentication success rate, the activation success rate, the handover success rate and the paging success rate, whether the corresponding message succeeded is determined from the Status field carried in the XDR log of the S1-MME interface generated from the content obtained by decrypting the NAS message, and the corresponding success rate is obtained by dividing the number of successful messages of that type by the total number of messages of that type.
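The scoring procedure of claim 3, fed by the XDR fields of claims 4 to 6, as an added Python example; this is not code from the patent or its assignee. The Procedure Type strings, the Status value "success", the dict keys standing in for XDR fields, the sample records and the threshold values are all constructed assumptions; a real deployment would take them from its own XDR generator and tune thresholds per network element. The 10/7/4 and 6/4/2 scores are tied to the low/middle/high thresholds in the order the claim words it, taking the score of the highest threshold the value exceeds, and the grade boundaries 80 and 65 are the claim's own. The example also shows the parts the claim only names: grouping by the identifier field of claim 5 and windowing on the service flow start time of claim 4.

```python
"""Band scoring of S1-MME XDR records per identifier over a time interval (claims 3-6)."""
from collections import Counter, defaultdict

# Claim 4: the Procedure Type values feeding each counted item. The exact strings an
# XDR generator writes are not given in the patent; these labels are assumed.
ITEMS = {
    "attach": ("Attach",),
    "authentication": ("Authentication",),
    "activation": ("E-RAB Setup", "Dedicated EPS Bearer Context Activation"),
    "handover": ("S1 Handover Out", "S1 Handover In"),
    "paging": ("Paging",),
}
PROCEDURE_TO_ITEM = {p: item for item, procs in ITEMS.items() for p in procs}
SUCCESS = "success"        # assumed Status field value for a completed procedure
COUNT_SCORES = (10, 7, 4)  # claim 3: count exceeds low / middle / high threshold
RATE_SCORES = (6, 4, 2)    # claim 3: success rate exceeds low / middle / high threshold


def band_score(value, thresholds, scores):
    """Score of the highest of the three (low, middle, high) thresholds that value exceeds."""
    score = 0
    for threshold, s in zip(thresholds, scores):
        if value > threshold:
            score = s
    return score


def aggregate(records, key_field, t_start, t_end):
    """Per key_field value: message count and success rate of each item in [t_start, t_end).

    key_field picks the aggregation level of claim 5 (MME IP Addr, eNB ID, TAI, IMSI, ...);
    the service flow start time of claim 4 places a record in the interval; the success
    rate is successful messages divided by all messages of the item (claim 6).
    """
    counts, successes = defaultdict(Counter), defaultdict(Counter)
    for r in records:
        item = PROCEDURE_TO_ITEM.get(r["Procedure Type"])
        if item is None or not (t_start <= r["start"] < t_end):
            continue
        counts[r[key_field]][item] += 1
        if r["Status"] == SUCCESS:
            successes[r[key_field]][item] += 1
    return {
        key: {
            "count": {item: c[item] for item in ITEMS},
            "rate": {item: successes[key][item] / c[item] if c[item] else 0.0 for item in ITEMS},
        }
        for key, c in counts.items()
    }


def score(stats, count_thresholds, rate_thresholds):
    """Claim 3 total: five count items (10/7/4) plus five rate items (6/4/2), then the grade."""
    detail = {
        item: (band_score(stats["count"][item], count_thresholds[item], COUNT_SCORES),
               band_score(stats["rate"][item], rate_thresholds[item], RATE_SCORES))
        for item in ITEMS
    }
    total = sum(c + r for c, r in detail.values())
    degree = "high" if total >= 80 else "medium" if total >= 65 else "low"
    return total, degree, detail


# Constructed sample XDR records (not captured data): eNB-A sends six messages of every
# item inside the 60 s window, half of its Attach and a third of its activation attempts
# fail; eNB-B is quiet, and one of its records lies outside the window.
def _rec(enb, proc, status, start):
    return {"eNB ID": enb, "IMSI": "IMSI-PLACEHOLDER", "Procedure Type": proc,
            "Status": status, "start": start, "end": start + 1}

_ENB_A = [("Attach", 3, 3), ("Authentication", 6, 0), ("E-RAB Setup", 2, 1),
          ("Dedicated EPS Bearer Context Activation", 2, 1), ("S1 Handover Out", 3, 0),
          ("S1 Handover In", 3, 0), ("Paging", 6, 0)]  # (procedure, successes, failures)
SAMPLE_RECORDS, _t = [], 0
for _proc, _ok, _fail in _ENB_A:
    for _status in [SUCCESS] * _ok + ["failure"] * _fail:
        SAMPLE_RECORDS.append(_rec("eNB-A", _proc, _status, _t))
        _t += 1
SAMPLE_RECORDS += [_rec("eNB-B", "Attach", SUCCESS, 10), _rec("eNB-B", "Paging", SUCCESS, 11),
                   _rec("eNB-B", "Attach", "failure", 70)]

# Constructed thresholds; real values are tuned per network element and are not in the patent.
COUNT_THRESHOLDS = {item: (5, 20, 50) for item in ITEMS}
RATE_THRESHOLDS = {item: (0.4, 0.7, 0.95) for item in ITEMS}


def evaluate(records=SAMPLE_RECORDS, key_field="eNB ID", t_start=0, t_end=60):
    """Grade every key in the interval; returns {key: (total, degree, per-item scores)}."""
    stats = aggregate(records, key_field, t_start, t_end)
    return {key: score(s, COUNT_THRESHOLDS, RATE_THRESHOLDS) for key, s in stats.items()}


if __name__ == "__main__":
    for key, (total, degree, detail) in evaluate().items():
        print(f"{key}: total={total} degree={degree} {detail}")
```

With the constructed data, eNB-A collects 10 points on each of the five count items and 6, 2, 6, 2, 2 on the rate items, a total of 68 and therefore the medium grade; eNB-B stays below every count threshold and lands on the low grade, and its record at t = 70 is excluded by the window. Because the `detail` dict keeps the per-item scores, the sub-item breakdown that claim 9 uses to name the storm type is available without recomputation.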
7. The method for detecting an Internet of Things signaling storm attack according to claim 3, wherein the activation message quantity anomaly specifically comprises:
one or more of a default bearer activation request signaling storm, a default bearer activation success signaling storm, an NB-IoT default bearer activation failure signaling storm, a dedicated bearer activation request signaling storm, a dedicated bearer activation success signaling storm, a dedicated bearer activation request signaling storm for an APN, and an MS activation session request signaling storm;
the handover message quantity anomaly specifically comprises: an inter-MME handover-out attempt signaling storm and an inter-MME handover-in attempt signaling storm.
8. The method for internet of things signaling storm attack detection according to claim 7, wherein the signaling storm type further comprises:
a tracking area update request signaling storm, a tracking area update request signaling storm within an NB-IoT MME, and a tracking area update request signaling storm.
9. The method for detecting internet of things signaling storm attack according to claim 7, wherein the attach signaling storm, default bearer activation request signaling storm, default bearer activation success signaling storm, NB-IoT default bearer activation failure signaling storm, dedicated bearer activation request signaling storm, dedicated bearer activation success signaling storm, dedicated bearer activation request signaling storm for APN, MS activation session request signaling storm, paging request signaling storm, inter-MME handover out attempt signaling storm, and inter-MME handover in attempt signaling storm are determined according to scores of sub-items constituting the total score.
10. An apparatus for internet of things signaling storm attack detection, the apparatus comprising:
at least one processor; and a memory communicatively coupled to the at least one processor; wherein the memory stores instructions executable by the at least one processor and programmed to perform the method of internet of things signaling storm attack detection of any of claims 1-9.
CN201911273537.4A 2019-12-12 2019-12-12 Method and device for detecting signaling storm attack of Internet of things Pending CN110719302A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201911273537.4A CN110719302A (en) 2019-12-12 2019-12-12 Method and device for detecting signaling storm attack of Internet of things

Publications (1)

Publication Number Publication Date
CN110719302A true CN110719302A (en) 2020-01-21

Family

ID=69216680

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102438241A (en) * 2011-12-30 2012-05-02 北京中创信测科技股份有限公司 Device and method for decrypting NAS (Network Attached Storage) signaling in LTE (Long Term Evolution) protocol monitoring analysis
CN104427534A (en) * 2013-09-06 2015-03-18 中国移动通信集团公司 Detection method and movable detection device of long-term evolution software acqusition
CN105722139A (en) * 2014-12-04 2016-06-29 中国移动通信集团上海有限公司 Signaling storm management method and apparatus based on PCC framework
US20170238278A1 (en) * 2016-02-17 2017-08-17 Parallel Wireless, Inc. Handling Unresponsive MMEs
CN107404728A (en) * 2016-05-18 2017-11-28 中国移动通信集团江苏有限公司 A kind of method and device of network problem positioning
US10123232B2 (en) * 2014-07-22 2018-11-06 Parallel Wireless, Inc. Signaling storm reduction from radio networks
CN109936590A (en) * 2017-12-15 2019-06-25 大唐移动通信设备有限公司 Information transferring method and device, computer storage medium, communication system

Cited By (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20190075484A1 (en) * 2014-07-22 2019-03-07 Parallel Wireless, Inc. Signaling Storm Reduction from Radio Networks
US11129046B2 (en) * 2014-07-22 2021-09-21 Parallel Wireless, Inc. Signaling storm reduction from radio networks
US10893436B2 (en) 2014-08-08 2021-01-12 Parallel Wireless, Inc. Congestion and overload reduction
CN111464359A (en) * 2020-04-03 2020-07-28 杭州迪普科技股份有限公司 Abnormal flow alarm decision system and method
CN113784368A (en) * 2020-06-10 2021-12-10 中国移动通信集团湖北有限公司 Signaling storm prevention and control method and computing equipment
CN113784368B (en) * 2020-06-10 2023-08-15 中国移动通信集团湖北有限公司 Prevention and control method of signaling storm and computing equipment
WO2022057501A1 (en) * 2020-09-16 2022-03-24 中兴通讯股份有限公司 Method for identifying abnormal terminal, analysis apparatus and device, and storage medium
CN112468331A (en) * 2020-11-13 2021-03-09 中盈优创资讯科技有限公司 Method and device for diagnosing abnormal NB card based on MME log
CN115150034A (en) * 2021-03-15 2022-10-04 中国移动通信集团福建有限公司 Early warning method and device for signaling storm and electronic equipment
CN115150034B (en) * 2021-03-15 2024-05-03 中国移动通信集团福建有限公司 Signalling storm early warning method and device and electronic equipment
CN115835211A (en) * 2022-12-13 2023-03-21 武汉博易讯信息科技有限公司 5G signaling attack detection system
CN115835211B (en) * 2022-12-13 2024-03-12 武汉博易讯信息科技有限公司 5G signaling attack detection system

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20200121