CN110830422A - Terminal behavior data processing method and equipment - Google Patents


Publication number
CN110830422A
Authority
CN
China
Prior art keywords
terminal
network device
target network
behavior data
abnormal
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201810911341.2A
Other languages
Chinese (zh)
Other versions
CN110830422B (en)
Inventor
史嫄嫄
李爱华
刘晨
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China Mobile Communications Group Co Ltd
China Mobile Communications Ltd Research Institute
Original Assignee
China Mobile Communications Group Co Ltd
China Mobile Communications Ltd Research Institute
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by China Mobile Communications Group Co Ltd, China Mobile Communications Ltd Research Institute
Priority to CN201810911341.2A
Publication of CN110830422A
Application granted
Publication of CN110830422B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L43/00 Arrangements for monitoring or testing data switching networks
    • H04L43/10 Active monitoring, e.g. heartbeat, ping or trace-route
    • H04L43/00 Arrangements for monitoring or testing data switching networks
    • H04L43/16 Threshold monitoring
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/107 Network architectures or network communication protocols for network security for controlling access to devices or network resources wherein the security policies are location-dependent, e.g. entities privileges depend on current location or allowing specific operations only from locally connected terminals
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1433 Vulnerability analysis
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1458 Denial of Service

Abstract

The invention provides a terminal behavior data processing method and device, and relates to the technical field of communication. The method comprises: acquiring terminal behavior data through a first target network device, wherein the first target network device comprises: the unified data store (UDR), the user subscription data management (UDM), the user plane function (UPF), the access and mobility management function (AMF), the session management function (SMF), the policy control function (PCF), the operation, maintenance and management (OAM), or the application function (AF). The scheme of the invention solves the problem that judging terminal behavior from a single kind of data leads to a large error in the judgment result.

Description

Terminal behavior data processing method and equipment
Technical Field
The present invention relates to the field of communications technologies, and in particular, to a method and an apparatus for processing terminal behavior data.
Background
As a brand-new information and communication technology, the Internet of Things (IoT) has gradually penetrated into various fields. According to IDC (Internet Data Center), global IoT connections will reach 300 hundred million by 2020, and by 2025 worldwide IoT connections will reach 700 billion. This enormous connection demand places higher requirements on the network capacity of the IoT. Wide-area cellular IoT technologies, represented by NB-IoT (Narrow Band Internet of Things) and the IoT application scenario eMTC, use licensed spectrum, have low interference and high reliability, and can carry a large volume of IoT services. In terms of network functions, the cellular IoT core network meets the cellular IoT requirements of deep coverage, low cost, low power consumption and massive connections. By optimizing the signaling flow, the data transmission scheme, the mobility management scheme and so on, it meets the low-rate, low-frequency data transmission needs of cellular IoT (CIoT) terminals, helps terminals save power and reduce cost, and forms a lightweight core network.
However, with the rapid development of IoT technology and industry, large-scale IoT deployment also faces severe security challenges and demands for efficient resource scheduling.
In terms of security, on the one hand, most IoT devices are unattended, such as a larcarat or a shared bicycle; they are easily damaged or even stolen and cannot be maintained in time, which causes property loss. On the other hand, a large number of IoT devices, such as network cameras and routers, are directly exposed on the internet and are easily discovered by web crawlers and malicious attackers. More seriously, a significant proportion of these devices carry risks such as weak passwords and known vulnerabilities, and may become zombie hosts infected with malicious code. Infected devices can go on to infect other devices and form a large-scale IoT botnet; alternatively, they accept and execute instructions from a command and control server and launch large-scale DDoS (Distributed Denial of Service) attacks, causing significant damage to services on the internet. Terminal behavior, especially that of unattended terminals, therefore urgently needs to be supervised and monitored, so that abnormal terminal behavior can be predicted and warned of in advance and losses can be effectively reduced.
In terms of resource scheduling, the IoT interconnects a massive number of terminals, and the massive services and data place strict scheduling and high-utilization requirements on the currently limited resources. For low-latency services in particular, such as fire services, security services and severe-weather monitoring and alarm services, the network must be able to satisfy overall service fairness and the ultra-low latency requirements of these services at the same time, so as to ensure the safety of people and property.
However, in the prior art, terminal behavior is judged from a single kind of data, which leads to a large error in the judgment result.
Disclosure of Invention
The invention aims to provide a terminal behavior data processing method and equipment, which can depict terminal behaviors through multi-dimensional data and obtain more accurate behavior judgment results.
In order to achieve the above object, an embodiment of the present invention provides a terminal behavior data processing method, applied to a first network device, including:
acquiring terminal behavior data through a first target network device, wherein the first target network device comprises: the unified data store (UDR), the user subscription data management (UDM), the user plane function (UPF), the access and mobility management function (AMF), the session management function (SMF), the policy control function (PCF), the operation, maintenance and management (OAM), or the application function (AF).
Wherein the terminal behavior data comprises:
the geographical location of the terminal, time characteristics, movement pattern, functional characteristics, packet-sending characteristics, packet size, or source and destination addresses.
Wherein the method further comprises:
analyzing the terminal behavior data to obtain grouping information, wherein terminals belonging to the same group have the same feature description information.
Wherein the grouping information includes: a group identifier, a terminal device identifier and the feature description information of the current group; wherein
the grouping information indicates the terminal device identifier and feature description information corresponding to each group identifier; or
the grouping information indicates the group identifier and feature description information corresponding to each terminal device identifier.
Wherein the method further comprises:
sending the grouping information to a second target network device, wherein the second target network device comprises the UDR and/or the UDM.
Wherein the sending the grouping information to the second target network device comprises:
sending an add/update grouping request to the second target network device, the add/update grouping request including the grouping information;
the method further comprises:
receiving an add/update grouping response sent by the second target network device.
Wherein the method further comprises:
performing anomaly detection on the current behavior data of a target terminal based on the grouping information, to obtain a detection result;
sending the detection result to a third target network device, wherein the third target network device includes: at least one of UDR, UDM, UPF, AMF, SMF, PCF, OAM, or AF.
Wherein the sending the detection result to the third target network device includes:
sending an anomaly notification to the third target network device, wherein the anomaly notification comprises the detection result;
the method further comprises:
receiving an anomaly notification acknowledgement sent by the third target network device.
Wherein before the sending the detection result to the third target network device, the method further comprises:
receiving an anomaly subscription request sent by the third target network device;
the sending the detection result to the third target network device includes:
sending an anomaly subscription response to the third target network device, wherein the anomaly subscription response comprises the detection result.
Wherein the detection result comprises:
an anomaly identifier indicating whether the terminal is abnormal; and/or
an anomaly level identifier indicating the degree of abnormality of the terminal.
Wherein the anomaly level identifier comprises:
a first anomaly level identifier, a second anomaly level identifier and a third anomaly level identifier; wherein
the first anomaly level identifier indicates that the current behavior data of one terminal, or of a number of terminals in the same group smaller than a first threshold, has not left the normal feature threshold range of the group to which it belongs but lies in the marginal area of that range;
the second anomaly level identifier indicates that the current behavior data of one terminal has left the normal feature threshold range of the group to which it belongs;
the third anomaly level identifier indicates that, within the same group, a number of terminals larger than a second threshold have current behavior data outside the normal feature threshold range of the group.
Wherein, before the performing anomaly detection on the current behavior data of the target terminal based on the grouping information to obtain a detection result, the method further comprises:
receiving a primary anomaly identifier sent by a fourth target network device, wherein the fourth target network device comprises at least one of AMF, SMF or PCF;
the performing anomaly detection on the current behavior data of the target terminal based on the grouping information to obtain a detection result comprises:
performing anomaly detection on the target terminal corresponding to the primary anomaly identifier by means of the primary anomaly identifier and the grouping information, to obtain the detection result.
Before the receiving of the primary anomaly identifier sent by the fourth target network device, the method further includes:
sending the grouping information to the fourth target network device, wherein the grouping information indicates the group identifier and feature description information corresponding to each terminal device identifier.
Wherein the first network device comprises a network data analysis function, NWDAF.
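The group-based check and the three anomaly levels described above can be sketched as follows. This is an added example, not code from the patent: the feature names, the margin width, the two threshold values, the sample data and the handling of cases the text leaves open are all assumptions.

```python
from collections import Counter

# Constructed values: the text names a marginal area and two thresholds
# but gives no numbers for them.
MARGIN_FRACTION = 0.10   # assumed width of the marginal area, per side of the range
FIRST_THRESHOLD = 3      # level 1 applies to fewer than this many marginal terminals
SECOND_THRESHOLD = 2     # level 3 applies to more than this many out-of-range terminals

_SEVERITY = {"inside": 0, "margin": 1, "outside": 2}


def position(value, low, high):
    """Place one feature value relative to a group's normal range."""
    if value < low or value > high:
        return "outside"
    edge = (high - low) * MARGIN_FRACTION
    if value < low + edge or value > high - edge:
        return "margin"
    return "inside"


def terminal_state(normal_ranges, behavior):
    """Worst position over every feature the group description covers."""
    worst = "inside"
    for feature, (low, high) in normal_ranges.items():
        if feature not in behavior:
            # Assumption: a terminal that stops reporting a described
            # feature is not treated as normal.
            state = "outside"
        else:
            state = position(behavior[feature], low, high)
        if _SEVERITY[state] > _SEVERITY[worst]:
            worst = state
    return worst


def detect(group_ranges, membership, current):
    """Return {terminal_id: level}: 0 = no level, 1..3 = anomaly level,
    None = terminal has no group in the grouping information."""
    states, counts = {}, {}
    for tid, behavior in current.items():
        gid = membership.get(tid)
        if gid is None:
            continue
        states[tid] = terminal_state(group_ranges[gid], behavior)
        counts.setdefault(gid, Counter())[states[tid]] += 1

    levels = {}
    for tid in current:
        if tid not in states:
            levels[tid] = None
            continue
        group_counts = counts[membership[tid]]
        if states[tid] == "outside":
            # Level 3 when the whole group is drifting, level 2 for a lone terminal.
            levels[tid] = 3 if group_counts["outside"] > SECOND_THRESHOLD else 2
        elif states[tid] == "margin":
            few = group_counts["margin"] == 1 or group_counts["margin"] < FIRST_THRESHOLD
            # Assumption: the text does not say what happens when the marginal
            # count reaches the first threshold; this example escalates to level 2.
            levels[tid] = 1 if few else 2
        else:
            levels[tid] = 0
    return levels


# Constructed grouping information: feature description per group identifier,
# and group identifier per terminal device identifier.
GROUP_RANGES = {
    "g-meter": {"pkt_bytes": (100, 200), "pkts_per_min": (0, 10)},
    "g-cam": {"pkt_bytes": (800, 1400), "pkts_per_min": (100, 600)},
}
MEMBERSHIP = {"t1": "g-meter", "t2": "g-meter", "t3": "g-meter",
              "c1": "g-cam", "c2": "g-cam", "c3": "g-cam", "c4": "g-cam"}
# Constructed current behavior data; "x9" is not in the grouping information.
CURRENT = {
    "t1": {"pkt_bytes": 150, "pkts_per_min": 5},
    "t2": {"pkt_bytes": 195, "pkts_per_min": 5},
    "t3": {"pkt_bytes": 1500, "pkts_per_min": 5},
    "c1": {"pkt_bytes": 1000, "pkts_per_min": 300},
    "c2": {"pkt_bytes": 1000, "pkts_per_min": 5000},
    "c3": {"pkt_bytes": 1200, "pkts_per_min": 4000},
    "c4": {"pkt_bytes": 900, "pkts_per_min": 7000},
    "x9": {"pkt_bytes": 64, "pkts_per_min": 1},
}

if __name__ == "__main__":
    for terminal, level in detect(GROUP_RANGES, MEMBERSHIP, CURRENT).items():
        print(terminal, level)
```

Three cameras sending far above their group's packet rate at once are reported at level 3, while the single meter with an oversized packet is reported at level 2; that separates a group-wide event from a single faulty or compromised terminal.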
In order to achieve the above object, an embodiment of the present invention provides a terminal behavior data processing method, applied to a first network device, including:
sending grouping information to a second target network device, wherein the second target network device comprises a UDR and/or a UDM; the grouping information is obtained by grouping terminals based on terminal behavior data, and terminals belonging to the same group have the same feature description information.
Wherein the terminal behavior data comprises:
the geographical location of the terminal, time characteristics, movement pattern, functional characteristics, packet-sending characteristics, packet size, or source and destination addresses.
Wherein the grouping information includes: a group identifier, a terminal device identifier and the feature description information of the current group; wherein
the grouping information indicates the terminal device identifier and feature description information corresponding to each group identifier; or
the grouping information indicates the group identifier and feature description information corresponding to each terminal device identifier.
Wherein the sending the grouping information to the second target network device includes:
sending an add/update grouping request to the second target network device, the add/update grouping request including the grouping information;
the method further comprises:
receiving an add/update grouping response sent by the second target network device.
Before the sending the grouping information to the second target network device, the method further includes:
acquiring terminal behavior data through a first target network device, wherein the first target network device comprises: at least one of UDR, UDM, UPF, AMF, SMF, PCF, OAM, or AF.
Wherein the method further comprises:
performing anomaly detection on the current behavior data of a target terminal based on the grouping information, to obtain a detection result;
sending the detection result to a third target network device, wherein the third target network device includes: at least one of UDR, UDM, UPF, AMF, SMF, PCF, OAM, or AF.
Wherein the sending the detection result to the third target network device includes:
sending an anomaly notification to the third target network device, wherein the anomaly notification comprises the detection result;
the method further comprises:
receiving an anomaly notification acknowledgement sent by the third target network device.
Wherein before the sending the detection result to the third target network device, the method further comprises:
receiving an anomaly subscription request sent by the third target network device;
the sending the detection result to the third target network device includes:
sending an anomaly subscription response to the third target network device, wherein the anomaly subscription response comprises the detection result.
Wherein the detection result comprises:
an anomaly identifier indicating whether the terminal is abnormal; and/or
an anomaly level identifier indicating the degree of abnormality of the terminal.
Wherein the anomaly level identifier comprises:
a first anomaly level identifier, a second anomaly level identifier and a third anomaly level identifier; wherein
the first anomaly level identifier indicates that the current behavior data of one terminal, or of a number of terminals in the same group smaller than a first threshold, has not left the normal feature threshold range of the group to which it belongs but lies in the marginal area of that range;
the second anomaly level identifier indicates that the current behavior data of one terminal has left the normal feature threshold range of the group to which it belongs;
the third anomaly level identifier indicates that, within the same group, a number of terminals larger than a second threshold have current behavior data outside the normal feature threshold range of the group.
Wherein, before the performing anomaly detection on the current behavior data of the target terminal based on the grouping information to obtain a detection result, the method further comprises:
receiving a primary anomaly identifier sent by a fourth target network device, wherein the fourth target network device comprises at least one of AMF, SMF or PCF;
the performing anomaly detection on the current behavior data of the target terminal based on the grouping information to obtain a detection result comprises:
performing anomaly detection on the target terminal corresponding to the primary anomaly identifier by means of the primary anomaly identifier and the grouping information, to obtain the detection result.
Before the receiving of the primary anomaly identifier sent by the fourth target network device, the method further includes:
sending the grouping information to the fourth target network device, wherein the grouping information indicates the group identifier and feature description information corresponding to each terminal device identifier.
Wherein the first network device comprises an NWDAF.
In order to achieve the above object, an embodiment of the present invention provides a terminal behavior data processing method, applied to a first network device, including:
sending a detection result to a third target network device, wherein the detection result is obtained by performing anomaly detection on the current behavior data of a target terminal based on grouping information; the grouping information is obtained by grouping terminals based on terminal behavior data, and terminals belonging to the same group have the same feature description information; the third target network device includes: at least one of UDR, UDM, UPF, AMF, SMF, PCF, OAM, or AF.
Wherein the detection result comprises:
an anomaly identifier indicating whether the terminal is abnormal; and/or
an anomaly level identifier indicating the degree of abnormality of the terminal.
Wherein the anomaly level identifier comprises:
a first anomaly level identifier, a second anomaly level identifier and a third anomaly level identifier; wherein
the first anomaly level identifier indicates that the current behavior data of one terminal, or of a number of terminals in the same group smaller than a first threshold, has not left the normal feature threshold range of the group to which it belongs but lies in the marginal area of that range;
the second anomaly level identifier indicates that the current behavior data of one terminal has left the normal feature threshold range of the group to which it belongs;
the third anomaly level identifier indicates that, within the same group, a number of terminals larger than a second threshold have current behavior data outside the normal feature threshold range of the group.
Wherein the sending the detection result to the third target network device includes:
sending an anomaly notification to the third target network device, wherein the anomaly notification comprises the detection result;
the method further comprises:
receiving an anomaly notification acknowledgement sent by the third target network device.
Wherein before the sending the detection result to the third target network device, the method further comprises:
receiving an anomaly subscription request sent by the third target network device;
the sending the detection result to the third target network device includes:
sending an anomaly subscription response to the third target network device, wherein the anomaly subscription response comprises the detection result.
Before sending the detection result to the third target network device, the method further includes:
receiving a primary anomaly identifier sent by a fourth target network device, wherein the fourth target network device comprises at least one of AMF, SMF or PCF;
performing anomaly detection on the target terminal corresponding to the primary anomaly identifier by means of the primary anomaly identifier and the grouping information, to obtain the detection result.
Before the receiving of the primary anomaly identifier sent by the fourth target network device, the method further includes:
sending the grouping information to the fourth target network device, wherein the grouping information indicates the group identifier and feature description information corresponding to each terminal device identifier.
Before sending the detection result to the third target network device, the method further includes:
acquiring terminal behavior data through a first target network device, wherein the first target network device comprises: at least one of UDR, UDM, UPF, AMF, SMF, PCF, OAM, or AF.
Wherein the terminal behavior data comprises:
the geographical location of the terminal, time characteristics, movement pattern, functional characteristics, packet-sending characteristics, packet size, or source and destination addresses.
Wherein the grouping information includes: a group identifier, a terminal device identifier and the feature description information of the current group; wherein
the grouping information indicates the terminal device identifier and feature description information corresponding to each group identifier; or
the grouping information indicates the group identifier and feature description information corresponding to each terminal device identifier.
Wherein the method further comprises:
sending the grouping information to a second target network device, wherein the second target network device comprises the UDR and/or the UDM.
Wherein the sending the grouping information to the second target network device comprises:
sending an add/update grouping request to the second target network device, the add/update grouping request including the grouping information;
the method further comprises:
receiving an add/update grouping response sent by the second target network device.
Wherein the first network device comprises an NWDAF.
In order to achieve the above object, an embodiment of the present invention provides a terminal behavior data processing method, applied to a first network device, including:
performing anomaly detection on a target terminal corresponding to a primary anomaly identifier by means of the primary anomaly identifier and grouping information, to obtain a detection result; the grouping information is obtained by grouping terminals based on terminal behavior data, and terminals belonging to the same group have the same feature description information.
Before the performing anomaly detection on the target terminal corresponding to the primary anomaly identifier by means of the primary anomaly identifier and the grouping information to obtain a detection result, the method further comprises:
receiving the primary anomaly identifier sent by a fourth target network device, wherein the fourth target network device comprises at least one of an AMF, an SMF or a PCF.
Before the receiving of the primary anomaly identifier sent by the fourth target network device, the method further includes:
sending the grouping information to the fourth target network device, wherein the grouping information indicates the group identifier and feature description information corresponding to each terminal device identifier.
Wherein the method further comprises:
sending the detection result to a third target network device, wherein the third target network device includes: at least one of UDR, UDM, UPF, AMF, SMF, PCF, OAM, or AF.
Wherein the sending the detection result to the third target network device includes:
sending an anomaly notification to the third target network device, wherein the anomaly notification comprises the detection result;
the method further comprises:
receiving an anomaly notification acknowledgement sent by the third target network device.
Wherein before the sending the detection result to the third target network device, the method further comprises:
receiving an anomaly subscription request sent by the third target network device;
the sending the detection result to the third target network device includes:
sending an anomaly subscription response to the third target network device, wherein the anomaly subscription response comprises the detection result.
Wherein the detection result comprises:
an anomaly identifier indicating whether the terminal is abnormal; and/or
an anomaly level identifier indicating the degree of abnormality of the terminal.
Wherein the anomaly level identifier comprises:
a first anomaly level identifier, a second anomaly level identifier and a third anomaly level identifier; wherein
the first anomaly level identifier indicates that the current behavior data of one terminal, or of a number of terminals in the same group smaller than a first threshold, has not left the normal feature threshold range of the group to which it belongs but lies in the marginal area of that range;
the second anomaly level identifier indicates that the current behavior data of one terminal has left the normal feature threshold range of the group to which it belongs;
the third anomaly level identifier indicates that, within the same group, a number of terminals larger than a second threshold have current behavior data outside the normal feature threshold range of the group.
Before the performing anomaly detection on the target terminal corresponding to the primary anomaly identifier by means of the primary anomaly identifier and the grouping information to obtain a detection result, the method further comprises:
acquiring terminal behavior data through a first target network device, wherein the first target network device comprises: at least one of UDR, UDM, UPF, AMF, SMF, PCF, OAM, or AF.
Wherein the terminal behavior data comprises:
the geographical location of the terminal, time characteristics, movement pattern, functional characteristics, packet-sending characteristics, packet size, or source and destination addresses.
Wherein the grouping information includes: a group identifier, a terminal device identifier and the feature description information of the current group; wherein
the grouping information indicates the terminal device identifier and feature description information corresponding to each group identifier; or
the grouping information indicates the group identifier and feature description information corresponding to each terminal device identifier.
Wherein the method further comprises:
sending the grouping information to a second target network device, wherein the second target network device comprises the UDR and/or the UDM.
Wherein the sending the grouping information to the second target network device comprises:
sending an add/update grouping request to the second target network device, the add/update grouping request including the grouping information;
the method further comprises:
receiving an add/update grouping response sent by the second target network device.
Wherein the first network device comprises an NWDAF.
In order to achieve the above object, an embodiment of the present invention provides a terminal behavior data processing method, applied to a second network device, including:
receiving a detection result of a target terminal sent by a first network device, wherein the detection result is obtained by the first network device performing anomaly detection on current behavior data of the target terminal based on grouping information; the grouping information is obtained by grouping terminals based on terminal behavior data, and terminals belonging to the same group have the same feature description information.
Wherein the detection result comprises:
an anomaly identifier indicating whether the terminal is abnormal; and/or
an anomaly level identification indicating the degree of abnormality of the terminal.
Wherein the anomaly level identification comprises:
a first anomaly level identification, a second anomaly level identification and a third anomaly level identification; wherein
the first anomaly level identification indicates that the current behavior data of one terminal, or of fewer than a first threshold number of terminals in the same group, does not deviate from the normal characteristic threshold range of the group to which it belongs but lies in the marginal area of that range;
the second anomaly level identification indicates that the current behavior data of one terminal deviates from the normal characteristic threshold range of the group to which it belongs;
and the third anomaly level identification indicates that, within the same group, the current behavior data of more than a second threshold number of terminals deviates from the normal characteristic threshold range of the group.
Wherein the terminal behavior data comprises:
the geographical location, time characteristics, movement pattern, functional characteristics, packet-sending characteristics, data packet size, or source address-destination address of the terminal.
Wherein the grouping information includes: a group identification, terminal device identifications and feature description information of the current group; wherein
the grouping information indicates the terminal device identifications and feature description information corresponding to each group identification; or
the grouping information indicates the group identification and feature description information corresponding to each terminal device identification.
Wherein receiving the detection result of the target terminal sent by the first network device includes:
receiving an exception notification sent by the first network device, wherein the exception notification comprises the detection result;
and the method further comprises:
sending an exception notification acknowledgement to the first network device.
Before receiving the detection result of the target terminal sent by the first network device, the method further includes:
sending a subscription exception request to the first network device;
and receiving the detection result of the target terminal sent by the first network device includes:
receiving a subscription exception response sent by the first network device, wherein the subscription exception response comprises the detection result.
After receiving the detection result of the target terminal sent by the first network device, the method further includes:
managing the target terminal according to the detection result and a preset exception handling policy.
Wherein the second network device is a PCF;
and managing the target terminal according to the detection result and a preset exception handling policy comprises:
making the corresponding policy decision according to the anomaly identifier and/or the anomaly level identification of the target terminal.
Wherein the second network device is an AMF;
and managing the target terminal according to the detection result and a preset exception handling policy comprises:
performing the corresponding access control, mobility restriction or registration area management according to the anomaly identifier and/or the anomaly level identification of the target terminal.
Wherein the second network device is an SMF;
and managing the target terminal according to the detection result and a preset exception handling policy comprises:
performing the corresponding session management or policy control according to the anomaly identifier and/or the anomaly level identification of the target terminal.
Wherein the second network device is an AMF, SMF or PCF;
and before managing the target terminal according to the detection result and a preset exception handling policy, the method further includes:
receiving grouping information sent by the first network device or a second target network device, wherein the grouping information indicates the group identification and feature description information corresponding to each terminal device identification, and the second target network device is a UDR and/or a UDM;
and sending a primary anomaly identifier to the first network device when the target terminal is determined to be abnormal according to the grouping information.
Wherein the second network device is a UDR or a UDM;
and before receiving the detection result of the target terminal sent by the first network device, the method further includes:
receiving the grouping information sent by the first network device.
Wherein receiving the grouping information sent by the first network device includes:
receiving an add/update grouping request sent by the first network device, wherein the add/update grouping request comprises the grouping information;
and the method further comprises:
sending an add/update grouping response to the first network device.
Wherein the method further comprises:
deleting the grouping information of an abnormal terminal that is in a service shutdown state, wherein the abnormal terminal belongs to a group in which the current behavior data of more than a second threshold number of terminals deviates from the normal characteristic threshold range of the group;
after receiving a terminal registration request, determining whether grouping information exists for the terminal that sent the registration request;
if not, rejecting registration and access by that terminal; if so, allowing registration and access.
Wherein the method further comprises:
sending grouping information to at least one of the AMF, the SMF or the PCF, wherein the grouping information indicates the group identification and feature description information corresponding to each terminal device identification.
Wherein the second network device is an AF;
and managing the target terminal according to the detection result and a preset exception handling policy comprises:
performing the corresponding service shutdown, or requesting new QoS resources, according to the anomaly identifier and/or the anomaly level identification of the target terminal.
Wherein the method further comprises:
sending the terminal behavior data recorded by the second network device to the first network device.
To achieve the above objects, embodiments of the present invention provide an NWDAF comprising a first processor and a first transceiver, wherein,
the first transceiver is used for acquiring terminal behavior data through a first target network device, wherein the first target network device comprises: the unified data store (UDR), the user subscription data management (UDM), the user plane function (UPF), the access and mobility management function (AMF), the session management function (SMF), the policy control function (PCF), the operation, maintenance and management (OAM), or the application function (AF).
To achieve the above objects, embodiments of the present invention provide an NWDAF comprising a second processor and a second transceiver, wherein,
the second transceiver is used for sending the grouping information to a second target network device; wherein the second target network device comprises a UDR and/or a UDM; the grouping information is obtained by grouping the terminals based on the terminal behavior data, and the terminals belonging to the same group have the same feature description information.
To achieve the above objects, embodiments of the present invention provide an NWDAF comprising a third processor and a third transceiver, wherein,
the third transceiver is used for sending a detection result to a third target network device; the detection result is obtained by performing anomaly detection on the current behavior data of the target terminal based on the grouping information; the grouping information is obtained by grouping the terminals based on the terminal behavior data, and the terminals belonging to the same group have the same feature description information; the third target network device includes: at least one of UDR, UDM, UPF, AMF, SMF, PCF, OAM, or AF.
To achieve the above objects, embodiments of the present invention provide an NWDAF comprising a fourth processor and a fourth transceiver, wherein,
the fourth processor is used for carrying out anomaly detection on the target terminal corresponding to the primary anomaly identification through the primary anomaly identification and the grouping information to obtain a detection result; the grouping information is obtained by grouping the terminals based on the terminal behavior data, and the terminals belonging to the same group have the same feature description information.
To achieve the above object, an embodiment of the present invention provides a network device, which includes a fifth processor and a fifth transceiver, wherein,
the fifth transceiver is configured to receive a detection result of the target terminal sent by the first network device, where the detection result is obtained by the first network device performing anomaly detection on current behavior data of the target terminal based on grouping information; the grouping information is obtained by grouping the terminals based on the terminal behavior data, and the terminals belonging to the same group have the same feature description information.
To achieve the above object, an embodiment of the present invention provides a network device, including a transceiver, a memory, a processor, and a computer program stored in the memory and executable on the processor; the processor, when executing the computer program, implements the terminal behavior data processing method as applied to the first network device, or implements the terminal behavior data processing method as applied to the first network device.
To achieve the above object, an embodiment of the present invention provides a computer-readable storage medium having stored thereon a computer program that, when executed by a processor, implements the steps of the terminal behavior data processing method as applied to the first network device or implements the steps of the terminal behavior data processing method as applied to the first network device.
The technical scheme of the invention has the following beneficial effects:
The terminal behavior data processing method of the embodiment of the invention can acquire terminal behavior data through the first target network device (namely at least one of UDR, UDM, UPF, AMF, SMF, PCF, OAM or AF) acting as the source of terminal behavior data, so that terminal behavior is described with multi-dimensional data and a more accurate behavior judgment result is obtained.
Drawings
FIG. 1 is a flowchart of a terminal behavior data processing method applied to a first network device according to an embodiment of the present invention;
FIG. 2 is a block diagram of a system in an embodiment of the invention;
FIG. 3 is a schematic diagram illustrating an application of the method according to the embodiment of the present invention in scenario one;
FIG. 4 is a schematic diagram illustrating an application of the method according to the embodiment of the present invention in scenario two;
FIG. 5 is a schematic diagram illustrating an application of the method according to the embodiment of the present invention in scenario three;
FIG. 6 is a schematic diagram illustrating an application of the method according to the embodiment of the present invention in scenario four;
FIG. 7 is a schematic diagram illustrating an application of the method according to the embodiment of the present invention in scenario five;
FIG. 8 is a schematic diagram illustrating an application of the method according to the embodiment of the present invention in scenario six;
FIG. 9 is a schematic diagram illustrating an application of the method according to the embodiment of the present invention in scenario seven;
FIG. 10 is a schematic diagram illustrating an application of the method according to the embodiment of the present invention in scenario eight;
FIG. 11 is a schematic diagram illustrating an application of the method according to the embodiment of the present invention in scenario nine;
FIG. 12 is a schematic diagram illustrating an application of the method according to the embodiment of the present invention in scenario ten;
FIG. 13 is a schematic diagram illustrating an application of the method according to the embodiment of the present invention in scenario eleven;
FIG. 14 is a flowchart of a terminal behavior data processing method applied to a first network device according to another embodiment of the present invention;
FIG. 15 is a flowchart of a terminal behavior data processing method applied to a first network device according to another embodiment of the present invention;
FIG. 16 is a flowchart of a terminal behavior data processing method applied to a first network device according to still another embodiment of the present invention;
FIG. 17 is a flowchart of a terminal behavior data processing method applied to a second network device according to an embodiment of the present invention;
FIG. 18 is a schematic structural diagram of an NWDAF of an embodiment of the present invention;
FIG. 19 is a schematic structural diagram of an NWDAF of another embodiment of the present invention;
FIG. 20 is a schematic structural diagram of an NWDAF of yet another embodiment of the present invention;
FIG. 21 is a schematic structural diagram of an NWDAF of yet another embodiment of the present invention;
FIG. 22 is a schematic structural diagram of a network device according to an embodiment of the present invention;
FIG. 23 is a schematic structural diagram of a network device according to another embodiment of the present invention.
Detailed Description
In order to make the technical problems, technical solutions and advantages of the present invention more apparent, the following detailed description is given with reference to the accompanying drawings and specific embodiments.
To address the problem that existing judgments of terminal behavior rely on a single kind of data and therefore have large errors, the invention provides a terminal behavior data processing method that describes terminal behavior with multi-dimensional data to obtain a more accurate behavior judgment result.
As shown in fig. 1, a method for processing terminal behavior data according to an embodiment of the present invention is applied to a first network device, and includes:
Step 101: acquiring terminal behavior data through a first target network device, wherein the first target network device comprises: the unified data store (UDR), the user subscription data management (UDM), the user plane function (UPF), the access and mobility management function (AMF), the session management function (SMF), the policy control function (PCF), the operation, maintenance and management (OAM), or the application function (AF).
In this embodiment, the first network device can obtain terminal behavior data through the first target network device (at least one of UDR, UDM, UPF, AMF, SMF, PCF, OAM, or AF) acting as the source of terminal behavior data, so that terminal behavior is characterized with multi-dimensional data and a more accurate behavior judgment result is obtained.
Wherein the first network device comprises a network data analysis function, NWDAF.
As shown in FIG. 2, the NWDAF in system 200 is capable of communicating with the UDR, UDM, UPF, AMF, SMF, PCF, OAM, and AF.
Specifically, the NWDAF may request the terminal behavior data from the first target network device, or, by agreement between the NWDAF and the first target network device, the first target network device may actively send the terminal behavior data.
Optionally, the terminal behavior data includes:
the geographical location, time characteristics, movement pattern, functional characteristics, packet-sending characteristics, data packet size, or source address-destination address of the terminal.
Here, the geographical location of the terminal may be regional information (e.g., Beijing Haichi district). The time characteristic is the characteristic of the terminal's behavior over time, for example the applications (APPs) used by the terminal on weekdays are of type A1 and those used on non-weekdays are of type A2. The movement pattern is the regularity of the terminal's behavior with respect to position, for example the terminal always moves from position B1 to position B2 within a certain period on working days. The functional characteristic is the characteristic of the terminal's behavior with respect to function, for example the terminal has repeatedly visited travel websites about a certain place in the most recent period. The packet-sending characteristic is the characteristic of the terminal's behavior with respect to sending packets, for example the terminal's packet-sending frequency. The data packet size is a characteristic of the terminal's behavior with respect to data packets, for example the monthly packet volume stays within a fixed range. The source address-destination address is a characteristic of the terminal's behavior with respect to network access, for example a site C that the terminal frequently accesses. Of course, the terminal behavior data is not limited to the above, and further examples are not listed here.
In this embodiment, after acquiring the terminal behavior data, to facilitate subsequent determination of terminal abnormality, optionally, the method further includes:
analyzing the terminal behavior data to obtain grouping information, wherein the terminals belonging to the same group have the same feature description information.
Here, the feature description information corresponds to the terminal behavior data, and may be the geographical location, time characteristic, movement pattern, functional characteristic, packet-sending characteristic, data packet size, source address-destination address, or the like of the terminal. For example, by geographical location, fire hydrants and water level monitors at the same geographical location are placed in one group; by time characteristic, street lamps that switch on a timer are placed in one group; by data packet size, cameras that upload high-volume video data are placed in one group; by packet-sending characteristic, water meters and electricity meters that frequently send small packets are placed in one group. Of course, the feature description information may also be a combination of at least two of the geographical location, time characteristic, movement pattern, functional characteristic, packet-sending characteristic, data packet size and source address-destination address of the terminal. Based on the acquired terminal behavior data, the NWDAF groups terminals by their common feature description information to obtain the grouping information, which provides the basis for judging whether terminal behavior is abnormal.
Optionally, the grouping information includes: a group identification, terminal device identifications and feature description information of the current group; wherein
the grouping information indicates the terminal device identifications and feature description information corresponding to each group identification; or
the grouping information indicates the group identification and feature description information corresponding to each terminal device identification.
Thus, the grouping information can describe the grouping result to suit different requirements. Grouping information that indicates the terminal device identifications and feature description information corresponding to each group identification (i.e., group-level grouping information) may be represented as a set of groups, such as { Group i: <identification of terminal device UE1, identification of UE2, …, identification of UEN>, feature description information of group i | i is a natural number }, where i is the group identification of the current group. Grouping information that indicates the group identification and feature description information corresponding to each terminal device identification (i.e., terminal-level grouping information) may be represented as a set of terminal device attributes, such as { UE j: <identification of group m, feature description information of group m> | j is a natural number }, where group m is the group to which UE j belongs. Of course, besides the set representation, the two kinds of grouping information can also be represented in other ways, such as lists in different formats, which are not described further here.
Of course, the grouping information often also includes burst behavior data (historical behavior data) of the terminal device, so that burst behavior is not misjudged as abnormal during detection of abnormal terminal behavior.
In this embodiment of the present invention, considering that storing the obtained grouping information in the NWDAF itself may occupy resources and affect its working performance, optionally, the method further includes:
sending the grouping information to a second target network device, wherein the second target network device comprises the UDR and/or the UDM.
Here, the NWDAF sends the grouping information obtained by grouping to the second target network device (i.e., UDR and/or UDM) so that the grouping information is stored in the second target network device.
Optionally, sending the grouping information to the second target network device includes:
sending an add/update grouping request to the second target network device, the add/update grouping request including the grouping information;
and the method further comprises:
receiving an add/update grouping response sent by the second target network device.
The NWDAF sends an add/update grouping request including the grouping information to the second target network device, thereby delivering the grouping information to it, and then receives the add/update grouping response sent by the second target network device to learn the outcome of the delivery.
It should be appreciated that in this embodiment, the second target network device may store the grouping information received from the NWDAF and may subsequently return it to the NWDAF so that the NWDAF can perform anomaly detection for the terminal. The second target network device may also send the grouping information to a fourth target network device (i.e., at least one of the AMF, SMF, or PCF) so that the fourth target network device can perform preliminary anomaly detection for the terminal based on the grouping information. If the grouping information sent by the NWDAF to the second target network device indicates the terminal device identifications and feature description information corresponding to each group identification, then before it is sent to the fourth target network device it is rearranged per terminal device, so that the adjusted grouping information indicates the group identification and feature description information corresponding to each terminal device identification and the fourth target network device can complete preliminary anomaly detection for the terminal device.
Further, in this embodiment, optionally, the method further includes:
performing anomaly detection on the current behavior data of the target terminal based on the grouping information to obtain a detection result;
sending the detection result to a third target network device, where the third target network device includes: at least one of UDR, UDM, AMF, SMF, PCF, OAM, or AF.
The NWDAF can perform anomaly detection on the current behavior data of one or more target terminals according to the grouping information obtained by grouping, and obtain a detection result. By sending the detection result to a third target network device (i.e. at least one of UDR, UDM, AMF, SMF, PCF, OAM, or AF), it enables the third target network device, after receiving the detection result, to manage the target terminal effectively and in a targeted way according to a preset exception handling policy. Here, the grouping information on which the NWDAF bases its anomaly detection may be grouping information stored locally after grouping, or grouping information stored in the second target network device.
Optionally, the detection result includes:
an anomaly identifier indicating whether the terminal is abnormal; and/or
an anomaly level identification indicating the degree of abnormality of the terminal.
Optionally, the anomaly level identification comprises:
a first anomaly level identification, a second anomaly level identification and a third anomaly level identification; wherein
the first anomaly level identification indicates that the current behavior data of one terminal, or of fewer than a first threshold number of terminals in the same group, does not deviate from the normal characteristic threshold range of the group to which it belongs but lies in the marginal area of that range;
the second anomaly level identification indicates that the current behavior data of one terminal deviates from the normal characteristic threshold range of the group to which it belongs;
and the third anomaly level identification indicates that, within the same group, the current behavior data of more than a second threshold number of terminals deviates from the normal characteristic threshold range of the group.
Therefore, while analyzing the current behavior data of the target terminal in real time to detect anomalies, the NWDAF can judge not only whether the terminal (behavior) is abnormal but also how abnormal it is, and the resulting detection result lets the third target network device apply management that corresponds to the anomaly identifier and/or the anomaly level identification.
The normal characteristic threshold range used in anomaly detection for the terminals of a group is determined from the feature description information in that group's grouping information. For example, for street lamps in the same group whose feature description information is "on at 19:00, off at 5:30", and allowing for switching delay, the determined normal characteristic threshold range comprises the light-on time "18:58-19:02" and the light-off time "4:28-5:32". Using the three anomaly levels as the standard, the current behavior data of the group of street lamps, and of an individual street lamp in the group, can be analyzed in real time and assigned an anomaly level. Taking the light-on time as an example: if the light-on time of one street lamp, or of fewer than the first threshold (e.g. 3) street lamps in the group, falls within "18:58-19:02" but is 18:59 or 19:02, and so lies in the edge area of the normal characteristic threshold range, a first anomaly level identification is configured for that street lamp or that group of street lamps; if the light-on time of one street lamp deviates from "18:58-19:02", a second anomaly level identification is configured for that street lamp or that group of street lamps; if the light-on time of more than the second threshold (which may be the same as the first threshold, e.g. 3, or different) street lamps in the group deviates from "18:58-19:02", a second anomaly level identification may be configured for the group of street lamps, or only for the street lamps in the group that deviate from the normal characteristic threshold range. To avoid errors, the edge area is not a single specific value but a small interval; for example, the edge area of "18:58-19:02" includes 18:58.00-18:59.10 and 19:01.50-19:02.00.
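The following Python sketch is an added illustration, not code from the patent: it rearranges group-level grouping information into terminal-level form and assigns the three anomaly levels, as defined in the level list above, to the street-lamp light-on times. The names `FeatureRange`, `to_terminal_level` and `classify_group`, the reading of "18:58.00" as 18:58:00, and the handling of a group in which the number of edge-area terminals reaches the first threshold (left unmarked here, a case the text does not define) are assumptions.

```python
from dataclasses import dataclass


def hms(h, m, s=0):
    """Clock time as seconds since midnight."""
    return h * 3600 + m * 60 + s


@dataclass(frozen=True)
class FeatureRange:
    """Normal characteristic threshold range of a group plus its edge areas."""
    low: int
    high: int
    edges: tuple  # ((start, end), ...) intervals lying inside [low, high]

    def zone(self, value):
        if not self.low <= value <= self.high:
            return "outside"
        if any(start <= value <= end for start, end in self.edges):
            return "edge"
        return "normal"


def to_terminal_level(group_level):
    """{group id: (UE ids, feature)} -> {UE id: (group id, feature)}."""
    terminal_level = {}
    for group_id, (ue_ids, feature) in group_level.items():
        for ue_id in ue_ids:
            terminal_level[ue_id] = (group_id, feature)
    return terminal_level


def classify_group(group_id, group_level, observed,
                   first_threshold=3, second_threshold=3):
    """Return {UE id: anomaly level 1..3} for the terminals of one group.

    observed maps UE id -> current behavior value (here: light-on time).
    Terminals with no current observation are skipped.
    """
    ue_ids, feature = group_level[group_id]
    zones = {ue: feature.zone(observed[ue]) for ue in ue_ids if ue in observed}
    edge = [ue for ue, z in zones.items() if z == "edge"]
    outside = [ue for ue, z in zones.items() if z == "outside"]

    levels = {}
    # Level 1: one terminal, or fewer than first_threshold terminals, in the
    # edge area. Assumption: at or above the threshold nothing is marked.
    if 0 < len(edge) < first_threshold:
        levels.update({ue: 1 for ue in edge})
    # Level 3: more than second_threshold terminals outside the range.
    # Level 2: otherwise, each terminal outside the range individually.
    # Only the deviating terminals are marked, one of the two options in the text.
    outside_level = 3 if len(outside) > second_threshold else 2
    levels.update({ue: outside_level for ue in outside})
    return levels


# Constructed sample data: light-on range 18:58-19:02 with the edge areas
# 18:58:00-18:59:10 and 19:01:50-19:02:00 taken from the example above.
LAMP_ON = FeatureRange(
    low=hms(18, 58), high=hms(19, 2),
    edges=((hms(18, 58), hms(18, 59, 10)), (hms(19, 1, 50), hms(19, 2))),
)
LAMP_IDS = tuple(f"lamp-{n}" for n in range(1, 7))
GROUPS = {"lamps": (LAMP_IDS, LAMP_ON)}

# One lamp in the edge area, one outside the range.
OBS_A = {ue: hms(19, 0) for ue in LAMP_IDS}
OBS_A.update({"lamp-2": hms(18, 58, 30), "lamp-3": hms(19, 5)})

# Four lamps outside the range: more than the second threshold of 3.
OBS_B = {ue: hms(19, 0) for ue in LAMP_IDS}
OBS_B.update({f"lamp-{n}": hms(19, 10) for n in range(1, 5)})

if __name__ == "__main__":
    print(classify_group("lamps", GROUPS, OBS_A))
    print(classify_group("lamps", GROUPS, OBS_B))
```
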
Optionally, sending the detection result to the third target network device includes:
sending an exception notification to the third target network device, wherein the exception notification comprises the detection result;
and the method further comprises:
receiving an exception notification acknowledgement sent by the third target network device.
Here, after obtaining the detection result, the NWDAF may inform the third target network device of it directly through the exception notification, and learns that the detection result was delivered successfully by receiving the exception notification acknowledgement sent by the third target network device. In this case, whether the UDR, UDM, AMF, SMF, PCF, OAM, and AF can receive the exception notification containing the detection result is determined by the NWDAF; for example, the network devices able to receive the exception notification are configured in the NWDAF in advance, or the NWDAF selects them according to its internal policy based on the detection result.
Further or optionally, before sending the detection result to the third target network device, the method further includes:
receiving a subscription exception request sent by the third target network device;
and sending the detection result to the third target network device includes:
sending a subscription exception response to the third target network device, wherein the subscription exception response comprises the detection result.
Here, the third target network device may send a subscription exception request to the NWDAF in advance, informing the NWDAF that it needs the detection result of anomaly detection, and the NWDAF then sends the detection result to the third target network device in a subscription exception response. Preferably, the third target network device may also send the subscription exception request to the NWDAF before anomaly detection is performed.
In this embodiment, the fourth target network device is a network device capable of receiving grouping information (the grouping information indicates a group identifier and feature description information corresponding to each terminal device identifier), and may perform preliminary anomaly detection for the terminal device based on the grouping information to obtain a preliminary anomaly identifier of the terminal device. Therefore, before performing anomaly detection on the current behavior data of the target terminal based on the grouping information and obtaining a detection result, the method further includes:
receiving a preliminary anomaly identifier sent by a fourth target network device, wherein the fourth target network device comprises at least one of AMF, SMF or PCF;
the performing anomaly detection on the current behavior data of the target terminal based on the grouping information to obtain a detection result comprises:
performing anomaly detection on the target terminal corresponding to the preliminary anomaly identifier by means of the preliminary anomaly identifier and the grouping information, to obtain a detection result.
The NWDAF receives the preliminary anomaly identifier sent by the fourth target network device and may then perform anomaly detection on the target terminal corresponding to that identifier, combining the received preliminary anomaly identifier with the grouping information obtained through analysis, so as to obtain a detection result. By receiving the preliminary anomaly identifier, the NWDAF already has preliminary knowledge of the behavior of the corresponding target terminal and can process that terminal in a targeted manner during further anomaly detection, thereby saving signaling.
Optionally, before receiving the preliminary anomaly identifier sent by the fourth target network device, the method further includes:
sending grouping information to the fourth target network device, wherein the grouping information indicates the group identifier and the feature description information corresponding to each terminal device identifier.
Here, the grouping information on which the fourth target network device bases its preliminary anomaly detection of the terminal device is sent by the NWDAF. Specifically, the NWDAF may directly send the grouping information obtained through analysis (the grouping information indicates the group identifier and the feature description information corresponding to each terminal device identifier) to the fourth target network device, and the NWDAF may also receive a corresponding response; alternatively, the fourth target network device may request the grouping information from the NWDAF, and the NWDAF feeds back a corresponding response to the request, where the response includes the required grouping information. Preferably, the fourth target network device requests from the NWDAF the grouping information corresponding to the current terminal device after detecting that the terminal device has come online and is using a data service, so as to reduce signaling overhead.
In addition, as can be seen from the above, the grouping information on which the fourth target network device bases its preliminary anomaly detection of the terminal device may instead be provided by the second target network device. The second target network device may forward to the fourth target network device the grouping information received from the NWDAF (the grouping information indicates the group identifier and feature description information corresponding to each terminal device identifier); or, after receiving from the NWDAF grouping information that indicates the terminal device identifiers and feature description information corresponding to each group identifier, it may adjust that grouping information for the terminal device and then send it to the fourth target network device. Similarly, the fourth target network device may receive the grouping information actively sent by the second target network device and feed back a corresponding response to the second target network device; or it may request the grouping information from the second target network device, which feeds back a corresponding response to the request, where the response includes the required grouping information.
It should also be understood that, in the embodiment of the present invention, after receiving the detection result sent by the NWDAF, different network devices manage their own functions accordingly:
the PCF makes the corresponding policy decision according to the abnormal identifier and/or abnormal grade identifier of the target terminal;
the AMF performs the corresponding access control, mobility restriction or registration area management according to the abnormal identifier and/or abnormal grade identifier of the target terminal;
the SMF performs the corresponding session management or policy control according to the abnormal identifier and/or abnormal grade identifier of the target terminal;
the UDR and the UDM, when they store the grouping information, delete the grouping information of an abnormal terminal whose service has been shut down (that is, a terminal in whose group the current behavior data of more than the second threshold number of terminals has left the normal characteristic threshold range of the group), for example by deleting the terminal device identifier from the group to which it belongs, or by deleting the terminal device identifier together with the group information and feature description information corresponding to it; thereafter, on receiving a terminal registration request, they determine whether grouping information exists for the terminal that sent the request, reject the registration access if it does not, and register the terminal for access if it does;
the AF performs the corresponding service shutdown or requests new QoS resources according to the abnormal identifier and/or abnormal grade identifier of the target terminal.
Of course, the above handling of the detection result sent by the NWDAF is only a preferred implementation; other processing manners of the network devices are not excluded and are not described here.
The method of the present invention is described below with reference to different application scenarios (assuming that the grouping information obtained by the NWDAF through analysis is stored locally in scenarios one to five, and is stored in the UDR and/or UDM in scenarios six to eleven):
Scenario one: interaction between the NWDAF and the PCF, with the PCF performing policy management according to the result of terminal anomaly detection, as shown in fig. 3:
Step 1: the NWDAF collects terminal behavior data (including but not limited to geographical location, temporal characteristics, mobility rules, functional characteristics, packet-sending characteristics, packet size, source address-destination address, etc.) from other network devices (including but not limited to AMF, SMF, UPF, UDR/UDM, PCF, OAM, AF, etc.).
Step 2: the NWDAF groups the terminals on the basis of the collected terminal behavior data (intelligently grouping terminals according to common characteristics, such as fire hydrants/water level monitors with the same geographical location, street lamps with a timed switch, cameras uploading video data at high traffic volume, water/electricity meters that frequently send small packets, etc.), forming grouping information (i.e., group characteristic information and/or historical characteristic information), and stores the grouping information locally. The grouping information includes, but is not limited to:
{ Group i: < identifier of UE 1, identifier of UE 2, …, identifier of UE n >, feature description information of group i | i is a natural number }; or
{ UE j: < identifier of group m, feature description information of group m > | j is a natural number }.
Step 3: UE PDU session establishment (the user comes online).
Then A or B is performed:
A: Step 4: the PCF sends a subscription exception request to the NWDAF.
Step 5: the NWDAF acquires the current terminal behavior data in real time and judges whether the terminal is abnormal according to the grouping information (it analyzes the current terminal behavior data in real time, combining information such as, but not limited to, location information, time information, mobility information, packet-sending frequency, uplink/downlink service message size, traffic and IP address with the group characteristic information and/or historical characteristic information). While analyzing terminal behavior data in real time, the NWDAF analyzes both the single terminal and the terminal group and assigns abnormal grades. The NWDAF generates an abnormal identifier and/or an abnormal grade identifier from the analysis, which constitutes the detection result.
Step 6: the NWDAF returns a subscription exception response to the PCF that includes at least an abnormal identifier and/or an abnormal grade identifier.
B: Step 4: the same as step 5 in A above.
Step 5: the NWDAF sends an abnormality notification to the PCF that includes at least an abnormal identifier and/or an abnormal grade identifier.
Step 6: the PCF receives the notification and feeds back an abnormality notification acknowledgement.
Step 7: the PCF makes a policy decision according to the detection result of the terminal (performing policy management operations, including service area restriction policy, QoS control policy, service shutdown and the like, according to the abnormal identifier and/or the abnormal grade identifier sent by the NWDAF).
Step 8: the network performs operations such as resource scheduling or service shutdown according to the policy issued by the PCF.
Steps 9-10: UE registration (the user comes online again); the PCF makes a policy decision and issues the policy according to the detection result fed back by the NWDAF (step 6 in A or step 5 in B) and the policy configured in the PCF.
Step 11: the network performs operations such as resource scheduling or service shutdown according to the policy issued by the PCF.
Scenario two: interaction between the NWDAF and the AMF, with the AMF performing access and mobility management according to the result of terminal anomaly detection, as shown in fig. 4:
Steps 1-5: the same as steps 1-6 of scenario one, and not described again here.
Step 6: after receiving the detection result, the AMF performs operations such as access control, mobility restriction and registration area management according to the abnormal identifier and/or the abnormal grade.
Scenario three: interaction between the NWDAF and the SMF, with the SMF performing session management and policy control according to the result of terminal anomaly detection, as shown in fig. 5:
Steps 1-5: the same as steps 1-6 of scenario one, and not described again here.
Step 6: after receiving the detection result, the SMF performs operations such as session management and policy control according to the abnormal identifier and/or the abnormal grade.
Scenario four: interaction between the NWDAF and the AF, with the AF initiating a service shutdown request or a new QoS resource request according to the result of terminal anomaly detection, as shown in fig. 6:
Steps 1-5: the same as steps 1-6 of scenario one, and not described again here.
Step 6: after receiving the detection result, the AF initiates a service shutdown request or a new QoS resource request (i.e., performs service shutdown or requests new QoS resources) according to the abnormal identifier and/or the abnormal grade.
Scenario five: the NWDAF sends grouping information (the grouping information indicates the group identifier and feature description information corresponding to each terminal device identifier) to at least one of the AMF, the SMF or the PCF, so that the AMF, SMF or PCF can make a preliminary judgment according to the real-time behavior of the user equipment; the grouping information may of course also be specific to a particular terminal (e.g., a terminal that has come online and is using a data service). If the preliminary judgment is abnormal, the AMF, SMF or PCF may send a preliminary abnormal identifier to the NWDAF, which then combines it with an overall analysis of the group to which the user belongs to judge comprehensively whether the user is abnormal and at what abnormal grade, as shown in fig. 7:
The NWDAF collects terminal behavior data from other network devices and analyzes the data to obtain grouping information, wherein the grouping information indicates the group identifier and feature description information corresponding to each terminal device identifier.
Then A or B is performed:
A: Step 1: the NWDAF sends terminal-level grouping information (the grouping information indicates the group identifier and feature description information corresponding to each terminal device identifier) to the AMF, SMF and PCF;
Step 2: the AMF, SMF and PCF return a response to the NWDAF after receiving the terminal-level grouping information.
Or B is performed after the user has come online and is using a data service:
B: Step 1: the AMF, SMF and PCF send a terminal-level grouping information request to the NWDAF;
Step 2: the NWDAF sends a terminal-level grouping information response to the AMF, SMF and PCF;
Step 3: the AMF, SMF and PCF analyze the abnormal condition of the user in real time according to the terminal-level grouping information;
Step 4: if the AMF, SMF or PCF preliminarily judges that the terminal is abnormal, it generates a preliminary abnormal identifier and sends it to the NWDAF;
Step 5: the NWDAF, combining the preliminary abnormal identifier, further analyzes as a whole the group to which the user belongs and judges comprehensively whether the user is abnormal and at what abnormal grade.
Scenario six: the NWDAF interacts with the UDR/UDM to store the grouping information, as shown in fig. 8:
Steps 1-2: the same as steps 1-2 of scenario one, except that the grouping information is not stored locally;
Step 3: the NWDAF initiates an add/update grouping request (i.e., a request to add/update grouping information) to the UDR/UDM;
Step 4: the UDR/UDM receives the request to add/update the grouping information, stores the grouping information, and returns a response message to the NWDAF.
Scenario seven: interaction between the NWDAF and the PCF, with the PCF performing policy management according to the result of terminal anomaly detection, as shown in fig. 9:
Step 1: the UDR/UDM has stored the grouping information from the NWDAF;
Steps 2-7: the same as steps 3-8 of scenario one;
Step 8: if the terminal is at a high abnormal grade (that is, the current behavior data of more than the second threshold number of terminals in the group to which the terminal belongs has left the normal characteristic threshold range of that group) and its service has been shut down, the UDR/UDM deletes the terminal from the grouping information (for example, it deletes the terminal device identifier from the group to which the terminal belongs, or deletes the terminal device identifier together with the group information and feature description information corresponding to it).
Steps 9-10: UE registration; if the UDR/UDM determines from the grouping information that the UE is not in the grouping information, it rejects the registration access.
Step 11: a registration response to the UE registration request is fed back, informing the user equipment that the registration has failed.
Scenario eight: interaction between the NWDAF and the AMF, with the AMF performing access and mobility management according to the result of terminal anomaly detection, as shown in fig. 10:
Steps 1-5: the same as steps 1-5 of scenario seven;
Step 6: after receiving the detection result, the AMF performs operations such as access control, mobility restriction and registration area management according to the abnormal identifier and/or the abnormal grade.
Scenario nine: interaction between the NWDAF and the SMF, with the SMF performing session management and policy control according to the result of terminal anomaly detection, as shown in fig. 11:
Steps 1-5: the same as steps 1-5 of scenario seven;
Step 6: after receiving the detection result, the SMF performs operations such as session management and policy control according to the abnormal identifier and/or the abnormal grade.
Scenario ten: interaction between the NWDAF and the AF, with the AF initiating a service shutdown request or a new QoS resource request according to the result of terminal anomaly detection, as shown in fig. 12:
Steps 1-5: the same as steps 1-5 of scenario seven.
Step 6: after receiving the detection result, the AF initiates a service shutdown request or a new QoS resource request (i.e., performs service shutdown or requests new QoS resources) according to the abnormal identifier and/or the abnormal grade.
Scenario eleven: the UDR/UDM, according to the grouping information received from the NWDAF, sends terminal-level grouping information to at least one of the AMF, SMF or PCF, so that the AMF, SMF or PCF can make a preliminary judgment according to the real-time behavior of the user; the terminal-level grouping information may of course also be specific to a particular terminal (e.g., a terminal that has come online and is using a data service). If the preliminary judgment is abnormal, the AMF, SMF or PCF may send a preliminary abnormal identifier to the NWDAF, which then combines it with an overall analysis of the group to which the user belongs to judge comprehensively whether the user is abnormal and at what abnormal grade, as shown in fig. 13:
Based on the stored grouping information, the UDR/UDM can extract the feature description information corresponding to the terminal device.
Then A or B is performed:
A: Step 1: the UDR/UDM sends the terminal-level grouping information or the terminal feature description information to the AMF, SMF and PCF;
Step 2: the AMF, SMF and PCF return a response to the UDR/UDM after receiving the terminal-level grouping information or the terminal feature description information.
Or B is performed after the user has come online and is using a data service:
B: Step 1: the AMF, SMF and PCF send a request for terminal-level grouping information or terminal feature description information to the UDR/UDM;
Step 2: the UDR/UDM sends a terminal-level grouping information or terminal feature description information response to the AMF, SMF and PCF;
Step 3: the AMF, SMF and PCF analyze the abnormal condition of the user in real time according to the terminal-level grouping information or the terminal feature description information;
Step 4: if the AMF, SMF or PCF preliminarily judges that the terminal is abnormal, it generates a preliminary abnormal identifier and sends it to the NWDAF;
Step 5: the NWDAF further combines an overall analysis of the group to which the user belongs to judge comprehensively whether the user is abnormal and at what abnormal grade.
In summary, in the terminal behavior data processing method according to the embodiment of the present invention, the NWDAF may obtain the terminal behavior data through the first target network device (at least one of UDR, UDM, UPF, AMF, SMF, PCF, OAM, or AF) serving as the terminal behavior data source, so as to perform multidimensional data characterization on the terminal behavior based on the terminal behavior data, so as to obtain a more accurate behavior determination result.
As shown in fig. 14, a terminal behavior data processing method according to another embodiment of the present invention is applied to a first network device, and includes:
Step 1401: sending the grouping information to a second target network device; wherein the second target network device comprises a UDR and/or a UDM; the grouping information is obtained by grouping the terminals based on the terminal behavior data, and the terminals belonging to the same group have the same feature description information.
Through this step, the NWDAF (i.e., the first network device) can pass the grouping information (i.e., the grouping information obtained by grouping the terminals based on the terminal behavior data, where terminals belonging to the same group have the same feature description information) to the second target network device, so that the UDR and/or the UDM store the grouping information for subsequent processing. This avoids the NWDAF storing the grouping information itself, which would occupy its resources and affect its working performance. Because the grouping information is obtained from the terminal behavior data, the terminal behavior can be described by multi-dimensional data, and a more accurate behavior judgment result can be obtained.
Optionally, the terminal behavior data includes:
geographical location of the terminal, time characteristics, movement law, functional characteristics, packet-sending characteristics, packet size or source-destination address.
Here, the geographical location of the terminal may be regional information (e.g., Beijing haichi district); the time characteristic is a characteristic of the terminal behavior in time, for example that the applications (APPs) used by the terminal on weekdays are of type A1 and those used on non-weekdays are of type A2; the movement law is the regularity of the terminal behavior in position, for example that the terminal always moves from position B1 to position B2 within a certain period of a working day; the functional characteristic is a characteristic of the terminal behavior in function, for example that the terminal has always visited travel websites about a certain place in the most recent period; the packet-sending characteristic is a characteristic of the terminal behavior in sending packets, such as the packet-sending frequency of the terminal; the packet size is a characteristic of the terminal behavior in its data packets, for example that the amount of packets per month is within a fixed range; the source address-destination address is a characteristic of the terminal behavior in network access, such as a site C that the terminal frequently accesses. Of course, the terminal behavior data is not limited to the above, and further items are not listed here.
In this embodiment, the NWDAF may analyze the terminal behavior data to obtain the grouping information. Correspondingly, when grouping, the feature description information shared by the terminals of one group may also be the geographical location, time characteristic, movement law, functional characteristic, packet-sending characteristic, packet size or source address-destination address of the terminal. For example, by geographical location, fire hydrants and water level monitors with the same geographical location are placed in one group; by time characteristic, street lamps with a timed switch are placed in one group; by data packet size, cameras uploading video data at high traffic volume are placed in one group; by packet-sending characteristic, water meters and electricity meters that frequently send small packets are placed in one group. Of course, the feature description information may also be a combination of at least two of the geographical location, time characteristic, movement law, functional characteristic, packet-sending characteristic, packet size and source address-destination address of the terminal. The NWDAF groups the terminals according to common feature description information based on the acquired terminal behavior data to obtain the grouping information, which provides the basis for judging whether terminal behavior is abnormal.
Optionally, the grouping information includes: group identifier, terminal device identifier and feature description information of the current group; wherein
the grouping information indicates the terminal device identifiers and feature description information corresponding to each group identifier; or
the grouping information indicates the group identifier and feature description information corresponding to each terminal device identifier.
Thus, the grouping information can describe the grouping result for different requirements. Grouping information indicating the terminal device identifiers and feature description information corresponding to each group identifier may be represented as a set of groups, such as { Group i: < identifier of terminal device UE 1, identifier of UE 2, …, identifier of UE N >, feature description information of group i | i is a natural number }, where i is the group identifier of the current group; grouping information indicating the group identifier and feature description information corresponding to each terminal device identifier may be represented as a set of terminal device attributes, such as { UE j: < identifier of group m, feature description information of group m > | j is a natural number }, where group m is the group to which UE j belongs. Of course, besides the set representation, the grouping information with these two different indicated contents can be represented in other ways, such as lists in different formats, which are not described here.
Of course, the grouping information often includes burst behavior data (historical behavior data) of the terminal device, so as to avoid misjudging burst behavior as abnormal when detecting abnormal terminal behavior.
Optionally, the sending the grouping information to the second target network device includes:
sending an add/update grouping request to the second target network device, the add/update grouping request including the grouping information;
the method further comprises:
receiving the add/update grouping response sent by the second target network device.
The NWDAF sends an add/update grouping request including the grouping information to the second target network device, thereby delivering the grouping information to the second target network device, and then receives the add/update grouping response sent by the second target network device to learn the delivery result of the grouping information.
It should be appreciated that in this embodiment, the second target network device may store the grouping information after receiving it from the NWDAF and may later return it to the NWDAF, so that the NWDAF performs anomaly detection for the terminal; it may also send the grouping information to a fourth target network device (i.e., at least one of the AMF, SMF, or PCF), so that the fourth target network device can perform preliminary anomaly detection for the terminal based on the grouping information. If the grouping information sent by the NWDAF to the second target network device indicates the terminal device identifiers and feature description information corresponding to each group identifier, the grouping information is adjusted for the terminal device before being sent to the fourth target network device, so that the fourth target network device can complete preliminary anomaly detection for the terminal device.
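The storage role described here, together with the deletion and registration check the earlier scenarios assign to the UDR/UDM, can be sketched as follows; this is an added Python example, not code from the patent. The class and method names are hypothetical, the sample identifiers are constructed, and "high abnormal grade" is read as grade three.

```python
class GroupingStore:
    """Hypothetical UDR/UDM-side store for grouping information."""

    def __init__(self):
        self._groups = {}    # group id -> {"terminals": set, "profile": dict}
        self._group_of = {}  # terminal id -> group id (per-terminal index)

    def add_or_update(self, group_id, terminal_ids, profile):
        """Apply one add/update grouping request in the group-keyed form."""
        new = set(terminal_ids)
        old = self._groups.get(group_id, {"terminals": set()})["terminals"]
        for ue in old - new:                 # terminals dropped from this group
            self._group_of.pop(ue, None)
        for ue in new:
            prev = self._group_of.get(ue)
            if prev is not None and prev != group_id:
                # Terminal re-grouped: keep it in exactly one group.
                self._groups[prev]["terminals"].discard(ue)
            self._group_of[ue] = group_id
        self._groups[group_id] = {"terminals": new, "profile": dict(profile)}

    def members(self, group_id):
        return set(self._groups.get(group_id, {"terminals": set()})["terminals"])

    def terminal_view(self, terminal_id):
        """Grouping information adjusted for one terminal (the form sent to
        AMF/SMF/PCF); None when the terminal is not in any group."""
        gid = self._group_of.get(terminal_id)
        if gid is None:
            return None
        return {"group": gid, "profile": dict(self._groups[gid]["profile"])}

    def apply_detection_result(self, terminal_id, grade, service_shut_down):
        """Delete the terminal when it is at grade three and its service has
        been shut down. Returns True when an entry was deleted."""
        if grade == 3 and service_shut_down and terminal_id in self._group_of:
            gid = self._group_of.pop(terminal_id)
            self._groups[gid]["terminals"].discard(terminal_id)
            return True
        return False

    def registration_allowed(self, terminal_id):
        """Registration check: only terminals with grouping information pass."""
        return terminal_id in self._group_of


if __name__ == "__main__":
    store = GroupingStore()
    store.add_or_update("lamps", ["ue-1", "ue-2"], {"light_on": "19:00"})
    store.apply_detection_result("ue-1", 3, True)
    print(store.registration_allowed("ue-1"), store.registration_allowed("ue-2"))
```

The check passes only identifiers present in the store, so a terminal that was never grouped is rejected in the same way as one that was deleted after a shutdown.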
In this embodiment of the present invention, to obtain more accurate grouping information, before sending the grouping information to the second target network device, the method further includes:
acquiring terminal behavior data through a first target network device; wherein the first target network device comprises: at least one of UDR, UDM, UPF, AMF, SMF, PCF, OAM, or AF.
The NWDAF acquires the terminal behavior data through at least one of UDR, UDM, UPF, AMF, SMF, PCF, OAM, or AF, so that the terminal behavior is described by multidimensional data based on the terminal behavior data and the resulting grouping information can be used for more accurate behavior judgment. Specifically, the NWDAF may request the terminal behavior data from the first target network device, or, by agreement with the first target network device, the first target network device may actively send the terminal behavior data.
Further, optionally, the method further comprises:
based on the grouping information, carrying out anomaly detection on the current behavior data of the target terminal to obtain a detection result;
sending the detection result to a third target network device, where the third target network device includes: at least one of UDR, UDM, UPF, AMF, SMF, PCF, OAM, or AF.
The NWDAF can perform anomaly detection on the current behavior data of one or more target terminals based on the grouping information to obtain a detection result. By sending the detection result to a third target network device (i.e., at least one of UDR, UDM, AMF, SMF, PCF, OAM, or AF), it enables the third target network device, after receiving the detection result, to manage the target terminal effectively and in a targeted manner according to a preset anomaly handling policy. Since the grouping information is stored in the UDR and/or UDM in this case, the NWDAF needs to request the grouping information from the UDR and/or UDM before performing the anomaly detection.
Optionally, the detection result includes:
an abnormal identifier used to indicate whether the terminal is abnormal; and/or
an abnormal grade identifier used to indicate the degree of abnormality of the terminal.
Optionally, the abnormal grade identifier comprises:
a first abnormal grade identifier, a second abnormal grade identifier and a third abnormal grade identifier; wherein
the first abnormal grade identifier indicates that the current behavior data of one terminal, or of fewer than a first threshold number of terminals in the same group, has not left the normal characteristic threshold range of the group to which it belongs but lies in the edge area of that range;
the second abnormal grade identifier indicates that the current behavior data of one terminal has left the normal characteristic threshold range of the group to which it belongs;
the third abnormal grade identifier indicates that, in the same group, the current behavior data of more than a second threshold number of terminals has left the normal characteristic threshold range of the group.
Therefore, when the NWDAF analyzes the current behavior data of the target terminal in real time to detect abnormality, it can judge not only whether the terminal (behavior) is abnormal but also the degree of abnormality of the terminal (behavior) to obtain the detection result, so that the third target network device can perform the corresponding management according to the abnormal identifier and/or the abnormal grade identifier.
The normal characteristic threshold range used in anomaly detection for the terminals of a group is determined from the feature description information in that group's grouping information. For example, for street lamps in the same group whose feature description information is "on at 19:00, off at 5:30", the normal characteristic threshold range determined, allowing for switching delay, comprises the light-on time "18:58-19:02" and the light-off time "4:28-5:32". Using the three-level abnormal grade standard, the current behavior data of the group of street lamps and of a single street lamp in the group can be analyzed in real time and assigned an abnormal grade. Taking the light-on time as an example: if the light-on time of one street lamp, or of fewer than the first threshold (e.g., 3) number of street lamps in the group, falls within "18:58-19:02" but is 18:59 or 19:02 and therefore belongs to the edge area of the normal characteristic threshold range, a first abnormal grade identifier is configured for the street lamp or the group of street lamps; if the light-on time of one street lamp leaves "18:58-19:02", a second abnormal grade identifier is configured for the street lamp or the group of street lamps; if the light-on times of more than the second threshold (which may be the same as the first threshold, e.g., 3, or different from it) number of street lamps in the group leave "18:58-19:02", a second abnormal grade identifier may be configured for the group of street lamps or only for those street lamps in the group that leave the normal characteristic threshold range. To avoid errors, the edge area is not set to a single specific value but is a smaller interval; for example, the edge area of "18:58-19:02" includes: 18:58.00-18:59.10 and 19:01.50-19:02.00.
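The three grade definitions given above, applied to the street-lamp light-on range, look like this as an added Python example that is not part of the patent text. It reads "18:58.00" as 18:58:00, treats any number of out-of-range terminals up to the second threshold as grade two, and only reports (without escalating) when the edge-area count reaches the first threshold, a case the text leaves open; all names and sample readings are constructed.

```python
from dataclasses import dataclass


def hms(text):
    """Convert 'HH:MM:SS' to seconds since midnight."""
    h, m, s = (int(part) for part in text.split(":"))
    return h * 3600 + m * 60 + s


@dataclass(frozen=True)
class FeatureRange:
    """Normal characteristic threshold range of one group feature."""
    low: int
    high: int
    edges: tuple = ()  # (start, end) sub-intervals of [low, high] forming the edge area

    def position(self, value):
        if not self.low <= value <= self.high:
            return "outside"
        if any(start <= value <= end for start, end in self.edges):
            return "edge"
        return "normal"


@dataclass
class DetectionResult:
    levels: dict          # terminal id -> 0 (normal), 1, 2 or 3
    group_level: int      # highest grade present in the group
    edge_count_reached_first_threshold: bool


# Light-on range and edge area from the street-lamp example above.
LIGHT_ON = FeatureRange(
    hms("18:58:00"), hms("19:02:00"),
    ((hms("18:58:00"), hms("18:59:10")), (hms("19:01:50"), hms("19:02:00"))),
)


def grade_group(readings, feature_range, first_threshold=3, second_threshold=3):
    """Grade every terminal of one group from its current reading.

    readings maps terminal id -> observed value (seconds since midnight here).
    """
    position = {ue: feature_range.position(v) for ue, v in readings.items()}
    outside = [ue for ue, p in position.items() if p == "outside"]
    edge = [ue for ue, p in position.items() if p == "edge"]

    levels = dict.fromkeys(readings, 0)
    for ue in edge:
        levels[ue] = 1                      # in range, but in the edge area
    group_wide = len(outside) > second_threshold
    for ue in outside:
        levels[ue] = 3 if group_wide else 2  # grade 3 only for a group-wide deviation
    return DetectionResult(
        levels=levels,
        group_level=max(levels.values(), default=0),
        edge_count_reached_first_threshold=len(edge) >= first_threshold,
    )


if __name__ == "__main__":
    # Constructed readings for a five-lamp group: four lamps switch on late.
    sample = {f"lamp-{i}": hms("19:06:00") for i in range(1, 5)}
    sample["lamp-5"] = hms("19:00:00")
    print(grade_group(sample, LIGHT_ON))
```

Only terminals that are themselves out of range receive grade three; the text also allows marking the whole group instead.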
Optionally, the sending the detection result to the third target network device includes:
sending an exception notification to a third target network device, wherein the exception notification comprises the detection result;
the method further comprises the following steps:
and receiving an abnormality notification acknowledgement sent by the third target network device.
Here, the NWDAF may inform the third target network device of the detection result directly by the abnormality notification after obtaining the detection result, and by receiving an abnormality notification acknowledgement sent by the third target network device, know that the detection result is successfully transmitted. In this case, whether or not the UDR, UDM, AMF, SMF, PCF, OAM, and AF can receive the abnormality notification including the detection result is determined by the NWDAF, for example, a network device capable of receiving the abnormality notification is configured in advance in the NWDAF, or the NWDAF selects a network device capable of receiving the abnormality notification according to its internal policy based on the detection result.
Further or optionally, before the sending the detection result to the third target network device, the method further includes:
receiving a subscription abnormal request sent by a third target network device;
the sending the detection result to the third target network device includes:
and sending a subscription abnormal response to the third target network equipment, wherein the subscription abnormal response comprises the detection result.
Here, the third target network device may send a subscription exception request to the NWDAF in advance, to notify the NWDAF that it needs the detection result of the anomaly detection, and the NWDAF may then send the detection result to the third target network device in a subscription exception response. Preferably, the third target network device may also send the subscription exception request to the NWDAF before anomaly detection is performed.
In this embodiment, the fourth target network device is a network device capable of receiving grouping information (the grouping information indicates a group identifier and feature description information corresponding to each terminal device identifier), so that it can perform preliminary anomaly detection on the terminal device based on the grouping information and obtain a primary anomaly identifier of the terminal device. Therefore,
before the performing, based on the grouping information, of anomaly detection on the current behavior data of the target terminal to obtain a detection result, the method further includes:
receiving a primary abnormal identifier sent by a fourth target network device, wherein the fourth target network device comprises at least one of AMF, SMF or PCF;
the performing anomaly detection on the current behavior data of the target terminal based on the grouping information to obtain a detection result comprises:
and carrying out anomaly detection on the target terminal corresponding to the primary anomaly identification through the primary anomaly identification and the grouping information to obtain a detection result.
The NWDAF receives the primary anomaly identifier sent by the fourth target network device and can then perform anomaly detection on the corresponding target terminal by combining the received primary anomaly identifier with the grouping information obtained through analysis, so as to obtain a detection result. Having received the primary anomaly identifier, the NWDAF already has a preliminary view of the behavior of the corresponding target terminal and can process that terminal in a targeted way during further anomaly detection, thereby saving signaling.
Optionally, before the receiving the primary anomaly identification sent by the fourth target network device, the method further includes:
sending grouping information to the fourth target network device, wherein the grouping information indicates the group identifier and the feature description information corresponding to each terminal device identifier.
Here, the grouping information on which the fourth target network device bases its preliminary anomaly detection of the terminal device is sent by the NWDAF. Specifically, the NWDAF may directly send the grouping information obtained through analysis (the grouping information indicates the group identifier and the feature description information corresponding to each terminal device identifier) to the fourth target network device, and the NWDAF may also receive a corresponding response.
However, in this embodiment the grouping information obtained through analysis (the grouping information indicates the group identifier and the feature description information corresponding to each terminal device identifier) is stored in the UDR and/or the UDM, so the grouping information on which the fourth target network device bases its preliminary anomaly detection of the terminal device may also be provided by the second target network device. The second target network device may forward the stored grouping information sent by the NWDAF (the grouping information indicates the group identifier and feature description information corresponding to each terminal device identifier) to the fourth target network device; or, where the stored grouping information sent by the NWDAF indicates the terminal device identifier and the feature description information corresponding to each group identifier, it may adjust the grouping information per terminal device and then send it to the fourth target network device. Similarly, the fourth target network device may receive grouping information actively sent by the second target network device and feed back a corresponding response to the second target network device, or it may request the grouping information from the second target network device, which feeds back a corresponding response containing the required grouping information. Preferably, the fourth target network device requests the grouping information for the current terminal device from the second target network device after detecting that the terminal device has come online and is using the data service, so as to reduce signaling overhead.
It should also be understood that, in the embodiment of the present invention, after receiving the detection result sent by the NWDAF, different network devices typically manage the terminal according to their own functions:
the PCF makes corresponding policy decisions according to the abnormal identifier and/or the abnormal level identifier of the target terminal;
the AMF performs corresponding access control, mobility restriction or registration area management according to the abnormal identifier and/or the abnormal level identifier of the target terminal;
the SMF performs corresponding session management or policy control according to the abnormal identifier and/or the abnormal level identifier of the target terminal;
the UDR and the UDM delete the grouping information of an abnormal terminal in a service shutdown state (for example, deleting the terminal device identifier from the group to which it belongs, or deleting the terminal device identifier together with the group information and feature description information corresponding to it), where the service shutdown state means that, in the group to which the abnormal terminal belongs, the current behavior data of more than the second threshold number of terminals falls outside the normal feature threshold range of that group; afterwards, on receiving a terminal registration request, they judge whether grouping information exists for the terminal that sent the request, rejecting its registration access if not and registering its access if so;
the AF performs the corresponding service shutdown or requests new QoS resources according to the abnormal identifier and/or the abnormal level identifier of the target terminal.
Of course, the way the network devices process the detection result sent by the NWDAF as described above is only a preferred implementation; other processing manners are not excluded and are not described here again.
In addition, the method of the embodiment of the present invention is also applicable to scenarios six to eleven of the first embodiment, which are not described here again.
In summary, in the terminal behavior data processing method according to the embodiment of the present invention, the NWDAF can notify the second target network device of the grouping information (that is, the grouping information obtained by grouping the terminals based on the terminal behavior data, where terminals belonging to the same group have the same feature description information), so that the UDR and/or the UDM can store the grouping information for subsequent processing. This avoids the NWDAF storing the grouping information itself, which could occupy resources and affect its working performance. Because the grouping information is obtained from the terminal behavior data, the terminal behavior can be described by multidimensional data and a more accurate behavior judgment result can be obtained.
As shown in Fig. 15, a method for processing terminal behavior data according to an embodiment of the present invention is applied to a first network device, and includes:
Step 1501, sending the detection result to a third target network device; the detection result is obtained by performing anomaly detection on the current behavior data of the target terminal based on the grouping information; the grouping information is obtained by grouping the terminals based on the terminal behavior data, and the terminals belonging to the same group have the same feature description information; the third target network device includes: at least one of UDR, UDM, UPF, AMF, SMF, PCF, OAM, or AF.
Through this step, the first network device informs the third target network device (i.e., at least one of UDR, UDM, UPF, AMF, SMF, PCF, OAM, or AF) of the detection result (i.e., the detection result obtained by performing anomaly detection on the current behavior data of the target terminal based on the grouping information), so that the third target network device can perform effective and targeted management of the target terminal according to a preset anomaly handling policy after receiving the detection result. Because the detection result is based on grouping information obtained by grouping the terminals according to the terminal behavior data, the terminal behavior can be described by multidimensional data and a more accurate behavior judgment result can be obtained.
Wherein the first network device comprises an NWDAF.
Optionally, the detection result includes:
an abnormal identifier for indicating whether the terminal is abnormal; and/or
an abnormal level identifier for indicating the degree of abnormality of the terminal.
Optionally, the anomaly level identification comprises:
a first anomaly level identifier, a second anomaly level identifier and a third anomaly level identifier; wherein
the first anomaly level identifier indicates that the current behavior data of one terminal, or of fewer than a first threshold number of terminals in the same group, does not fall outside the normal feature threshold range of the group to which it belongs but lies in the edge area of that range;
the second anomaly level identifier indicates that the current behavior data of one terminal falls outside the normal feature threshold range of the group to which it belongs;
and the third anomaly level identifier indicates that, in the same group, the current behavior data of more than a second threshold number of terminals falls outside the normal feature threshold range of the group.
Therefore, when the NWDAF analyzes the current behavior data of the target terminal in real time to detect anomalies, it can judge not only whether the terminal (behavior) is abnormal but also how abnormal it is. The resulting detection result lets the third target network device manage the terminal according to the abnormal identifier and/or the abnormal level identifier.
The normal feature threshold range used in anomaly detection for the terminals of a group is determined from the feature description information in that group's grouping information. For example, for street lamps in the same group whose feature description information is "19:00 on, 5:30 off", the normal feature threshold range determined, allowing for switching delay, comprises the light-on time "18:58-19:02" and the light-off time "4:28-5:32". Using the three-level abnormal grade standard, the current behavior data of the group of street lamps, and of a single street lamp in the group, can be analyzed in real time and assigned an abnormal grade. Taking the light-on time as an example: if the light-on time of one street lamp, or of a number of street lamps in the group smaller than the first threshold (e.g. 3), falls within "18:58-19:02" but is 18:59 or 19:02, and therefore lies in the edge area of the normal feature threshold range, a first abnormal grade identifier is configured for the street lamp or the group of street lamps; if the light-on time of one street lamp falls outside "18:58-19:02", a second abnormal grade identifier is configured for the street lamp or the group of street lamps; if the light-on time of a number of street lamps in the group greater than the second threshold (which may be the same as the first threshold, such as 3, or different from it) falls outside "18:58-19:02", a second abnormal grade identifier may be configured for the group of street lamps or only for those street lamps in the group that fall outside the normal feature threshold range. To avoid errors, the edge area is not set to a specific value but is a smaller interval; for example, the edge area of "18:58-19:02" includes 18:58.00-18:59.10 and 19:01.50-19:02.00.
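The three-level grading described above, applied to the street-lamp light-on range, as an added example (not code from the patent). The names `Level`, `NormalRange` and `detect_group` are hypothetical, the edge-area bounds are read as minutes and seconds, the lamp readings are constructed, and the group grade follows the definitions of the first, second and third anomaly level identifiers.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import Dict, Tuple


class Level(IntEnum):
    NORMAL = 0
    FIRST = 1   # inside the normal range, but in its edge area
    SECOND = 2  # one terminal outside the normal range
    THIRD = 3   # more than second_threshold terminals of the group outside it


def secs(hhmmss: str) -> int:
    """Convert 'HH:MM:SS' into seconds since midnight."""
    hours, minutes, seconds = (int(part) for part in hhmmss.split(":"))
    return hours * 3600 + minutes * 60 + seconds


@dataclass(frozen=True)
class NormalRange:
    low: int              # start of the normal feature threshold range
    high: int             # end of the normal feature threshold range
    low_edge_end: int     # edge area is [low, low_edge_end]
    high_edge_start: int  # ... and [high_edge_start, high]

    def classify(self, value: int) -> Level:
        """Grade a single terminal's reading."""
        if value < self.low or value > self.high:
            return Level.SECOND
        if value <= self.low_edge_end or value >= self.high_edge_start:
            return Level.FIRST
        return Level.NORMAL


# Light-on range 18:58-19:02 with edge areas 18:58.00-18:59.10 and
# 19:01.50-19:02.00 (assumption: the fractional part is seconds).
LAMP_ON = NormalRange(secs("18:58:00"), secs("19:02:00"),
                      secs("18:59:10"), secs("19:01:50"))


def detect_group(on_times: Dict[str, str],
                 rng: NormalRange = LAMP_ON,
                 first_threshold: int = 3,
                 second_threshold: int = 3) -> Tuple[Level, Dict[str, Level]]:
    """Return (group grade, per-terminal grade) for one group's readings."""
    per_terminal = {ue: rng.classify(secs(t)) for ue, t in on_times.items()}
    outside = sum(1 for lvl in per_terminal.values() if lvl is Level.SECOND)
    edge = sum(1 for lvl in per_terminal.values() if lvl is Level.FIRST)

    if outside > second_threshold:
        group = Level.THIRD
    elif outside >= 1:
        group = Level.SECOND
    elif 1 <= edge < first_threshold:
        group = Level.FIRST
    else:
        # Either nothing is in the edge area, or first_threshold or more
        # terminals are; the text defines no group grade for the latter,
        # so this example leaves the group unflagged.
        group = Level.NORMAL
    return group, per_terminal


# Constructed sample: five lamps of one group, four switching on an hour late.
SAMPLE = {"lamp-1": "19:00:05", "lamp-2": "20:00:00", "lamp-3": "20:00:02",
          "lamp-4": "20:00:01", "lamp-5": "20:00:04"}

if __name__ == "__main__":
    group_level, levels = detect_group(SAMPLE)
    print(group_level.name, {ue: lvl.name for ue, lvl in levels.items()})
```

The per-terminal map lets the identifier be configured only for the lamps that fall outside the range, as the text allows, rather than for the whole group.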
Optionally, the sending the detection result to the third target network device includes:
sending an exception notification to a third target network device, wherein the exception notification comprises the detection result;
the method further comprises the following steps:
and receiving an abnormality notification acknowledgement sent by the third target network device.
Here, the NWDAF may inform the third target network device of the detection result directly by the abnormality notification after obtaining the detection result, and by receiving an abnormality notification acknowledgement sent by the third target network device, know that the detection result is successfully transmitted. In this case, whether or not the UDR, UDM, AMF, SMF, PCF, OAM, and AF can receive the abnormality notification including the detection result is determined by the NWDAF, for example, a network device capable of receiving the abnormality notification is configured in advance in the NWDAF, or the NWDAF selects a network device capable of receiving the abnormality notification according to its internal policy based on the detection result.
Further or optionally, before the sending the detection result to the third target network device, the method further includes:
receiving a subscription abnormal request sent by a third target network device;
the sending the detection result to the third target network device includes:
and sending a subscription abnormal response to the third target network equipment, wherein the subscription abnormal response comprises the detection result.
Here, the third target network device may send a subscription exception request to the NWDAF in advance, to notify the NWDAF that it needs the detection result of the anomaly detection, and the NWDAF may then send the detection result to the third target network device in a subscription exception response. Preferably, the third target network device may also send the subscription exception request to the NWDAF before anomaly detection is performed.
In this embodiment, the fourth target network device is a network device capable of receiving grouping information (the grouping information indicates a group identifier and feature description information corresponding to each terminal device identifier), and may perform preliminary anomaly detection for the terminal device based on the grouping information to obtain a preliminary anomaly identifier of the terminal device. Therefore, before the sending the detection result to the third target network device, the method further includes:
receiving a primary abnormal identifier sent by a fourth target network device, wherein the fourth target network device comprises at least one of AMF, SMF or PCF;
and carrying out anomaly detection on the target terminal corresponding to the primary anomaly identification through the primary anomaly identification and the grouping information to obtain a detection result.
The NWDAF receives the primary anomaly identifier sent by the fourth target network device and can then perform anomaly detection on the corresponding target terminal by combining the received primary anomaly identifier with the grouping information obtained through analysis, so as to obtain a detection result. Having received the primary anomaly identifier, the NWDAF already has a preliminary view of the behavior of the corresponding target terminal and can process that terminal in a targeted way during further anomaly detection, thereby saving signaling.
Optionally, before the receiving the primary anomaly identification sent by the fourth target network device, the method further includes:
sending grouping information to the fourth target network device, wherein the grouping information indicates the group identifier and the feature description information corresponding to each terminal device identifier.
Here, the grouping information on which the fourth target network device bases its preliminary anomaly detection of the terminal device is sent by the NWDAF. Specifically, the NWDAF may directly send the grouping information obtained through analysis (the grouping information indicates the group identifier and the feature description information corresponding to each terminal device identifier) to the fourth target network device, and the NWDAF may also receive a corresponding response; alternatively, the fourth target network device may request the grouping information from the NWDAF, and the NWDAF feeds back a corresponding response containing the required grouping information. Preferably, the fourth target network device requests the grouping information for the current terminal device from the NWDAF after detecting that the terminal device has come online and is using the data service, so as to reduce signaling overhead.
In this embodiment, to better obtain the grouping information required for the anomaly detection, before sending the detection result to the third target network device, the method further includes:
acquiring terminal behavior data through first target network equipment; wherein the first target network device comprises: at least one of UDR, UDM, UPF, AMF, SMF, PCF, OAM, or AF.
The NWDAF acquires the terminal behavior data through at least one of UDR, UDM, UPF, AMF, SMF, PCF, OAM, or AF, so that the terminal behavior can be described by multidimensional data and the resulting grouping information can support a more accurate behavior judgment. Specifically, the NWDAF may request the terminal behavior data from the first target network device, or, by agreement with the first target network device, the first target network device may actively send the terminal behavior data.
Wherein the terminal behavior data comprises:
geographical location of the terminal, time characteristics, movement law, functional characteristics, packet-sending characteristics, packet size or source-destination address.
Here, the geographical location of the terminal may be regional information (e.g., Beijing Haichi district); the time characteristic is a characteristic of the terminal behavior in time, such as the terminal using APPs of type A1 on working days and APPs of type A2 on non-working days; the movement rule is a regularity of the terminal behavior in position, such as the terminal always moving from position B1 to position B2 within a certain period of a working day; the functional characteristic is a characteristic of the terminal behavior in function, such as the terminal repeatedly visiting travel websites about a certain place in the most recent period; the packet-sending characteristic is a characteristic of how the terminal sends packets, such as the packet-sending frequency of the terminal; the packet size is a characteristic of the terminal behavior in terms of data packets, such as the amount of packets per month being within a fixed range; the source address-destination address is a characteristic of the terminal behavior in network access, such as a site C that the terminal frequently accesses. Of course, the terminal behavior data is not limited to the above, and further examples are not listed here.
In this embodiment, the grouping information may be obtained by the NWDAF analyzing the terminal behavior data, and the NWDAF performs anomaly detection on the current behavior data of the target terminal based on the grouping information to obtain a detection result. Correspondingly, when grouping, the feature description information shared by the terminals of a group may also be the geographical location, time characteristic, movement rule, functional characteristic, packet-sending characteristic, packet size or source address-destination address of the terminal. For example, by geographical location, fire hydrants and water level monitors at the same geographical location are placed in one group; by time characteristic, street lamps switched on a timer are placed in one group; by packet size, cameras that upload video data in large volumes are placed in one group; by packet-sending characteristic, water meters and electricity meters that frequently send small packets are placed in one group. Of course, the feature description information may also be a combination of at least two of the geographical location, time characteristic, movement rule, functional characteristic, packet-sending characteristic, packet size and source address-destination address of the terminal. The NWDAF groups terminals by their common feature description information based on the acquired terminal behavior data to obtain the grouping information, which provides the basis for judging whether terminal behavior is abnormal.
Optionally, the grouping information includes: group identifier, terminal device identifier and feature description information of the current grouping; wherein
the grouping information indicates the terminal device identifier and feature description information corresponding to each group identifier; or
the grouping information indicates the group identifier and feature description information corresponding to each terminal device identifier.
Thus, the grouping information can describe the grouping result for different requirements. Grouping information that indicates the terminal device identifier and the feature description information corresponding to each group identifier may be represented as a set of groups, such as {Group i: <identifier of terminal device UE 1, identifier of UE 2, …, identifier of UE N>, feature description information of group i | i is a natural number}, where i is the group identifier of the current group; grouping information that indicates the group identifier and the feature description information corresponding to each terminal device identifier may be represented as a set of terminal device attributes, such as {UE j: <identifier of group m, feature description information of group m> | j is a natural number}, where group m is the group to which UE j belongs. Of course, besides the set representation, the grouping information of these two kinds can also be represented in other ways, such as lists in different formats, which are not described here again.
Of course, the grouping information often includes burst behavior data (historical behavior data) of the terminal device, so as to avoid misjudging burst behavior as abnormal when detecting abnormal terminal behavior.
Considering that storing the grouping information in the NWDAF itself may occupy resources and affect its working performance, optionally, the method further includes:
sending the grouping information to a second target network device, wherein the second target network device comprises the UDR and/or the UDM.
Here, the NWDAF sends the grouping information obtained by grouping to the second target network device (i.e., UDR and/or UDM), so that the grouping information is stored in the second target network device.
Optionally, the sending the grouping information to the second target network device includes:
sending an add/update packet request to the second target network device, the add/update packet request including the grouping information;
the method further comprises the following steps:
and receiving the add/update packet response sent by the second target network device.
The NWDAF sends an add/update packet request including the grouping information to the second target network device, thereby delivering the grouping information to the second target network device, and then receives the add/update packet response sent by the second target network device to learn the delivery result of the grouping information.
It should be appreciated that, in this embodiment, the second target network device may store the grouping information sent by the NWDAF after receiving it, and may subsequently return it to the NWDAF for the NWDAF to perform anomaly detection for the terminal; it may also send it to a fourth target network device (i.e., at least one of the AMF, SMF, or PCF) so that the fourth target network device can perform preliminary anomaly detection for the terminal based on the grouping information. If the grouping information sent by the NWDAF to the second target network device indicates the terminal device identifier and the feature description information corresponding to each group identifier, then before it is sent to the fourth target network device it is adjusted per terminal device, so that the adjusted grouping information indicates the group identifier and the feature description information corresponding to each terminal device identifier and the fourth target network device can complete preliminary anomaly detection for the terminal device.
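The two grouping-information forms and the per-terminal adjustment described above, together with the UDR/UDM handling described earlier (deleting an abnormal terminal's grouping information and refusing registration when none exists), as an added example that is not code from the patent. `GroupingStore` and its methods are hypothetical names, the identifiers are constructed, and the rule that a terminal belongs to at most one group is an assumption taken from the per-terminal form carrying a single group identifier.

```python
from typing import Dict, Iterable, NamedTuple, Tuple


class GroupEntry(NamedTuple):
    terminals: Tuple[str, ...]  # terminal device identifiers of the group
    features: str               # feature description information of the group


class TerminalEntry(NamedTuple):
    group_id: str               # group the terminal belongs to
    features: str               # feature description information of that group


class GroupingStore:
    """Hypothetical UDR/UDM-side store, keyed by group identifier."""

    def __init__(self) -> None:
        self._groups: Dict[str, GroupEntry] = {}

    def add_or_update(self, group_id: str, terminals: Iterable[str],
                      features: str) -> None:
        """Store the grouping information carried in an add/update request."""
        members = tuple(terminals)
        for other_id, entry in self._groups.items():
            clash = set(entry.terminals) & set(members)
            if other_id != group_id and clash:
                # Assumption: the per-terminal form holds one group per
                # terminal, so a second membership cannot be represented.
                raise ValueError(f"{sorted(clash)} already in group {other_id}")
        self._groups[group_id] = GroupEntry(members, features)

    def terminal_view(self) -> Dict[str, TerminalEntry]:
        """Adjust the group-keyed form into the per-terminal form that is
        sent on to the AMF, SMF or PCF."""
        return {ue: TerminalEntry(group_id, entry.features)
                for group_id, entry in self._groups.items()
                for ue in entry.terminals}

    def remove_terminal(self, ue: str) -> bool:
        """Delete an abnormal terminal's identifier from its group."""
        for group_id, entry in self._groups.items():
            if ue in entry.terminals:
                rest = tuple(t for t in entry.terminals if t != ue)
                self._groups[group_id] = entry._replace(terminals=rest)
                return True
        return False

    def allow_registration(self, ue: str) -> bool:
        """Registration is accepted only if grouping information exists."""
        return ue in self.terminal_view()


if __name__ == "__main__":
    store = GroupingStore()
    store.add_or_update("lamps", ["ue-1", "ue-2"], "19:00 on, 5:30 off")
    store.add_or_update("meters", ["ue-3"], "frequent small packets")
    print(store.terminal_view())
    store.remove_terminal("ue-2")
    print(store.allow_registration("ue-2"))
```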
In addition, the method of the embodiment of the present invention is also applicable to the scenarios from the first scenario to the eleventh scenario of the first embodiment, which are not described herein again.
In summary, in the terminal behavior data processing method according to the embodiment of the present invention, the NWDAF notifies the third target network device of the detection result (i.e., the detection result obtained by performing anomaly detection on the current behavior data of the target terminal based on the grouping information), so that after receiving the detection result, the third target network device can perform effective and targeted management of the target terminal according to the preset anomaly handling policy. Because the detection result is obtained from the grouping information, the terminal behavior can be described by multidimensional data and a more accurate behavior judgment result can be obtained.
As shown in Fig. 16, a method for processing terminal behavior data according to an embodiment of the present invention is applied to a first network device, and includes:
Step 1601, performing anomaly detection on a target terminal corresponding to a primary anomaly identifier through the primary anomaly identifier and grouping information to obtain a detection result; the grouping information is obtained by grouping the terminals based on the terminal behavior data, and the terminals belonging to the same group have the same feature description information.
In step 1601, the first network device performs anomaly detection for the target terminal (the target terminal corresponding to the primary anomaly identifier) by combining the primary anomaly identifier with the grouping information (the grouping information is obtained by grouping the terminals based on the terminal behavior data, and the terminals belonging to the same group have the same feature description information). Moreover, because the anomaly detection relies on grouping information obtained by grouping the terminals based on the terminal behavior data, the terminal behavior can be described by multidimensional data and a more accurate behavior judgment result can be obtained.
Wherein the first network device comprises an NWDAF.
Optionally, before performing, by the primary anomaly identifier and the grouping information, anomaly detection on the target terminal corresponding to the primary anomaly identifier to obtain a detection result, the method further includes:
and receiving the primary abnormal identifier sent by a fourth target network device, wherein the fourth target network device comprises at least one of an AMF, an SMF or a PCF.
Thus, the primary anomaly identification upon which the NWDAF performs anomaly detection is transmitted by the fourth target network device (i.e., at least one of the AMF, SMF, or PCF).
Optionally, before the receiving the primary anomaly identification sent by the fourth target network device, the method further includes:
sending grouping information to the fourth target network device, wherein the grouping information indicates the group identifier and the feature description information corresponding to each terminal device identifier.
Here, by notifying the fourth target network device of the grouping information indicating the group identifier and the feature description information corresponding to each terminal device identifier, the NWDAF enables the fourth target network device to perform preliminary anomaly detection of the terminal device according to the grouping information. Specifically, the NWDAF may directly send the grouping information obtained through analysis (the grouping information indicates the group identifier and the feature description information corresponding to each terminal device identifier) to the fourth target network device, and the NWDAF may also receive a corresponding response; alternatively, the fourth target network device may request the grouping information from the NWDAF, and the NWDAF feeds back a corresponding response containing the required grouping information. Preferably, the fourth target network device requests the grouping information for the current terminal device from the NWDAF after detecting that the terminal device has come online and is using the data service, so as to reduce signaling overhead.
In addition, in this embodiment, when the fourth target network device performs the preliminary abnormality detection of the terminal device, the packet information according to may also be provided by the second target network device. Wherein the second target network device may be a fourth target network device that forwards packet information (the packet information indicates group identifiers and feature description information corresponding to each terminal device identifier) sent by the received NWDAF to the fourth target network device; or, after the received grouping information sent by the NWDAF (the grouping information indicates the terminal device identifier and the feature description information corresponding to each group identifier), the grouping information is adjusted for the terminal device and then sent to the fourth target network device. Similarly, the fourth target network device may receive the packet information actively sent by the second target network device, and feed back a corresponding response to the second target network device; or requesting the second target network device for the packet information, where the second target network device feeds back a corresponding response according to the request, and the response includes the required packet information.
After obtaining the detection result through the abnormality detection, the method further includes:
sending the detection result to a third target network device, where the third target network device includes: at least one of UDR, UDM, UPF, AMF, SMF, PCF, OAM, or AF.
After the NWDAF completes the anomaly detection, the NWDAF informs the third target network device (i.e., at least one of UDR, UDM, AMF, SMF, PCF, OAM, or AF) of the obtained detection result, so that the third target network device can perform effective and targeted management on the target terminal according to a preset anomaly handling policy after receiving the detection result.
Optionally, the detection result includes:
an anomaly identifier for indicating whether the terminal is abnormal; and/or
an anomaly level identifier for indicating the degree of abnormality of the terminal.
Optionally, the anomaly level identifier comprises:
a first anomaly level identifier, a second anomaly level identifier and a third anomaly level identifier; wherein
the first anomaly level identifier indicates that the current behavior data of one terminal, or of fewer than a first threshold number of terminals in the same group, has not left the normal feature threshold range of the group to which it belongs but lies in the edge area of that range;
the second anomaly level identifier indicates that the current behavior data of one terminal has left the normal feature threshold range of the group to which it belongs;
and the third anomaly level identifier indicates that, in the same group, the current behavior data of more than a second threshold number of terminals has left the normal feature threshold range of the group.
Therefore, when analyzing the current behavior data of the target terminal in real time for anomaly detection based on the primary anomaly identifier, the NWDAF can judge both whether the terminal (behavior) is abnormal and how abnormal it is, and the resulting detection result allows the third target network device to manage the terminal accordingly based on the anomaly identifier and/or the anomaly level identifier.
The normal feature threshold range used in anomaly detection for the terminals of a group is determined from the feature description information in the group's grouping information. For example, for street lamps in the same group whose feature description information is "on at 19:00, off at 5:30", the normal feature threshold range determined, allowing for switching delay, comprises the switch-on time "18:58-19:02" and the switch-off time "4:28-5:32". Using the three anomaly levels as the criterion, the current behavior data of the group of street lamps, and of an individual street lamp in the group, can be analyzed in real time and assigned an anomaly level. Taking the switch-on time as an example: if the switch-on time of one street lamp, or of fewer than the first threshold (e.g., 3) of street lamps in the group, falls within "18:58-19:02" but is 18:59 or 19:02, it belongs to the edge area of the normal feature threshold range, and a first anomaly level identifier is configured for the street lamp or the group of street lamps; if the switch-on time of one street lamp falls outside "18:58-19:02", a second anomaly level identifier is configured for the street lamp or the group of street lamps; if the switch-on time of more than the second threshold (which may be the same as the first threshold, e.g., 3, or different from it) of street lamps in the group falls outside "18:58-19:02", a second anomaly level identifier may be configured for the group of street lamps or only for the street lamps in the group that fall outside the normal feature threshold range. To avoid errors, the edge area is not a single specific value but a small interval; for example, the edge area of "18:58-19:02" includes 18:58.00-18:59.10 and 19:01.50-19:02.00.
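The following Python sketch is an added example, not part of the patent text: it applies the three anomaly level definitions listed above to constructed street-lamp switch-on times. The function and constant names, the reading of the edge areas as HH:MM.SS intervals, and the handling of an edge count that reaches the first threshold are assumptions.

```python
from datetime import time

# Values from the street-lamp illustration; the edge areas are read as
# HH:MM.SS intervals (assumption).
NORMAL_ON = (time(18, 58, 0), time(19, 2, 0))
EDGE_ON = [(time(18, 58, 0), time(18, 59, 10)),
           (time(19, 1, 50), time(19, 2, 0))]

LEVEL_NONE, LEVEL_1, LEVEL_2, LEVEL_3 = 0, 1, 2, 3


def _within(t, interval):
    low, high = interval
    return low <= t <= high


def classify_group(observed, normal=NORMAL_ON, edges=EDGE_ON,
                   first_threshold=3, second_threshold=3):
    """Classify one group's switch-on times.

    observed maps a terminal identifier to its observed switch-on time.
    Returns (levels, group_level): one level per terminal and the highest
    level reached in the group.
    """
    outside = [ue for ue, t in observed.items() if not _within(t, normal)]
    on_edge = [ue for ue, t in observed.items()
               if _within(t, normal) and any(_within(t, e) for e in edges)]

    levels = {ue: LEVEL_NONE for ue in observed}

    # Level 1: fewer than first_threshold terminals lie in the edge area.
    # Assumption: the text defines no level once the count reaches the
    # threshold, so those terminals stay unflagged here.
    if len(on_edge) < first_threshold:
        for ue in on_edge:
            levels[ue] = LEVEL_1

    # Level 2: a terminal has left the normal range.
    # Level 3: more than second_threshold terminals of the group have left it;
    # here the level is set on the deviating terminals only (assumption).
    out_level = LEVEL_3 if len(outside) > second_threshold else LEVEL_2
    for ue in outside:
        levels[ue] = out_level

    group_level = max(levels.values(), default=LEVEL_NONE)
    return levels, group_level


# Constructed sample: one lamp in the edge area, one outside the range.
SAMPLE = {
    "lamp-1": time(19, 0, 0),
    "lamp-2": time(18, 58, 30),
    "lamp-3": time(19, 5, 0),
    "lamp-4": time(19, 0, 10),
}

if __name__ == "__main__":
    per_lamp, group = classify_group(SAMPLE)
    for lamp, level in per_lamp.items():
        print(lamp, "level", level)
    print("group level", group)
```
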
Optionally, the sending the detection result to the third target network device includes:
sending an anomaly notification to the third target network device, wherein the anomaly notification comprises the detection result;
the method further includes:
receiving an anomaly notification acknowledgement sent by the third target network device.
Here, after obtaining the detection result, the NWDAF may inform the third target network device of it directly through the anomaly notification and, by receiving the anomaly notification acknowledgement sent by the third target network device, learn that the detection result was delivered successfully. In this case, whether each of the UDR, UDM, AMF, SMF, PCF, OAM, and AF can receive the anomaly notification containing the detection result is determined by the NWDAF: for example, the network devices able to receive the anomaly notification are configured in the NWDAF in advance, or the NWDAF selects them according to its internal policy based on the detection result.
Further or optionally, before the sending the detection result to the third target network device, the method further includes:
receiving an anomaly subscription request sent by the third target network device;
the sending the detection result to the third target network device includes:
sending an anomaly subscription response to the third target network device, wherein the anomaly subscription response comprises the detection result.
Here, the third target network device may send an anomaly subscription request to the NWDAF in advance to notify the NWDAF that it needs the detection result of the anomaly detection, and the NWDAF then sends the detection result to the third target network device in an anomaly subscription response. Preferably, the third target network device sends the anomaly subscription request to the NWDAF before the anomaly detection is performed.
It should also be understood that, in the embodiment of the present invention, after receiving the detection result sent by the NWDAF, different network devices typically manage the terminal according to their own functions:
The PCF makes the corresponding policy decision according to the anomaly identifier and/or the anomaly level identifier of the target terminal; the AMF performs the corresponding access control, mobility restriction or registration area management according to the anomaly identifier and/or the anomaly level identifier of the target terminal; the SMF performs the corresponding session management or policy control according to the anomaly identifier and/or the anomaly level identifier of the target terminal; the UDR and the UDM delete the grouping information of an abnormal terminal that is in a service shutdown state (that is, in the group to which the abnormal terminal belongs, the current behavior data of more than the second threshold number of terminals is outside the normal feature threshold range of the group), for example by deleting the terminal device identifier from its group, or by deleting the terminal device identifier together with the group information and feature description information corresponding to it; then, upon receiving a terminal registration request, they determine whether grouping information exists for the terminal that sent the request, rejecting registration access by that terminal if not and allowing registration access if so; the AF performs the corresponding service shutdown or requests new QoS resources according to the anomaly identifier and/or the anomaly level identifier of the target terminal.
Of course, the above handling of the detection result sent by the NWDAF is only a preferred implementation; other handling by the network devices is not excluded and is not described further here.
Optionally, before performing anomaly detection on the target terminal corresponding to the primary anomaly identifier, based on the primary anomaly identifier and the grouping information, to obtain a detection result, the method further includes:
acquiring terminal behavior data through a first target network device; wherein the first target network device comprises: at least one of UDR, UDM, UPF, AMF, SMF, PCF, OAM, or AF.
The NWDAF acquires the terminal behavior data through at least one of UDR, UDM, UPF, AMF, SMF, PCF, OAM, or AF, so that terminal behavior can be characterized with multidimensional data based on the terminal behavior data and the resulting grouping information supports more accurate behavior judgment. Specifically, the NWDAF may request the terminal behavior data from the first target network device, or the first target network device may actively send the terminal behavior data according to an agreement between the NWDAF and the first target network device.
Optionally, the terminal behavior data includes:
geographical location of the terminal, time characteristics, movement law, functional characteristics, packet-sending characteristics, packet size or source-destination address.
Here, the geographical location of the terminal may be regional information (e.g., Beijing Haichi district); the time characteristic describes the terminal behavior over time, for example the applications (APPs) used by the terminal on weekdays are of type A1 and those used on non-weekdays are of type A2; the movement rule describes the terminal behavior in terms of position, for example the terminal always moves from position B1 to position B2 within a certain period on a working day; the functional characteristic describes the terminal behavior in terms of function, for example the terminal has repeatedly visited travel websites about a certain place in the most recent period; the packet-sending characteristic describes the terminal behavior in terms of packet sending, for example the packet-sending frequency of the terminal; the packet size describes the terminal behavior in terms of data packets, for example the amount of packets per month lies within a fixed range; the source address-destination address describes the terminal behavior in terms of network access, for example a website C that the terminal frequently accesses. Of course, the terminal behavior data is not limited to the above, and further items are not listed here.
In this embodiment, after the NWDAF acquires the terminal behavior data, it may analyze the data to obtain grouping information in order to facilitate the subsequent determination of terminal anomalies; terminals belonging to the same group have the same feature description information. Here, the feature description information corresponds to the terminal behavior data and may be the geographical location, time characteristic, movement rule, functional characteristic, packet-sending characteristic, packet size, source address-destination address, or the like of the terminal. For example, for the geographical location, fire hydrants and water level monitors at the same geographical location are placed in one group; for the time characteristic, street lamps switched on a timer are placed in one group; for the packet size, cameras that upload video data with large traffic are placed in one group; for the packet-sending characteristic, water meters and electricity meters that frequently send small packets are placed in one group. Of course, the feature description information may also be a combination of at least two of the geographical location, time characteristic, movement rule, functional characteristic, packet-sending characteristic, packet size and source address-destination address of the terminal. The NWDAF groups the terminals by common feature description information based on the acquired terminal behavior data to obtain the grouping information, which provides the basis for judging whether terminal behavior is abnormal.
Optionally, the grouping information includes: the group identifier, the terminal device identifiers and the feature description information of the current group; wherein
the grouping information indicates the terminal device identifiers and the feature description information corresponding to each group identifier; or
the grouping information indicates the group identifier and the feature description information corresponding to each terminal device identifier.
Thus, the grouping information can describe the grouping result for different requirements. Here, the grouping information indicating the terminal device identifiers and the feature description information corresponding to each group identifier (i.e., group-level grouping information) may be represented in group set form, such as {Group i: <identifier of terminal device UE1, identifier of UE2, …, identifier of UEN>, feature description information of group i | i is a natural number}, where i is the group identifier of the current group; the grouping information indicating the group identifier and the feature description information corresponding to each terminal device identifier (i.e., terminal-level grouping information) may be represented in terminal device attribute set form, such as {UE j: <identifier of group m, feature description information of group m> | j is a natural number}, where group m is the group to which UE j belongs. Of course, besides the set representation, the two kinds of grouping information can also be represented in other ways, such as lists in different formats, which are not described further here.
Of course, the grouping information often includes burst behavior data (historical behavior data) of the terminal device, so as to avoid misjudging burst behavior as abnormal when detecting abnormal terminal behavior.
In this embodiment of the present invention, considering that storing the obtained grouping information in the NWDAF itself may occupy resources and affect its performance, optionally, the method further includes:
sending the grouping information to a second target network device, wherein the second target network device comprises the UDR and/or the UDM.
Here, the NWDAF sends the grouping information obtained by grouping to the second target network device (i.e., the UDR and/or the UDM) so that it is stored in the second target network device.
Optionally, the sending the grouping information to the second target network device includes:
sending an add/update grouping request to the second target network device, the add/update grouping request including the grouping information;
the method further includes:
receiving an add/update grouping response sent by the second target network device.
The NWDAF sends an add/update grouping request containing the grouping information to the second target network device, thereby delivering the grouping information to it, and then receives the add/update grouping response sent by the second target network device to learn the delivery result.
It should be appreciated that, in this embodiment, the second target network device may store the grouping information sent by the NWDAF after receiving it and may subsequently return it to the NWDAF so that the NWDAF can perform anomaly detection on the terminal; it may also send the grouping information to a fourth target network device (i.e., at least one of the AMF, SMF, or PCF) so that the fourth target network device can perform preliminary anomaly detection on the terminal based on it. If the grouping information sent by the NWDAF to the second target network device indicates the terminal device identifiers and the feature description information corresponding to each group identifier, the second target network device adjusts it per terminal device before sending it to the fourth target network device, so that the adjusted grouping information indicates the group identifier and the feature description information corresponding to each terminal device identifier and the fourth target network device can complete preliminary anomaly detection on the terminal device.
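The adjustment from group-level to terminal-level grouping information described above, together with the UDR/UDM handling of a terminal whose grouping information has been deleted, can be sketched as follows. This is an added Python example, not part of the patent text; the dictionary layout, field names, identifiers and function names are hypothetical, and rejecting a terminal listed in two groups is an assumption.

```python
import copy

# Constructed group-level grouping information (field names are hypothetical):
# {group identifier: terminal device identifiers + feature description information}
GROUP_LEVEL = {
    "group-1": {"ues": ["ue-001", "ue-002", "ue-003"],
                "profile": {"type": "street lamp", "on": "19:00", "off": "5:30"}},
    "group-2": {"ues": ["ue-101", "ue-102"],
                "profile": {"type": "camera", "traffic": "large uplink video"}},
}


def to_terminal_level(group_level):
    """Adjust group-level grouping information into terminal-level form.

    Returns {terminal identifier: {"group": ..., "profile": ...}}, the form the
    AMF, SMF or PCF needs for preliminary anomaly detection.
    """
    terminal_level = {}
    for group_id, entry in group_level.items():
        for ue_id in entry["ues"]:
            if ue_id in terminal_level:
                # Assumption: the terminal-level form carries one group per
                # terminal, so a terminal listed twice is treated as an error.
                raise ValueError(f"{ue_id} is listed in more than one group")
            terminal_level[ue_id] = {"group": group_id,
                                     "profile": dict(entry["profile"])}
    return terminal_level


def delete_terminal(group_level, ue_id):
    """Delete a terminal identifier from its group; True if it was present."""
    for entry in group_level.values():
        if ue_id in entry["ues"]:
            entry["ues"].remove(ue_id)
            return True
    return False


def handle_registration(group_level, ue_id):
    """Accept registration only if grouping information exists for the terminal."""
    return "accept" if ue_id in to_terminal_level(group_level) else "reject"


def demo():
    """Registration decision for ue-002 before and after its entry is deleted."""
    store = copy.deepcopy(GROUP_LEVEL)      # the stored copy in the UDR/UDM
    before = handle_registration(store, "ue-002")
    delete_terminal(store, "ue-002")
    after = handle_registration(store, "ue-002")
    return before, after, to_terminal_level(store)


if __name__ == "__main__":
    print(demo())
```
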
In addition, the method of the embodiment of the present invention is also applicable to scene five, scene six, and scene eleven in the first embodiment, which are not described herein again.
In summary, in the terminal behavior data processing method according to the embodiment of the present invention, the NWDAF performs anomaly detection on a target terminal (the target terminal corresponds to the primary anomaly identifier) in combination with the primary anomaly identifier and grouping information (the grouping information is obtained by grouping terminals based on terminal behavior data, and terminals belonging to the same group have the same feature description information). Moreover, due to the fact that the anomaly detection is based on grouping information obtained by grouping the terminals based on the terminal behavior data, the multidimensional data can depict the terminal behavior to obtain a more accurate behavior judgment result.
As shown in fig. 17, a method for processing terminal behavior data according to an embodiment of the present invention is applied to a second network device, and includes:
Step 1701: receiving a detection result of a target terminal sent by a first network device, wherein the detection result is obtained by the first network device performing anomaly detection on current behavior data of the target terminal based on grouping information; the grouping information is obtained by grouping terminals based on terminal behavior data, and terminals belonging to the same group have the same feature description information.
Through step 1701, in the terminal behavior data processing method according to the embodiment of the present invention, the second network device can receive the detection result sent by the first network device (e.g., the NWDAF). Because the detection result is obtained by the first network device performing anomaly detection on the current behavior data of the target terminal based on grouping information, and the grouping information is obtained by grouping terminals based on terminal behavior data such that terminals in the same group have the same feature description information, terminal behavior is characterized in multiple dimensions and the detection result is more accurate, which supports effective management afterwards.
Here, the second network device may be at least one of UDR, UDM, UPF, AMF, SMF, PCF, OAM, or AF.
Optionally, the detection result includes:
an anomaly identifier for indicating whether the terminal is abnormal; and/or
an anomaly level identifier for indicating the degree of abnormality of the terminal.
Optionally, the anomaly level identifier comprises:
a first anomaly level identifier, a second anomaly level identifier and a third anomaly level identifier; wherein
the first anomaly level identifier indicates that the current behavior data of one terminal, or of fewer than a first threshold number of terminals in the same group, has not left the normal feature threshold range of the group to which it belongs but lies in the edge area of that range;
the second anomaly level identifier indicates that the current behavior data of one terminal has left the normal feature threshold range of the group to which it belongs;
and the third anomaly level identifier indicates that, in the same group, the current behavior data of more than a second threshold number of terminals has left the normal feature threshold range of the group.
Optionally, the terminal behavior data includes:
geographical location of the terminal, time characteristics, movement law, functional characteristics, packet-sending characteristics, packet size or source-destination address.
Here, the geographical location of the terminal may be regional information (e.g., Beijing Haichi district); the time characteristic describes the terminal behavior over time, for example the applications (APPs) used by the terminal on weekdays are of type A1 and those used on non-weekdays are of type A2; the movement rule describes the terminal behavior in terms of position, for example the terminal always moves from position B1 to position B2 within a certain period on a working day; the functional characteristic describes the terminal behavior in terms of function, for example the terminal has repeatedly visited travel websites about a certain place in the most recent period; the packet-sending characteristic describes the terminal behavior in terms of packet sending, for example the packet-sending frequency of the terminal; the packet size describes the terminal behavior in terms of data packets, for example the amount of packets per month lies within a fixed range; the source address-destination address describes the terminal behavior in terms of network access, for example a website C that the terminal frequently accesses. Of course, the terminal behavior data is not limited to the above, and further items are not listed here.
Correspondingly, the NWDAF analyzes the terminal behavior data to obtain grouping information, in which terminals belonging to the same group have the same feature description information; the feature description information corresponds to the terminal behavior data and may likewise be the geographical location, time characteristic, movement rule, functional characteristic, packet-sending characteristic, packet size, or source address-destination address of the terminal. For example, for the geographical location, fire hydrants and water level monitors at the same geographical location are placed in one group; for the time characteristic, street lamps switched on a timer are placed in one group; for the packet size, cameras that upload video data with large traffic are placed in one group; for the packet-sending characteristic, water meters and electricity meters that frequently send small packets are placed in one group. Of course, the feature description information may also be a combination of at least two of the geographical location, time characteristic, movement rule, functional characteristic, packet-sending characteristic, packet size and source address-destination address of the terminal. The NWDAF groups the terminals by common feature description information based on the acquired terminal behavior data to obtain the grouping information, which provides the basis for judging whether terminal behavior is abnormal.
Optionally, the grouping information includes: the group identifier, the terminal device identifiers and the feature description information of the current group; wherein
the grouping information indicates the terminal device identifiers and the feature description information corresponding to each group identifier; or
the grouping information indicates the group identifier and the feature description information corresponding to each terminal device identifier.
Thus, the grouping information can describe the grouping result for different requirements. Here, the grouping information indicating the terminal device identifiers and the feature description information corresponding to each group identifier (i.e., group-level grouping information) may be represented in group set form, such as {Group i: <identifier of terminal device UE1, identifier of UE2, …, identifier of UEN>, feature description information of group i | i is a natural number}, where i is the group identifier of the current group; the grouping information indicating the group identifier and the feature description information corresponding to each terminal device identifier (i.e., terminal-level grouping information) may be represented in terminal device attribute set form, such as {UE j: <identifier of group m, feature description information of group m> | j is a natural number}, where group m is the group to which UE j belongs. Of course, besides the set representation, the two kinds of grouping information can also be represented in other ways, such as lists in different formats, which are not described further here.
Of course, the grouping information often includes burst behavior data (historical behavior data) of the terminal device, so as to avoid misjudging burst behavior as abnormal when detecting abnormal terminal behavior.
Optionally, the receiving a detection result of the target terminal sent by the first network device includes:
receiving an anomaly notification sent by the first network device, wherein the anomaly notification comprises the detection result;
the method further includes:
sending an anomaly notification acknowledgement to the first network device.
Here, after obtaining the detection result, the NWDAF may inform the second network device of it directly through the anomaly notification, and the second network device, on receiving the anomaly notification, returns an anomaly notification acknowledgement to indicate that the detection result was delivered successfully. Specifically, whether each of the UDR, UDM, AMF, SMF, PCF, OAM, and AF can receive the anomaly notification containing the detection result is determined by the NWDAF: for example, the network devices able to receive the anomaly notification are configured in the NWDAF in advance, or the NWDAF selects them according to the detection result and its internal policy.
Optionally, before the receiving the detection result of the target terminal sent by the first network device, the method further includes:
sending an anomaly subscription request to the first network device;
the receiving a detection result of the target terminal sent by the first network device includes:
receiving an anomaly subscription response sent by the first network device, wherein the anomaly subscription response comprises the detection result.
Here, the second network device sends an anomaly subscription request to the NWDAF in advance according to its own needs, informing the NWDAF that it needs the detection result of the anomaly detection, and the NWDAF then sends the detection result to the second network device in an anomaly subscription response. Preferably, the anomaly subscription request is sent to the first network device before the NWDAF performs the anomaly detection.
Optionally, after receiving the detection result of the target terminal sent by the first network device, the method further includes:
managing the target terminal according to the detection result and a preset anomaly handling policy.
After receiving the detection result, the second network device can manage the target terminal according to the preset anomaly handling policy that corresponds to its own function.
Optionally, the second network device is a PCF;
the managing the target terminal according to the detection result and a preset anomaly handling policy includes:
making the corresponding policy decision according to the anomaly identifier and/or the anomaly level identifier of the target terminal.
Optionally, the second network device is an AMF;
the managing the target terminal according to the detection result and a preset anomaly handling policy includes:
performing the corresponding access control, mobility restriction or registration area management according to the anomaly identifier and/or the anomaly level identifier of the target terminal.
Optionally, the second network device is an SMF;
the managing the target terminal according to the detection result and a preset anomaly handling policy includes:
performing the corresponding session management or policy control according to the anomaly identifier and/or the anomaly level identifier of the target terminal.
Optionally, the second network device is an AMF, an SMF, or a PCF;
before the management of the target terminal according to the detection result and a preset exception handling strategy, the method further includes:
receiving grouping information sent by the first network equipment or the second target network equipment; the grouping information indicates group identification and feature description information corresponding to each terminal equipment identification; the second target network device is a UDR and/or a UDM;
and sending a primary abnormal identifier to the first network equipment under the condition that the target terminal is determined to be abnormal according to the grouping information.
Here, the AMF, SMF, or PCF may perform preliminary anomaly detection on the terminal device based on the grouping information (which indicates the group identifier and the feature description information corresponding to each terminal device identifier) and, on determining that the target terminal is anomalous, send a primary anomaly identifier for the target terminal to the first network device. The NWDAF then combines the received primary anomaly identifier with the grouping information it obtained through analysis and performs anomaly detection on the target terminal corresponding to the primary anomaly identifier, which makes the processing targeted and saves signaling.
The grouping information on which the AMF, SMF, or PCF bases the preliminary anomaly detection may be sent by the first network device or by the second target network device. After obtaining the grouping information through analysis (the grouping information indicates the group identifier and the feature description information corresponding to each terminal device identifier), the NWDAF sends it directly to at least one of the AMF, the SMF or the PCF and receives a corresponding response; alternatively, the AMF, SMF or PCF requests the grouping information from the NWDAF, and the NWDAF returns a response that contains the requested grouping information. Preferably, the AMF, SMF, or PCF requests the grouping information for the current terminal device from the NWDAF after detecting that the terminal device has come online and is using the data service, so as to reduce signaling overhead.
Both the UDR and the UDM can store the grouping information produced by the NWDAF's analysis, so the AMF, SMF or PCF can receive grouping information sent by the UDR and/or the UDM. Because the AMF, SMF or PCF needs the grouping information in a particular form, the UDR and UDM may forward to the AMF, SMF or PCF the grouping information received from the NWDAF when it already indicates the group identifier and the feature description information corresponding to each terminal device identifier; or, when the grouping information received from the NWDAF indicates the terminal device identifier and the feature description information corresponding to each group identifier, they adjust it per terminal device so that the adjusted grouping information indicates the group identifier and the feature description information corresponding to each terminal device identifier, and then send the adjusted grouping information to the AMF, SMF or PCF. Similarly, the AMF, SMF or PCF may receive grouping information that the second target network device sends on its own initiative and return a corresponding response to the second target network device; or it may request the grouping information from the second target network device, which returns a response containing the requested grouping information.
Optionally, the second network device is a UDR or a UDM;
before receiving the detection result of the target terminal sent by the first network device, the method further includes:
and receiving the grouping information sent by the first network equipment.
For the UDR or the UDM, in this embodiment, the grouping information sent by the first network device may also be received and stored before the detection result is received, according to the storage requirement of the first network device. The UDR and the UDM that store the grouping information can subsequently send it back to the NWDAF so that the NWDAF can perform anomaly detection on the terminal, and can send it to at least one of the AMF, SMF, or PCF to enable preliminary anomaly detection on the terminal based on the grouping information. The grouping information sent to the AMF, SMF, or PCF must be in the form that indicates the group identifier and the feature description information corresponding to each terminal device identifier.
Optionally, receiving the grouping information sent by the first network device includes:
receiving an add/update grouping request sent by the first network device, wherein the add/update grouping request comprises the grouping information;
the method further comprises the following steps:
sending an add/update grouping response to the first network device.
Here, the UDR or the UDM receives the add/update grouping request sent by the first network device, obtains the grouping information it contains, and then returns an add/update grouping response to confirm that the grouping information was transmitted successfully.
Optionally, the method further includes:
deleting the grouping information of an abnormal terminal that is in the service shutdown state; the abnormal terminal belongs to a group in which the current behavior data of more than a second threshold number of terminals has left the normal characteristic threshold range of the group;
after receiving a terminal registration request, judging whether grouping information exists for the terminal that sent the terminal registration request;
if not, rejecting the registration and access of the sending terminal; if so, allowing registration and access.
Here, since the UDR or the UDM stores the grouping information, it can delete the grouping information of an abnormal terminal that is in the service shutdown state. Then, after receiving a terminal registration request, it determines whether grouping information exists for the terminal that sent the request: if not, the sending terminal's registration and access are rejected; if so, registration and access proceed. Specifically, deleting the grouping information of the terminal may mean deleting the terminal device identifier of the terminal from the group to which the terminal belongs, or deleting the terminal device identifier of the terminal together with the group information and the feature description information corresponding to that terminal device identifier.
Optionally, the method further comprises:
sending grouping information to at least one of the AMF, the SMF or the PCF, wherein the grouping information indicates the group identification and the feature description information corresponding to each terminal equipment identification.
Here, since the UDR or UDM stores the grouping information, it can send the grouping information to at least one of the AMF, SMF, or PCF. In this case, to meet the preliminary anomaly detection requirement of the AMF, SMF, or PCF, the grouping information indicates the group identifier and the feature description information corresponding to each terminal device identifier.
In addition, in this embodiment, the second network device is an AF;
managing the target terminal according to a preset exception handling strategy based on the detection result includes:
performing the corresponding service shutdown or requesting new QoS resources according to the abnormal identifier and/or the abnormal grade identifier of the target terminal.
In this embodiment, the method further includes:
and sending the terminal behavior data recorded by the terminal to the first network equipment.
Here, the second network device sends the terminal behavior data that it has recorded to the first network device, so that the first network device can analyze the terminal behavior data and obtain the grouping information required for anomaly detection. The terminal behavior data may be sent when the NWDAF requests it from the second network device, or may be sent proactively by the second network device through a protocol with the first network device.
It should be noted that this method works together with the terminal behavior data processing method applied to the first network device to implement terminal behavior data processing; the implementations of the embodiments of that method apply to this method and achieve the same technical effect.
As shown in fig. 18, an embodiment of the invention provides an NWDAF 1800 comprising a first processor 1801 and a first transceiver 1802, wherein,
the first transceiver 1802 is configured to obtain terminal behavior data via a first target network device; wherein the first target network device comprises: the unified data store (UDR), the user subscription data management (UDM), the user plane function (UPF), the access and mobility management function (AMF), the session management function (SMF), the policy control function (PCF), the operation, maintenance and management (OAM), or the application function (AF).
Optionally, the terminal behavior data includes:
geographical location of the terminal, time characteristics, movement law, functional characteristics, packet-sending characteristics, packet size or source-destination address.
Optionally, the first processor 1801 is configured to:
and analyzing the terminal behavior data to obtain grouping information, wherein the terminals belonging to the same group have the same characteristic description information.
Optionally, the grouping information includes: group identification, terminal equipment identification and feature description information of the current grouping; wherein,
the grouping information indicates terminal equipment identification and feature description information corresponding to each group identification; or
The grouping information indicates group identification and feature description information corresponding to each terminal device identification.
Optionally, the first transceiver 1802 is further configured to:
and sending the grouping information to a second target network device, wherein the second target network device comprises the UDR and/or the UDM.
Optionally, the first transceiver 1802 is further configured to:
sending an add/update grouping request to the second target network device, the add/update grouping request including the grouping information;
and receiving the add/update grouping response sent by the second target network equipment.
Optionally, the first processor 1801 is further configured to: based on the grouping information, carrying out anomaly detection on the current behavior data of the target terminal to obtain a detection result;
the first transceiver 1802 is further configured to: sending the detection result to a third target network device, where the third target network device includes: at least one of UDR, UDM, UPF, AMF, SMF, PCF, OAM, or AF.
Optionally, the first transceiver 1802 is further configured to:
sending an exception notification to a third target network device, wherein the exception notification comprises the detection result;
and receiving an abnormity notification confirmation sent by the third target network equipment.
Optionally, the first transceiver 1802 is further configured to:
receiving a subscription abnormal request sent by a third target network device;
and sending a subscription abnormal response to the third target network equipment, wherein the subscription abnormal response comprises the detection result.
Optionally, the detection result includes:
an abnormal identifier for indicating whether the terminal is abnormal; and/or
And the abnormal grade identification is used for indicating the abnormal degree of the terminal.
Optionally, the anomaly level identification comprises:
a first anomaly level identification, a second anomaly level identification and a third anomaly level identification; wherein,
the first anomaly level identification indicates that the current behavior data of one terminal, or of fewer than a first threshold number of terminals in the same group, has not left the normal characteristic threshold range of the group to which it belongs but lies in the marginal area of that range;
the second anomaly level identification indicates that the current behavior data of one terminal has left the normal characteristic threshold range of the group to which it belongs;
and the third anomaly level identification indicates that, within the same group, the current behavior data of more than a second threshold number of terminals has left the normal characteristic threshold range of the group.
Optionally, the first transceiver 1802 is further configured to: receiving a primary abnormal identifier sent by a fourth target network device, wherein the fourth target network device comprises at least one of AMF, SMF or PCF;
the first processor 1801 is further configured to:
and carrying out anomaly detection on the target terminal corresponding to the primary anomaly identification through the primary anomaly identification and the grouping information to obtain a detection result.
Optionally, the first transceiver 1802 is further configured to:
sending grouping information to the fourth target network device; and the grouping information indicates the group identification and the feature description information corresponding to each terminal equipment identification.
The NWDAF of the embodiment of the present invention obtains the terminal behavior data through the first target network device (at least one of UDR, UDM, UPF, AMF, SMF, PCF, OAM, or AF) as the terminal behavior data source, so as to perform multidimensional data characterization on the terminal behavior based on the terminal behavior data, thereby obtaining a more accurate behavior determination result.
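The three anomaly levels and the UDR/UDM registration check described above can be traced end to end in a short sketch. This is an added example, not code from the patent: the class and function names, the feature names, the 10% width of the "marginal area", the threshold values and the sample data are all assumptions.

```python
from dataclasses import dataclass, field

LEVEL_NONE, LEVEL_1, LEVEL_2, LEVEL_3 = 0, 1, 2, 3

@dataclass
class Group:
    group_id: str
    ranges: dict                      # feature -> (low, high): normal characteristic threshold range
    members: set = field(default_factory=set)

def state_of(sample, ranges, margin):
    """Classify one terminal's current behavior data as 'in', 'edge' or 'out'."""
    worst = "in"
    for feature, (low, high) in ranges.items():
        value = sample[feature]
        if value < low or value > high:
            return "out"              # left the normal range on at least one feature
        band = (high - low) * margin  # assumed definition of the marginal area
        if value < low + band or value > high - band:
            worst = "edge"
    return worst

def detect(group, current, first_threshold, second_threshold, margin=0.1):
    """NWDAF side: return {terminal id: anomaly level} for one group."""
    states = {t: state_of(current[t], group.ranges, margin)
              for t in sorted(group.members) if t in current}
    out = [t for t, s in states.items() if s == "out"]
    edge = [t for t, s in states.items() if s == "edge"]
    levels = {t: LEVEL_NONE for t in states}
    # Level 3: more than second_threshold terminals of the group are out of range.
    # Otherwise each out-of-range terminal is reported at level 2 (assumption for
    # counts between 2 and second_threshold, which the text does not spell out).
    for t in out:
        levels[t] = LEVEL_3 if len(out) > second_threshold else LEVEL_2
    # Level 1: one terminal, or fewer than first_threshold terminals, at the edge.
    # The text defines no level for larger edge counts, so none is assigned here.
    if len(edge) == 1 or len(edge) < first_threshold:
        for t in edge:
            levels[t] = LEVEL_1
    return levels

class GroupingStore:
    """Stands in for the UDR/UDM, holding grouping information keyed per terminal."""
    def __init__(self):
        self.by_terminal = {}         # terminal id -> (group id, feature description)

    def add_or_update(self, group):
        for t in group.members:
            self.by_terminal[t] = (group.group_id, group.ranges)

    def delete_abnormal(self, levels, shut_down):
        # Only abnormal terminals already in the service shutdown state are removed.
        for t, level in levels.items():
            if level == LEVEL_3 and t in shut_down:
                self.by_terminal.pop(t, None)

    def register(self, terminal_id):
        # Registration is accepted only if grouping information still exists.
        return terminal_id in self.by_terminal

# Constructed sample data: one group of six terminals and their current behavior.
GROUP = Group("smart-meter",
              {"pkts_per_min": (0, 10), "pkt_size": (50, 150)},
              {"t1", "t2", "t3", "t4", "t5", "t6"})
CURRENT = {
    "t1": {"pkts_per_min": 5,   "pkt_size": 100},
    "t2": {"pkts_per_min": 9.5, "pkt_size": 100},   # inside the range, near its edge
    "t3": {"pkts_per_min": 40,  "pkt_size": 100},
    "t4": {"pkts_per_min": 55,  "pkt_size": 120},
    "t5": {"pkts_per_min": 60,  "pkt_size": 900},
    "t6": {"pkts_per_min": 4,   "pkt_size": 90},
}

def run_example():
    store = GroupingStore()
    store.add_or_update(GROUP)
    levels = detect(GROUP, CURRENT, first_threshold=2, second_threshold=2)
    store.delete_abnormal(levels, shut_down={"t3", "t4"})
    admitted = {t: store.register(t) for t in ("t1", "t3", "t5", "t9")}
    return levels, admitted

if __name__ == "__main__":
    print(run_example())
```

In this run t5 is at level 3 but has not yet been shut down, so its grouping information remains and it can still register, while t9 was never grouped and is rejected.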
As shown in fig. 19, embodiments of the invention also provide an NWDAF 1900 that includes a second processor 1901 and a second transceiver 1902, wherein,
the second transceiver 1902 is configured to send grouping information to a second target network device; wherein the second target network device comprises a UDR and/or a UDM; the grouping information is obtained by grouping the terminals based on the terminal behavior data, and the terminals belonging to the same group have the same feature description information.
Optionally, the terminal behavior data includes:
geographical location of the terminal, time characteristics, movement law, functional characteristics, packet-sending characteristics, packet size or source-destination address.
Optionally, the grouping information includes: group identification, terminal equipment identification and feature description information of the current grouping; wherein,
the grouping information indicates terminal equipment identification and feature description information corresponding to each group identification; or
The grouping information indicates group identification and feature description information corresponding to each terminal device identification.
Optionally, the second transceiver 1902 is further configured to:
sending an add/update grouping request to the second target network device, the add/update grouping request including the grouping information;
and receiving the add/update grouping response sent by the second target network equipment.
Optionally, the second transceiver 1902 is further configured to:
acquiring terminal behavior data through first target network equipment; wherein the first target network device comprises: at least one of UDR, UDM, UPF, AMF, SMF, PCF, OAM, or AF.
Optionally, the second processor 1901 is configured to: based on the grouping information, carrying out anomaly detection on the current behavior data of the target terminal to obtain a detection result;
the second transceiver 1902 is further configured to: sending the detection result to a third target network device, where the third target network device includes: at least one of UDR, UDM, UPF, AMF, SMF, PCF, OAM, or AF.
Optionally, the second transceiver 1902 is further configured to:
sending an exception notification to a third target network device, wherein the exception notification comprises the detection result;
and receiving an abnormity notification confirmation sent by the third target network equipment.
Optionally, the second transceiver 1902 is further configured to:
receiving a subscription abnormal request sent by a third target network device;
and sending a subscription abnormal response to the third target network equipment, wherein the subscription abnormal response comprises the detection result.
Optionally, the detection result includes:
an abnormal identifier for indicating whether the terminal is abnormal; and/or
And the abnormal grade identification is used for indicating the abnormal degree of the terminal.
Optionally, the anomaly level identification comprises:
a first anomaly level identification, a second anomaly level identification and a third anomaly level identification; wherein,
the first anomaly level identification indicates that the current behavior data of one terminal, or of fewer than a first threshold number of terminals in the same group, has not left the normal characteristic threshold range of the group to which it belongs but lies in the marginal area of that range;
the second anomaly level identification indicates that the current behavior data of one terminal has left the normal characteristic threshold range of the group to which it belongs;
and the third anomaly level identification indicates that, within the same group, the current behavior data of more than a second threshold number of terminals has left the normal characteristic threshold range of the group.
Optionally, the second transceiver 1902 is further configured to: receiving a primary abnormal identifier sent by a fourth target network device, wherein the fourth target network device comprises at least one of AMF, SMF or PCF;
the second processor 1901 is also configured to:
and carrying out anomaly detection on the target terminal corresponding to the primary anomaly identification through the primary anomaly identification and the grouping information to obtain a detection result.
Optionally, the second transceiver 1902 is further configured to:
sending grouping information to the fourth target network device; and the grouping information indicates the group identification and the feature description information corresponding to each terminal equipment identification.
The NWDAF of the embodiment of the present invention can notify the second target network device of the grouping information (that is, grouping information obtained by grouping the terminals based on the terminal behavior data, where terminals belonging to the same group have the same feature description information), so that the UDR and/or the UDM can store the grouping information for subsequent processing. This avoids the NWDAF storing the grouping information itself, which would occupy resources and affect its working performance. Because the grouping information is obtained according to the terminal behavior data, the terminal behavior can be described by multi-dimensional data, and a more accurate behavior judgment result can be obtained.
As shown in fig. 20, an embodiment of the invention provides an NWDAF 2000 comprising a third processor 2001 and a third transceiver 2002, wherein,
the third transceiver 2002 is configured to send a detection result to a third target network device; the detection result is obtained by performing anomaly detection on the current behavior data of the target terminal based on the grouping information; the grouping information is obtained by grouping the terminals based on the terminal behavior data, and the terminals belonging to the same group have the same feature description information; the third target network device includes: at least one of UDR, UDM, UPF, AMF, SMF, PCF, OAM, or AF.
Optionally, the detection result includes:
an abnormal identifier for indicating whether the terminal is abnormal; and/or
And the abnormal grade identification is used for indicating the abnormal degree of the terminal.
Optionally, the anomaly level identification comprises:
a first anomaly level identification, a second anomaly level identification and a third anomaly level identification; wherein,
the first anomaly level identification indicates that the current behavior data of one terminal, or of fewer than a first threshold number of terminals in the same group, has not left the normal characteristic threshold range of the group to which it belongs but lies in the marginal area of that range;
the second anomaly level identification indicates that the current behavior data of one terminal has left the normal characteristic threshold range of the group to which it belongs;
and the third anomaly level identification indicates that, within the same group, the current behavior data of more than a second threshold number of terminals has left the normal characteristic threshold range of the group.
Optionally, the third transceiver 2002 is further configured to:
sending an exception notification to a third target network device, wherein the exception notification comprises the detection result;
and receiving an abnormity notification confirmation sent by the third target network equipment.
Optionally, the third transceiver 2002 is further configured to:
receiving a subscription abnormal request sent by a third target network device;
and sending a subscription abnormal response to the third target network equipment, wherein the subscription abnormal response comprises the detection result.
Optionally, the third transceiver 2002 is further configured to: receiving a primary abnormal identifier sent by a fourth target network device, wherein the fourth target network device comprises at least one of AMF, SMF or PCF;
the third processor 2001 is configured to: and carrying out anomaly detection on the target terminal corresponding to the primary anomaly identification through the primary anomaly identification and the grouping information to obtain a detection result.
Optionally, the third transceiver 2002 is further configured to:
sending grouping information to the fourth target network device; and the grouping information indicates the group identification and the feature description information corresponding to each terminal equipment identification.
Optionally, the third transceiver 2002 is further configured to:
acquiring terminal behavior data through first target network equipment; wherein the first target network device comprises: at least one of UDR, UDM, UPF, AMF, SMF, PCF, OAM, or AF.
Optionally, the terminal behavior data includes:
geographical location of the terminal, time characteristics, movement law, functional characteristics, packet-sending characteristics, packet size or source-destination address.
Optionally, the grouping information includes: group identification, terminal equipment identification and feature description information of the current grouping; wherein,
the grouping information indicates terminal equipment identification and feature description information corresponding to each group identification; or
The grouping information indicates group identification and feature description information corresponding to each terminal device identification.
Optionally, the third transceiver 2002 is further configured to:
and sending the grouping information to a second target network device, wherein the second target network device comprises the UDR and/or the UDM.
Optionally, the third transceiver 2002 is further configured to:
sending an add/update grouping request to the second target network device, the add/update grouping request including the grouping information;
and receiving the add/update grouping response sent by the second target network equipment.
The NWDAF of the embodiment of the present invention notifies the third target network device of the detection result (i.e., the detection result obtained by performing anomaly detection on the current behavior data of the target terminal based on the grouping information), so that after receiving the detection result, the third target network device can perform effective and targeted management on the target terminal according to a preset anomaly handling policy. Because the detection result is obtained according to the grouping information, the terminal behavior can be described by multi-dimensional data, and a more accurate behavior judgment result can be obtained.
As shown in fig. 21, an embodiment of the present invention further provides an NWDAF 2100, comprising a fourth processor 2101 and a fourth transceiver 2102, wherein,
the fourth processor 2101 is configured to perform anomaly detection on a target terminal corresponding to a primary anomaly identifier according to the primary anomaly identifier and grouping information to obtain a detection result; the grouping information is obtained by grouping the terminals based on the terminal behavior data, and the terminals belonging to the same group have the same feature description information.
Optionally, the fourth transceiver 2102 is configured to:
and receiving the primary abnormal identifier sent by a fourth target network device, wherein the fourth target network device comprises at least one of an AMF, an SMF or a PCF.
Optionally, the fourth transceiver 2102 is further configured to:
sending grouping information to the fourth target network device; and the grouping information indicates the group identification and the feature description information corresponding to each terminal equipment identification.
Optionally, the fourth transceiver 2102 is further configured to:
sending the detection result to a third target network device, where the third target network device includes: at least one of UDR, UDM, UPF, AMF, SMF, PCF, OAM, or AF.
Optionally, the fourth transceiver 2102 is further configured to:
sending an exception notification to a third target network device, wherein the exception notification comprises the detection result;
and receiving an abnormity notification confirmation sent by the third target network equipment.
Optionally, the fourth transceiver 2102 is further configured to:
receiving a subscription abnormal request sent by a third target network device;
and sending a subscription abnormal response to the third target network equipment, wherein the subscription abnormal response comprises the detection result.
Optionally, the detection result includes:
an abnormal identifier for indicating whether the terminal is abnormal; and/or
And the abnormal grade identification is used for indicating the abnormal degree of the terminal.
Optionally, the anomaly level identification comprises:
a first anomaly level identification, a second anomaly level identification and a third anomaly level identification; wherein,
the first anomaly level identification indicates that the current behavior data of one terminal, or of fewer than a first threshold number of terminals in the same group, has not left the normal characteristic threshold range of the group to which it belongs but lies in the marginal area of that range;
the second anomaly level identification indicates that the current behavior data of one terminal has left the normal characteristic threshold range of the group to which it belongs;
and the third anomaly level identification indicates that, within the same group, the current behavior data of more than a second threshold number of terminals has left the normal characteristic threshold range of the group.
Optionally, the fourth transceiver 2102 is further configured to:
acquiring terminal behavior data through first target network equipment; wherein the first target network device comprises: at least one of UDR, UDM, UPF, AMF, SMF, PCF, OAM, or AF.
Optionally, the terminal behavior data includes:
geographical location of the terminal, time characteristics, movement law, functional characteristics, packet-sending characteristics, packet size or source-destination address.
Optionally, the grouping information includes: group identification, terminal equipment identification and feature description information of the current grouping; wherein,
the grouping information indicates terminal equipment identification and feature description information corresponding to each group identification; or
The grouping information indicates group identification and feature description information corresponding to each terminal device identification.
Optionally, the fourth transceiver 2102 is further configured to:
and sending the grouping information to a second target network device, wherein the second target network device comprises the UDR and/or the UDM.
Optionally, the fourth transceiver 2102 is further configured to:
sending an add/update grouping request to the second target network device, the add/update grouping request including the grouping information;
and receiving the add/update grouping response sent by the second target network equipment.
The NWDAF of the embodiment of the present invention performs anomaly detection for a target terminal (the target terminal corresponds to the primary anomaly identifier) in combination with the primary anomaly identifier and grouping information (the grouping information is obtained by grouping terminals based on terminal behavior data, and terminals belonging to the same group have the same feature description information). Moreover, due to the fact that the anomaly detection is based on grouping information obtained by grouping the terminals based on the terminal behavior data, the multidimensional data can depict the terminal behavior to obtain a more accurate behavior judgment result.
As shown in fig. 22, an embodiment of the invention provides a network device 2200 comprising a fifth processor 2201 and a fifth transceiver 2202, wherein,
the fifth transceiver 2202 is configured to receive a detection result of a target terminal sent by a first network device, where the detection result is obtained by performing, by the first network device, anomaly detection on current behavior data of the target terminal based on grouping information; the grouping information is obtained by grouping the terminals based on the terminal behavior data, and the terminals belonging to the same group have the same feature description information.
Optionally, the detection result includes:
an abnormal identifier for indicating whether the terminal is abnormal; and/or
And the abnormal grade identification is used for indicating the abnormal degree of the terminal.
Optionally, the anomaly level identification comprises:
a first anomaly level identification, a second anomaly level identification and a third anomaly level identification; wherein,
the first anomaly level identification indicates that the current behavior data of one terminal, or of fewer than a first threshold number of terminals in the same group, has not left the normal characteristic threshold range of the group to which it belongs but lies in the marginal area of that range;
the second anomaly level identification indicates that the current behavior data of one terminal has left the normal characteristic threshold range of the group to which it belongs;
and the third anomaly level identification indicates that, within the same group, the current behavior data of more than a second threshold number of terminals has left the normal characteristic threshold range of the group.
Optionally, the terminal behavior data includes:
geographical location of the terminal, time characteristics, movement law, functional characteristics, packet-sending characteristics, packet size or source-destination address.
Optionally, the grouping information includes: group identification, terminal equipment identification and feature description information of the current grouping; wherein,
the grouping information indicates terminal equipment identification and feature description information corresponding to each group identification; or
The grouping information indicates group identification and feature description information corresponding to each terminal device identification.
Optionally, the fifth transceiver is further configured to:
receive an anomaly notification sent by the first network device, wherein the anomaly notification comprises the detection result; and
send an anomaly notification confirmation to the first network device.
Optionally, the fifth transceiver 2202 is further configured to:
send an anomaly subscription request to the first network device; and
receive an anomaly subscription response sent by the first network device, wherein the anomaly subscription response comprises the detection result.
Optionally, the fifth processor 2201 is configured to:
manage the target terminal according to a preset exception handling policy, based on the detection result.
Optionally, the second network device is a PCF;
the fifth processor 2201 is further configured to:
make a corresponding policy decision according to the anomaly identifier and/or the anomaly level identifier of the target terminal.
Optionally, the second network device is an AMF;
the fifth processor 2201 is further configured to:
perform corresponding access control, mobility restriction or registration area management according to the anomaly identifier and/or the anomaly level identifier of the target terminal.
Optionally, the second network device is an SMF;
the fifth processor 2201 is further configured to:
perform corresponding session management or policy control according to the anomaly identifier and/or the anomaly level identifier of the target terminal.
Optionally, the second network device is an AMF, an SMF, or a PCF;
the fifth transceiver 2202 is further configured to:
receive grouping information sent by the first network device or a second target network device, wherein the grouping information indicates the group identifier and feature description information corresponding to each terminal device identifier, and the second target network device is a UDR and/or a UDM; and
send a primary anomaly identifier to the first network device when the target terminal is determined to be abnormal according to the grouping information.
Optionally, the second network device is a UDR or a UDM;
the fifth transceiver 2202 is further configured to:
receive the grouping information sent by the first network device.
Optionally, the fifth transceiver 2202 is further configured to:
receive an add/update grouping request sent by the first network device, wherein the add/update grouping request comprises the grouping information; and
send an add/update grouping response to the first network device.
Optionally, the fifth processor 2201 is further configured to:
delete the grouping information of an abnormal terminal that is in the service shutdown state, wherein the abnormal terminal belongs to a group in which the current behavior data of more than a second threshold number of terminals has departed from the normal feature threshold range of the group;
after receiving a terminal registration request, determine whether grouping information exists for the terminal that sent the registration request; and
if not, reject registration and access by the sending terminal; if so, allow registration and access.
Optionally, the fifth transceiver 2202 is further configured to:
send grouping information to at least one of the AMF, the SMF or the PCF, wherein the grouping information indicates the group identifier and feature description information corresponding to each terminal device identifier.
Optionally, the second network device is an AF;
the fifth processor 2201 is further configured to:
perform a corresponding service shutdown or request new QoS resources according to the anomaly identifier and/or the anomaly level identifier of the target terminal.
Optionally, the fifth transceiver 2202 is further configured to:
send terminal behavior data recorded by the terminal to the first network device.
The network device of this embodiment of the present invention receives a detection result sent by a first network device (e.g., an NWDAF). The detection result is obtained by the first network device performing anomaly detection on the current behavior data of a target terminal based on grouping information, and the grouping information is obtained by grouping terminals based on terminal behavior data, with terminals belonging to the same group having the same feature description information. Because terminal behavior can be characterized in multiple dimensions, the detection result is more accurate, which enables effective management afterwards.
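One way to implement the three anomaly levels and the UDR/UDM registration check described above, as an added example that is not taken from the patent. It assumes a single numeric feature per group, a marginal region defined as the outer 10% of the normal range, and hypothetical names (`Group`, `detect`, `GroupingStore`) with constructed sample readings.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Group:
    """Grouping information for one group, reduced to a single numeric feature."""
    group_id: str
    feature: str          # feature description, e.g. "uplink packets per minute"
    low: float            # lower bound of the normal feature threshold range
    high: float           # upper bound of the normal feature threshold range
    margin: float = 0.1   # assumption: outer 10% of the range is the marginal region


def position(group, value):
    """Place one observation relative to the group's normal range."""
    if value < group.low or value > group.high:
        return "out"
    edge = (group.high - group.low) * group.margin
    if value < group.low + edge or value > group.high - edge:
        return "marginal"
    return "normal"


def detect(group, current, first_threshold, second_threshold):
    """Return {terminal_id: anomaly level}; 0 means no anomaly level assigned."""
    where = {tid: position(group, v) for tid, v in current.items()}
    out = [t for t, p in where.items() if p == "out"]
    marginal = [t for t, p in where.items() if p == "marginal"]
    levels = dict.fromkeys(current, 0)
    # Level 3: more than second_threshold terminals of the group are out of
    # range. Otherwise each out-of-range terminal is a level 2 anomaly.
    for tid in out:
        levels[tid] = 3 if len(out) > second_threshold else 2
    # Level 1: one terminal, or fewer than first_threshold terminals, sit in the
    # marginal region. The page does not define the case of first_threshold or
    # more marginal terminals, so this example assigns no level there.
    if len(marginal) == 1 or 0 < len(marginal) < first_threshold:
        for tid in marginal:
            levels[tid] = 1
    return levels


class GroupingStore:
    """Plays the UDR/UDM role: holds grouping information per terminal."""

    def __init__(self):
        self._by_terminal = {}

    def add_or_update(self, terminal_id, group):
        self._by_terminal[terminal_id] = group

    def purge(self, levels, service_shut_down):
        """Delete grouping info of level 3 terminals whose service is shut down."""
        removed = [t for t, lvl in levels.items()
                   if lvl == 3 and t in service_shut_down and t in self._by_terminal]
        for tid in removed:
            del self._by_terminal[tid]
        return sorted(removed)

    def handle_registration(self, terminal_id):
        """Reject registration when no grouping information exists."""
        return "accept" if terminal_id in self._by_terminal else "reject"


# Constructed sample data: a group of smart meters and their current readings.
METERS = Group("g-meter", "uplink packets per minute", low=10, high=50)
CURRENT = {"m1": 30, "m2": 48, "m3": 400, "m4": 390, "m5": 410}


def run_example():
    levels = detect(METERS, CURRENT, first_threshold=3, second_threshold=2)
    store = GroupingStore()
    for tid in CURRENT:
        store.add_or_update(tid, METERS)
    removed = store.purge(levels, service_shut_down={"m3", "m4"})
    decisions = {tid: store.handle_registration(tid)
                 for tid in ["m1", "m3", "m5", "x9"]}
    return levels, removed, decisions


if __name__ == "__main__":
    for part in run_example():
        print(part)
```

Terminal `m5` is a level 3 anomaly but keeps its grouping information because its service has not been shut down, so its registration is still accepted; `x9` was never grouped and is rejected.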
As shown in fig. 23, a network device according to an embodiment of the present invention includes a transceiver 2301, a memory 2302, a processor 2303, and a computer program stored in the memory 2302 and executable on the processor 2303; the processor 2303, when executing the computer program, implements the terminal behavior data processing method as applied to the various embodiments of the first network device, or implements the terminal behavior data processing method as applied to the second network device.
The transceiver 2301 is used for receiving and transmitting data under the control of the processor 2303.
In FIG. 23, the bus architecture may include any number of interconnected buses and bridges, which link together various circuits, specifically one or more processors represented by the processor 2303 and memory represented by the memory 2302. The bus architecture may also link together various other circuits such as peripherals, voltage regulators and power management circuits, which are well known in the art and are therefore not described further herein. The bus interface provides an interface. The transceiver 2301 may be multiple elements, i.e., include a transmitter and a transceiver, providing a means for communicating with various other apparatus over a transmission medium. The processor 2303 is responsible for managing the bus architecture and general processing, and the memory 2302 may store data used by the processor 2303 in performing operations.
Embodiments of the present invention further provide a computer-readable storage medium on which a computer program is stored. When executed by a processor, the computer program implements the steps of the terminal behavior data processing method applied to the first network device in each embodiment, or the steps of the terminal behavior data processing method applied to the second network device, and achieves the same technical effects; to avoid repetition, the steps are not described again here. The computer-readable storage medium may be a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk.
An embodiment of the present invention further provides a terminal behavior data processing system, and as shown in fig. 2, the system includes NWDAF, UDR, UDM, UPF, AMF, SMF, PCF, OAM, and AF that can implement the foregoing embodiments.
The exemplary embodiments described above are described with reference to the drawings, and many different forms and embodiments of the invention may be made without departing from the spirit and teaching of the invention, therefore, the invention is not to be construed as limited to the exemplary embodiments set forth herein. Rather, these exemplary embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the invention to those skilled in the art. In the drawings, the size and relative sizes of elements may be exaggerated for clarity. The terminology used herein is for the purpose of describing particular example embodiments only and is not intended to be limiting. As used herein, the singular forms "a", "an" and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It will be further understood that the terms "comprises" and/or "comprising," when used in this specification, specify the presence of stated features, integers, steps, operations, elements, and/or components, but do not preclude the presence or addition of one or more other features, integers, steps, operations, elements, components, and/or groups thereof. Unless otherwise indicated, a range of values, when stated, includes the upper and lower limits of the range and any subranges therebetween.
While the foregoing is directed to the preferred embodiment of the present invention, it will be understood by those skilled in the art that various changes and modifications may be made without departing from the spirit and scope of the invention as defined in the appended claims.

Claims (79)

1. A terminal behavior data processing method, applied to a first network device, characterized by comprising:
acquiring terminal behavior data through a first target network device; wherein the first target network device comprises: the unified data store (UDR), the user subscription data management (UDM), the user plane function (UPF), the access and mobility management function (AMF), the session management function (SMF), the policy control function (PCF), the operation, maintenance and management (OAM), or the application function (AF).
2. The method according to claim 1, wherein the terminal behavior data includes:
the geographical location of the terminal, time characteristics, movement pattern, functional characteristics, packet-sending characteristics, packet size, or source and destination addresses.
3. The method for processing terminal behavior data according to claim 1, further comprising:
analyzing the terminal behavior data to obtain grouping information, wherein terminals belonging to the same group have the same feature description information.
4. The method according to claim 3, wherein the grouping information comprises: a group identifier, a terminal device identifier and feature description information of the current grouping; wherein
the grouping information indicates the terminal device identifier and feature description information corresponding to each group identifier; or the grouping information indicates the group identifier and feature description information corresponding to each terminal device identifier.
5. The terminal behavior data processing method according to claim 3 or 4, wherein the method further comprises:
sending the grouping information to a second target network device, wherein the second target network device comprises the UDR and/or the UDM.
6. The method according to claim 5, wherein the sending the grouping information to a second target network device comprises:
sending an add/update grouping request to the second target network device, the add/update grouping request including the grouping information;
the method further comprising:
receiving an add/update grouping response sent by the second target network device.
7. The method according to claim 3, wherein the method further comprises:
performing anomaly detection on current behavior data of a target terminal based on the grouping information to obtain a detection result; and
sending the detection result to a third target network device, wherein the third target network device includes: at least one of UDR, UDM, UPF, AMF, SMF, PCF, OAM, or AF.
8. The method according to claim 7, wherein the sending the detection result to a third target network device includes:
sending an anomaly notification to the third target network device, wherein the anomaly notification comprises the detection result;
the method further comprising:
receiving an anomaly notification confirmation sent by the third target network device.
9. The method according to claim 7, wherein before the sending the detection result to a third target network device, the method further comprises:
receiving an anomaly subscription request sent by the third target network device;
and the sending the detection result to the third target network device includes:
sending an anomaly subscription response to the third target network device, wherein the anomaly subscription response comprises the detection result.
10. The method according to claim 7, wherein the detection result comprises:
an anomaly identifier for indicating whether the terminal is abnormal; and/or
an anomaly level identifier for indicating the degree of abnormality of the terminal.
11. The terminal behavior data processing method according to claim 10, wherein the anomaly level identifier comprises:
a first anomaly level identifier, a second anomaly level identifier and a third anomaly level identifier; wherein
the first anomaly level identifier indicates that the current behavior data of one terminal, or of fewer than a first threshold number of terminals in the same group, has not departed from the normal feature threshold range of the group to which it belongs but lies in the marginal region of that range;
the second anomaly level identifier indicates that the current behavior data of one terminal has departed from the normal feature threshold range of the group to which it belongs;
the third anomaly level identifier indicates that, within the same group, the current behavior data of more than a second threshold number of terminals has departed from the normal feature threshold range of that group.
12. The method according to claim 7, wherein before the performing anomaly detection on the current behavior data of the target terminal based on the grouping information to obtain a detection result, the method further comprises:
receiving a primary anomaly identifier sent by a fourth target network device, wherein the fourth target network device comprises at least one of AMF, SMF or PCF;
and the performing anomaly detection on the current behavior data of the target terminal based on the grouping information to obtain a detection result comprises:
performing anomaly detection, using the primary anomaly identifier and the grouping information, on the target terminal corresponding to the primary anomaly identifier, to obtain the detection result.
13. The method according to claim 12, further comprising, before the receiving the primary anomaly identifier sent by the fourth target network device:
sending grouping information to the fourth target network device, wherein the grouping information indicates the group identifier and feature description information corresponding to each terminal device identifier.
14. The terminal behavior data processing method according to claim 1, wherein the first network device comprises a network data analysis function (NWDAF).
15. A terminal behavior data processing method, applied to a first network device, characterized by comprising:
sending grouping information to a second target network device; wherein the second target network device comprises a UDR and/or a UDM; the grouping information is obtained by grouping terminals based on terminal behavior data, and terminals belonging to the same group have the same feature description information.
16. The method according to claim 15, wherein the terminal behavior data includes:
the geographical location of the terminal, time characteristics, movement pattern, functional characteristics, packet-sending characteristics, packet size, or source and destination addresses.
17. The method according to claim 15, wherein the grouping information comprises: a group identifier, a terminal device identifier and feature description information of the current grouping; wherein
the grouping information indicates the terminal device identifier and feature description information corresponding to each group identifier; or the grouping information indicates the group identifier and feature description information corresponding to each terminal device identifier.
18. The method for processing terminal behavior data according to claim 15, wherein the sending the grouping information to the second target network device comprises:
sending an add/update grouping request to the second target network device, the add/update grouping request including the grouping information;
the method further comprising:
receiving an add/update grouping response sent by the second target network device.
19. The method for processing terminal behavior data according to claim 15, further comprising, before the sending the grouping information to the second target network device:
acquiring terminal behavior data through a first target network device; wherein the first target network device comprises: at least one of UDR, UDM, UPF, AMF, SMF, PCF, OAM, or AF.
20. The method according to claim 15, wherein the method further comprises:
performing anomaly detection on current behavior data of a target terminal based on the grouping information to obtain a detection result; and
sending the detection result to a third target network device, wherein the third target network device includes: at least one of UDR, UDM, UPF, AMF, SMF, PCF, OAM, or AF.
21. The method as claimed in claim 20, wherein the sending the detection result to a third target network device comprises:
sending an anomaly notification to the third target network device, wherein the anomaly notification comprises the detection result;
the method further comprising:
receiving an anomaly notification confirmation sent by the third target network device.
22. The method according to claim 20, wherein before the sending the detection result to a third target network device, the method further comprises:
receiving an anomaly subscription request sent by the third target network device;
and the sending the detection result to the third target network device includes:
sending an anomaly subscription response to the third target network device, wherein the anomaly subscription response comprises the detection result.
23. The method according to claim 20, wherein the detection result comprises:
an anomaly identifier for indicating whether the terminal is abnormal; and/or
an anomaly level identifier for indicating the degree of abnormality of the terminal.
24. The terminal behavior data processing method according to claim 20, wherein the anomaly level identifier comprises:
a first anomaly level identifier, a second anomaly level identifier and a third anomaly level identifier; wherein
the first anomaly level identifier indicates that the current behavior data of one terminal, or of fewer than a first threshold number of terminals in the same group, has not departed from the normal feature threshold range of the group to which it belongs but lies in the marginal region of that range;
the second anomaly level identifier indicates that the current behavior data of one terminal has departed from the normal feature threshold range of the group to which it belongs;
the third anomaly level identifier indicates that, within the same group, the current behavior data of more than a second threshold number of terminals has departed from the normal feature threshold range of that group.
25. The method according to claim 20, wherein before the performing anomaly detection on the current behavior data of the target terminal based on the grouping information to obtain a detection result, the method further comprises:
receiving a primary anomaly identifier sent by a fourth target network device, wherein the fourth target network device comprises at least one of AMF, SMF or PCF;
and the performing anomaly detection on the current behavior data of the target terminal based on the grouping information to obtain a detection result comprises:
performing anomaly detection, using the primary anomaly identifier and the grouping information, on the target terminal corresponding to the primary anomaly identifier, to obtain the detection result.
26. The method according to claim 25, further comprising, before the receiving the primary anomaly identifier sent by the fourth target network device:
sending grouping information to the fourth target network device, wherein the grouping information indicates the group identifier and feature description information corresponding to each terminal device identifier.
27. The terminal behavior data processing method of claim 15, wherein the first network device comprises an NWDAF.
28. A terminal behavior data processing method, applied to a first network device, characterized by comprising:
sending a detection result to a third target network device; wherein the detection result is obtained by performing anomaly detection on current behavior data of a target terminal based on grouping information; the grouping information is obtained by grouping terminals based on terminal behavior data, and terminals belonging to the same group have the same feature description information; the third target network device includes: at least one of UDR, UDM, UPF, AMF, SMF, PCF, OAM, or AF.
29. The method according to claim 28, wherein the detection result comprises:
an anomaly identifier for indicating whether the terminal is abnormal; and/or
an anomaly level identifier for indicating the degree of abnormality of the terminal.
30. The terminal behavior data processing method according to claim 29, wherein the anomaly level identifier comprises:
a first anomaly level identifier, a second anomaly level identifier and a third anomaly level identifier; wherein
the first anomaly level identifier indicates that the current behavior data of one terminal, or of fewer than a first threshold number of terminals in the same group, has not departed from the normal feature threshold range of the group to which it belongs but lies in the marginal region of that range;
the second anomaly level identifier indicates that the current behavior data of one terminal has departed from the normal feature threshold range of the group to which it belongs;
the third anomaly level identifier indicates that, within the same group, the current behavior data of more than a second threshold number of terminals has departed from the normal feature threshold range of that group.
31. The method as claimed in claim 28, wherein the sending the detection result to a third target network device comprises:
sending an anomaly notification to the third target network device, wherein the anomaly notification comprises the detection result;
the method further comprising:
receiving an anomaly notification confirmation sent by the third target network device.
32. The method of claim 28, wherein before the sending the detection result to the third target network device, the method further comprises:
receiving an anomaly subscription request sent by the third target network device;
and the sending the detection result to the third target network device includes:
sending an anomaly subscription response to the third target network device, wherein the anomaly subscription response comprises the detection result.
33. The method for processing terminal behavior data according to claim 28, further comprising, before the sending the detection result to the third target network device:
receiving a primary anomaly identifier sent by a fourth target network device, wherein the fourth target network device comprises at least one of AMF, SMF or PCF; and
performing anomaly detection, using the primary anomaly identifier and the grouping information, on the target terminal corresponding to the primary anomaly identifier, to obtain the detection result.
34. The method according to claim 33, wherein before the receiving the primary anomaly identifier sent by the fourth target network device, the method further comprises:
sending grouping information to the fourth target network device, wherein the grouping information indicates the group identifier and feature description information corresponding to each terminal device identifier.
35. The method for processing terminal behavior data according to claim 28, further comprising, before the sending the detection result to the third target network device:
acquiring terminal behavior data through a first target network device; wherein the first target network device comprises: at least one of UDR, UDM, UPF, AMF, SMF, PCF, OAM, or AF.
36. The method according to claim 28, wherein the terminal behavior data includes:
the geographical location of the terminal, time characteristics, movement pattern, functional characteristics, packet-sending characteristics, packet size, or source and destination addresses.
37. The method according to claim 28, wherein the grouping information includes: a group identifier, a terminal device identifier and feature description information of the current grouping; wherein
the grouping information indicates the terminal device identifier and feature description information corresponding to each group identifier; or the grouping information indicates the group identifier and feature description information corresponding to each terminal device identifier.
38. The terminal behavior data processing method according to claim 28 or 37, wherein the method further comprises:
sending the grouping information to a second target network device, wherein the second target network device comprises the UDR and/or the UDM.
39. The method of claim 38, wherein the sending the grouping information to a second target network device comprises:
sending an add/update grouping request to the second target network device, the add/update grouping request including the grouping information;
the method further comprising:
receiving an add/update grouping response sent by the second target network device.
40. The terminal behavior data processing method of claim 28, wherein the first network device comprises an NWDAF.
41. A terminal behavior data processing method, applied to a first network device, characterized by comprising:
performing anomaly detection, using a primary anomaly identifier and grouping information, on a target terminal corresponding to the primary anomaly identifier, to obtain a detection result; wherein the grouping information is obtained by grouping terminals based on terminal behavior data, and terminals belonging to the same group have the same feature description information.
42. The method according to claim 41, wherein before the performing anomaly detection, using the primary anomaly identifier and the grouping information, on the target terminal corresponding to the primary anomaly identifier to obtain a detection result, the method further comprises:
receiving the primary anomaly identifier sent by a fourth target network device, wherein the fourth target network device comprises at least one of an AMF, an SMF or a PCF.
43. The method for processing terminal behavior data according to claim 42, further comprising, before the receiving the primary anomaly identifier sent by the fourth target network device:
sending grouping information to the fourth target network device, wherein the grouping information indicates the group identifier and feature description information corresponding to each terminal device identifier.
44. The method of processing terminal behavior data according to claim 41, further comprising:
sending the detection result to a third target network device, wherein the third target network device includes: at least one of UDR, UDM, UPF, AMF, SMF, PCF, OAM, or AF.
45. The method of claim 44, wherein the sending the detection result to a third target network device comprises:
sending an anomaly notification to the third target network device, wherein the anomaly notification comprises the detection result;
the method further comprising:
receiving an anomaly notification confirmation sent by the third target network device.
46. The method of claim 44, wherein before the sending the detection result to a third target network device, the method further comprises:
receiving an anomaly subscription request sent by the third target network device;
and the sending the detection result to the third target network device includes:
sending an anomaly subscription response to the third target network device, wherein the anomaly subscription response comprises the detection result.
47. The method according to claim 41, wherein the detection result comprises:
an anomaly identifier for indicating whether the terminal is abnormal; and/or
an anomaly level identifier for indicating the degree of abnormality of the terminal.
48. The method according to claim 47, wherein the anomaly level identifier comprises:
a first anomaly level identifier, a second anomaly level identifier and a third anomaly level identifier; wherein
the first anomaly level identifier indicates that the current behavior data of one terminal, or of fewer than a first threshold number of terminals in the same group, has not departed from the normal feature threshold range of the group to which it belongs but lies in the marginal region of that range;
the second anomaly level identifier indicates that the current behavior data of one terminal has departed from the normal feature threshold range of the group to which it belongs;
the third anomaly level identifier indicates that, within the same group, the current behavior data of more than a second threshold number of terminals has departed from the normal feature threshold range of that group.
49. The method according to claim 41, wherein before the performing anomaly detection, using the primary anomaly identifier and the grouping information, on the target terminal corresponding to the primary anomaly identifier to obtain a detection result, the method further comprises:
acquiring terminal behavior data through a first target network device; wherein the first target network device comprises: at least one of UDR, UDM, UPF, AMF, SMF, PCF, OAM, or AF.
50. The method according to claim 41, wherein the terminal behavior data includes:
the geographical location of the terminal, time characteristics, movement pattern, functional characteristics, packet-sending characteristics, packet size, or source and destination addresses.
51. The method according to claim 41, wherein the grouping information comprises: a group identifier, a terminal device identifier and feature description information of the current grouping; wherein
the grouping information indicates the terminal device identifier and feature description information corresponding to each group identifier; or the grouping information indicates the group identifier and feature description information corresponding to each terminal device identifier.
52. The method for processing terminal behavior data according to claim 41 or 51, wherein the method further comprises:
and sending the grouping information to a second target network device, wherein the second target network device comprises the UDR and/or the UDM.
53. The method of claim 52, wherein the sending the grouping information to a second target network device comprises:
sending an add/update grouping request to the second target network device, the add/update grouping request including the grouping information;
the method further comprises the following steps:
and receiving the add/update grouping response sent by the second target network equipment.
54. The terminal behavior data processing method of claim 41, wherein the first network device comprises an NWDAF.
55. A terminal behavior data processing method is applied to a second network device, and is characterized by comprising the following steps:
receiving a detection result of a target terminal sent by first network equipment, wherein the detection result is obtained by performing anomaly detection on current behavior data of the target terminal by the first network equipment based on grouping information; the grouping information is obtained by grouping the terminals based on the terminal behavior data, and the terminals belonging to the same group have the same feature description information.
56. The method according to claim 55, wherein the detection result comprises:
an abnormal identifier for indicating whether the terminal is abnormal; and/or
an abnormal grade identifier for indicating the abnormal degree of the terminal.
57. The method according to claim 56, wherein the anomaly level identifier comprises:
a first anomaly level identification, a second anomaly level identification and a third anomaly level identification; wherein,
the first abnormal grade mark is used for indicating that the current behavior data of a terminal, or of fewer than a first threshold number of terminals in the same group, does not deviate from the normal characteristic threshold range of the group to which it belongs, but is in the marginal area of the normal characteristic threshold range;
the second abnormal grade mark is used for indicating that the current behavior data of a terminal deviates from the normal characteristic threshold range of the group to which the terminal belongs;
and the third abnormal grade mark is used for indicating that, in the same group, more than a second threshold number of terminals have current behavior data that is out of the normal characteristic threshold range of the group.
58. The method of claim 55, wherein the terminal behavior data comprises:
geographical location of the terminal, time characteristics, movement law, functional characteristics, packet-sending characteristics, packet size or source-destination address.
59. The method according to claim 55, wherein the grouping information comprises: group identification, terminal equipment identification and feature description information of the current grouping; wherein,
the grouping information indicates terminal equipment identification and feature description information corresponding to each group identification; or the grouping information indicates the group identification and the feature description information corresponding to each terminal equipment identification.
60. The method of claim 55, wherein the receiving the detection result of the target terminal sent by the first network device comprises:
receiving an exception notification sent by the first network device, wherein the exception notification comprises the detection result;
the method further comprises the following steps:
and sending an abnormal notification confirmation to the first network equipment.
61. The method for processing terminal behavior data according to claim 55, further comprising, before the receiving the detection result of the target terminal sent by the first network device:
sending a subscription exception request to the first network device;
the receiving a detection result of the target terminal sent by the first network device includes:
and receiving a subscription abnormal response sent by the first network equipment, wherein the subscription abnormal response comprises the detection result.
62. The method for processing terminal behavior data according to claim 55, further comprising, after the receiving the detection result of the target terminal sent by the first network device:
and managing the target terminal according to the detection result and a preset exception handling strategy.
63. The method of claim 62, wherein the second network device is a PCF;
the managing the target terminal according to the detection result and a preset exception handling strategy comprises the following steps:
and carrying out corresponding strategy decision according to the abnormal identifier and/or the abnormal grade identifier of the target terminal.
64. The method according to claim 62, wherein the second network device is an AMF;
the managing the target terminal according to the detection result and a preset exception handling strategy comprises the following steps:
and performing corresponding access control, mobility restriction or registration area management according to the abnormal identifier and/or the abnormal grade identifier of the target terminal.
65. The method of claim 62, wherein the second network device is an SMF;
the managing the target terminal according to the detection result and a preset exception handling strategy comprises the following steps:
and performing corresponding session management or policy control according to the abnormal identifier and/or the abnormal grade identifier of the target terminal.
66. The method of claim 62, wherein the second network device is an AMF, an SMF, or a PCF;
before managing the target terminal according to the detection result and a preset exception handling strategy, the method further includes:
receiving grouping information sent by the first network equipment or the second target network equipment; the grouping information indicates group identification and feature description information corresponding to each terminal equipment identification; the second target network device is a UDR and/or a UDM;
and sending a primary abnormal identifier to the first network equipment under the condition that the target terminal is determined to be abnormal according to the grouping information.
67. The method of claim 55, wherein the second network device is a UDR or UDM;
before the receiving of the detection result of the target terminal sent by the first network device, the method further includes:
and receiving the grouping information sent by the first network equipment.
68. The method according to claim 67, wherein the receiving the grouping information sent by the first network device comprises:
receiving an add/update grouping request sent by the first network device, wherein the add/update grouping request comprises the grouping information;
the method further comprises the following steps:
sending an add/update grouping response to the first network device.
69. The method of processing terminal behavior data according to claim 67, further comprising:
deleting the grouping information of an abnormal terminal in the service shutdown state; wherein the abnormal terminal belongs to a group in which more than a second threshold number of terminals have current behavior data that deviates from the normal characteristic threshold range of the group;
after receiving a terminal registration request, judging whether grouping information of the sending terminal of the terminal registration request exists;
if not, rejecting registration and access by the sending terminal; if so, performing registration and access.
70. The method of processing terminal behavior data according to claim 67, further comprising:
and sending grouping information to at least one of the AMF, the SMF or the PCF, wherein the grouping information indicates the group identification and the feature description information corresponding to each terminal equipment identification.
71. The method according to claim 62, wherein the second network device is an AF;
the managing the target terminal according to the detection result and a preset exception handling strategy comprises the following steps:
and according to the abnormal identifier and/or the abnormal grade identifier of the target terminal, performing corresponding service shutdown or requesting new QoS resources.
72. The method of claim 65, wherein the method further comprises:
and sending the terminal behavior data recorded by the terminal to the first network equipment.
73. An NWDAF comprising a first processor and a first transceiver, wherein,
the first transceiver is used for acquiring terminal behavior data through first target network equipment; wherein the first target network device comprises: the unified data store UDR, the user subscription data management UDM, the user plane function UPF, the access and mobility management function AMF, the session management function SMF, the policy control function PCF, the operation, maintenance and management OAM, or the application function AF.
74. An NWDAF comprising a second processor and a second transceiver, wherein,
the second transceiver is used for sending the grouping information to a second target network device; wherein the second target network device comprises a UDR and/or a UDM; the grouping information is obtained by grouping the terminals based on the terminal behavior data, and the terminals belonging to the same group have the same feature description information.
75. An NWDAF comprising a third processor and a third transceiver, wherein,
the third transceiver is used for sending a detection result to a third target network device; the detection result is obtained by performing anomaly detection on the current behavior data of the target terminal based on the grouping information; the grouping information is obtained by grouping the terminals based on the terminal behavior data, and the terminals belonging to the same group have the same feature description information; the third target network device includes: at least one of UDR, UDM, UPF, AMF, SMF, PCF, OAM, or AF.
76. An NWDAF comprising a fourth processor and a fourth transceiver, wherein,
the fourth processor is used for carrying out anomaly detection on the target terminal corresponding to the primary anomaly identification through the primary anomaly identification and the grouping information to obtain a detection result; the grouping information is obtained by grouping the terminals based on the terminal behavior data, and the terminals belonging to the same group have the same feature description information.
77. A network device comprising a fifth processor and a fifth transceiver, wherein,
the fifth transceiver is configured to receive a detection result of the target terminal sent by the first network device, where the detection result is obtained by performing, by the first network device, anomaly detection on current behavior data of the target terminal based on grouping information; the grouping information is obtained by grouping the terminals based on the terminal behavior data, and the terminals belonging to the same group have the same feature description information.
78. A network device comprising a transceiver, a memory, a processor, and a computer program stored on the memory and executable on the processor; characterized in that the processor implements the terminal behavior data processing method according to any one of claims 1 to 14, or implements the terminal behavior data processing method according to any one of claims 15 to 27, or implements the terminal behavior data processing method according to any one of claims 28 to 40, or implements the terminal behavior data processing method according to any one of claims 41 to 54, or implements the terminal behavior data processing method according to any one of claims 55 to 72 when executing the computer program.
79. A computer-readable storage medium, on which a computer program is stored, which, when being executed by a processor, carries out the steps in the terminal behavior data processing method according to any one of claims 1 to 14, or the steps in the terminal behavior data processing method according to any one of claims 15 to 27, or the steps in the terminal behavior data processing method according to any one of claims 28 to 40, or the steps in the terminal behavior data processing method according to any one of claims 41 to 54, or the steps in the terminal behavior data processing method according to any one of claims 55 to 72.
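The three-level grading of claim 57 and the UDR/UDM registration gate of claim 69, worked through as an added Python illustration that is not taken from the patent. The single scalar feature, the margin width, the numeric level codes, the `UNGRADED` case, the class and function names and all sample values are assumptions.

```python
from dataclasses import dataclass, field

# Assumed numeric codes for the anomaly level identifiers of claim 57.
UNGRADED, NORMAL, LEVEL_1, LEVEL_2, LEVEL_3 = -1, 0, 1, 2, 3

@dataclass
class Group:
    group_id: str
    low: float      # lower bound of the group's normal feature threshold range
    high: float     # upper bound of that range
    margin: float   # assumed width of the marginal area just inside each bound
    members: set = field(default_factory=set)

def position(group, value):
    """Place one terminal's current value: 'out', 'edge' or 'inside'."""
    if value < group.low or value > group.high:
        return "out"
    if value < group.low + group.margin or value > group.high - group.margin:
        return "edge"
    return "inside"

def grade_group(group, current, first_threshold, second_threshold):
    """Return {terminal_id: level} for the members that reported a value."""
    pos = {t: position(group, current[t]) for t in group.members if t in current}
    n_out = sum(p == "out" for p in pos.values())
    n_edge = sum(p == "edge" for p in pos.values())
    levels = {}
    for t, p in pos.items():
        if p == "out":
            # Third level: more than second_threshold terminals of the group are out.
            levels[t] = LEVEL_3 if n_out > second_threshold else LEVEL_2
        elif p == "edge":
            # Claim 57 covers fewer than first_threshold edge terminals only.
            levels[t] = LEVEL_1 if n_edge < first_threshold else UNGRADED
        else:
            levels[t] = NORMAL
    return levels

class GroupingStore:
    """Stand-in for the grouping records held by the UDR/UDM (claims 67 to 69)."""
    def __init__(self):
        self.records = {}  # terminal id -> group id

    def add_or_update(self, group):
        for t in group.members:
            self.records[t] = group.group_id

    def purge_shut_down(self, levels, shut_down):
        """Delete grouping info of third-level terminals whose service is shut down."""
        removed = {t for t, lv in levels.items() if lv == LEVEL_3 and t in shut_down}
        for t in removed:
            self.records.pop(t, None)
        return removed

    def handle_registration(self, terminal_id):
        """Registration is accepted only if grouping info exists for the sender."""
        return "accept" if terminal_id in self.records else "reject"

def demo():
    # Constructed sample: packets per minute reported by five meters and two cameras.
    meters = Group("meters", low=10, high=50, margin=5, members={"m1", "m2", "m3", "m4", "m5"})
    cams = Group("cams", low=100, high=500, margin=20, members={"c1", "c2"})
    current = {"m1": 30, "m2": 47, "m3": 90, "m4": 120, "m5": 200, "c1": 300, "c2": 900}
    store = GroupingStore()
    levels = {}
    for g in (meters, cams):
        store.add_or_update(g)
        levels.update(grade_group(g, current, first_threshold=2, second_threshold=2))
    removed = store.purge_shut_down(levels, shut_down={"m3", "m4"})
    decisions = {t: store.handle_registration(t) for t in ("m1", "m3", "m5", "x9")}
    return levels, removed, decisions

if __name__ == "__main__":
    print(demo())
```

In the sample, `m5` is graded at the third level but still registers, because claim 69 deletes grouping information only for abnormal terminals in the service shutdown state.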
CN201810911341.2A 2018-08-10 2018-08-10 Terminal behavior data processing method and equipment Active CN110830422B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810911341.2A CN110830422B (en) 2018-08-10 2018-08-10 Terminal behavior data processing method and equipment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201810911341.2A CN110830422B (en) 2018-08-10 2018-08-10 Terminal behavior data processing method and equipment

Publications (2)

Publication Number Publication Date
CN110830422A true CN110830422A (en) 2020-02-21
CN110830422B CN110830422B (en) 2022-04-01

Family

ID=69541451

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201810911341.2A Active CN110830422B (en) 2018-08-10 2018-08-10 Terminal behavior data processing method and equipment

Country Status (1)

Country Link
CN (1) CN110830422B (en)

Cited By (14)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112134730A (en) * 2020-09-07 2020-12-25 广州爱浦路网络技术有限公司 Network data acquisition method and device
WO2021204199A1 (en) * 2020-04-09 2021-10-14 中国移动通信有限公司研究院 Terminal mobility monitoring method and device
WO2021212990A1 (en) * 2020-04-20 2021-10-28 华为技术有限公司 Authentication event processing method and apparatus, and system
CN113613279A (en) * 2021-08-06 2021-11-05 中国电信股份有限公司 Routing strategy generation method and related equipment
WO2022001555A1 (en) * 2020-06-30 2022-01-06 中兴通讯股份有限公司 Wireless resource management method, storage medium, and electronic device
WO2022027492A1 (en) * 2020-08-06 2022-02-10 华为技术有限公司 Communication method, device and system
CN114338392A (en) * 2020-09-29 2022-04-12 中国电信股份有限公司 Network data analysis method and network data analysis functional entity
WO2022083226A1 (en) * 2020-10-21 2022-04-28 中兴通讯股份有限公司 Anomaly identification method and system, storage medium and electronic device
WO2022089130A1 (en) * 2020-10-30 2022-05-05 华为技术有限公司 Method and apparatus for controlling abnormal terminal
US20220247779A1 (en) * 2021-02-04 2022-08-04 Oracle International Corporation METHODS, SYSTEMS, AND COMPUTER READABLE MEDIA FOR MITIGATING DENIAL OF SERVICE (DoS) ATTACKS AT NETWORK FUNCTIONS (NFs)
WO2022206252A1 (en) * 2021-04-02 2022-10-06 腾讯科技(深圳)有限公司 Network attack processing method and apparatus, and device, computer-readable storage medium and computer program product
WO2022228417A1 (en) * 2021-04-26 2022-11-03 中国移动通信有限公司研究院 User data disaster tolerance method and apparatus, network element device, and storage medium
WO2024012542A1 (en) * 2022-07-14 2024-01-18 中兴通讯股份有限公司 Subscription information processing method and apparatus, device, and storage medium
WO2024027427A1 (en) * 2022-07-30 2024-02-08 华为技术有限公司 Anomaly detection method and communication apparatus

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102427409A (en) * 2012-01-31 2012-04-25 迈普通信技术股份有限公司 Configuration data submission method based on network configuration (NETCONF) protocol and server thereof
CN104144069A (en) * 2013-05-10 2014-11-12 中国电信股份有限公司 Method and device for correlating wireless side call data records and user service behaviors
US20160088540A1 (en) * 2013-06-03 2016-03-24 Huawei Technologies Co., Ltd. Method for Handover Without Default Bearer and Device
CN105813079A (en) * 2016-05-17 2016-07-27 工业和信息化部电信研究院 Terminal access method
CN106937323A (en) * 2015-12-30 2017-07-07 华为技术有限公司 The monitoring method and relevant device of a kind of user terminal quantity
CN107295499A (en) * 2016-04-01 2017-10-24 中兴通讯股份有限公司 Mobile communcations system and paging method
CN107888498A (en) * 2016-09-29 2018-04-06 中兴通讯股份有限公司 Realize the method and device and network element and device of user plane functions management
US20180227743A1 (en) * 2017-02-06 2018-08-09 Qualcomm Incorporated Mechanism to enable optimized user plane anchoring for minimization of user plane relocation due to user equipment mobility

Patent Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102427409A (en) * 2012-01-31 2012-04-25 迈普通信技术股份有限公司 Configuration data submission method based on network configuration (NETCONF) protocol and server thereof
CN104144069A (en) * 2013-05-10 2014-11-12 中国电信股份有限公司 Method and device for correlating wireless side call data records and user service behaviors
US20160088540A1 (en) * 2013-06-03 2016-03-24 Huawei Technologies Co., Ltd. Method for Handover Without Default Bearer and Device
CN106937323A (en) * 2015-12-30 2017-07-07 华为技术有限公司 The monitoring method and relevant device of a kind of user terminal quantity
CN107295499A (en) * 2016-04-01 2017-10-24 中兴通讯股份有限公司 Mobile communcations system and paging method
CN105813079A (en) * 2016-05-17 2016-07-27 工业和信息化部电信研究院 Terminal access method
CN107888498A (en) * 2016-09-29 2018-04-06 中兴通讯股份有限公司 Realize the method and device and network element and device of user plane functions management
US20180227743A1 (en) * 2017-02-06 2018-08-09 Qualcomm Incorporated Mechanism to enable optimized user plane anchoring for minimization of user plane relocation due to user equipment mobility

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
3RD GENERATION PARTNERSHIP PROJECT: "《System architecture for the 5G System》", 《3GPP TS 23.501 V15.1.0》 *

Cited By (15)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2021204199A1 (en) * 2020-04-09 2021-10-14 中国移动通信有限公司研究院 Terminal mobility monitoring method and device
WO2021212990A1 (en) * 2020-04-20 2021-10-28 华为技术有限公司 Authentication event processing method and apparatus, and system
WO2022001555A1 (en) * 2020-06-30 2022-01-06 中兴通讯股份有限公司 Wireless resource management method, storage medium, and electronic device
WO2022027492A1 (en) * 2020-08-06 2022-02-10 华为技术有限公司 Communication method, device and system
CN112134730A (en) * 2020-09-07 2020-12-25 广州爱浦路网络技术有限公司 Network data acquisition method and device
CN114338392A (en) * 2020-09-29 2022-04-12 中国电信股份有限公司 Network data analysis method and network data analysis functional entity
WO2022083226A1 (en) * 2020-10-21 2022-04-28 中兴通讯股份有限公司 Anomaly identification method and system, storage medium and electronic device
WO2022089130A1 (en) * 2020-10-30 2022-05-05 华为技术有限公司 Method and apparatus for controlling abnormal terminal
US20220247779A1 (en) * 2021-02-04 2022-08-04 Oracle International Corporation METHODS, SYSTEMS, AND COMPUTER READABLE MEDIA FOR MITIGATING DENIAL OF SERVICE (DoS) ATTACKS AT NETWORK FUNCTIONS (NFs)
US11582258B2 (en) * 2021-02-04 2023-02-14 Oracle International Corporation Methods, systems, and computer readable media for mitigating denial of service (DoS) attacks at network functions (NFs)
WO2022206252A1 (en) * 2021-04-02 2022-10-06 腾讯科技(深圳)有限公司 Network attack processing method and apparatus, and device, computer-readable storage medium and computer program product
WO2022228417A1 (en) * 2021-04-26 2022-11-03 中国移动通信有限公司研究院 User data disaster tolerance method and apparatus, network element device, and storage medium
CN113613279A (en) * 2021-08-06 2021-11-05 中国电信股份有限公司 Routing strategy generation method and related equipment
WO2024012542A1 (en) * 2022-07-14 2024-01-18 中兴通讯股份有限公司 Subscription information processing method and apparatus, device, and storage medium
WO2024027427A1 (en) * 2022-07-30 2024-02-08 华为技术有限公司 Anomaly detection method and communication apparatus

Also Published As

Publication number Publication date
CN110830422B (en) 2022-04-01

Similar Documents

Publication Publication Date Title
CN110830422B (en) Terminal behavior data processing method and equipment
EP3850889B1 (en) Quality of service information notification to user equipment, users, and application server
US11758416B2 (en) System and method of network policy optimization
WO2019192366A1 (en) Method and device for managing and controlling terminal ue
WO2019149080A1 (en) Method and apparatus for acquiring link quality
US11463915B2 (en) Systems and methods for exposing custom per flow descriptor attributes
US20170251385A1 (en) Telecommunication networks
US9220031B2 (en) Access control method and device
US10292152B2 (en) Cache-based data transmission methods and apparatuses
WO2016033979A1 (en) Processing method, device and system for user service provision
US11855864B2 (en) Method and apparatus for collecting network traffic in wireless communication system
KR20140046004A (en) Mobile communications device and method
CN112469044B (en) Edge access control method and controller for heterogeneous terminal
Li et al. An MEC-based DoS attack detection mechanism for C-V2X networks
US10129079B2 (en) Telecommunications system and method
Xu et al. Toward software defined dynamic defense as a service for 5G-enabled vehicular networks
CN106572482B (en) Parameter configuration method and device and core network self-configuration self-optimization platform
US20210409981A1 (en) Adaptive network data collection and composition
WO2020063661A1 (en) Flow congestion monitoring method and device
CN111277552B (en) Method, device and storage medium for identifying direct signaling security threat
US20170013524A1 (en) Methods and system in user service enhancement for roaming in wireless mesh networks
CN108882282A (en) It is a kind of for the detection and the response method that newly flow attack in SDWSNs
WO2017157255A1 (en) Local breakout-based data interception method and device
CN114079581B (en) Service processing method, system, computing device and storage medium based on PCC
WO2018092120A1 (en) A system and method for optimizing communication between civilian and different dispatchers

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant