KR20170081491A - Method and communication system for providing dynamic messaging security in asymmetric multi mobile data network - Google Patents

Publication number
KR20170081491A
Authority
KR
South Korea
Prior art keywords
message
keyword
security
data
network
Prior art date
Application number
KR1020160000585A
Other languages
Korean (ko)
Other versions
KR102011403B1 (en
Inventor
유치훈
Original Assignee
주식회사 케이티
Application filed by 주식회사 케이티
Priority to KR1020160000585A
Publication of KR20170081491A
Application granted
Publication of KR102011403B1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L51/00 User-to-user messaging in packet-switching networks, transmitted according to store-and-forward or real-time protocols, e.g. e-mail
    • H04L51/07 User-to-user messaging in packet-switching networks, transmitted according to store-and-forward or real-time protocols, e.g. e-mail, characterised by the inclusion of specific contents
    • H04L51/18 Commands or executable codes
    • H04L51/12
    • H04L51/38
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/08 Access security
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W4/00 Services specially adapted for wireless communication networks; Facilities therefor
    • H04W4/12 Messaging; Mailboxes; Announcements
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2209/00 Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/04 Masking or blinding

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Mobile Radio Communication Systems (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

A method for providing dynamic messaging security and a communication system implementing it are provided. The method is performed by a communication system of an asymmetric multi-mobile data network that includes a plurality of networks of different scales and roles: a private (dedicated) network providing a transmission/reception path for company business-related data, a public network providing a transmission/reception path for personal data, and an IMS network providing call and message services. The method includes: generating and storing task type data for each user from packets transmitted and received in the dedicated network; when message transmission is requested by a calling terminal, determining whether data included in the message is included in the task type data; if it is, performing the specified security processing on the message; and transmitting the security-processed message to the called terminal.

Figure P1020160000585

Description

TECHNICAL FIELD [0001] The present invention relates to a dynamic messaging security providing method in an asymmetric multi-mobile data network, and a communication system implementing the method.

Mobile networks have rapidly evolved into 3G and Long Term Evolution (LTE), and many mobile services are now available on LTE networks to most mobile users.

In recent years, mobile networks have been split off to form private networks, and mobile access service is provided to a user according to the network the user is connected to. If such a mobile network is built at a corporate headquarters or business site, company data can be kept apart from the data individuals use, and the physical network separation brings many security benefits.

A mobile network can be separated as a whole, including the base station, the evolved packet core (EPC), and the data network. Alternatively, the base stations and EPC can use existing public network facilities while only the data network is separated, in order to bill mobile data separately and enhance security. Such a scheme is configured to interwork with multiple data networks through a plurality of packet gateways (P-gateways) on the LTE network. In this structure the data network accessed differs according to the situation: for example, a user uses the public data network normally and, inside the company, uses the company's private network, whose security is enhanced.

However, because the LTE network only defines packet data exchange, messaging service is provided as IP data over the IMS (IP Multimedia Subsystem), as in RCS (Rich Communication Service). On LTE terminals, messaging is performed in the form of an IM (Instant Message) through the IMS, and the existing SMS (Short Message Service) / MMS (Multimedia Messaging Service) is provided by interworking with the message system of the 3G network.

IMS-based data networks are used for message and voice over LTE (VoLTE) services, and are often operated separately from the mobile data networks used by users. Operating them separately makes it possible to provide services such as messaging and VoLTE even when the data network is not connected, and to control data packets and bill them separately.

Thus, where mobile service is provided through several asymmetric mobile data networks of different sizes and roles, such as a private network, a public network, and an IMS network, personal data normally goes through the public network, company business goes through the private network, and messages and calls go through the IMS network.

If a private LTE network is to be provided to a company, the network operator needs to build and operate asymmetric mobile data networks of different sizes and roles. In this situation, the security of the enterprise using the dedicated LTE network access service needs to be strengthened. In other words, for a company using a dedicated mobile network access service through network separation, business data transmitted through the private network is a major security object related to the company's secrets, .

However, it is not easy to block specific IPs in the public data network or to block messages for specific keywords on the message network in situations where the individual's work content changes from time to time.

SUMMARY OF THE INVENTION The present invention has been made in view of the above problems. Its object is to provide a dynamic messaging security providing method, and a communication system implementing it, that can enhance security on a mobile network composed of asymmetric data networks of different roles and sizes by performing deep packet inspection (DPI) on the data of the small private network to extract user data, analyzing the extracted data to dynamically classify each individual's work, and applying security processing so that content deemed important to that work is not transmitted on the message network.

According to one aspect of the present invention, a dynamic messaging security providing method is performed by a communication system of an asymmetric multi-mobile data network that includes a plurality of networks of different sizes and roles: a private (dedicated) network providing a transmission/reception path for company business-related data, a public network providing a transmission/reception path for personal data, and an IP Multimedia Subsystem network (IMS network). The method comprises the steps of: generating and storing task type data for each user from packets transmitted and received in the dedicated network; when message transmission is requested by a calling terminal, determining whether data included in the message is included in the task type data; if it is, performing a predetermined security process on the message; and transmitting the secured message to the called terminal.

Wherein the storing step comprises:

Extracting business-related user data by performing Deep Packet Inspection (DPI) on the transmitted and received packets; comparing the keywords extracted from the user data with the pre-registered business group information and classifying the business group corresponding to each user; and, for each classified business group, generating and storing task type data for each user belonging to that business group, the task type data including the business group information, the important security keywords requiring security processing, and the security processing application deadline.

The pre-registered business group information includes:

The business information pre-registered by the operator and the classification keyword corresponding to the business information,

Wherein said classifying comprises:

Extracting all keywords from the user data per predetermined analysis unit or processed task to generate respective keyword vectors; measuring the similarity between each keyword vector for the plurality of keywords included in the classification keywords and each keyword vector generated from the user data; and classifying the task group corresponding to the classification keywords whose measured similarity value satisfies a predefined threshold as the task group corresponding to the user.

The storing step may be periodically updated.

Wherein the determining step comprises:

Extracting a keyword from the message, identifying a business group to which the sender of the message belongs, and determining whether the extracted keyword corresponds to an important security keyword of the business group,

The step of performing the security processing may perform the security processing if it corresponds to the important security keyword.

The step of performing the security processing includes:

Transmitting a notification message to the calling terminal indicating that a keyword requiring security processing is included; and masking the keyword in the message transmitted by the calling terminal,

The step of transmitting the secure processed message to the called terminal may transmit the masked message.

According to another aspect of the present invention, a communication system of an asymmetric multi-mobile data network includes a plurality of networks of different scales and roles: a private (dedicated) network providing a transmission/reception path for company business-related data, a public network providing a transmission/reception path for personal data, and an IP Multimedia Subsystem network (IMS network). The system includes: a DPI (Deep Packet Inspection) server that extracts business-related user data from packets transmitted and received in the dedicated network, compares it with pre-registered business group information, and dynamically classifies the corresponding business group for each user according to the comparison result to generate task type data for each user; a security processing server that receives and stores the task type data, determines whether data included in a message transmitted by a calling terminal is included in the task type data, and, if it is, performs the specified security processing on the message; and a message server that delivers the security-processed message to the called terminal.

The deep packet inspection server comprises:

A database storing pre-registered business group information, which includes business information pre-registered by an operator and classification keywords corresponding to the business information; a user data extracting unit that extracts business-related user data by performing Deep Packet Inspection (DPI) on the transmitted and received packets; and a dynamic classification unit that extracts all keywords from the user data per analysis unit or processed task to generate respective keyword vectors, measures the similarity between each keyword vector for the plurality of keywords included in the classification keywords and each keyword vector generated from the user data, classifies the business group corresponding to the classification keywords whose measured similarity value satisfies the predefined threshold as the business group corresponding to the user, and, for each classified business group, generates task type data for each user belonging to it and transmits the data to the security processing server.

The task type data includes:

Task group information, important security keywords requiring security processing, and security processing application deadline,

The security processing server comprises:

If the keyword extracted from the message corresponds to an important security keyword of a business group to which the sender of the message belongs, the message may be masked and then transmitted to the message server.

The communication system may further include a message push server that, at the request of the security processing server, transmits to the calling terminal a user attention message informing that a keyword requiring security processing is included.

According to the embodiment of the present invention, in order to enhance the security of an enterprise across asymmetric mobile data networks of different sizes and roles, the content of each individual's work can be determined dynamically and used to control access to server IPs on the public network or the content of messages, so that a private LTE network access service can be provided.

In addition, efficient and practical messaging security can be achieved by protecting the company-confidential content that each person must be careful with on the basis of the work currently being performed, rather than on artificially divided job roles.

Therefore, when a private LTE network (private LTE network) is provided for a company, it is possible to provide private LTE network access service more secure by minimizing the leakage of important information of the enterprise through the data channel or message channel of the individual .

FIG. 1 is a block diagram of a communication system for providing dynamic message security in an asymmetric multi-mobile data network according to an embodiment of the present invention.
FIG. 2 is a block diagram illustrating a detailed configuration of a DPI server according to an embodiment of the present invention.
FIG. 3 is a configuration diagram of a task group information table according to an embodiment of the present invention.
FIG. 4 is a block diagram of a message delivery network for providing dynamic message security according to an embodiment of the present invention.
FIG. 5 is a block diagram of a message delivery network for providing dynamic message security according to another embodiment of the present invention.
FIG. 6 is a flowchart illustrating a dynamic message security providing method in an asymmetric multi-mobile data network according to an embodiment of the present invention.
FIG. 7 is a flowchart illustrating a dynamic message security providing method in an asymmetric multi-mobile data network according to another embodiment of the present invention.
FIG. 8 is a flowchart illustrating a dynamic message security providing method in an asymmetric multi-mobile data network according to another embodiment of the present invention.
FIG. 9 is a diagram illustrating a dynamic message security application of an originating terminal according to an embodiment of the present invention.
FIG. 10 is a diagram illustrating an example of dynamic message security application of a called terminal according to an embodiment of the present invention.

Hereinafter, embodiments of the present invention will be described in detail with reference to the accompanying drawings so that those skilled in the art can easily carry out the present invention. The present invention may, however, be embodied in many different forms and should not be construed as limited to the embodiments set forth herein. In order to clearly illustrate the present invention, parts not related to the description are omitted, and similar parts are denoted by like reference characters throughout the specification.

Throughout the specification, when an element is referred to as "comprising" another element, it means that it can include other elements as well, without excluding other elements, unless specifically stated otherwise.

Also, the terms of " part ", "... module" in the description mean units for processing at least one function or operation, which may be implemented by hardware or software or a combination of hardware and software.

In this specification, a terminal includes a mobile station (MS), a mobile terminal (MT), a subscriber station (SS), a portable subscriber station (PSS), an access terminal (AT), and the like, and may include all or some of the functions of a mobile terminal, a subscriber station, a mobile subscriber station, a user equipment, and the like.

In this specification, a base station (BS) includes an access point (AP), a radio access station (RAS), a Node B, a base transceiver station (BTS), an MMR (Mobile Multihop Relay)-BS, and the like, and may include all or some of the functions of an access point, a radio access station, a Node B, a base transceiver station, and an MMR-BS.

Hereinafter, a method for providing dynamic messaging security in an asymmetric multi-mobile data network according to an embodiment of the present invention and a communication system implementing the method will be described in detail with reference to the drawings.

FIG. 1 is a block diagram of a communication system for providing dynamic message security in an asymmetric multi-mobile data network according to an embodiment of the present invention, FIG. 2 is a block diagram illustrating a detailed configuration of a DPI server according to an embodiment of the present invention, and FIG. 3 is a configuration diagram of a task group information table according to an embodiment of the present invention.

Referring to FIG. 1, the communication system includes LTE terminals 101 and 103, base stations 203 and 207, a Mobility Management Entity (MME) 209, a Serving Gateway (S-GW) 211, a plurality of different packet data network gateways (P-GW) 213, 215 and 217, a private network 219, a public network 221, an IP multimedia subsystem network (IMS network) 223, a deep packet inspection (DPI) server 300, a security processing server 400 and a message push server (PNS).

Here, the dedicated network 219 is a data network provided to a certain small number of users, and is established in a certain area having a predetermined service radius. The dedicated network 219 provides a transmission/reception path for company business-related data. Here, the dedicated network 300 is managed by a dedicated network 301 or a dedicated P-GW (not shown) that covers a certain area having a predetermined service radius, and can be established at the enterprise's workplace. Because of its security and limited service coverage (network coverage), a private LTE network allows the enterprise that builds it to grant network access only to authorized employees or devices.

The public network 221 is a data network provided to an unspecified number of users, and provides a transmission/reception path for personal data. The IMS network 223 provides call and message services.

As described above, a plurality of networks 219, 221, and 223 having different sizes and roles form an asymmetric multi-mobile data network. In the asymmetric multi-mobile data network, company business uses the private network 219, personal data uses the public network 221, and the call and message service uses the IMS network 223.

The asymmetric multi-mobile data network includes an MME 209 for base station management and inter-base data interworking, an S-GW 211 for service routing, and a plurality of P-GWs 213, 215 and 217 To provide basic LTE network services.

At this time, the asymmetric multi-mobile data network is formed through a plurality of P-GWs 213, 215, and 217, one for each use. The P-GWs 213, 215, and 217 consist of a dedicated network P-GW 213, a public network P-GW 215, and an IMS P-GW 217.

Here, the dedicated network P-GW 213 is established for accessing a private network to provide a private LTE network (219) service to an enterprise customer. Public network P-GW 215 is configured to connect to public network 221 where users typically use a mobile network connection. The IMS P-GW 217 is configured to access an IMS network 223 used to provide RCS (Rich Communication Service) or VoLTE (Voice over LTE) services.

User terminals (UE) 101 and 103 are terminals that can communicate with a counterpart, such as a feature phone, a smart phone, or a PDA (Personal Digital Assistant). The UEs 101 and 103 can access the respective data networks 219, 221 and 223 with different access point names (APNs). The APN information may be stored in the UEs 101 and 103, or may be provided to the UEs 101 and 103 through an HSS (Home Subscriber Server) (not shown) and the MME 209 on the LTE network. Generally, for user terminals (UE) 101 and 103 running the Android OS (Operating System), the information is stored in the terminals before launch. For an iPhone running iOS, the APN information stored in the server is provided to the user terminals (UE) 101 and 103 when requested.

To provide dynamic messaging security according to an embodiment of the present invention, the DPI server 300, the security processing server 400, and the message push server (PNS) 500 are newly added to the network entities that implement the asymmetric multi-mobile data network on the LTE network described above.

The DPI server 300 includes specialized hardware and/or software that can inspect data packets. It performs deep packet inspection (DPI) on the data of the small-scale network 219 among the plurality of networks of the asymmetric multi-mobile data network and extracts the user's business-related data. For example, when a private LTE network access service is provided to a corporation, the private network 219 is accessed in the workplace, and business data is transmitted and received through the mobile terminals 101 and 103. These packets are analyzed to understand which tasks or projects the individual is currently performing. These task types can change dynamically over time, and because one person may work on several projects, designating them manually for each individual is inefficient; managing them dynamically through data analysis is more efficient.

Deep packet inspection (DPI) of data in the public network 221 is not easy to implement because of the large volume of packet data and personal-information issues, but the enterprise private network 219 is generally smaller than the public network 221, so performing DPI on it is practical. In addition, the fact that packet analysis there is relatively free of personal-information issues can also be an important point in providing such a service.

The DPI server 300 is located between the dedicated network P-GW 213 and the dedicated network 219. It extracts business-related user data from packets transmitted and received in the dedicated network 219, compares the extracted data with the predefined business group information, and classifies which group the user belongs to, dynamically classifying the corresponding task groups for each user to generate task type data for each user. The DPI server 300 may be implemented as shown in FIG.

Referring to FIG. 2, the DPI server 300 includes a database 301, a user data extraction unit 303, and a dynamic classification unit 305.

The database 301 stores pre-registered task group information including pre-registered task information and classification keywords corresponding to the task information. Such work group information may be configured as shown in FIG.

Referring to FIG. 3, the task group information table 309 includes a classification keyword 311, a task classification 313, an important security keyword 315, and a setting date 317. At this time, the task group information table 309 is composed of information set by a manager in charge of a company for a project that is considered to require security.

The business classification 313 represents each project or business name. The classification keyword 311 is a keyword related to a project or business name. The important security keyword 315 is set to a keyword that is considered to be important among the classification keywords.

Referring again to FIG. 2, the user data extracting unit 303 extracts business-related user data by performing deep packet inspection (DPI) on the packets transmitted and received in the dedicated network 219. In the private network 219, enterprise users do their work by accessing in-house sites or sending and receiving mail on the mobile terminals 101 and 103. All keywords are extracted per mail, or per business page when work is done through an in-house business site.

The dynamic classification unit 305 extracts keywords from the packet data the user sends and receives for business in the private network 219 and compares the extracted keywords with the classification keywords corresponding to each project or task. If many of a task's classification keywords are used, the user is probabilistically classified as a person performing that task or project. A user can have several task classifications, and these change dynamically.

That is, the dynamic classification unit 305 generates a keyword vector from all the keywords that the user data extraction unit 303 extracted from the user data, one vector per analysis unit or processed task. It then measures the similarity between each keyword vector for the plurality of keywords included in the classification keywords and each keyword vector generated from the user data, and classifies the task group corresponding to the classification keywords whose measured similarity value satisfies the predefined threshold as the task group corresponding to the user. Finally, for each classified task group, it generates task type data for each user belonging to that group and transmits the data to the security processing server 400.

Here, the task type data includes task group information, important security keywords requiring security processing, and security processing application time limit, and this information is obtained from the task group information table 309 in Fig.

The dynamic classification unit 305 measures the similarity between the keyword information vector of the classification keyword 311 of FIG. 2 and each keyword vector generated from the user data. If the similarity degree is equal to or greater than the threshold value, have.

Threshold processing for the similarity measurement can be performed by normalizing the data used through the dedicated network 219 per day and per week and determining whether the main keywords are used at or above a certain level.

Here, the mathematical formula used in the similarity measurement is as follows. Equation (1) is a similarity degree expression for an individual task grouping.

Figure pat00001

Here, the d_i vector is the vector generated by extracting all keywords from the user data per analysis unit or processed task. The d_j vector is the vector generated from the classification keyword 311 of the task group information table 309.

For example, when the measured similarity value between the keyword vector extracted from the user data and the classified keyword vector related to the 15 new employee recruitment meets a predetermined threshold value, the user is classified as a user who is in charge of 15 new employee recruitment tasks.

Once the task or project information the individual is performing has been extracted, the dynamic classification unit 305 sets the important security keywords and the attention period that the user performing that task must pay attention to. The important security keyword is obtained from the important security keyword 315 of the task group information table 309, and the attention period is obtained from the setting date 317 of the task group information table 309. Based on the acquired information, the dynamic classification unit 305 generates task type data.
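The classification step described above, as an added example that is not code from the patent: per-unit keyword vectors (d_i) are compared with each task group's classification-keyword vector (d_j), and task type data is emitted for groups that reach the threshold. Cosine similarity, the threshold 0.3, the field names, the second task group and the sample texts are assumptions made for this sketch, since Equation (1) is not reproduced on the page.

```python
import math
import re
from collections import Counter
from dataclasses import dataclass
from datetime import date

# Constructed stand-in for the task group information table (309). Field names
# are hypothetical; they mirror the columns named in the description:
# classification keyword (311), task classification (313),
# important security keyword (315), setting date (317).
TASK_GROUPS = [
    {"task": "15 new employee recruitment",
     "classification_keywords": ["recruitment", "applicant", "interview", "resume", "offer"],
     "important_keywords": ("applicant", "offer"),
     "setting_date": date(2016, 3, 31)},
    {"task": "tariff revision",  # constructed second project
     "classification_keywords": ["pricing", "tariff", "discount", "margin", "launch"],
     "important_keywords": ("tariff", "margin"),
     "setting_date": date(2016, 6, 30)},
]

# Constructed user data: one string per analysis unit (a mail or a business
# page), as the user data extraction unit (303) would hand it over after DPI.
UNITS_USER_A = [
    "Interview schedule for each applicant: please review the resume "
    "before the interview and send the offer draft",
    "Lunch menu for the cafeteria this week",
]


@dataclass(frozen=True)
class TaskTypeData:
    user: str
    task_group: str
    important_keywords: tuple
    apply_until: date


def keyword_vector(text):
    """Bag-of-words keyword vector: every lowercase token with its count."""
    return Counter(re.findall(r"[a-z0-9]+", text.lower()))


def cosine(a, b):
    """Cosine similarity of two sparse count vectors (assumed measure)."""
    dot = sum(count * b[token] for token, count in a.items())
    norm_a = math.sqrt(sum(c * c for c in a.values()))
    norm_b = math.sqrt(sum(c * c for c in b.values()))
    return dot / (norm_a * norm_b) if norm_a and norm_b else 0.0


def classify_user(user, units, groups=TASK_GROUPS, threshold=0.3):
    """Return task type data for every group that some analysis unit matches."""
    unit_vectors = [keyword_vector(u) for u in units]  # the d_i vectors
    result = []
    for group in groups:
        d_j = keyword_vector(" ".join(group["classification_keywords"]))
        best = max((cosine(d_i, d_j) for d_i in unit_vectors), default=0.0)
        if best >= threshold:  # threshold value is constructed for this example
            result.append(TaskTypeData(user, group["task"],
                                       group["important_keywords"],
                                       group["setting_date"]))
    return result


if __name__ == "__main__":
    for record in classify_user("010-0000-0001", UNITS_USER_A):
        print(record)
```

Because every token of a mail counts toward its vector norm, long messages dilute the score; the threshold has to be tuned against real traffic, which is what the normalization per day and week described above is for.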

Referring again to FIG. 1, the security processing server 400 is a server that performs security processing on an IP address or a keyword of a message to which security is to be applied according to a current task performed by an individual.

Based on the group information of the classified user, the security processing server 400 determines whether a message delivered on the message network, which is a separate network, contains important content handled by the corresponding user group. If necessary, a notice is sent informing the user that the message requires security, so that security is applied to messages whose content the users of that group must handle with care.

That is, the security processing server 400 receives and stores the per-user task type data from the DPI server 300. It determines whether the data included in a message transmitted by the calling terminals 101 and 103 is included in the task type data and, if it is, performs security processing on the message. During the attention period included in the task type data, the security processing server 111 performs security processing on security-critical messages from the message server (233 in FIG. 4 and FIG. 5).

If the keyword extracted from the message corresponds to the important security keyword of the task group to which the sender of the message belongs, the security processing server 400 performs masking processing on the message and transmits the masked message to the message server 233.

In addition, the security processing server 400 may send additional information to the public network P-GW 215. The public network P-GW 215 then restricts connections to the IPs that the user terminals 101 and 103 request access to, according to the additional information received from the security processing server 400, that is, the security processing information, and can transmit a caution message to the user terminals 101 and 103 indicating that the connection is not possible.

The message push server (PNS) 500 is a server that, when the security processing server 400 determines that a message has a security problem, asks the user whether to send the message or sends a warning message. At the request of the security processing server 400, the message push server (PNS) 500 transmits to the calling terminal 101 or 103 a user attention message informing that a keyword requiring security processing is included.

FIG. 4 is a block diagram of a message delivery network for providing dynamic message security according to an embodiment of the present invention, and is a diagram for explaining application of dynamic message security when transmitting short messages (SMS) between LTE terminals 101 and 103.

Referring to FIG. 4, when an SMS is transmitted from an originating LTE terminal 101, the SMS is transmitted to a mobile switching center (MSC) 229 of a 3G network 227 via a base station (203 in FIG. 1) and a source MME 209-1. At this time, the MMEs 209-1 and 209-3 are interworked with the MSCs 229 and 231 through the SGs interface.

In the LTE network (225), since all messages are transmitted in the form of packet data, the message is transmitted in the form of packet data of IM (Instant Message) through the IMS network (223 in FIG. The RCS (Rich Communication Service) is a service for providing a call or a message through the IMS network 223.

However, where the 3G network 227 and the LTE network 225 coexist, the SMS used in the existing mobile communication network is transmitted through network interworking, so interworking between the MME 209-1 and the MSC 229 is necessary.

Therefore, the SMS transmitted from the originating LTE terminal 101 is transmitted to the SMS Message Service Center (SMSC) which is the message server 233 via the originating MSC 229.

The message server 233 is a server for processing a message in a circuit switching network such as an SMS / MMS. The message transmitted to the message server 233 is transmitted to the security processing server 400 and secured.

The security processing server 400 extracts the keyword included in the message received from the message server 233 and identifies the business group to which the message sender belongs. The work group can be confirmed through the telephone number of the originating LTE terminal 101, but it is not limited thereto, and various embodiments that can identify the caller are possible.

The security processing server 400 performs a masking process on the keyword corresponding to the main keyword among the keywords included in the message received from the message server 233. In addition, it requests the message push server 500 to transmit a message requesting attention to the user terminal 101 to confirm the origination.

Meanwhile, the secured message is transmitted to the message server 233, and is transmitted from the message server 233 to the incoming LTE terminal 103 via the called MSC 231 of the 3G network 227 and the called MME 209-3 of the LTE network.

FIG. 5 is a block diagram of a message delivery network for providing dynamic message security according to another embodiment of the present invention. FIG. 5 is a diagram for explaining application of dynamic message security during SMS transmission between an RCS service application terminal and an RCS service non-service terminal.

At this time, the incoming LTE terminal 103 is a terminal capable of RCS service.

Referring to FIG. 5, when an originating LTE terminal 101 transmits an SMS, the SMS is transmitted to the message server (233) via the originating MME 209 of the LTE network 225 and the originating MSC 229 of the 3G network 227. Then, the message server 233 requests the security processing server 400 for security processing, receives the security-processed message, and forwards the message to the IP-SM-GW 235.

The secured message (SMS) is integrated with the existing message through the IM (Instant Message) server 223 of the RCS and then transmitted to the called LTE terminal 103 via the S-GW 211.

FIGS. 4 and 5 illustrate the propagation paths of the secure message, but they can be delivered in various forms according to the configuration of the network.

Now, the process of providing dynamic message security in an asymmetric multi-mobile data network based on the above-described configuration will be described according to an embodiment.

FIG. 6 is a flowchart illustrating a dynamic message security providing method in an asymmetric multi-mobile data network according to an embodiment of the present invention.

Referring to FIG. 6, the DPI server 300 periodically extracts packets transmitted and received in the dedicated network 213 (S101), and classifies the task types for each user (S103). In other words, the extracted data is analyzed to recognize which task the user is currently performing.

The DPI server 300 performs deep packet inspection (DPI) on the packets transmitted and received to extract business related user data (S101). The keyword extracted from the user data is compared with the previously registered work group information (309 in FIG. 3), and the corresponding work group is dynamically classified for each user. For each of the users belonging to the classified business group, task group data including task group information, important security keywords requiring security processing, and security processing application deadline are generated and transmitted to the security processing server 400 (S105). Then, the security processing server 400 stores the delivered task type data for each user (S107).

Here, the user task type data includes main keyword information that the user in charge of the task is mainly concerned with in order to communicate with the outside according to the task. These processes (S101 to S105) are performed periodically, so the tasks an individual performs and the main keywords classified accordingly are updated dynamically.

When the calling terminal 101 sends a message (S109), the message server 233 transmits a message to the security processing server 400 to request individual security processing for the message content (S111).

The security processing server 400 searches the task type data per user stored in step S107 and confirms the task group to which the calling terminal 101 belongs. It then determines whether any of the contents of the message received in step S111 require security processing (S115). That is, a keyword is extracted from the message and it is determined whether there is a keyword classified as an important security keyword among the extracted keywords.

At this time, if the security processing is not required, the message server 233 is informed that no security processing is required (S117). Then, the message server 233 transmits the received message to the called terminal 103 (S119).

On the other hand, if it is determined in step S115 that the security processing is required, the important security keywords are masked in the message content (S121).

In addition, the message push server 500 is requested to perform notification processing (S123). Then, the message push server 500 transmits to the calling terminal 101 a notification message (or a user's attention message) indicating that an important security keyword is included (S125).

Next, the security processing server 400 transmits the security processing result to the message server 233 (S127). Then, the message server transmits the secured message to the called terminal 103 (S129).

In addition, the security processing server 400 can also transmit a caution message to the public network for an individual's access to a specific IP or the like. In this case, the security processing server 400 can transmit the security processing information to the public network P-GW 215.
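The decision made by the security processing server 400 in steps S107 and S111 to S127 can be sketched as follows. This is an added illustration, not code from the patent: the record layout, the class and function names, the sample number and keywords, the `*` masking character and the whole-word matching rule are all assumptions.

```python
import re
from dataclasses import dataclass
from datetime import datetime

MASK_CHAR = "*"  # assumption: the patent does not name a masking character


@dataclass
class TaskTypeData:
    """Per-user record sent by the DPI server (S105) and stored in S107."""
    task_group: str
    security_keywords: frozenset  # important security keywords of the group
    deadline: datetime            # security processing application deadline


@dataclass
class SecurityResult:
    text: str            # message returned to the message server (S117/S127)
    masked: tuple        # keywords that were masked, in order of appearance
    notify_sender: bool  # True: request a notification from the push server (S123)


class SecurityProcessingServer:
    def __init__(self):
        self._store = {}  # sender number -> TaskTypeData

    def store_task_type_data(self, sender, data):
        """S107: keep the latest record; each periodic DPI update overwrites it."""
        self._store[sender] = data

    def process(self, sender, text, now):
        """S111 to S127: decide whether masking is needed and apply it."""
        data = self._store.get(sender)
        # Unknown sender, empty keyword set or expired deadline: nothing to do.
        if data is None or not data.security_keywords or now > data.deadline:
            return SecurityResult(text, (), False)
        # Longest keyword first, so "project falcon" wins over "falcon".
        ordered = sorted(data.security_keywords, key=len, reverse=True)
        # Whole-word, case-insensitive matching is an assumption of this sketch.
        pattern = re.compile(
            r"(?<!\w)(?:" + "|".join(re.escape(k) for k in ordered) + r")(?!\w)",
            re.IGNORECASE,
        )
        hits = []

        def mask(match):
            hits.append(match.group(0).lower())
            return MASK_CHAR * len(match.group(0))

        masked_text = pattern.sub(mask, text)  # S121
        if not hits:
            return SecurityResult(text, (), False)  # S117
        return SecurityResult(masked_text, tuple(hits), True)


def build_demo_server():
    """Constructed sample data: number, task group and keywords are invented."""
    server = SecurityProcessingServer()
    server.store_task_type_data("010-0000-0001", TaskTypeData(
        task_group="new-product-planning",
        security_keywords=frozenset({"falcon", "project falcon", "launch price"}),
        deadline=datetime(2016, 3, 31, 23, 59),
    ))
    return server


if __name__ == "__main__":
    demo = build_demo_server()
    result = demo.process("010-0000-0001",
                          "Project Falcon launch price is set.",
                          datetime(2016, 1, 10, 9, 0))
    print(result)
```

Because the stored record carries its own deadline and is overwritten on every DPI update, a keyword stops being masked as soon as the sender's classified task changes or the deadline passes.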

FIG. 7 is a flowchart illustrating a dynamic message security providing method in an asymmetric multi-mobile data network according to another embodiment of the present invention, which corresponds to the embodiment of FIG.

Referring to FIG. 7, when the calling terminal 101 sends a message (S201), the calling MME 209-1 transmits a message to the calling MSC 229 via the network interworking based message (S203). Here, the network interworking-based message includes an SGs interface message.

The originating MSC 229 requests the message server 233 to transmit a message (S205).

The message server 233 requests the security processing server 400 for security processing (S207).

The security processing server 400 searches the job type data of the sender (S209) and determines whether security processing is necessary (S211).

If the security processing is not required, the security processing result is transmitted to the message server 233 (S213).

The message server 233 transmits the received message as it is to the called MSC 231 (S215).

The called MSC 231 forwards the message to the called MME 209-3 (S217).

The called party MME 209-3 transmits the received message to the called terminal 103 (S219).

On the other hand, if it is determined in step S211 that security processing is necessary, the received message is securely processed (S221). Then, the message push server 500 is requested to process the notification (S223). Then, the message push server 500 transmits a notification message to the calling terminal 101 (S225).

The security processing server 400 transmits the security processing result to the message server 233 (S227).

The message server 233 transmits the secure processed message to the called MSC 231 (S229).

The called MSC 231 forwards the message to the called MME 209-3 (S231).

The called party MME 209-3 transmits the received message to the called terminal 103 (S233).

FIG. 8 is a flowchart illustrating a dynamic message security providing method in an asymmetric multi-mobile data network according to another embodiment of the present invention, which corresponds to the embodiment of FIG.

Referring to FIG. 8, when the calling terminal 101 sends a message (S301), the calling MME 209 delivers the message to the calling MSC 229 via the network interworking based message (S303).

The originating MSC 229 requests the message server 233 to transmit a message (S305).

The message server 233 requests the security processing server 400 for security processing (S307).

The security processing server 400 searches the job type data of the sender (S309) to determine whether security processing is necessary (S311).

If security processing is not required, the security processing result is transmitted to the message server 233 (S313).

The message server 233 transmits the received message as it is to the IP-SM-GW 235 (S315). The IP-SM-GW 235 transmits a message to the call session control unit (CSCF) 237 / IM (Instant Message) server 239 (S317).

The call session control unit (CSCF) 237 / IM server 239 delivers the received message to the S-GW 211 (S319). The S-GW 211 transmits the received message to the called terminal 103 (S321).

On the other hand, if it is determined in step S311 that security processing is necessary, the received message is securely processed (S323). Then, the message push server 500 is requested to process the notification (S325). Then, the message push server 500 transmits a notification message to the calling terminal 101 (S327).

The security processing server 400 transmits the security processing result to the message server 233 (S329).

The message server 233 transfers the secured message to the IP-SM-GW 235 (S331). The IP-SM-GW 235 transmits the secured message to the call session control unit (CSCF) 237 / IM server 239 (S333).

The call session control unit (CSCF) 237 / IM server 239 transfers the secured message to the S-GW 211 (S335). The S-GW 211 transmits the secure processed message to the called terminal 103 (S337).

FIG. 9 is a diagram illustrating a dynamic message security application of an originating terminal according to an exemplary embodiment of the present invention, and FIG. 10 is a diagram illustrating an exemplary dynamic message security application of a called terminal according to an exemplary embodiment of the present invention.

Referring to FIG. 9A, the other party's message P3 is received on the message screen P1, and then the sender inputs the message P5. At this time, if the message P5 is input, the user attention message P9 may be popped up as shown in FIG. 9 (b) before being transmitted to the other party. When confirmation is clicked, a message (P7) indicating "the content is masked for security" is received as shown in Fig. 9 (a).

Here, the masking processing message is not displayed on the message screen P1 of the caller, but it can be seen that the message screen P11 of the called party is masked on the caller's message P13 as shown in Fig. That is, it can be seen that the important security keywords are masked in the caller's message P13.

In this way, when a user transmits and receives a personal message using the RCS and the VoLTE service through the IMS network in connection with the work performed by the user on the private network 219, security processing such as masking of the transmitted message is performed on the main keyword. Then, a security process is performed in which an attention message regarding transmission of the message is sent and confirmation of transmission is received.

In addition, a masking process may be performed not only on the called party terminal but also on the calling party terminal after sending the message in the message application of the sender's message (P13) user terminal. That is, the masking process may be applied to the important security keywords in P5 as well.

The embodiments of the present invention described above are not implemented only by the apparatus and method, but may be implemented through a program for realizing the function corresponding to the configuration of the embodiment of the present invention or a recording medium on which the program is recorded.

While the present invention has been particularly shown and described with reference to exemplary embodiments thereof, it is to be understood that the invention is not limited to the disclosed exemplary embodiments, It belongs to the scope of right.

Claims (10)

A public network that provides a personal data transmission / reception path, and an IP Multimedia Subsystem network (IMS network) that provides a call and message service. A communication system of an asymmetric multi-mobile data network including a plurality of networks having different scales and roles,
Generating and storing task type data for each user from the packets transmitted and received by the communication system in the dedicated network,
Determining whether data included in the message is included in the task type data when the message transmission is requested from the calling terminal,
Performing security processing specified in the message if the message is included in the task type data, and
Transmitting the secure processed message to the called terminal
A method for providing dynamic messaging security.
The method according to claim 1,
Wherein the storing step comprises:
Extracting business related user data by performing deep packet inspection (DPI) on the packets to be transmitted and received,
Comparing the keyword extracted from the user data with previously registered business group information to dynamically classify the corresponding business group for each user, and
Generating and storing the task type data including the task group information, the important security keywords requiring security processing, and the security processing application deadline for each of the users belonging to the task group for each classified task group
A method for providing dynamic messaging security.
3. The method of claim 2,
The pre-registered business group information includes:
The business information pre-registered by the operator and the classification keyword corresponding to the business information,
Wherein said classifying comprises:
Extracting all the keywords from the user data in units of a predetermined analysis unit or processing task and generating respective keyword vectors,
Measuring the similarity between each keyword vector for a plurality of keywords included in the classification keyword and each keyword vector generated from the user data, and
Classifying the task corresponding to the classification keyword whose measured similarity value satisfies the predefined threshold into a task corresponding to the user
A method for providing dynamic messaging security.
The method of claim 3,
And the storing step is periodically updated.
3. The method of claim 2,
Wherein the determining step comprises:
Extracting a keyword from the message,
Identifying a business group to which the sender of the message belongs, and
Determining whether the extracted keyword corresponds to an important security keyword of the business group,
The step of performing the security processing includes:
And if the security keyword is the key security keyword, performing the security processing.
6. The method of claim 5,
The step of performing the security processing includes:
Transmitting a notification message to the calling terminal indicating that a keyword requiring security processing is included, and
And masking the keyword in a message transmitted by the calling terminal,
The step of transmitting the secure message to the called terminal comprises:
A method for providing dynamic messaging security that sends a masked message.
A public network that provides a personal data transmission / reception path, and an IP Multimedia Subsystem network (IMS network) that provides a call and message service. A communication system in an asymmetric multi-mobile data network comprising a plurality of networks of different sizes and roles,
And extracts business-related user data from the packets transmitted and received in the dedicated network, compares the extracted business-related user data with pre-registered business group information, dynamically classifies corresponding business groups according to the comparison result to generate business type data for each user, (Deep Packet Inspection, DPI) server,
Receiving and storing the task type data from the deep packet inspection server, determining whether the data included in the message transmitted by the originating terminal is included in the task type data, and if the data is included in the task type data, , A security processing server
And a message server for delivering the secured message received from the security processing server to the called terminal
8. The method of claim 7,
The deep packet inspection server comprises:
A database for storing previously registered business group information including business information pre-registered by an operator and a classification keyword corresponding to the business information,
A user data extracting unit for performing deep packet inspection (DPI) on the packets to be transmitted and received to extract business related user data, and
Extracting all the keywords from the user data in units of a predetermined analysis unit or processing task to generate respective keyword vectors, generating each keyword vector for a plurality of keywords included in the classification keyword, The degree of similarity between the keyword vectors is measured to classify the business groups corresponding to the business groups corresponding to the classification keywords in which the measured similarity value satisfies the predefined threshold value, and each of the users belonging to the business group And transmits the generated task type data to the security processing server
9. The method of claim 8,
The task type data includes:
Task group information, important security keywords requiring security processing, and security processing application deadline,
The security processing server comprises:
And if the keyword extracted from the message corresponds to an important security keyword of a business group to which the sender of the message belongs, the message is masked and then delivered to the message server.
10. The method of claim 9,
A message push server for transmitting a user attention message indicating that a keyword requiring security processing is included in the calling terminal in response to a request from the security processing server
Further comprising:
KR1020160000585A 2016-01-04 2016-01-04 Method and communication system for providing dynamic messaging security in asymmetric multi mobile data network KR102011403B1 (en)

Publications (2)

Publication Number Publication Date
KR20170081491A true KR20170081491A (en) 2017-07-12
KR102011403B1 KR102011403B1 (en) 2019-08-16

Family

ID=59353106

Country Status (1)

Country Link
KR (1) KR102011403B1 (en)

Legal Events

Date Code Title Description
A201 Request for examination
E902 Notification of reason for refusal
E701 Decision to grant or registration of patent right