WO2021234796A1 - Mobile communication system - Google Patents

Info

Publication number
WO2021234796A1
Authority
WO
WIPO (PCT)
Prior art keywords
unit
reception
information
abnormal
received frame
Application number
PCT/JP2020/019697
Other languages
French (fr)
Japanese (ja)
Inventor
智也 庄司
公 小幡
雄也 下尾
信幸 内川
Original Assignee
株式会社日立国際電気 (Hitachi Kokusai Electric Inc.)
Application filed by 株式会社日立国際電気
Priority to JP2022523775A (JP7394984B2)
Priority to PCT/JP2020/019697 (WO2021234796A1)
Publication of WO2021234796A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/12 Detection or prevention of fraud

Definitions

  • the present invention relates to a mobile communication system applied to a mobile network, and more particularly to a mobile communication system capable of discriminating abnormal communication and unauthorized communication to ensure the security and quality of communication.
  • FIG. 9 is a block diagram of a conventional mobile communication system. As shown in FIG. 9, the conventional mobile communication system includes a communication device 10, a communication terminal 2, and a control terminal 40.
  • the conventional communication device 10 includes a network unit 110, a wireless access control unit 12, a wireless signal processing unit 13, a high frequency unit 14, and an antenna 15.
  • the network unit 110 has a QoS (Quality of Service) function unit 1101, a frame transmission / reception unit 1102, and a communication method function unit 1103.
  • the wireless access control unit 12 includes a transmission / reception counter 12a. Further, the control terminal 40 has a statistical display unit 45.
  • the network unit 110 mainly serves as an interface to a communication terminal 2, such as an IP (Internet Protocol) telephone terminal or a PC (Personal Computer), or to the control terminal 40; it exchanges IP packets with the wireless access control unit 12 and sets the communication method and similar parameters.
  • when the communication method is set from the control terminal 40, the communication method function unit 1103 notifies the QoS function unit 1101, the wireless access control unit 12, the wireless signal processing unit 13, and the high frequency unit 14 of the communication method, switches their settings, and acquires the status from each unit.
  • the QoS function unit 1101 selects an IP packet to be preferentially transmitted according to the communication method and outputs the IP packet to the frame transmission / reception unit 1102. Further, the QoS function unit 1101 outputs an IP packet from the frame transmission / reception unit 1102 to the communication terminal 2.
  • the frame transmission / reception unit 1102 incorporates the IP packet input from the QoS function unit 1101 into the communication frame to generate a transmission frame, and outputs the transmission frame to the wireless access control unit 12.
  • the frame transmission / reception unit 1102 extracts the IP packet from the communication data received from the wireless access control unit 12 (the received frame) and outputs the IP packet to the QoS function unit 1101.
  • the wireless access control unit 12 determines whether or not the wireless line is in use, and outputs the transmission frame input from the network unit 110 to the wireless signal processing unit 13 when the line is not in use. Further, the wireless access control unit 12 outputs the error-corrected and decoded communication data (received frame) from the wireless signal processing unit 13 to the network unit 110. Further, the wireless access control unit 12 determines whether or not the data has reliably reached the other party during the wireless communication, and performs retransmission control or the like as necessary.
  • the transmission / reception counter 12a in the wireless access control unit 12 counts the transmission / reception of IP packets, and outputs the transmission / reception count value to the communication method function unit 1103 of the network unit 110.
  • the communication method function unit 1103 grasps the transmission / reception status based on the count value from the transmission / reception counter 12a.
  • the wireless signal processing unit 13 applies error-correction coding to the communication data from the wireless access control unit 12 and outputs it to the high frequency unit 14. Further, the wireless signal processing unit 13 applies error-correction decoding to the demodulated signal from the high frequency unit 14 and outputs the result to the wireless access control unit 12.
  • the high frequency unit 14 modulates the error correction coded communication data from the radio signal processing unit 13 for transmission and outputs it to the antenna 15. Further, the high frequency unit 14 demodulates the signal input from the antenna 15 for reception and outputs the signal to the radio signal processing unit 13.
  • the antenna 15 emits a transmission signal from the high frequency unit 14 into the air, and outputs the signal from the air to the high frequency unit 14.
  • in transmission processing, the network unit 110 exchanges packets between the communication terminal 2 and the wireless access control unit 12, and the frame transmission / reception unit 1102 generates a transmission frame by attaching control information to the IP packet. Based on the transmission frame received from the network unit 110, the wireless access control unit 12 determines whether the frequency resource, that is, the so-called wireless line, is not in use and whether it is the transmittable time of its own station; if it determines that transmission is possible, it encrypts the packet and transfers it to the wireless signal processing unit 13.
  • the wireless signal processing unit 13 encodes and interleaves the data to correct communication errors, modulates it onto a carrier wave, adds a synchronization signal, a control signal, and the like, and transfers the signal to the high frequency unit 14.
  • the high frequency unit 14 up-converts the input carrier wave to the radio frequency, amplifies it to the specified power, and transmits it from the antenna 15.
  • in reception processing, radio waves are input from the antenna 15, the high frequency unit 14 down-converts the high-frequency signal to a carrier wave, and outputs it to the wireless signal processing unit 13.
  • the wireless signal processing unit 13 demodulates the carrier wave, detects the synchronization signal, the control signal, and the like, restores the digital information, corrects the erroneous bits, and outputs the result to the wireless access control unit 12.
  • the wireless access control unit 12 decrypts the encrypted digital information, determines whether the received digital information is a frame, and, if it is a frame, performs response processing according to the control information stored in the frame and adjusts the transmittable time.
  • the wireless access control unit 12 outputs the received frame to the network unit 110.
  • in the network unit 110, the frame transmission / reception unit 1102 extracts the IP packet from the received frame input from the wireless access control unit 12, determines whether the packet is destined for the connected communication terminal 2, and, if so, forwards the packet to the communication terminal 2. Further, the control terminal 40 configures the communication device 10, monitors the communication status and the device status, and displays them on the statistical display unit 45.
  • TDMA: Time Division Multiple Access
  • CSMA / CA: Carrier Sense Multiple Access / Collision Avoidance
  • Patent Document 1 discloses a communication device that determines the number of IP packets to concatenate according to the usage rate of a subcarrier when transmitting using any one of a plurality of communication methods in a mobile communication system.
  • Patent Document 1 does not describe a technique for detecting malicious communication or unauthorized communication and blocking those communications.
  • the present invention has been made in view of the above circumstances, and its purpose is to provide a mobile communication system that detects malicious wireless communication as abnormal wireless communication and blocks it, avoids unauthorized occupation of the wireless line, and ensures the security and quality of communication.
  • the present invention, which solves the problems of the conventional example above, is a mobile communication system used for a mobile network that includes: a communication device that outputs received frame information, derived from the control information of the received frame, from which the feature of the frame is extracted, blocks reception on receiving access control information for prohibiting reception, and cancels the block on receiving access control information for canceling the reception prohibition; and a control terminal that receives the received frame information, determines whether it is normal or abnormal based on a prestored list of normal or abnormal received frame information, outputs access control information for prohibiting reception to the communication device when the information is determined to be abnormal, and outputs access control information for canceling the reception prohibition to the communication device when it is determined to be normal.
  • in the above mobile communication system, a relay device is provided between the communication device and the communication terminal; the control terminal outputs the access control information for prohibiting reception or for canceling the reception prohibition to the relay device as well, and the relay device blocks reception on the former and cancels the block on the latter.
  • in the above mobile communication system, the control terminal extracts feature data from the received frame information, learns it as normal feature data if the received frame information is normal and as abnormal feature data if the received frame information is abnormal, and updates the normal or abnormal list using the learning result.
  • in the above mobile communication system, the control terminal uses an autoencoder (self-encoder) for learning: feature data about received frames is given to the autoencoder as input data, and the frame is determined to be normal or abnormal based on the difference between the input data and the data the autoencoder outputs (its reconstruction of the input).
  • the present invention updates the list of normal or abnormal with the received frame information of the determined frame.
  • the control terminal calculates the correlation of a plurality of parameters related to reception by a statistical method to obtain feature data.
  • the control terminal clusters feature data from a plurality of parameters related to reception and obtains feature data for each cluster.
  • according to the present invention, there is provided a mobile communication system having a communication device that outputs received frame information, derived from the control information of the received frame, from which the feature of the frame is extracted, blocks reception on access control information for prohibiting reception and cancels the block on access control information for canceling the reception prohibition, and a control terminal that receives the received frame information, determines whether it is normal or abnormal based on the prestored list of normal or abnormal received frame information, outputs access control information for prohibiting reception to the communication device when it is determined to be abnormal, and outputs access control information for canceling the reception prohibition to the communication device when it is determined to be normal. Therefore, even when there is no error in the control information used for the communication, the system detects malicious wireless communication as abnormal wireless communication, prevents unauthorized occupation of the wireless line, and ensures the security and quality of the communication.
  • according to the present invention, a relay device is provided between the communication device and the communication terminal, the control terminal outputs the access control information for prohibiting reception or for canceling the reception prohibition to the relay device as well, and the relay device blocks reception on the former and cancels the block on the latter. Further, since the feature data is learned and the normal or abnormal list is updated, the accuracy of determining whether received frame information is normal or abnormal improves.
  • the mobile communication system (this system) according to the embodiment of the present invention is used for a mobile network. The communication device outputs received frame information, derived from the control information of the received frame, from which the feature of the frame is extracted, to the control terminal; the control terminal determines whether the received frame information is normal or abnormal based on the list of normal (white) information or abnormal (black) information, outputs access control information for prohibiting reception to the communication device and the relay device when it is determined to be abnormal, and outputs access control information for canceling the reception prohibition to the communication device and the relay device when it is determined to be normal, so that reception is blocked or the block is canceled. Even when there is no error in the control information used for the communication, malicious wireless communication can be detected as abnormal wireless communication, unauthorized occupation of the wireless line can be prevented, and the security and quality of communication can be ensured.
  • the control terminal extracts feature data from the received frame information, learns it as normal feature data if the received frame information is normal and as abnormal feature data if it is abnormal, and updates the normal or abnormal list using the learning result. Learning the feature data and updating the list improves the accuracy of determining whether received frame information is normal or abnormal.
  • FIG. 1 is a block diagram of the configuration of this system. As shown in FIG. 1, this system includes a communication device 1, a communication terminal 2, a relay device 3, and a control terminal 4. Since the communication terminal 2 is the same as the conventional communication terminal shown in FIG. 9, a specific description thereof will be omitted.
  • the communication device 1 includes a network unit 11, a wireless access control unit 12, a wireless signal processing unit 13, a high frequency unit 14, and an antenna 15. Since the wireless access control unit 12, the wireless signal processing unit 13, the high frequency unit 14, and the antenna 15 have the same configuration as the conventional configuration shown in FIG. 9, description thereof will be omitted.
  • the network unit 11 in the communication device 1 of this system includes a QoS function unit 111, a frame transmission / reception unit 112, a communication method function unit 113, and a frame information output unit 114.
  • the QoS function unit 111, the frame transmission / reception unit 112, and the communication method function unit 113 execute the same processing as the QoS function unit 1101, the frame transmission / reception unit 1102, and the communication method function unit 1103 of the conventional network unit 110 of FIG. 9.
  • the frame transmission / reception unit 112 outputs information (control information in the frame format) of the transmission frame and the reception frame (transmission / reception frame) to the frame information output unit 114. The details of the control information will be described later.
  • the newly provided frame information output unit 114 receives transmission / reception frame information from the frame transmission / reception unit 112, acquires the related control information from the frame format, and outputs the received frame information needed for feature extraction to the feature extraction unit 42 of the control terminal 4.
  • because the control terminal 4 determines normal or abnormal for the received frame information and performs access control, this system can also prevent the communication device from becoming a transmitter for attacks.
  • the transmission / reception frame format and the received frame information will be described later.
  • the relay device 3 is a relaying device such as a router, and relays IP packets between the communication device 1, specifically the QoS function unit 111 of the network unit 11, and the communication terminal 2. Further, the relay device 3 receives control information (access control information) for prohibiting communication or canceling the prohibition from the control terminal 4, performs access control such as blocking the communication, and outputs the normal or abnormal access control information to the communication terminal 2 as the higher-level device so that the abnormality can be detected there.
  • the details of the access control information will be described later; the relay device 3 prohibits (blocks) reception or cancels the prohibition according to the access control information.
  • as shown in FIG. 1, the control terminal 4 includes a statistical display / control unit 41, a feature extraction unit 42, a normal learning unit 43, and an abnormal learning unit 44. Unlike the control terminal 40 of FIG. 9, the control terminal 4 has this additional configuration, and the statistical display / control unit 41 also has additional functions. A specific description follows.
  • the statistical display / control unit 41 sets the communication method in the communication method function unit 113 of the network unit 11 of the communication device 1, monitors the communication status and the device status, and displays them. Further, the statistical display / control unit 41 determines whether a received frame is a normal received frame or an abnormal received frame based on the detection results input from the normal learning unit 43 and the abnormal learning unit 44; if it is an abnormal received frame, access control information for prohibiting reception is output, and if it is a normal received frame, access control information for canceling the reception prohibition is output, in both cases to the relay device 3 and the frame transmission / reception unit 112.
  • in this way, the statistical display / control unit 41 of this system determines that a received frame is malicious and abnormal from the reception interval, the received data size, the number of receptions, the transmission waiting time, and the like, and performs control that restricts reception.
  • the statistical display / control unit 41 stores a list of normal received frame information (white list) and a list of abnormal received frame information (black list). The statistical display / control unit 41 receives the received frame information from the frame information output unit 114, refers to the white list and the black list, and determines whether the received frame information is white (normal) or black (abnormal).
  • when the statistical display / control unit 41 determines that the received frame information is white, it outputs access control information for canceling the reception prohibition to the relay device 3 and the frame transmission / reception unit 112, and outputs a learning instruction so that the feature data from the feature extraction unit 42 is learned by the normal learning unit 43. When the statistical display / control unit 41 determines that the received frame information is black, it outputs access control information for prohibiting reception to the relay device 3 and the frame transmission / reception unit 112, and outputs a learning instruction so that the feature data from the feature extraction unit 42 is learned by the abnormal learning unit 44. A more specific configuration and processing of the statistical display / control unit 41 will be described later.
  • the feature extraction unit 42 extracts parameters (the target parameters of the single-time incremental statistics) from the received frame information from the frame information output unit 114, performs incremental statistical processing, performs clustering using the clustering classification parameters, and outputs the feature data corresponding to each cluster to the normal learning unit 43 or the abnormal learning unit 44.
  • the specific configuration, processing, parameters, and the like of the feature extraction unit 42 will be described later.
  • the normal learning unit 43 and the abnormal learning unit 44 receive feature data from the feature extraction unit 42, pass it through a trained autoencoder (self-encoder) to obtain a reconstruction error, and output the error to the statistical display / control unit 41 as a detection result.
  • an autoencoder is trained to encode the input data and decode it back into the same data as the input.
  • the autoencoder in the normal learning unit 43 is trained on normal data, and the autoencoder in the abnormal learning unit 44 is trained on abnormal data. In each case the difference between the input data and the decoded data is extracted as the error.
  • when feature data is input to the normal learning unit 43 and the error of its autoencoder is extracted, whether the data is normal can be determined from the magnitude of the error: data resembling what the autoencoder was trained on is reconstructed with a small error, other data with a large one. Likewise, when the feature data is input to the abnormal learning unit 44 and the error of its autoencoder is extracted, whether the feature data is abnormal can be determined from the magnitude of the error.
  • the errors from the normal learning unit 43 and the abnormal learning unit 44 are output to the statistical display / control unit 41 as detection results, and the statistical display / control unit 41 determines whether the feature data is normal or abnormal based on those results and updates the white list or the black list.
  • the normal learning unit 43 and the abnormal learning unit 44 learn the feature data from the feature extraction unit 42 according to the learning instruction from the statistical display / control unit 41. The learning of feature data is also described later.
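The two learning units described above, as an added example that is not part of the patent: each unit holds an autoencoder trained on its own class of feature data, and the control decision compares the two reconstruction errors. The autoencoders here are linear with a single hidden value and are trained by plain gradient descent so the example needs only the Python standard library; the feature vectors, initial weights and threshold are constructed assumptions, and a deployment would use a nonlinear network on the patent's real feature data.

```python
"""Normal / abnormal detection with the two autoencoders of the normal
learning unit 43 and the abnormal learning unit 44.

Added example, not code from the patent. Each autoencoder is a linear model
with a one-value bottleneck (encoder vector w_enc, decoder vector w_dec,
reconstruction = w_dec * (w_enc . x)) trained by full-batch gradient descent.
"""
from typing import List, Sequence, Tuple

Vector = List[float]


def dot(a: Sequence[float], b: Sequence[float]) -> float:
    return sum(x * y for x, y in zip(a, b))


def reconstruct(x: Sequence[float], w_enc: Vector, w_dec: Vector) -> Vector:
    code = dot(w_enc, x)              # encode to a single hidden value
    return [w * code for w in w_dec]  # decode back to input space


def reconstruction_error(x: Sequence[float], w_enc: Vector, w_dec: Vector) -> float:
    """Squared difference between input and decoded output: the 'error'
    each learning unit hands to the statistical display / control unit 41."""
    return sum((xi - ri) ** 2 for xi, ri in zip(x, reconstruct(x, w_enc, w_dec)))


def train_autoencoder(data: Sequence[Sequence[float]], w_enc: Vector, w_dec: Vector,
                      lr: float = 0.05, epochs: int = 3000) -> Tuple[Vector, Vector]:
    """Gradient descent on the mean squared reconstruction error.
    Initial weights are passed in so the result is deterministic."""
    w_enc, w_dec = list(w_enc), list(w_dec)
    n, d = len(data), len(w_enc)
    for _ in range(epochs):
        g_enc = [0.0] * d
        g_dec = [0.0] * d
        for x in data:
            code = dot(w_enc, x)
            resid = [xi - w * code for xi, w in zip(x, w_dec)]  # x - reconstruction
            wr = dot(w_dec, resid)
            for j in range(d):
                g_dec[j] -= 2.0 * resid[j] * code   # dL/dw_dec_j
                g_enc[j] -= 2.0 * wr * x[j]         # dL/dw_enc_j
        for j in range(d):
            w_enc[j] -= lr * g_enc[j] / n
            w_dec[j] -= lr * g_dec[j] / n
    return w_enc, w_dec


# Constructed feature data (2-D so it can be checked by hand): normal traffic
# lies along one direction in feature space, abnormal traffic along another.
NORMAL_FEATURES = [[0.1 * k, 0.2 * k] for k in range(1, 11)]
ABNORMAL_FEATURES = [[0.1 * k, -0.1 * k] for k in range(1, 11)]
INIT_ENC, INIT_DEC = [0.6, 0.3], [0.5, 0.3]  # fixed start, off any symmetry axis

NORMAL_AE = train_autoencoder(NORMAL_FEATURES, INIT_ENC, INIT_DEC)      # unit 43
ABNORMAL_AE = train_autoencoder(ABNORMAL_FEATURES, INIT_ENC, INIT_DEC)  # unit 44


def detect(x: Sequence[float], threshold: float = 0.5):
    """Decision of the statistical display / control unit 41 on the two errors:
    'normal' when only the normal-trained autoencoder reproduces x, 'abnormal'
    when only the abnormal-trained one does, None when neither (or both) fits,
    in which case the frame is displayed but nothing is learned from it."""
    e_normal = reconstruction_error(x, *NORMAL_AE)
    e_abnormal = reconstruction_error(x, *ABNORMAL_AE)
    if e_normal < threshold <= e_abnormal:
        return "normal"
    if e_abnormal < threshold <= e_normal:
        return "abnormal"
    return None


if __name__ == "__main__":
    for sample in ([0.5, 1.0], [0.8, -0.8], [3.0, 0.0]):
        print(sample, detect(sample))
```

A linear autoencoder with one hidden value learns the principal direction of its training data, so a sample off that direction reconstructs with an error of at least its squared distance from the line; that is what makes the two errors separate the three samples above, and why a frame that fits neither model (the third sample) is left undecided rather than forced into a list.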
  • FIG. 2 is a schematic diagram showing transmission / reception frames and upper layer protocol data.
  • the transmission / reception frame format consists of a wireless LAN (WLAN: Wireless Local Area Network) frame (WLAN Frame [QoS Frame]) carrying, as higher-layer protocol data, an IP packet (IP Packet), TCP (Transmission Control Protocol) segments or UDP (User Datagram Protocol) segments, and OLSR ad hoc routing messages (Adhoc Routing Message).
  • the "Duration" field of the WLAN frame of FIG. 2 contains the time required for the transmission; other stations must wait for the time specified in this field before transmitting.
  • FIG. 3 is a schematic diagram showing the target parameters of the single-time incremental statistics.
  • FIG. 4 is a schematic diagram showing the parameters of the clustering classification.
  • the control information shown in FIG. 2 is subjected to incremental statistics over a fixed time interval, that is, a single time, and the communication information needs to be classified into clusters, as units of logical connection, using the classification parameters shown in FIG. 4.
  • in FIG. 3, a WLAN frame ("WLAN Frame") and an ad hoc routing control message ("Adhoc Routing Message") are adopted as data, two fields in the data are used as usage parameters 1 and 2, and a feature parameter name is defined for the combination of usage parameters 1 and 2. There are five feature parameter names: "FCBySrc", "DurBySrc", "SeqBySrc", "AdcSseqByOrg", and "AdcMTByOrg".
  • the parameters of the clustering classification in FIG. 4 adopt the WLAN frame ("WLAN Frame"), the higher-layer protocol data ("IP Protocol", "TCP / UDP Protocol"), and the ad hoc routing control message ("Adhoc Routing Message") as data. As in FIG. 3, two fields in the data are used as usage parameters 1 and 2 and a feature parameter name is defined for their combination; in some cases the feature parameter name is defined by usage parameter 1 alone. There are six feature parameter names: "MacSrc", "MacSrcDst", "SeqBySrc", "NetSrcDst", "TLSrcDst", and "AdcOrg".
  • FIG. 5 is a schematic diagram showing how the analysis methods are applied.
  • the analysis is applied to the four statistical parameters "reception interval", "received data size", "number of receptions", and "transmission waiting time", using the four statistical methods "mean", "standard deviation", "covariance", and "product-moment correlation coefficient", each associated with feature parameters.
  • for the feature parameters, the feature parameter names of the target parameters in FIG. 3 are used; in the last two the letters "Adc" are omitted ("SseqByOrg", "MTByOrg").
  • FIGS. 3 to 5 are now described in more detail.
  • for each of the four statistical parameters, the analysis calculates a correlation using the feature parameters by the applicable statistical method, and the calculated correlation value is the feature data for each cluster.
  • for example, the "reception interval" is calculated for the feature parameters "FCBySrc", "SseqByOrg", and "MTByOrg" by the applicable statistical method "mean" or "standard deviation"; classification is performed using the usage parameters 1 and 2 corresponding to the feature parameter name of the clustering classification, the correlation with the values of the feature parameters already stored in the classified cluster is calculated, and the feature data in the cluster is output based on that correlation.
  • although feature parameters corresponding to the received data size are not shown in FIG. 5, the statistical calculation for it is performed with other parameters and the like.
  • FIG. 6 is a block diagram of the feature amount extraction unit.
  • the feature extraction unit 42 includes a parameter extraction unit 422, an incremental statistical processing unit 423, and a clustering processing unit 424.
  • the parameter extraction unit 422 extracts the target parameter of the single time incremental statistics in the frame shown in FIG. 3 from the received frame information input from the frame information output unit 114, and outputs the target parameter to the incremental statistics processing unit 423.
  • the target parameters in FIG. 3 are suitable for measuring the increment of received frames.
  • the incremental statistic processing unit 423 calculates the increment of the target parameter in a certain period and performs a process of calculating the statistic of the incremental tendency.
  • as the statistical method, as shown in FIG. 5, the method applicable to each statistical parameter among the mean, standard deviation, covariance, and product-moment correlation coefficient is used for each of the four statistical parameters.
  • for example, the incremental statistical processing unit 423 processes the statistical parameter "reception interval" of FIG. 5 over a fixed time using the statistical method "mean" or "standard deviation" for the feature parameters "FCBySrc", "SseqByOrg", and "MTByOrg", performing the processing according to the usage parameters 1 and 2 corresponding to those parameter names shown in FIG. 3, and calculates the parameters after statistical processing.
  • the clustering processing unit 424 receives the parameters after statistical processing, classifies them into clusters based on the parameters shown in FIG. 4, obtains feature data for the resulting clusters, and outputs it to the normal learning unit 43 and the abnormal learning unit 44. Specifically, for the four post-statistical-processing parameters "reception interval", "received data size", "number of receptions", and "transmission waiting time", the clustering processing unit 424 performs the clustering classification using usage parameter 1 of the feature parameter names of FIG. 4.
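The incremental statistics and per-cluster feature data described for FIGS. 3 to 6, as an added example that is not part of the patent. It clusters received frame information by source MAC (usage parameter 1 of "MacSrc"), computes the mean, standard deviation, covariance and product-moment correlation of the reception interval, received data size, number of receptions and transmission waiting time (the Duration field) over one fixed window, and handles the case where a statistic is undefined. The frame records, their field names and the two stations' behaviour are constructed assumptions.

```python
"""Single-time incremental statistics and per-cluster feature data of the
feature extraction unit 42 (parameter extraction unit 422, incremental
statistical processing unit 423, clustering processing unit 424).

Added example, not code from the patent. Frame records, field names and the
cluster key (source MAC) are constructed; statistics use population formulas,
and covariance / correlation are computed by hand so the code also runs on
Python versions before 3.10.
"""
from collections import defaultdict
from statistics import mean, pstdev
from typing import Dict, List, Optional, Sequence

# Constructed received frame information as the frame information output unit
# 114 would deliver it: timestamps in ms, Duration ("dur") in microseconds.
WELL_BEHAVED = "aa:bb:cc:00:00:01"
FLOODER = "aa:bb:cc:00:00:02"
FRAMES: List[dict] = [
    # a station sending every 1-3 s with modest Duration values
    {"ts_ms": 0,    "src": WELL_BEHAVED, "seq": 10, "dur": 10, "size": 100},
    {"ts_ms": 1000, "src": WELL_BEHAVED, "seq": 11, "dur": 20, "size": 200},
    {"ts_ms": 3000, "src": WELL_BEHAVED, "seq": 12, "dur": 30, "size": 300},
    {"ts_ms": 6000, "src": WELL_BEHAVED, "seq": 13, "dur": 40, "size": 400},
] + [
    # a station sending every 100 ms with the maximum Duration, which makes every
    # other station defer: error-free frames, but unauthorized line occupation
    {"ts_ms": 100 * i, "src": FLOODER, "seq": 500 + i, "dur": 32767, "size": 60}
    for i in range(6)
]


def pcov(xs: Sequence[float], ys: Sequence[float]) -> float:
    """Population covariance of two equally long series."""
    mx, my = mean(xs), mean(ys)
    return sum((x - mx) * (y - my) for x, y in zip(xs, ys)) / len(xs)


def pcorr(xs: Sequence[float], ys: Sequence[float]) -> Optional[float]:
    """Product-moment correlation coefficient; None when a series is constant,
    because the coefficient is then undefined (0/0)."""
    sx, sy = pstdev(xs), pstdev(ys)
    if sx == 0 or sy == 0:
        return None
    return pcov(xs, ys) / (sx * sy)


def cluster_features(frames: Sequence[dict], window_start_ms: int, window_ms: int) -> Dict[str, dict]:
    """One fixed window ('single time'): group frames by source MAC and compute
    the statistics of FIG. 5 for each cluster."""
    clusters: Dict[str, List[dict]] = defaultdict(list)
    for f in frames:
        if window_start_ms <= f["ts_ms"] < window_start_ms + window_ms:
            clusters[f["src"]].append(f)
    features: Dict[str, dict] = {}
    for src, fs in clusters.items():
        fs.sort(key=lambda f: f["ts_ms"])
        intervals = [b["ts_ms"] - a["ts_ms"] for a, b in zip(fs, fs[1:])]
        durations = [f["dur"] for f in fs]
        sizes = [f["size"] for f in fs]
        feat = {
            "count": len(fs),                               # number of receptions
            "seq_increment": fs[-1]["seq"] - fs[0]["seq"],  # SeqBySrc increment
            "size_mean": mean(sizes), "size_std": pstdev(sizes),
            "dur_mean": mean(durations), "dur_std": pstdev(durations),  # waiting time
        }
        if intervals:  # a single frame in the window has no reception interval
            feat["interval_mean"] = mean(intervals)
            feat["interval_std"] = pstdev(intervals)
            # pair each interval with the Duration of the frame that ended it
            feat["interval_dur_cov"] = pcov(intervals, durations[1:])
            feat["interval_dur_corr"] = pcorr(intervals, durations[1:])
        features[src] = feat
    return features


if __name__ == "__main__":
    for src, feat in cluster_features(FRAMES, 0, 10_000).items():
        print(src, feat)
```

For the flooding station the interval and Duration series are both constant, so the correlation is undefined and reported as None instead of a spurious value; the count, the zero spread and the maximal Duration mean are the features that distinguish it, even though every one of its frames is syntactically valid.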
  • FIG. 7 is a partial block diagram of the control terminal.
  • a partial configuration of the control terminal 4 shows a statistical display / control unit 41, a normal learning unit 43, and an abnormal learning unit 44.
  • the statistical display / control unit 41 includes an output control unit 411, a display unit 412, a white / blacklist control unit 413, and a router / communication device control unit 414.
  • the output control unit 411 has a learning / abnormality detection switching unit 4111, a white / black determination unit 4112, a white list storage unit 4113, and a blacklist storage unit 4114.
  • the learning / abnormality detection switching unit 4111 inputs the received frame information from the frame information output unit 114 and outputs it to the white / black determination unit 4112, and the reception frame is normal (white) based on the determination result from the white / black determination unit 4112. ) Or abnormality (black) is detected, received frame information is output to the display unit 412, and the detection result is output to the normal learning unit 43 and the abnormality learning unit 44 as output switching. However, when neither normal nor abnormal is detected, the learning / abnormality detection switching unit 4111 outputs only the received frame information to the display unit 412 without outputting the detection result.
  • When the learning / abnormality detection switching unit 4111 determines that the input received frame information is white (normal), it outputs to the normal learning unit 43, as output switching, an instruction (learning instruction) to learn the input feature data.
  • When the learning / abnormality detection switching unit 4111 determines that the input received frame information is black (abnormal), it outputs to the abnormal learning unit 44, as output switching, an instruction (learning instruction) to learn the input feature data.
  • In other words, for each input received frame information, the learning / abnormality detection switching unit 4111 outputs the output switching (learning instruction) to either the normal learning unit 43 or the abnormal learning unit 44, never to both.
  • The white / black determination unit 4112 inputs the received frame information from the learning / abnormality detection switching unit 4111, refers to the white list storage unit 4113 and the black list storage unit 4114, determines whether the received frame information is stored in the white list storage unit 4113 or in the black list storage unit 4114, and outputs the determination result to the learning / abnormality detection switching unit 4111. The determination result is "normal" if the information is stored in the white list storage unit 4113 and "abnormal" if it is stored in the black list storage unit 4114.
  • The white list storage unit 4113 stores a plurality of normal (white) received frame information as a list. When received frame information for updating the white list is input from the white / blacklist control unit 413, the white list storage unit 4113 is updated; that is, the received frame information for white list update from the white / blacklist control unit 413 is stored in the white list storage unit 4113.
  • The black list storage unit 4114 stores a plurality of abnormal (black) received frame information as a list. When received frame information for updating the black list is input from the white / blacklist control unit 413, the black list storage unit 4114 is updated; that is, the received frame information for black list update from the white / blacklist control unit 413 is stored in the black list storage unit 4114.
  • The display unit 412 inputs the received frame information from the learning / abnormality detection switching unit 4111 of the output control unit 411, inputs the error output from the normal learning unit 43 and the error output from the abnormal learning unit 44, and displays the reception error for normal or abnormal received frame information to the communication administrator or the like. The display unit 412 further outputs the input received frame information to the white / blacklist control unit 413; when it outputs the received frame information, it may output the normal error output or the abnormal error output together with it.
  • The white / blacklist control unit 413 stores a threshold value for the error used in determining whether reception is permitted or prohibited (permitted / prohibited) for the received frame information. It makes a normal (white) or abnormal (black) determination based on the normal error and the abnormal error input together with the received frame information, and outputs the determination result and the received frame information to the white list storage unit 4113 or the black list storage unit 4114. The normal or abnormal error output input from the display unit 412 is referred to in this normal / abnormal determination process.
  • When the white / blacklist control unit 413 determines that the input received frame information is normal, it outputs the received frame information to the white list storage unit 4113 as received frame information for updating the white list; when it determines that the input received frame information is abnormal, it outputs the received frame information to the black list storage unit 4114 as received frame information for updating the black list.
  • The white / blacklist control unit 413 changes and adjusts the threshold value for the permit / prohibit determination based on permit / prohibit registrations from the communication administrator or the like.
  • Alternatively, the white / blacklist control unit 413 may not determine permission / prohibition of reception by the threshold value at all, but decide everything by permit / prohibit registration instructions from the communication administrator or the like, update the white list storage unit 4113 or the black list storage unit 4114 accordingly, and control access through the router / communication device control unit 414. This is a manual control operation.
  • When the white / blacklist control unit 413 determines that the received frame information is normal or abnormal, it outputs access control information to the router / communication device control unit 414: if the received frame information is abnormal, the access control information prohibits reception; if it is normal, the access control information cancels the reception prohibition.
  • The router / communication device control unit 414 inputs the access control information for reception prohibition or for cancellation of reception prohibition from the white / blacklist control unit 413 and outputs it to the relay device 3, such as a router, and to the communication device 1.
  • In the communication device 1, the access control information is output in particular to the frame transmission / reception unit 112 of the network unit 11. The relay device 3 and the communication device 1 that receive the access control information perform the processing that prohibits reception or cancels the prohibition.
  • FIG. 8 is a block diagram showing a normal learning unit / abnormal learning unit.
  • the normal learning unit 43 has a self-encoder 431, an error extraction / difference detection unit 432, and an output determination unit 433.
  • The abnormal learning unit 44 has a self-encoder 441, an error extraction / difference detection unit 442, and an output determination unit 443.
  • The self-encoder (autoencoder) 431 has a model (learning model) trained, with only normal feature data as teacher data, so that when the input data is encoded and the encoded data is decoded, the decoded data equals the input data. It outputs the input data and the decoded data to the error extraction / difference detection unit 432.
  • When normal feature data is input, the learning model of the self-encoder 431 decodes it back to the normal feature data, so the error between the input data and the decoded data is small. For feature data that is not normal, the error between the input data and the decoded data becomes large, because the learning model has not learned such data.
  • The self-encoder 441 has a learning model trained, with only abnormal feature amount data as teacher data, so that when the input data is encoded and the encoded data is decoded, the decoded data equals the input data. It outputs the input data and the decoded data to the error extraction / difference detection unit 442.
  • When abnormal feature amount data is input, the learning model of the self-encoder 441 decodes it back to the abnormal feature amount data, so the error between the input data and the decoded data is small. For feature amount data that is not abnormal, the error between the input data and the decoded data becomes large, because the learning model has not learned such data.
  • The error extraction / difference detection units 432 and 442 input the feature amount data and the decoded data from the self-encoders 431 and 441, extract the error between the two, detect the difference, and output the difference information to the output determination units 433 and 443.
  • The output determination units 433 and 443 input the difference information from the error extraction / difference detection units 432 and 442 and output it to the display unit 412 as an error. Further, when the output switching instruction from the learning / abnormality detection switching unit 4111 of the output control unit 411 is input, the output determination units 433 and 443 feed back to the self-encoders 431 and 441 the gradient information for correcting the difference, so that the gradient is reflected in the learning model.
  • The output determination unit 433 receives the output switching instruction when the received frame information from the learning / abnormality detection switching unit 4111 is in the white list storage unit 4113. Since the feature amount data is then that of a normal received frame on the white list, it is learned as normal teacher data by reflecting the gradient in the self-encoder 431.
  • The output determination unit 443 receives the output switching instruction when the received frame information from the learning / abnormality detection switching unit 4111 is in the black list storage unit 4114. Since the feature amount data is then that of an abnormal received frame on the black list, it is learned as abnormal teacher data by reflecting the gradient in the self-encoder 441.
  • In this way, the frame information output unit 114 generates, from the control information related to a received frame, received frame information for extracting the feature amount of the frame, and outputs the received frame information to the control terminal 4.
  • the control terminal 4 extracts feature amount data (feature data) from the received frame information and outputs the feature amount data (feature data) to the normal learning unit 43 or the abnormal learning unit 44.
  • the normal learning unit 43 and the abnormal learning unit 44 learn normal received frame information and abnormal received frame information based on the feature data.
  • The statistical display / control unit 41 of the control terminal 4 determines whether the input received frame information is normal or abnormal based on the learning results of the normal learning unit 43 and the abnormal learning unit 44. If abnormal, it instructs the relay device 3 and the frame transmission / reception unit 112 to prohibit reception, so that reception of the frame is blocked; if normal, it instructs the relay device 3 and the frame transmission / reception unit 112 to cancel the reception prohibition, so that the frame is received.
  • Therefore this system can detect abnormal wireless communication (malicious wireless communication), block that communication, avoid unauthorized occupation of the wireless line, and secure the security and quality of communication.
  • In the mobile communication system of this embodiment, the frame transmission / reception unit 112 of the communication device 1 outputs the control information of a received frame to the frame information output unit 114; the frame information output unit 114 outputs received frame information for extracting the feature amount of the frame to the control terminal 4; the control terminal 4 determines whether the received frame information is normal or abnormal based on the white list or the black list; and when it determines abnormal it outputs access control information for prohibiting reception to the frame transmission / reception unit 112 of the communication device 1 and to the relay device 3, while when it determines normal it outputs access control information for cancelling the reception prohibition, so that reception is blocked or unblocked. Malicious wireless communication is thereby detected as abnormal wireless communication even when its control information contains no error, unauthorized occupation of the wireless line is avoided, and the security and quality of communication are secured.
  • Further, in this mobile communication system the feature extraction unit 42 of the control terminal 4 extracts feature amount data from the received frame information, and the statistical display / control unit 41 has the normal learning unit 43 learn it as normal feature amount data if the received frame information is normal and has the abnormal learning unit 44 learn it as abnormal feature amount data if the received frame information is abnormal, updating the white list or the black list with the learning result. Since the feature amount data is learned and the white list or black list updated in this way, the accuracy of the normal / abnormal determination of received frame information improves.
  • the present invention is suitable for a mobile communication system that detects malicious wireless communication as abnormal wireless communication, blocks the communication, avoids unauthorized occupation of the wireless line, and secures the security and quality of the communication.
  • Reference numerals: 413 ... white / blacklist control unit, 414 ... router / communication device control unit, 422 ... parameter extraction unit, 423 ... incremental statistical processing unit, 424 ... clustering processing unit, 431, 441 ... self-encoder, 432, 442 ... error extraction / difference detection unit, 433, 443 ... output determination unit, 4111 ... learning / abnormality detection switching unit, 4112 ... white / black determination unit, 4113 ... white list storage unit, 4114 ... black list storage unit
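The list lookup, learning-instruction routing, permit / prohibit threshold decision and access control output that the description above assigns to the output control unit 411 (4111 to 4114), the white / blacklist control unit 413 and the router / communication device control unit 414, written out as an added Python example. This is not code from the patent, which discloses none. It assumes that received frame information is keyed by a source-station identifier, that the normal and abnormal learners deliver their errors as floats, that the threshold value is 0.001, and that the learner whose model reproduces the frame within the threshold decides (the patent does not specify the rule); the station identifiers and error values are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Access control information that unit 414 forwards to communication device 1
# (its frame transmission/reception unit 112) and to relay device 3.
PROHIBIT_RECEPTION = "prohibit_reception"
CANCEL_PROHIBITION = "cancel_reception_prohibition"


@dataclass
class ControlTerminal:
    """Statistical display/control unit 41: output control unit 411 (4111-4114),
    white/blacklist control unit 413 and router/communication device control unit 414."""
    threshold: float = 0.001                             # permit/prohibit threshold of unit 413 (assumed value)
    whitelist: Set[str] = field(default_factory=set)     # white list storage unit 4113
    blacklist: Set[str] = field(default_factory=set)     # black list storage unit 4114
    learning_log: List[Tuple[str, str]] = field(default_factory=list)  # learning instructions issued by 4111
    access_control: Dict[str, str] = field(default_factory=dict)       # last access control info per station

    def white_black_determination(self, source_id: str) -> Optional[str]:
        """Unit 4112: list lookup only; None when the station is on neither list."""
        if source_id in self.whitelist:
            return "normal"
        if source_id in self.blacklist:
            return "abnormal"
        return None

    def threshold_decision(self, normal_error: float, abnormal_error: float) -> Optional[str]:
        """Unit 413 (assumed rule): the learner whose model reproduces the frame
        within the threshold decides; if both or neither do, no determination."""
        if normal_error <= self.threshold < abnormal_error:
            return "normal"
        if abnormal_error <= self.threshold < normal_error:
            return "abnormal"
        return None

    def _update_lists(self, source_id: str, verdict: str) -> str:
        """Store the received frame information for list update and emit access control information."""
        if verdict == "normal":
            self.blacklist.discard(source_id)
            self.whitelist.add(source_id)
            self.access_control[source_id] = CANCEL_PROHIBITION
        else:
            self.whitelist.discard(source_id)
            self.blacklist.add(source_id)
            self.access_control[source_id] = PROHIBIT_RECEPTION
        return self.access_control[source_id]

    def register(self, source_id: str, permitted: bool) -> str:
        """Manual permit/prohibit registration by the communication administrator,
        bypassing the threshold decision entirely."""
        return self._update_lists(source_id, "normal" if permitted else "abnormal")

    def process(self, source_id: str, normal_error: float, abnormal_error: float) -> Optional[str]:
        """Handle one received frame. Returns the access control information sent
        out, or None when the frame is only displayed."""
        # 4111: route a learning instruction according to the list lookup
        listed = self.white_black_determination(source_id)
        if listed == "normal":
            self.learning_log.append((source_id, "normal_learning_unit_43"))
        elif listed == "abnormal":
            self.learning_log.append((source_id, "abnormal_learning_unit_44"))
        # 413: threshold decision on the two learners' errors, then list update and 414 output
        verdict = self.threshold_decision(normal_error, abnormal_error)
        if verdict is None:
            return None
        return self._update_lists(source_id, verdict)


if __name__ == "__main__":
    ct = ControlTerminal()
    # Constructed frame sequence: (source station, error from unit 43, error from unit 44)
    frames = [("sta-07", 2e-5, 0.05), ("sta-99", 0.03, 1e-5),
              ("sta-42", 0.02, 0.03), ("sta-07", 3e-5, 0.04)]
    for sid, en, ea in frames:
        print(sid, ct.process(sid, en, ea))
    print("learning instructions:", ct.learning_log)
    print("access control:", ct.access_control)
```

Note that a station on neither list gets no learning instruction on its first frame (the learners only see its feature data), but once the threshold decision has placed it on a list, its later frames are routed to the corresponding learner, which is how the lists and the models reinforce each other in the patent's description.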
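The normal learning unit 43 and abnormal learning unit 44 of FIG. 8 (self-encoders 431 / 441, error extraction / difference detection 432 / 442 and gradient feedback from the output determination units 433 / 443) as an added Python example; this is not the patent's code. Each self-encoder is a small linear autoencoder trained by stochastic gradient descent on one class of teacher data only, and the error is the mean squared difference between decoded and input data. The feature vector follows the four parameters of FIG. 4. The operating points, the scaling of the features to [0, 1], centring on the training mean in place of learned bias terms, the 2-unit bottleneck and the learning rate are assumptions, and the training data is constructed rather than measured.

```python
import random

# Feature order per FIG. 4 of the patent (values assumed scaled to [0, 1]).
FEATURES = ("reception_interval", "reception_data_size",
            "reception_count", "transmission_waiting_time")


class LinearAutoencoder:
    """Self-encoder with n inputs and k hidden units, trained by per-sample SGD.
    Inputs are centred on the training-data mean (a fixed offset standing in
    for bias terms); encoder and decoder are plain weight matrices."""

    def __init__(self, n, k, seed, lr=0.2):
        rng = random.Random(seed)
        self.lr = lr
        self.mu = [0.0] * n
        self.enc = [[rng.uniform(-0.1, 0.1) for _ in range(n)] for _ in range(k)]
        self.dec = [[rng.uniform(-0.1, 0.1) for _ in range(k)] for _ in range(n)]

    def _forward(self, x):
        xc = [xi - mi for xi, mi in zip(x, self.mu)]                      # centred input data
        h = [sum(w * xi for w, xi in zip(row, xc)) for row in self.enc]    # encoded data
        y = [sum(w * hj for w, hj in zip(row, h)) for row in self.dec]     # decoded data
        return xc, h, y

    def error(self, x):
        """Error extraction / difference detection: mean squared difference
        between decoded data and (centred) input data."""
        xc, _, y = self._forward(x)
        return sum((yi - xi) ** 2 for yi, xi in zip(y, xc)) / len(xc)

    def learn(self, x):
        """Gradient feedback for one teacher sample: one SGD step on the squared
        reconstruction error, the role of units 433/443 on a learning instruction."""
        xc, h, y = self._forward(x)
        r = [yi - xi for yi, xi in zip(y, xc)]                # difference information
        # dL/dh_j = sum_i 2 r_i dec[i][j], taken before dec is updated
        grad_h = [sum(self.dec[i][j] * r[i] for i in range(len(r))) for j in range(len(h))]
        for i in range(len(r)):
            for j in range(len(h)):
                self.dec[i][j] -= self.lr * 2.0 * r[i] * h[j]
        for j in range(len(h)):
            for i in range(len(xc)):
                self.enc[j][i] -= self.lr * 2.0 * grad_h[j] * xc[i]
        return sum(ri * ri for ri in r) / len(r)

    def train(self, samples, epochs):
        """Teacher data of one class only, as the patent prescribes for units 43 and 44."""
        n = len(samples[0])
        self.mu = [sum(s[i] for s in samples) / len(samples) for i in range(n)]
        for _ in range(epochs):
            for s in samples:
                self.learn(s)


def make_samples(centre, axes, count, seed):
    """Constructed feature vectors: centre + two latent factors + small noise.
    Not measured data; chosen so that each class occupies its own plane."""
    rng = random.Random(seed)
    out = []
    for _ in range(count):
        a, b = rng.uniform(-1.0, 1.0), rng.uniform(-1.0, 1.0)
        out.append([c + a * u + b * v + rng.uniform(-0.005, 0.005)
                    for c, u, v in zip(centre, axes[0], axes[1])])
    return out


# Constructed operating points (assumed). Normal: steady traffic. Abnormal: a
# station flooding the line (tiny interval, high count, long waiting times).
NORMAL_CENTRE = [0.50, 0.60, 0.30, 0.20]
NORMAL_AXES = ([-0.15, 0.05, 0.15, 0.10], [0.05, 0.20, 0.00, -0.05])
ABNORMAL_CENTRE = [0.05, 0.15, 0.95, 0.85]
ABNORMAL_AXES = ([-0.04, 0.05, 0.04, 0.10], [0.01, 0.10, -0.01, -0.05])


def build_learners(epochs=300):
    """Normal learning unit 43 trained on normal teacher data only,
    abnormal learning unit 44 on abnormal teacher data only."""
    normal_ae = LinearAutoencoder(len(FEATURES), 2, seed=1)
    abnormal_ae = LinearAutoencoder(len(FEATURES), 2, seed=2)
    normal_ae.train(make_samples(NORMAL_CENTRE, NORMAL_AXES, 40, seed=11), epochs)
    abnormal_ae.train(make_samples(ABNORMAL_CENTRE, ABNORMAL_AXES, 40, seed=12), epochs)
    return normal_ae, abnormal_ae


def reconstruction_errors(normal_ae, abnormal_ae, x):
    """The two errors that units 433 and 443 report to the display unit 412 for
    one frame's feature data; unit 413 compares them with its threshold."""
    return normal_ae.error(x), abnormal_ae.error(x)


if __name__ == "__main__":
    n_ae, a_ae = build_learners()
    for label, x in (("steady station", NORMAL_CENTRE), ("flooding station", ABNORMAL_CENTRE)):
        en, ea = reconstruction_errors(n_ae, a_ae, x)
        print(f"{label}: normal-learner error {en:.2e}, abnormal-learner error {ea:.2e}")
```

Run as a script it prints the two errors for a steady and a flooding station: the error of the learner trained on the frame's own class stays near the noise floor of the constructed data, while the other learner's error is orders of magnitude larger. That gap is what makes a fixed threshold in unit 413 workable; with a linear model the gap only exists when the abnormal traffic leaves the plane the normal data spans, which is why the feature parameters of FIG. 4 have to be chosen so that flooding or replay actually shifts them.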

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Mobile Radio Communication Systems (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

[Problem] To provide a mobile communication system which detects and blocks malicious wireless communication as abnormal wireless communication, so as to avoid unauthorized occupation of a wireless channel and secure the communication security and quality. [Solution] A mobile communication system in which: a frame transmitter-receiver unit 112 of a communication device 1 outputs control information of a received frame to a frame information output unit 114; the frame information output unit 114 outputs received frame information for extracting the feature amount of the frame to a control terminal 4; the control terminal 4 determines whether the received frame information is normal or abnormal on the basis of a white list or a black list; to the frame transmitter-receiver unit 112 of the communication device 1 and a relay device 3, access control information for prohibiting reception is output upon the abnormality determination and access control information for cancelling prohibition of reception is output upon the normality determination, so as to block or unblock the reception.

Description

Mobile communication system
The present invention relates to a mobile communication system applied to a mobile network, and more particularly to a mobile communication system that can discriminate abnormal communication and unauthorized communication in order to secure the security and quality of communication.
[Conventional technology]
A conventional mobile communication system, in a mobile network, autonomously detects terminals between mobile communication stations, autonomously optimizes routes and builds an ad hoc wireless network, realizing communication that keeps the load on the line low while reducing delay.
[Conventional mobile communication system: FIG. 9]
A conventional mobile communication system is described with reference to FIG. 9, which is a block diagram of its configuration.
As shown in FIG. 9, the conventional mobile communication system includes a communication device 10, a communication terminal 2, and a control terminal 40.
The conventional communication device 10 includes a network unit 110, a wireless access control unit 12, a wireless signal processing unit 13, a high-frequency unit 14, and an antenna 15.
The network unit 110 has a QoS (Quality of Service) function unit 1101, a frame transmission / reception unit 1102, and a communication method function unit 1103.
The wireless access control unit 12 includes a transmission / reception counter 12a.
The control terminal 40 has a statistical display unit 45.
The network unit 110 mainly serves as the interface to the communication terminal 2, such as an IP (Internet Protocol) telephone terminal or a PC (Personal Computer), and to the control terminal 40; it exchanges IP packets with the wireless access control unit 12 and sets the communication method, among other things.
When a communication method is set from the control terminal 40, the communication method function unit 1103 notifies the QoS function unit 1101, the wireless access control unit 12, the wireless signal processing unit 13 and the high-frequency unit 14 of that communication method, has them switch their settings, and takes in the status reported by each of them.
When the communication method is set by the communication method function unit 1103, the QoS function unit 1101 selects the IP packets to be transmitted preferentially according to that communication method and outputs them to the frame transmission / reception unit 1102.
The QoS function unit 1101 also outputs the IP packets from the frame transmission / reception unit 1102 to the communication terminal 2.
The frame transmission / reception unit 1102 embeds the IP packets input from the QoS function unit 1101 into a communication frame to generate a transmission frame, and outputs the transmission frame to the wireless access control unit 12. IP packets with the same destination can be passed to the wireless access control unit 12 together as one transmission frame.
The frame transmission / reception unit 1102 also takes the communication data from the wireless access control unit 12 as a received frame, extracts the IP packets from it, and outputs them to the QoS function unit 1101.
The wireless access control unit 12 determines whether the wireless line is in use, and outputs the transmission frame input from the network unit 110 to the wireless signal processing unit 13 when the line is not in use.
The wireless access control unit 12 also outputs the error-corrected and decoded communication data (received frame) from the wireless signal processing unit 13 to the network unit 110.
Further, the wireless access control unit 12 determines whether the data has reliably reached the other party over the wireless link and performs retransmission control and the like as necessary.
The transmission / reception counter 12a in the wireless access control unit 12 counts transmitted and received IP packets and outputs the count values to the communication method function unit 1103 of the network unit 110. The communication method function unit 1103 grasps the transmission / reception status from the count values of the transmission / reception counter 12a.
The wireless signal processing unit 13 applies error-correction encoding to the communication data from the wireless access control unit 12 and outputs it to the high-frequency unit 14.
The wireless signal processing unit 13 also applies error-correction decoding to the demodulated signal from the high-frequency unit 14 and outputs it to the wireless access control unit 12.
The high-frequency unit 14 modulates the error-correction-encoded communication data from the wireless signal processing unit 13 for transmission and outputs it to the antenna 15.
The high-frequency unit 14 also demodulates the signal input from the antenna 15 for reception and outputs it to the wireless signal processing unit 13.
The antenna 15 radiates the transmission signal from the high-frequency unit 14 into the air and outputs the signal received from the air to the high-frequency unit 14.
[Processing in the conventional mobile communication system]
[Transmission processing]
In the conventional mobile communication system, transmission proceeds as follows. The network unit 110 exchanges packets between the communication terminal 2 and the wireless access control unit 12, and the frame transmission / reception unit 1102 generates a transmission frame by attaching control information to the IP packets. Based on the transmission frame received from the network unit 110, the wireless access control unit 12 determines whether the frequency resource, i.e. the wireless line, is not in use, or whether it is the station's own transmittable time; when it determines that transmission is possible, it encrypts the frame and transfers it to the wireless signal processing unit 13.
The wireless signal processing unit 13 performs the encoding and interleaving used to correct communication errors, then modulates the result onto a carrier, attaches synchronization and control signals and the like, and transfers it to the high-frequency unit 14.
The high-frequency unit 14 converts the input carrier to a higher radio frequency, amplifies it to the specified power, and transmits it from the antenna 15.
[Reception processing]
For reception, radio waves enter from the antenna 15, the high-frequency unit 14 converts the radio-frequency signal to a carrier, and outputs it to the wireless signal processing unit 13.
The wireless signal processing unit 13 demodulates the carrier, detects the synchronization and control signals and the like, and restores the digital information. It then corrects erroneous information and outputs the result to the wireless access control unit 12.
The wireless access control unit 12 decrypts the encrypted digital information, determines whether the received digital information is a frame, and if so performs response processing, adjustment of the transmittable time and the like according to the control information stored in the frame.
If the received frame contains an IP packet, the wireless access control unit 12 outputs the received frame to the network unit 110.
In the network unit 110, the frame transmission / reception unit 1102 extracts the IP packet from the received frame input from the wireless access control unit 12, determines whether the packet is for the connected communication terminal 2, and if so forwards the packet to the communication terminal 2.
The control terminal 40 configures the communication device 10, monitors the communication status and the device status, and displays them on the statistical display unit 45.
Because conventional mobile communication systems realize autonomous distributed access and make network connection over the air easy, they operate in an environment that is susceptible to network cyber attacks.
In wireless networks, one frequency resource is often shared among a plurality of mobile communication stations. Specifically, multiple-access schemes such as TDMA (Time Division Multiple Access) and contention avoidance by carrier sense (CSMA/CA: Carrier Sense Multiple Access / Collision Avoidance) are used.
In these sharing schemes, when malicious communication occurs it is usually judged normal and carried out as long as there is no error in the content of the control information used for the communication, so detecting and blocking malicious communication has not been easy.
[Related technology]
As related prior art there is Japanese Patent No. 5848956, "Communication Device" (Patent Document 1).
Patent Document 1 shows a communication device that, when transmitting with one of a plurality of communication methods in a mobile communication system, determines the number of IP packets to concatenate according to the subcarrier usage rate.
Japanese Patent No. 5848956
However, the conventional mobile communication system judges communication abnormal when, for example, its control information is erroneous, and then discards the information related to the wireless communication or the network connection. For communication that deliberately occupies the wireless line, or communication that replays received signals for misuse, it is difficult to judge the communication abnormal when the content of the control information is normal; delays in the network connection then occur, and the security and quality of communication cannot be ensured.
Patent Document 1 does not describe a technique for detecting malicious or unauthorized communication and blocking it.
The present invention was made in view of the above circumstances, and its object is to provide a mobile communication system that detects malicious wireless communication as abnormal wireless communication and blocks it, avoiding unauthorized occupation of the wireless line and securing the security and quality of communication.
 上記従来例の問題点を解決するための本発明は、移動体ネットワークに用いられる移動通信システムであって、受信したフレームの制御情報から当該フレームの特徴量を抽出するための受信フレーム情報を出力すると共に、受信禁止のアクセス制御情報により受信を遮断し、受信禁止解除のアクセス制御情報により受信の遮断を解除する通信装置と、受信フレーム情報を入力し、当該受信フレーム情報が正常であるか又は異常であるかを、予め記憶された受信フレーム情報の正常又は異常のリストに基づいて判定し、異常と判定した場合に通信装置に受信禁止のアクセス制御情報を出力し、正常と判定した場合に通信装置に受信禁止解除のアクセス制御情報を出力する制御端末とを有するものである。 The present invention for solving the problems of the above-mentioned conventional example is a mobile communication system used for a mobile network, and outputs received frame information for extracting the feature amount of the frame from the control information of the received frame. At the same time, the communication device that blocks reception by the access control information of reception prohibition and cancels reception by the access control information of reception prohibition is input, and the reception frame information is input, and the reception frame information is normal or not. Whether it is abnormal is determined based on the normal or abnormal list of received frame information stored in advance, and when it is determined to be abnormal, the access control information for which reception is prohibited is output to the communication device, and when it is determined to be normal. It has a control terminal that outputs access control information for canceling reception prohibition to a communication device.
 本発明は、上記移動通信システムにおいて、通信装置と通信端末との間に中継装置を設け、制御端末が、受信禁止のアクセス制御情報又は受信禁止解除のアクセス制御情報を中継装置に出力し、中継装置が、受信禁止のアクセス制御情報により受信を遮断し、受信禁止解除のアクセス制御情報により受信の遮断を解除するものである。 INDUSTRIAL APPLICABILITY In the above mobile communication system, a relay device is provided between a communication device and a communication terminal, and the control terminal outputs access control information for prohibiting reception or access control information for canceling reception prohibition to the relay device and relays the information. The device blocks reception by the access control information of reception prohibition, and cancels reception by the access control information of cancellation of reception prohibition.
 本発明は、上記移動通信システムにおいて、制御端末が、受信フレーム情報から特徴量データを抽出し、受信フレーム情報が正常であれば正常な特徴量データとして学習し、受信フレーム情報が異常であれば異常な特徴量データとして学習し、当該学習結果を用いて正常又は異常のリストを更新するものである。 According to the present invention, in the mobile communication system, the control terminal extracts feature amount data from received frame information, learns it as normal feature amount data if the received frame information is normal, and learns it as normal feature amount data if the received frame information is abnormal. It is trained as anomalous feature data, and the list of normal or abnormal is updated using the learning result.
 本発明は、上記移動通信システムにおいて、制御端末が、学習では自己符号器を用い、受信したフレームについての特徴量データを入力データとして自己符号化器に入力し、自己符号化器からの出力データと入力データとの差分に基づいてフレームの正常又は異常を判定するものである。 According to the present invention, in the mobile communication system, the control terminal uses a self-encoder for learning, inputs feature quantity data about received frames to the self-encoder as input data, and outputs data from the self-encoder. The normality or abnormality of the frame is determined based on the difference between the input data and the input data.
In the above mobile communication system, when the control terminal has determined a received frame to be normal or abnormal, it updates the normal or abnormal list with the received frame information of that frame.
In the above mobile communication system, the control terminal obtains the feature data by computing, with a statistical method, the correlation among a plurality of reception-related parameters.
In the above mobile communication system, the control terminal clusters the feature data according to a plurality of reception-related parameters and obtains feature data for each cluster.
According to the present invention, the mobile communication system comprises a communication device that outputs, from the control information of a received frame, received frame information for extracting the feature quantities of that frame, blocks reception in response to reception-prohibition access control information and releases the block in response to reception-prohibition-release access control information, and a control terminal that receives the received frame information, determines whether it is normal or abnormal on the basis of a pre-stored list of normal or abnormal received frame information, and outputs reception-prohibition access control information to the communication device when the information is determined to be abnormal and reception-prohibition-release access control information when it is determined to be normal. Consequently, malicious wireless communication is detected as abnormal wireless communication even when the control information used for the communication contains no error, unauthorized occupation of the wireless channel is prevented, and the security and quality of communication are ensured.
According to the present invention, the above mobile communication system further provides a relay device between the communication device and the communication terminal; the control terminal outputs the reception-prohibition or reception-prohibition-release access control information to the relay device, and the relay device blocks reception in response to the reception-prohibition access control information and releases the block in response to the reception-prohibition-release access control information. The system learns the feature data and updates the normal or abnormal list accordingly, which improves the accuracy of the normal/abnormal determination of received frame information.
Fig. 1 is a block diagram of the configuration of this system.
Fig. 2 is a schematic diagram showing transmission/reception frames and upper-layer protocol data.
Fig. 3 is a schematic diagram showing the target parameters of the single-time incremental statistics.
Fig. 4 is a schematic diagram showing the parameters of the clustering classification.
Fig. 5 is a schematic diagram showing the contents of application of the analysis method.
Fig. 6 is a block diagram of the configuration of the feature extraction unit.
Fig. 7 is a partial block diagram of the configuration of the control terminal.
Fig. 8 is a block diagram showing the normal learning unit / abnormal learning unit.
Fig. 9 is a block diagram of the configuration of the conventional mobile communication system.
An embodiment of the present invention will be described with reference to the drawings.
[Outline of the Embodiment]
The mobile communication system according to the embodiment of the present invention (this system) is used in a mobile network. The communication device outputs to the control terminal received frame information for extracting the feature quantities of a received frame from its control information; the control terminal determines whether the received frame information is normal or abnormal on the basis of a list of normal information (white) or abnormal information (black), outputs reception-prohibition access control information to the communication device and the relay device when it determines the information to be abnormal, and outputs reception-prohibition-release access control information to them when it determines it to be normal, so that reception is blocked or the block is released. Thus, even when the control information used for communication contains no error, malicious wireless communication is detected as abnormal wireless communication, unauthorized occupation of the wireless channel is prevented, and the security and quality of communication are ensured.
In addition, in this system the control terminal extracts feature data from the received frame information, has it learned as normal feature data if the received frame information is normal and as abnormal feature data if it is abnormal, and updates the normal or abnormal list using the learning result. Learning the feature data and updating the normal or abnormal list in this way improves the accuracy of the normal/abnormal determination of received frame information.
[This System: Fig. 1]
This system will be described with reference to Fig. 1, which is a block diagram of its configuration.
As shown in Fig. 1, this system comprises a communication device 1, a communication terminal 2, a relay device 3 and a control terminal 4.
The communication terminal 2 is the same as the conventional communication terminal shown in Fig. 9, so a detailed description of it is omitted.
[Each Part of This System]
Each part of this system is described in detail below.
[Communication Device 1]
As shown in Fig. 1, the communication device 1 comprises a network unit 11, a wireless access control unit 12, a wireless signal processing unit 13, a high-frequency unit 14 and an antenna 15. The wireless access control unit 12, the wireless signal processing unit 13, the high-frequency unit 14 and the antenna 15 are the same as in the conventional configuration shown in Fig. 9, so their description is omitted.
The network unit 11 of the communication device 1 in this system has a QoS function unit 111, a frame transmission/reception unit 112, a communication method function unit 113 and a frame information output unit 114.
The QoS function unit 111, the frame transmission/reception unit 112 and the communication method function unit 113 perform the same processing as the QoS function unit 1101, the frame transmission/reception unit 1102 and the communication method function unit 1103 of the conventional network unit 110 in Fig. 9.
However, the frame transmission/reception unit 112 additionally outputs the information of transmitted and received frames (the control information in the frame format) to the frame information output unit 114. The control information is described in detail later.
The newly provided frame information output unit 114 receives the transmitted/received frame information from the frame transmission/reception unit 112, obtains the relevant control information from the frame format, and outputs to the feature extraction unit 42 of the control terminal 4 the received frame information needed to extract the feature quantities.
This description concentrates on determining whether received frame information is normal or abnormal and controlling access accordingly. If the same normal/abnormal determination and access control are also applied to transmitted frame information, the communication device can be prevented from becoming a transmitter used for attacks.
The transmission/reception frame format and the received frame information are described later.
[Relay Device 3]
The relay device 3 is a relaying device such as a router; it relays IP packets between the communication device 1, specifically the QoS function unit 111 of the network unit 11, and the communication terminal 2.
The relay device 3 also receives from the control terminal 4 the control information that prohibits or releases communication (access control information), performs access control such as blocking communication, and passes the access control information indicating normal or abnormal on to the communication terminal 2, the higher-level device, so that it can perform anomaly detection.
The access control information is described in detail later; in short, the relay device 3 prohibits (blocks) reception and releases that prohibition according to the access control information.
[Control Terminal 4]
As shown in Fig. 1, the control terminal 4 comprises a statistical display/control unit 41, a feature extraction unit 42, a normal learning unit 43 and an abnormal learning unit 44.
Unlike the control terminal 40 of Fig. 9, the control terminal 4 has additional components, and the statistical display/control unit 41 has additional functions. These are described in detail below.
[Statistical Display/Control Unit 41]
The statistical display/control unit 41 sets the communication method in the communication method function unit 113 of the network unit 11 of the communication device 1, monitors the communication status and the device status, and displays them.
On the basis of the detection results supplied by the normal learning unit 43 and the abnormal learning unit 44, the statistical display/control unit 41 also determines whether a received frame is a normal or an abnormal received frame, and outputs reception-prohibition access control information for an abnormal received frame, or reception-prohibition-release access control information for a normal received frame, to the relay device 3 and the frame transmission/reception unit 112.
Here, even when the control information of a received frame contains no error, the statistical display/control unit 41 of this system determines from the reception interval, the received data size, the number of receptions, the transmission waiting time and so on that the frame is a malicious, abnormal received frame, and performs control that restricts its reception.
The statistical display/control unit 41 also stores a list of normal received frame information (white list) and a list of abnormal received frame information (black list).
It receives the received frame information from the frame information output unit 114 and, referring to the white list or the black list, determines whether that received frame information is white (normal) or black (abnormal).
When it determines the received frame information to be white, the statistical display/control unit 41 outputs reception-prohibition-release access control information to the relay device 3 and the frame transmission/reception unit 112, and outputs a learning instruction that causes the normal learning unit 43 to learn the feature data from the feature extraction unit 42.
When it determines the received frame information to be black, it outputs reception-prohibition access control information to the relay device 3 and the frame transmission/reception unit 112, and outputs a learning instruction that causes the abnormal learning unit 44 to learn the feature data from the feature extraction unit 42.
A more specific configuration and the processing of the statistical display/control unit 41 are described later.
[Feature Extraction Unit 42]
The feature extraction unit 42 extracts parameters (the target parameters of the single-time incremental statistics) from the received frame information supplied by the frame information output unit 114, performs incremental statistical processing, performs clustering using the parameters of the clustering classification, and outputs the feature data for each cluster to the normal learning unit 43 or the abnormal learning unit 44.
The specific configuration, processing and parameters of the feature extraction unit 42 are described later.
[Normal Learning Unit 43, Abnormal Learning Unit 44]
The normal learning unit 43 and the abnormal learning unit 44 receive feature data from the feature extraction unit 42, obtain an error by passing the data through a trained autoencoder, and output that error to the statistical display/control unit 41 as the detection result. An autoencoder is trained to encode its input data and decode it back into data identical to the input. The autoencoder of the normal learning unit 43 has been trained on normal data, and that of the abnormal learning unit 44 on abnormal data. The difference between the input data and the decoded data is extracted as the error.
Therefore, when feature data is input to the normal learning unit 43 and the autoencoder's error is extracted, whether the data is normal can be determined from the magnitude of the error: an autoencoder reconstructs data resembling what it was trained on with a small error, and data unlike it with a large error.
Likewise, when feature data is input to the abnormal learning unit 44 and the autoencoder's error is extracted, whether the data is abnormal can be determined from the magnitude of the error.
That is, the errors from the normal learning unit 43 and the abnormal learning unit 44 are output to the statistical display/control unit 41 as detection results, and the statistical display/control unit 41 determines from those results whether the feature data is normal or abnormal and updates the white list or the black list.
Furthermore, the normal learning unit 43 and the abnormal learning unit 44 learn the feature data from the feature extraction unit 42 in accordance with the learning instruction from the statistical display/control unit 41. The learning of feature data is also described later.
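The two-autoencoder judgment described above, as an added example that is not part of the patent text: a tiny linear autoencoder trained by gradient descent stands in for the trained autoencoders of the normal learning unit 43 and the abnormal learning unit 44, and the judgment of the statistical display/control unit 41 is reduced to comparing the two reconstruction errors, consulting the white/black lists first and updating them afterwards. The 3-element feature vector (reception count, received bytes, transmission waiting time, each scaled to roughly 0..1), the constructed training data, the margin ratio of 4, the learning rate and epoch count, and the keying of the lists by sender address are all assumptions of this example.

```python
"""Two-autoencoder normal/abnormal judgment (added example, not the patent's code).

Assumed feature vector: [reception count, received bytes, transmission waiting
time], each scaled to about 0..1.  Normal windows are constructed along one
direction, flooding windows (many frames, almost no waiting) along another.
"""


class LinearAutoencoder:
    """d inputs -> 1 hidden unit -> d outputs, trained by full-batch gradient descent."""

    def __init__(self, dim):
        # Deterministic, asymmetric start so every weight has a gradient to follow.
        self.enc = [0.1 * (i + 1) for i in range(dim)]
        self.dec = [0.3 - 0.1 * i for i in range(dim)]

    def reconstruct(self, x):
        h = sum(e * xi for e, xi in zip(self.enc, x))       # encode
        return [d * h for d in self.dec]                      # decode

    def error(self, x):
        """Squared difference between input and decoded output (the unit's detection result)."""
        return sum((r - xi) ** 2 for r, xi in zip(self.reconstruct(x), x))

    def fit(self, data, lr=0.05, epochs=3000):
        n, dim = len(data), len(self.enc)
        for _ in range(epochs):
            g_enc, g_dec = [0.0] * dim, [0.0] * dim
            for x in data:
                h = sum(e * xi for e, xi in zip(self.enc, x))
                r = [d * h - xi for d, xi in zip(self.dec, x)]    # output minus input
                back = sum(d * ri for d, ri in zip(self.dec, r))  # dL/dh
                for i in range(dim):
                    g_dec[i] += 2 * r[i] * h / n
                    g_enc[i] += 2 * back * x[i] / n
            self.enc = [e - lr * g for e, g in zip(self.enc, g_enc)]
            self.dec = [d - lr * g for d, g in zip(self.dec, g_dec)]
        return self


# Constructed training sets: normal windows lie near (1, 1.5, 1) * t, flooding
# windows near (1, 0.4, 0.1) * t (many receptions, modest bytes, tiny waiting time).
NORMAL_TRAINING = [
    [0.30, 0.46, 0.29], [0.51, 0.74, 0.50], [0.69, 1.06, 0.71], [0.90, 1.34, 0.89],
    [1.11, 1.65, 1.10], [0.40, 0.61, 0.41], [0.81, 1.19, 0.80], [1.00, 1.51, 0.99],
]
ABNORMAL_TRAINING = [
    [0.60, 0.25, 0.06], [0.81, 0.32, 0.08], [1.00, 0.41, 0.10],
    [1.19, 0.48, 0.12], [0.90, 0.36, 0.09], [1.10, 0.43, 0.11],
]


def train_units():
    """Return (normal learning unit, abnormal learning unit) as trained autoencoders."""
    return (LinearAutoencoder(3).fit(NORMAL_TRAINING),
            LinearAutoencoder(3).fit(ABNORMAL_TRAINING))


def judge(feature, normal_unit, abnormal_unit, ratio=4.0):
    """'white', 'black', or None when neither unit reconstructs the data clearly better.

    ratio is an assumed margin: one error must be at least `ratio` times smaller than the other."""
    e_normal, e_abnormal = normal_unit.error(feature), abnormal_unit.error(feature)
    if e_normal * ratio < e_abnormal:
        return "white"
    if e_abnormal * ratio < e_normal:
        return "black"
    return None


def process(key, feature, units, white_list, black_list):
    """Judgment for one piece of received frame information.

    key identifies the sender (assumed: its source address).  Returns the access control
    information to send to the relay device and the frame transmission/reception unit, or None."""
    if key in black_list:
        return "prohibit-reception"
    if key in white_list:
        return "release-reception-prohibition"
    verdict = judge(feature, *units)
    if verdict == "white":
        white_list.add(key)
        return "release-reception-prohibition"
    if verdict == "black":
        black_list.add(key)
        return "prohibit-reception"
    return None   # neither detected: display only, no access control, no learning instruction


if __name__ == "__main__":
    units = train_units()
    white, black = set(), set()
    for key, feature in [("sta-a", [0.6, 0.9, 0.6]), ("sta-c", [0.9, 0.36, 0.09]),
                         ("sta-d", [0.0, 0.0, 1.0])]:
        print(key, process(key, feature, units, white, black))
```

In this example a list hit is final for the sender; the patent's flow keeps passing the feature data through the learning units and updating the lists from their errors, which this sketch omits. The third sample, a window with no receptions but a long waiting time, is reconstructed poorly by both units, so it yields neither verdict and only the received frame information would be displayed.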
[Transmission/Reception Frames, Upper-Layer Protocol Data: Fig. 2]
Next, an example of the transmission/reception frames and upper-layer protocol data used in this system is described with reference to Fig. 2, a schematic diagram of the transmission/reception frames and upper-layer protocol data.
As shown in Fig. 2, the transmission/reception frame format consists of a frame such as a wireless LAN (WLAN: Wireless Local Area Network) frame (WLAN Frame [QoS Frame]) and, as upper-layer protocol data, an IP packet (IP Packet), a TCP (Transmission Control Protocol) segment (TCP Segment), a UDP (User Datagram Protocol) segment (UDP Segment) and others, as well as the control messages used in ad hoc routing (Adhoc Routing Message [OLSR]).
Each of these frame formats and upper-layer protocol data carries its own control information, which expresses notions of time, communication order and logical connection. For example, the "Duration" field of the WLAN frame in Fig. 2 holds the time required for the transmission, and stations must defer transmission for the time specified in this field.
[Received Frame Information: Figs. 3, 4]
The received frame information output from the frame information output unit 114 to the feature extraction unit 42 of the control terminal 4 is described with reference to Figs. 3 and 4. Fig. 3 is a schematic diagram showing the target parameters of the single-time incremental statistics, and Fig. 4 is a schematic diagram showing the parameters of the clustering classification.
For the feature extraction unit 42 to extract feature quantities, incremental statistics of the control information shown in Fig. 2 must be taken over a fixed time interval, that is, over a single time, and the communication information must be classified by clustering into units of logical connection using the classification parameters shown in Fig. 4.
[Target Parameters of the Single-Time Increment: Fig. 3]
An example of the parameters targeted by the incremental statistics of the communication information in transmission/reception frames is described with reference to Fig. 3. These parameters were selected to detect malicious, abnormal communication.
To take incremental statistics over a single time, the target parameters of the single-time incremental statistics are defined as shown in Fig. 3.
In Fig. 3, the WLAN frame ("WLAN Frame") and the ad hoc routing control message ("Adhoc Routing Message") are adopted as the data, two fields of that data are taken as use parameters 1 and 2, and a feature parameter name is defined for each combination of use parameters 1 and 2.
There are five feature parameter names: "FCBySrc", "DurBySrc", "SeqBySrc", "AdcSseqByOrg" and "AdcMTByOrg".
[Parameters of the Clustering Classification: Fig. 4]
Next, an example of the parameters used for the clustering classification is described with reference to Fig. 4.
Classification by clustering is performed because received frames fall into several typical patterns, and more appropriate feature quantities are obtained by extracting, within each group (cluster) of such a typical classification, the feature quantities specific to that cluster.
In particular, malicious, abnormal received frames have typical patterns, and the aim is to extract feature quantities within such a cluster by comparison with other malicious, abnormal received frames.
As shown in Fig. 4, the parameters of the clustering classification adopt the WLAN frame ("WLAN Frame"), the upper-layer protocol data ("IP Protocol", "TCP/UDP Protocol") and the ad hoc routing control message ("Adhoc Routing Message") as the data, take two fields of that data as use parameters 1 and 2, and define a feature parameter name for each combination of use parameters 1 and 2. Some feature parameter names are defined by use parameter 1 alone.
There are six feature parameter names: "MacSrc", "MacSrcDst", "SeqBySrc", "NetSrcDst", "TLSrcDst" and "AdcOrg".
[Contents of Application of the Analysis Method: Fig. 5]
Next, an example of how the analysis method is applied to analyze the feature quantities is described with reference to Fig. 5, a schematic diagram showing the contents of application of the analysis method.
As shown in Fig. 5, the analysis method associates feature parameters with four statistical parameters, "reception interval", "received data size", "number of receptions" and "transmission waiting time", and with four statistical methods, "mean", "standard deviation", "covariance" and "product-moment correlation coefficient".
The feature parameter names of the target parameters in Fig. 3 are used as the feature parameters; the last two are written without the letters "Adc".
The relationship among Figs. 3 to 5 is explained concretely with Fig. 6.
In this system, the statistical parameters are chosen to be ones that take characteristic values in the case of malicious communication. For example, communication that deliberately tries to occupy the wireless channel can be expected to show a short reception interval, a large received data size, a large number of receptions and a short transmission waiting time.
The analysis method computes, for each of the four statistical parameters "reception interval", "received data size", "number of receptions" and "transmission waiting time", a correlation from the feature parameters by the applicable statistical method, and takes the computed correlation value as the feature data of each cluster.
For example, for the "reception interval", the single-time increments of the feature parameters "FCBySrc", "SseqByOrg" and "MTByOrg" are computed by the applicable statistical method, "mean" or "standard deviation"; the result is then classified by computing with use parameters 1 and 2 corresponding to the feature parameter names of the clustering classification, the correlation with the feature parameter values already stored for the classified cluster is computed, and the feature data for that cluster is output on the basis of that correlation.
Although Fig. 5 shows no feature parameter corresponding to the received data size, the statistical method is computed for it using other parameters.
[Feature Extraction Unit 42: Fig. 6]
Next, the specific configuration of the feature extraction unit 42 in the control terminal 4 is described with reference to Fig. 6, a block diagram of the configuration of the feature extraction unit.
As shown in Fig. 6, the feature extraction unit 42 comprises a parameter extraction unit 422, an incremental statistics processing unit 423 and a clustering processing unit 424.
[Parameter Extraction Unit 422]
The parameter extraction unit 422 extracts the target parameters of the single-time incremental statistics within a frame, shown in Fig. 3, from the received frame information supplied by the frame information output unit 114, and outputs them to the incremental statistics processing unit 423. The target parameters in Fig. 3 are suited to measuring the increments of received frames.
[Incremental Statistics Processing Unit 423]
The incremental statistics processing unit 423 calculates the increments of the target parameters over a fixed period and computes statistics of the incremental trend.
As the statistical method, as shown in Fig. 5, the one applicable to each of the four statistical parameters is used from among the mean, standard deviation, covariance and product-moment correlation coefficient.
For example, when the incremental statistics processing unit 423 performs statistical processing over a fixed time for the statistical parameter "reception interval" of Fig. 5 with the statistical method "mean" or "standard deviation", it uses the feature parameters "FCBySrc", "SseqByOrg" and "MTByOrg", performs the statistical processing with use parameters 1 and 2 corresponding to those parameter names in Fig. 3, and calculates the post-statistical-processing parameters.
[Clustering Processing Unit 424]
The clustering processing unit 424 receives the parameters after statistical processing (post-statistical-processing parameters), performs the clustering classification on the basis of the parameters shown in Fig. 4, and outputs feature data whose size depends on the number of clusters to the normal learning unit 43 and the abnormal learning unit 44.
Specifically, for the four post-statistical-processing parameters "reception interval", "received data size", "number of receptions" and "transmission waiting time", the clustering processing unit 424 performs the clustering classification by computing with use parameters 1 and 2 according to the feature parameter names of Fig. 4, computes the correlation with the feature parameter values already classified and accumulated, and outputs the feature data for that cluster on the basis of the correlation value.
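How the received frame information of Figs. 2 to 4 becomes per-cluster statistics, as an added example that is not the patent's code: a minimal IEEE 802.11 MAC header parser supplies the control fields (frame control, Duration, source and destination addresses, sequence number, payload size) in the role of the frame information output unit 114 and the parameter extraction unit 422; frames are grouped into one-second windows and (source, destination) clusters; and for each cluster the reception count, the mean and standard deviation of the reception interval and of the data size, the mean Duration as the transmission waiting time, and the product-moment correlation between reception interval and size are computed, covering the roles of the incremental statistics processing unit 423 and the clustering processing unit 424. Assumptions of this example: ad hoc frames with ToDS=FromDS=0 so that Address 1 is the destination and Address 2 the source, the Duration field standing in for the transmission waiting time, MacSrcDst as the cluster key, a one-second window, and a constructed capture from two senders.

```python
"""Received frame information -> single-time statistics -> per-cluster features.

Added example, not code from the patent.  Assumptions: IEEE 802.11 data frames
with ToDS=FromDS=0 (ad hoc), so Address 1 is the destination and Address 2 the
source; the Duration field stands in for the transmission waiting time; the
cluster key is (source MAC, destination MAC), i.e. MacSrcDst in Fig. 4; the
single-time window is 1 s; every frame in RECEIVED is constructed.
"""
import struct
from collections import defaultdict
from statistics import mean, pstdev

WINDOW_US = 1_000_000                      # one "single time" increment, in microseconds
A, B, C = "02:00:00:00:00:01", "02:00:00:00:00:02", "02:00:00:00:00:03"


def parse_mac_header(frame):
    """Control fields of Figs. 3-4 from an 802.11 MAC header (24 bytes, 26 for QoS Data)."""
    fc, duration, a1, a2, _a3, seq_ctl = struct.unpack("<HH6s6s6sH", frame[:24])
    qos_data = (fc & 0x008C) == 0x0088     # type = Data and the QoS subtype bit set
    header_len = 26 if qos_data else 24    # QoS Data frames add a 2-byte QoS Control field
    return {
        "fc": fc,
        "duration": duration,              # microseconds the medium is claimed for (NAV)
        "dst": a1.hex(":"),
        "src": a2.hex(":"),
        "seq": seq_ctl >> 4,               # upper 12 bits of Sequence Control
        "size": len(frame) - header_len,   # bytes following the header
    }


def make_frame(t_us, src, dst, duration, seq, payload_len):
    """Constructed QoS Data frame plus its reception time in microseconds."""
    header = struct.pack("<HH6s6s6sHH", 0x0088, duration,
                         bytes.fromhex(dst.replace(":", "")),
                         bytes.fromhex(src.replace(":", "")),
                         bytes(6), seq << 4, 0)
    return t_us, header + bytes(payload_len)


# A: four frames at growing intervals and sizes, then one more in the next window.
# C: a burst of full-size frames 10 ms apart with a tiny Duration and one repeated
# sequence number; every control field is well-formed, only the statistics stand out.
RECEIVED = [
    make_frame(0, A, B, 100, 1, 100),
    make_frame(100_000, A, B, 100, 2, 200),
    make_frame(300_000, A, B, 100, 3, 400),
    make_frame(600_000, A, B, 100, 4, 600),
    make_frame(1_200_000, A, B, 100, 5, 300),
] + [make_frame(55_000 + 10_000 * k, C, B, 10, seq, 1500)
     for k, seq in enumerate([10, 11, 11, 12, 13, 14])]


def pearson(xs, ys):
    """Product-moment correlation; 0.0 when undefined (under 2 samples or a constant series)."""
    if len(xs) < 2:
        return 0.0
    mx, my = mean(xs), mean(ys)
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sxx = sum((x - mx) ** 2 for x in xs)
    syy = sum((y - my) ** 2 for y in ys)
    if sxx == 0 or syy == 0:
        return 0.0
    return sxy / (sxx * syy) ** 0.5


def window_stats(received, window_us=WINDOW_US):
    """{(window, src, dst): features} following the statistical parameters of Fig. 5."""
    clusters = defaultdict(list)
    for t_us, frame in sorted(received):
        info = parse_mac_header(frame)
        clusters[(t_us // window_us, info["src"], info["dst"])].append((t_us, info))
    features = {}
    for key, entries in clusters.items():
        times = [t for t, _ in entries]
        intervals = [b - a for a, b in zip(times, times[1:])]   # reception interval
        sizes = [i["size"] for _, i in entries]                 # received data size
        waits = [i["duration"] for _, i in entries]             # transmission waiting time
        seqs = [i["seq"] for _, i in entries]
        features[key] = {
            "rx_count": len(entries),                           # number of receptions
            "interval_mean": mean(intervals) if intervals else 0.0,
            "interval_std": pstdev(intervals) if intervals else 0.0,
            "size_mean": mean(sizes),
            "size_std": pstdev(sizes),
            "wait_mean": mean(waits),
            # consecutive frames whose sequence number did not advance by exactly one
            "seq_irregular": sum(1 for p, q in zip(seqs, seqs[1:]) if q != p + 1),
            # each interval is paired with the size of the frame that ended it
            "corr_interval_size": pearson(intervals, sizes[1:]),
        }
    return features


if __name__ == "__main__":
    for key, feats in sorted(window_stats(RECEIVED).items()):
        print(key, feats)
```

The cluster of the second sender comes out with a short, zero-variance reception interval, a large constant size, a tiny waiting time and a repeated sequence number, although every one of its frames is well-formed; this is the case the statistical display/control unit 41 is meant to catch from the statistics rather than from errors in the control information.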
[Partial Configuration of the Control Terminal 4: Fig. 7]
Next, the specific configuration of the control terminal 4 is described with reference to Fig. 7, a partial block diagram of the control terminal.
The partial configuration of the control terminal 4 shown in Fig. 7 comprises the statistical display/control unit 41, the normal learning unit 43 and the abnormal learning unit 44.
As shown in Fig. 7, the statistical display/control unit 41 comprises an output control unit 411, a display unit 412, a white/black list control unit 413 and a router/communication device control unit 414.
[Output control unit 411]
The output control unit 411 has a learning/abnormality detection switching unit 4111, a white/black determination unit 4112, a white list storage unit 4113 and a black list storage unit 4114.
[Learning/abnormality detection switching unit 4111]
The learning/abnormality detection switching unit 4111 takes the received frame information from the frame information output unit 114 as input and outputs it to the white/black determination unit 4112; based on the determination result from the white/black determination unit 4112 it detects whether the received frame is normal (white) or abnormal (black), outputs the received frame information to the display unit 412, and outputs the detection result to the normal learning unit 43 and the abnormal learning unit 44 as an output switch.
However, when neither normal nor abnormal is detected, the learning/abnormality detection switching unit 4111 outputs only the received frame information to the display unit 412 and outputs no detection result.
Further, when the learning/abnormality detection switching unit 4111 determines that the input received frame information is white (normal), it outputs to the normal learning unit 43, as the output switch, an instruction (learning instruction) to make the normal learning unit 43 learn the input feature data.
Further, when the learning/abnormality detection switching unit 4111 determines that the input received frame information is black (abnormal), it outputs to the abnormal learning unit 44, as the output switch, an instruction (learning instruction) to make the abnormal learning unit 44 learn the input feature data.
That is, for each item of input received frame information, the learning/abnormality detection switching unit 4111 outputs the output switch (learning instruction) to only one of the normal learning unit 43 and the abnormal learning unit 44.
[White/black determination unit 4112]
The white/black determination unit 4112 takes the received frame information from the learning/abnormality detection switching unit 4111 as input, refers to the white list storage unit 4113 and the black list storage unit 4114, determines whether that received frame information is stored in the white list storage unit 4113 or in the black list storage unit 4114, and outputs the determination result to the learning/abnormality detection switching unit 4111.
The determination result is "normal" if the information is stored in the white list storage unit 4113 and "abnormal" if it is stored in the black list storage unit 4114.
[White list storage unit 4113]
The white list storage unit 4113 stores a plurality of items of normal (white) received frame information as a list, and when received frame information for white list updating is input from the white/black list control unit 413, the white list storage unit 4113 is updated.
That is, the received frame information for white list updating from the white/black list control unit 413 is accumulated in the white list storage unit 4113.
[Black list storage unit 4114]
The black list storage unit 4114 stores a plurality of items of abnormal (black) received frame information as a list, and when received frame information for black list updating is input from the white/black list control unit 413, the black list storage unit 4114 is updated.
That is, the received frame information for black list updating from the white/black list control unit 413 is accumulated in the black list storage unit 4114.
[Display unit 412]
The display unit 412 takes as input the received frame information from the learning/abnormality detection switching unit 4111 of the output control unit 411, the error output from the normal learning unit 43 and the error output from the abnormal learning unit 44, and displays the reception error for normal or abnormal received frame information to the communication administrator or the like.
The display unit 412 also outputs the input received frame information to the white/black list control unit 413. When outputting the received frame information, it may output the normal error output or the abnormal error output together with it.
[White/black list control unit 413]
The white/black list control unit 413 stores a threshold on the error that is used to decide whether reception is permitted or prohibited (permit/prohibit) for received frame information; for the input received frame information it determines normal (white) or abnormal (black) based on the normal error and the abnormal error that are input for that information, and outputs the determination result and the received frame information to the white list storage unit 4113 or the black list storage unit 4114.
The normal or abnormal error output input from the display unit 412 is referred to in the normal/abnormal determination process.
Specifically, when the white/black list control unit 413 determines that the input received frame information is normal, it outputs that received frame information to the white list storage unit 4113 as received frame information for white list updating, and when it determines that the input received frame information is abnormal, it outputs that received frame information to the black list storage unit 4114 as received frame information for black list updating.
The white/black list control unit 413 also changes and adjusts the threshold for the permit/prohibit determination based on permit/prohibit registrations from the communication administrator or the like.
Alternatively, the white/black list control unit 413 may make no permit/prohibit decision on reception by the threshold at all, decide everything by permit/prohibit registration instructions from the communication administrator or the like, update the white list storage unit 4113 or the black list storage unit 4114 accordingly, and perform access control toward the router/communication device control unit 414. This is a manual control operation.
When the white/black list control unit 413 has determined that the received frame information is normal or abnormal, it also outputs access control information to the router/communication device control unit 414.
When the received frame information is abnormal, this is access control information for reception prohibition; when it is normal, it is access control information for releasing the reception prohibition.
[Router/communication device control unit 414]
The router/communication device control unit 414 takes the reception prohibition or reception prohibition release access control information from the white/black list control unit 413 as input and outputs that access control information to the relay device 3 such as a router and to the communication device 1. In the communication device 1, the access control information is output in particular to the frame transmission/reception unit 112 of the network unit 11. The relay device 3 and the communication device 1 that receive the access control information carry out the prohibition or release of reception.
[Normal learning unit 43, abnormal learning unit 44: FIG. 8]
Next, the normal learning unit 43 and the abnormal learning unit 44 will be described with reference to FIG. 8. FIG. 8 is a block diagram showing the normal learning unit/abnormal learning unit.
As shown in FIG. 8(a), the normal learning unit 43 has an autoencoder 431, an error extraction/difference detection unit 432 and an output determination unit 433.
As shown in FIG. 8(b), the abnormal learning unit 44 has an autoencoder 441, an error extraction/difference detection unit 442 and an output determination unit 443.
[Autoencoder 431]
The autoencoder 431 is an encoder (autoencoder) having a model (learning model) trained, with only normal feature amount data input as teacher data, so that when the input data is encoded and the encoded data is decoded, the decoded data is the same as the input data; the input data and the decoded data are output to the error extraction/difference detection unit 432.
Therefore, when normal feature amount data is input, the autoencoder 431 decodes it so that the learning model reproduces normal feature amount data, and the error between the input data and the decoded data is small; but when feature amount data that is not normal is input, the error between the input data and the decoded data is large, because the learning model has not learned feature amount data that is not normal.
[Autoencoder 441]
The autoencoder 441 is an encoder having a learning model trained, with only abnormal feature amount data input as teacher data, so that when the input data is encoded and the encoded data is decoded, the decoded data is the same as the input data; the input data and the decoded data are output to the error extraction/difference detection unit 442.
Therefore, when abnormal feature amount data is input, the autoencoder 441 decodes it so that the learning model reproduces abnormal feature amount data, and the error between the input data and the decoded data is small; but when feature amount data that is not abnormal is input, the error between the input data and the decoded data is large, because the learning model has not learned feature amount data that is not abnormal.
[Error extraction/difference detection units 432, 442]
The error extraction/difference detection units 432, 442 take the feature amount data and the decoded data from the autoencoders 431, 441 as input, extract the error between the two sets of data, detect the difference, and output information on that difference (difference information) to the output determination units 433, 443.
[Output determination units 433, 443]
The output determination units 433, 443 take the difference information from the error extraction/difference detection units 432, 442 as input and output that difference information to the display unit 412 as the error output.
Further, when an output switch instruction from the learning/abnormality detection switching unit 4111 of the output control unit 411 is input, the output determination units 433, 443 feed gradient information for correcting the difference back to the autoencoders 431, 441, so that the gradient is reflected in the model.
Specifically, the output switch instruction is input to the output determination unit 433 when the received frame information from the learning/abnormality detection switching unit 4111 is in the white list storage unit 4113. That is, since the feature amount data belongs to a normal received frame on the white list, the gradient is reflected in the autoencoder 431 so that it learns that feature amount data as normal teacher data.
Likewise, the output switch instruction is input to the output determination unit 443 when the received frame information from the learning/abnormality detection switching unit 4111 is in the black list storage unit 4114. That is, since the feature amount data belongs to an abnormal received frame on the black list, the gradient is reflected in the autoencoder 441 so that it learns that feature amount data as abnormal teacher data.
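The two autoencoders and the error and gradient path of units 431/441, 432/442 and 433/443, as an added Python example that is not the patent's implementation. It uses tied-weight linear autoencoders in pure Python, each trained only on its own class of constructed feature vectors, to show that the reconstruction error is small for the trained class and large for the other; the four feature dimensions follow the page, while the basis vectors, sample values, learning rate and epoch count are constructed.

```python
"""Added example, not the patent's implementation: two tied-weight linear
autoencoders in pure Python, one trained only on constructed "normal"
feature vectors (autoencoder 431) and one only on constructed "abnormal"
ones (autoencoder 441), with the error extraction of units 432/442 and the
gradient feedback of units 433/443.  The four feature dimensions follow the
page (reception interval, reception data size, reception count, transmission
waiting time); basis vectors, samples, learning rate and epochs are constructed."""
import random

N_FEATURES, N_HIDDEN = 4, 2


def encode(W, x):
    """Encoder: z = W x (W is N_HIDDEN x N_FEATURES)."""
    return [sum(W[i][j] * x[j] for j in range(N_FEATURES)) for i in range(N_HIDDEN)]


def decode(W, z):
    """Decoder with tied weights: x_hat = W^T z."""
    return [sum(W[i][j] * z[i] for i in range(N_HIDDEN)) for j in range(N_FEATURES)]


def difference(x, x_hat):
    """Units 432/442: difference information = squared reconstruction error."""
    return sum((a - b) ** 2 for a, b in zip(x, x_hat))


def reconstruction_error(W, x):
    return difference(x, decode(W, encode(W, x)))


def gradient_feedback(W, x, lr):
    """Units 433/443: on an output-switch instruction, feed the gradient of the
    reconstruction error back into the autoencoder (one gradient-descent step
    on L = ||x - W^T W x||^2, whose gradient is -2 (z r^T + (W r) x^T))."""
    z = encode(W, x)
    r = [a - b for a, b in zip(x, decode(W, z))]   # residual x - x_hat
    Wr = encode(W, r)
    for i in range(N_HIDDEN):
        for j in range(N_FEATURES):
            W[i][j] += lr * 2.0 * (z[i] * r[j] + Wr[i] * x[j])


def train(samples, epochs=2000, lr=0.02, seed=0):
    """Learn a model from one class of teacher data only, as 431/441 do."""
    rng = random.Random(seed)
    W = [[rng.uniform(-0.1, 0.1) for _ in range(N_FEATURES)] for _ in range(N_HIDDEN)]
    for _ in range(epochs):
        for x in samples:
            gradient_feedback(W, x, lr)
    return W


# Constructed generating bases (not from the page): in the normal class,
# interval and size move together and count and wait move together; the
# abnormal class couples the features differently, so it lies in another plane.
NORMAL_BASIS = ([1.0, 0.5, 0.0, 0.0], [0.0, 0.0, 1.0, 0.5])
ABNORMAL_BASIS = ([1.0, 0.0, 0.0, 1.0], [0.0, 1.0, 1.0, 0.0])


def mix(a, b, basis):
    return [a * basis[0][k] + b * basis[1][k] for k in range(N_FEATURES)]


def make_samples(basis, seed, n=12):
    rng = random.Random(seed)
    return [mix(rng.uniform(0.5, 1.0), rng.uniform(0.5, 1.0), basis) for _ in range(n)]


def run_demo():
    """Train both models, then score one held-out frame of each class on each.
    Returns {model: (error on normal probe, error on abnormal probe)}."""
    W_normal = train(make_samples(NORMAL_BASIS, seed=1))      # autoencoder 431
    W_abnormal = train(make_samples(ABNORMAL_BASIS, seed=2))  # autoencoder 441
    probe_normal = mix(0.8, 0.7, NORMAL_BASIS)
    probe_abnormal = mix(0.8, 0.7, ABNORMAL_BASIS)
    return {
        "normal_model": (reconstruction_error(W_normal, probe_normal),
                         reconstruction_error(W_normal, probe_abnormal)),
        "abnormal_model": (reconstruction_error(W_abnormal, probe_normal),
                           reconstruction_error(W_abnormal, probe_abnormal)),
    }


if __name__ == "__main__":
    for model, (e_norm, e_abn) in run_demo().items():
        print(f"{model}: error on normal probe {e_norm:.4f}, on abnormal probe {e_abn:.4f}")
```

Each model reproduces its own class almost exactly and leaves a residual for the other class equal to the part of the probe outside the plane it learned, which is the asymmetry that unit 413 thresholds on.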
[Processing operation in this system: FIG. 1]
Next, the characteristic processing operation of this system will be described with reference to FIG. 1.
In this system, communication data (received frames) received via the antenna 15, the high frequency unit 14, the wireless signal processing unit 13 and the wireless access control unit 12 is input to the network unit 11, and the frame transmission/reception unit 112 in the network unit 11 acquires control information about the received frame from the received frame and outputs it to the frame information output unit 114.
The frame information output unit 114 generates, from the control information about the received frame, received frame information for extracting feature amounts, and outputs it to the control terminal 4.
The control terminal 4 extracts feature amount data (feature data) from the received frame information and outputs it to the normal learning unit 43 or the abnormal learning unit 44.
The normal learning unit 43 and the abnormal learning unit 44 learn normal received frame information and abnormal received frame information, respectively, based on the feature data.
Further, the statistical display/control unit 41 of the control terminal 4 determines whether the input received frame information is normal or abnormal based on the learning results of the normal learning unit 43 and the abnormal learning unit 44; if abnormal, it instructs the relay device 3 and the frame transmission/reception unit 112 to prohibit reception and blocks reception of that received frame, and if normal, it instructs the relay device 3 and the frame transmission/reception unit 112 to release the reception prohibition so that the received frame is received.
As a result, this system can detect abnormal wireless communication (wireless communication that appears malicious), block that communication, avoid unauthorized occupation of the wireless link, and ensure the security and quality of communication.
[Effects of the embodiment]
According to this system, the frame transmission/reception unit 112 of the communication device 1 outputs the control information of a received frame to the frame information output unit 114; the frame information output unit 114 outputs received frame information for extracting the feature amounts of the frame to the control terminal 4; the control terminal 4 determines whether the received frame information is normal or abnormal based on the white list or the black list, outputs reception prohibition access control information to the frame transmission/reception unit 112 of the communication device 1 and to the relay device 3 when it determines the information to be abnormal, and outputs reception prohibition release access control information to the frame transmission/reception unit 112 and the relay device 3 when it determines it to be normal, thereby blocking reception or releasing the blocking of reception. Because the mobile communication system is configured in this way, malicious wireless communication is detected as abnormal wireless communication even when the control information used for the communication contains no error, unauthorized occupation of the wireless link is prevented, and the security and quality of communication are ensured.
Further, in this system the feature extraction unit 42 of the control terminal 4 extracts feature amount data from the received frame information, and the statistical display/control unit 41 has the normal learning unit 43 learn that data as normal feature amount data if the received frame information is normal, has the abnormal learning unit 44 learn it as abnormal feature amount data if the received frame information is abnormal, and updates the white list or the black list using the learning result. Because the mobile communication system is configured in this way, the feature amount data can be learned and the white list or black list updated, which improves the accuracy of determining whether received frame information is normal or abnormal.
The present invention is suitable for a mobile communication system that detects malicious wireless communication as abnormal wireless communication, blocks that communication, avoids unauthorized occupation of the wireless link, and ensures the security and quality of communication.
1 ... communication device, 2 ... communication terminal, 3 ... relay device, 4, 40 ... control terminal, 10 ... communication device, 11, 110 ... network unit, 12 ... wireless access control unit, 12a ... transmission/reception counter, 13 ... wireless signal processing unit, 14 ... high frequency unit, 15 ... antenna, 41 ... statistical display/control unit, 42 ... feature extraction unit, 43 ... normal learning unit, 44 ... abnormal learning unit, 45 ... statistical display unit, 111, 1101 ... QoS function unit, 112, 1102 ... frame transmission/reception unit, 113, 1103 ... communication method function unit, 114 ... frame information output unit, 411 ... output control unit, 412 ... display unit, 413 ... white/black list control unit, 414 ... router/communication device control unit, 422 ... parameter extraction unit, 423 ... incremental statistical processing unit, 424 ... clustering processing unit, 431, 441 ... autoencoder, 432, 442 ... error extraction/difference detection unit, 433, 443 ... output determination unit, 4111 ... learning/abnormality detection switching unit, 4112 ... white/black determination unit, 4113 ... white list storage unit, 4114 ... black list storage unit

Claims (7)

  1.  A mobile communication system used in a mobile network, comprising:
     a communication device that outputs received frame information for extracting the feature amounts of a received frame from the control information of that frame, blocks reception according to reception prohibition access control information, and releases the blocking of reception according to reception prohibition release access control information; and
     a control terminal that takes the received frame information as input, determines whether the received frame information is normal or abnormal based on a pre-stored list of normal or abnormal received frame information, outputs reception prohibition access control information to the communication device when it determines the information to be abnormal, and outputs reception prohibition release access control information to the communication device when it determines it to be normal.
  2.  The mobile communication system according to claim 1, wherein a relay device is provided between the communication device and a communication terminal,
     the control terminal outputs the reception prohibition access control information or the reception prohibition release access control information to the relay device, and
     the relay device blocks reception according to the reception prohibition access control information and releases the blocking of reception according to the reception prohibition release access control information.
  3.  The mobile communication system according to claim 1 or 2, wherein the control terminal extracts feature amount data from the received frame information, learns it as normal feature amount data if the received frame information is normal, learns it as abnormal feature amount data if the received frame information is abnormal, and updates the list of normal or abnormal received frame information using the learning result.
  4.  The mobile communication system according to claim 3, wherein the control terminal uses an autoencoder for the learning, inputs the feature amount data of a received frame to the autoencoder as input data, and determines whether the frame is normal or abnormal based on the difference between the output data of the autoencoder and the input data.
  5.  The mobile communication system according to claim 4, wherein, when the control terminal has determined a received frame to be normal or abnormal, it updates the list of normal or abnormal received frame information with the received frame information of the frame so determined.
  6.  The mobile communication system according to any one of claims 1 to 5, wherein the control terminal obtains the feature amount data by computing, with a statistical method, the correlation among a plurality of parameters related to reception.
  7.  The mobile communication system according to any one of claims 1 to 6, wherein the control terminal clusters feature amount data derived from a plurality of parameters related to reception and obtains feature amount data for each cluster.
PCT/JP2020/019697 2020-05-18 2020-05-18 Mobile communication system WO2021234796A1 (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
JP2022523775A JP7394984B2 (en) 2020-05-18 2020-05-18 mobile communication system
PCT/JP2020/019697 WO2021234796A1 (en) 2020-05-18 2020-05-18 Mobile communication system


Publications (1)

Publication Number Publication Date
WO2021234796A1 true WO2021234796A1 (en) 2021-11-25



Also Published As

Publication number Publication date
JP7394984B2 (en) 2023-12-08
JPWO2021234796A1 (en) 2021-11-25

