CN101193430A - Access permission control device and method for mobile communication network based on secure status of mobile terminal - Google Patents


Info

Publication number: CN101193430A
Authority: CN (China)
Prior art keywords: terminal, portable terminal, mobile, access, access control
Legal status: Pending
Application number: CNA2006101458703A
Other languages: Chinese (zh)
Inventors: 李刚, 李远威, 李栎
Current Assignee: ZTE Corp
Original Assignee: ZTE Corp
Priority date: 2006-11-21
Filing date: 2006-11-21
Publication date: 2008-06-04

Abstract

The invention discloses a device and a method for controlling access to a mobile communication network based on the security state of a mobile terminal. In current mobile communication networks there is no concrete implementation for locating the source of a virus in time and rapidly stopping its spread during the early stage of a disaster such as a virus outbreak. To solve this problem, in the device and method provided by the invention a security agent collects security information on the mobile terminal and sends it to a terminal security state evaluation server; the terminal security state evaluation server evaluates the security state of the mobile terminal from that security information and sends the evaluation result to an access policy server; the access policy server generates an access control policy and sends it to the mobile network access control device; and the mobile network access control device controls the mobile terminal's access to the mobile network according to that access control policy. The invention is applicable to mobile networks.

Description

Access control device and method for a mobile communication network based on the security state of a mobile terminal
Technical field
The present invention relates to a device and a method for controlling access to a mobile communication network based on the security state of a mobile terminal.
Background technology
Future 3G mobile terminals will have operating systems with greater processing capability and larger access bandwidth, which lets them carry rich data and multimedia services. However, the convergence of such terminals with Internet terminals (PCs) means that future mobile terminals will also face the security threats that Internet terminals face, and viruses like those on the Internet will become a key factor affecting future mobile services.
At present, access control in mobile networks is implemented mainly according to whether the user is entitled to use mobile network resources (for example, whether the user has a valid identity, whether the account balance is sufficient, and whether the communication signal meets conditions such as QoS requirements); the security state of the mobile terminal is not a condition for access control.
On the other hand, as the data capability of mobile terminals in 3G networks grows, network worms (such as mail worms) are very likely to appear and consume large amounts of network resources. The usual way of handling this situation is to prevent the spread of the virus by virus filtering after the worm has already broken out. At present, mobile communication networks have no concrete implementation that can locate the source of a virus in time and rapidly stop its spread during the early stage of a disaster such as a virus outbreak.
Summary of the invention
To address the defects and shortcomings of the prior art, the invention provides a device and a method for controlling access to a mobile communication network based on the security state of a mobile terminal, which can effectively prevent insecure mobile terminals from accessing the mobile network, reduce the impact of threats such as viruses on the network, protect mobile network resources, and ensure that normal mobile services proceed.
To achieve the above object, the method of the invention for controlling access to a mobile communication network based on the security state of a mobile terminal comprises the following steps:
(1) a security agent collects the security information of the mobile terminal and sends that security information to a terminal security state evaluation server via the mobile network access control device;
(2) the terminal security state evaluation server evaluates the security state of the mobile terminal according to that security information and sends the state evaluation result for the mobile terminal to an access policy server;
(3) the access policy server generates an access control policy for the mobile terminal according to the security state evaluation result and sends that access control policy to the mobile network access control device;
(4) the mobile network access control device controls the mobile terminal's entry into the mobile network according to that access control policy.
In the above method for controlling access to a mobile communication network based on the security state of a mobile terminal, step (4) is further followed by:
(5) the security agent uploads the current traffic information of the mobile terminal that it has collected to the terminal security state evaluation server via the mobile network access control device;
(6) if the terminal security state evaluation server's state evaluation result for the mobile terminal is "normal state", the procedure ends; if the state evaluation result for the mobile terminal is "dangerous state", a "dangerous state" flag is sent to the access policy server;
(7) the access policy server generates the access control policy for the mobile terminal according to the "dangerous state" flag and notifies the mobile network access control device to perform the access control operation.
In step (5), the security agent uploads the collected current traffic information of the mobile terminal to the terminal security state evaluation server via the mobile network access control device at regular intervals.
An alternative to the preceding paragraph is that, in step (5), the security agent collects traffic information when the mobile terminal's network traffic is abnormal and uploads that traffic information to the terminal security state evaluation server via the mobile network access control device.
Further, the access control policy comprises:
Allow policy: the mobile terminal is allowed to access the mobile network and use all network resources;
Warning policy: the mobile terminal is allowed to access the mobile network, and a related security warning message is sent to the mobile terminal advising it to upgrade or update;
Isolation policy: the mobile terminal is only allowed to use mobile voice services;
Denial policy: the mobile terminal's access is refused.
A device for controlling access to a mobile communication network based on the security state of a mobile terminal comprises:
Security agent: installed in the mobile terminal, used to collect the security information of the mobile terminal;
Mobile network access control device: located at the border of the mobile network, used to control the mobile terminal's entry into the mobile network and to switch communication between the mobile terminal and the devices within the mobile network;
Terminal security state evaluation server: located in the mobile network, performs security state evaluation on the mobile terminal's security state information and generates the mobile terminal security state evaluation result;
Access policy server: located in the mobile network, generates the access control policy for the mobile terminal according to the mobile terminal security state evaluation result;
wherein the security agent collects the security information of the mobile terminal and sends that security information to the terminal security state evaluation server via the mobile network access control device; the terminal security state evaluation server evaluates the security state of the mobile terminal according to that security information and sends the state evaluation result for the mobile terminal to the access policy server; the access policy server generates the access control policy for the mobile terminal according to the security state evaluation result and sends that access control policy to the mobile network access control device; and the mobile network access control device controls the mobile terminal's entry into the mobile network according to that access control policy.
With the method and device of the invention, insecure mobile terminals can be isolated to a certain extent, reducing the impact of threats such as viruses on mobile network resources. In addition, the 3G mobile network can dynamically monitor the security state of all connected mobile terminals, analyse related security states such as network traffic, and dynamically adjust terminal access to the 3G mobile network; when a threat such as a virus occurs, the access state of a particular terminal can be controlled dynamically, ensuring the security of 3G mobile network resources.
Description of drawings
Fig. 1 is a schematic diagram of the mobile network access control system based on the security state of a mobile terminal;
Fig. 2 is a flow chart of the 3G mobile network access control method based on the security state of a mobile terminal;
Fig. 3 is a flow chart of the method by which the 3G mobile network dynamically implements an access control policy.
Embodiment
The present invention is described in further detail below with reference to the drawings.
To prevent virus-infected mobile terminals from entering the mobile network, the access control device of the invention for a mobile communication network based on the security state of a mobile terminal, as shown in Fig. 1, comprises the following four parts:
A security agent installed in the mobile terminal, used to collect the security information of the mobile terminal. This information includes operating system information, installed patch versions, virus signature database version, network upload traffic and so on. The security agent may be software installed on the mobile terminal or a combination of software and hardware. The security agent can send security state messages to the mobile network access device through the mobile terminal.
A mobile network access control device located at the border of the mobile network, used to control the mobile terminal's entry into the mobile network and to switch communication between the mobile terminal and the devices within the mobile network. In a 3G network system, the mobile network access control device may be the SGSN/HSS.
A terminal security state evaluation server located in the mobile network, which performs security state evaluation on the mobile terminal's security state information and generates the mobile terminal security state evaluation result.
An access policy server located in the mobile network, which generates the access control policy for the mobile terminal according to the mobile terminal security state evaluation result.
The security agent collects the security information of the mobile terminal and sends that security information to the terminal security state evaluation server via the mobile network access control device; the terminal security state evaluation server evaluates the security state of the mobile terminal according to that security information and sends the state evaluation result for the mobile terminal to the access policy server; the access policy server generates the access control policy for the mobile terminal according to the security state evaluation result and sends that access control policy to the mobile network access control device; and the mobile network access control device controls the mobile terminal's entry into the mobile network according to that access control policy.
In a 3G mobile communication network, the access control flow of the mobile network access control method based on the security state of a mobile terminal is carried out after the mobile terminal and the 3G mobile network have completed authentication, and comprises the following steps:
(1) the security agent collects the security information of the mobile terminal and sends that security information to the terminal security state evaluation server via the mobile network access control device;
(2) the terminal security state evaluation server evaluates the security state of the mobile terminal according to that security information and sends the state evaluation result for the mobile terminal to the access policy server;
(3) the access policy server generates the access control policy for the mobile terminal according to the security state evaluation result and sends that access control policy to the mobile network access control device;
(4) the mobile network access control device controls the mobile terminal's entry into the mobile network according to that access control policy.
The access control policy comprises:
Allow policy: the mobile terminal is allowed to access the mobile network and use all network resources;
Warning policy: the mobile terminal is allowed to access the mobile network, and a related security warning message is sent to the mobile terminal advising it to upgrade or update;
Isolation policy: the mobile terminal is only allowed to use mobile voice services;
Denial policy: the mobile terminal's access is refused.
By evaluating the security state of the mobile terminal and applying different access control policies to terminals in different security states, the security of the whole mobile network is effectively protected while affecting terminal access as little as possible.
In the preferred embodiment of the method shown in Fig. 2, after the terminal and the network side have completed authentication, the specific access control flow is as follows:
1. The security agent installed in the mobile terminal collects the terminal's security state information in advance; this information includes the mobile terminal's operating system information, patch version information for software installed on the operating system, virus signature database version and so on.
2. The mobile terminal sends the security state information collected in advance by the security agent to the SGSN/HSS.
3. The SGSN/HSS forwards the received mobile terminal security state information to the terminal security state evaluation server.
4. The terminal security state evaluation server evaluates the terminal's security state according to the input security state information of the terminal and generates the mobile terminal security state evaluation result.
5. The terminal security state evaluation server sends the mobile terminal security state evaluation result to the access policy server.
6. The access policy server generates the terminal's access control policy according to the security evaluation result for the mobile terminal.
7. The access policy server sends the generated access policy to the SGSN/HSS.
8. The SGSN/HSS generates the corresponding access execution command according to the received access policy and performs the access control operation (allow, isolate, etc.).
This completes the mobile network access control flow based on the security state of the mobile terminal.
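The admission flow above maps onto three network-side roles. The following Python model is an added example and is not code from the patent or from ZTE: the report fields the agent sends, the baseline versions, the state thresholds, the use of an IMSI as the terminal identifier and the per-service enforcement set are all assumptions made here so that the path from a security report to one of the four policies can be run end to end.

```python
"""Admission-time evaluation of a mobile terminal's security report.

Added example, not the patent's or ZTE's code. Report fields, baseline
values, thresholds and the service set are constructed assumptions.
"""
from dataclasses import dataclass
from enum import Enum


class Policy(Enum):
    ALLOW = "allow"      # full access to all network resources
    WARN = "warn"        # access granted, terminal told to upgrade/update
    ISOLATE = "isolate"  # voice service only
    DENY = "deny"        # access refused


@dataclass(frozen=True)
class SecurityReport:
    """What the agent collects on the terminal (fields assumed here)."""
    imsi: str
    os_name: str
    os_version: str
    patch_level: int
    virus_db_version: int


# Baseline the evaluation server compares reports against (constructed).
BASELINE = {
    "SymbianOS": {"min_patch": 4, "min_virus_db": 120},
    "WindowsMobile": {"min_patch": 6, "min_virus_db": 120},
}
# Services the access control device can switch per terminal (assumed).
ALL_SERVICES = frozenset({"voice", "sms", "data", "mms"})


def evaluate_report(report: SecurityReport) -> dict:
    """Terminal security state evaluation server: report -> assessment."""
    base = BASELINE.get(report.os_name)
    findings = []
    if base is None:
        findings.append("unknown operating system")
        return {"imsi": report.imsi, "state": "unknown", "findings": findings}
    patch_gap = base["min_patch"] - report.patch_level
    db_gap = base["min_virus_db"] - report.virus_db_version
    if patch_gap > 0:
        findings.append(f"patch level {patch_gap} behind baseline")
    if db_gap > 0:
        findings.append(f"virus database {db_gap} versions behind baseline")
    if patch_gap <= 0 and db_gap <= 0:
        state = "normal"
    elif patch_gap >= 3 or db_gap >= 50:   # far behind: treat as dangerous
        state = "dangerous"
    else:
        state = "outdated"                 # slightly behind: warn only
    return {"imsi": report.imsi, "state": state, "findings": findings}


def decide_policy(assessment: dict) -> Policy:
    """Access policy server: assessment -> one of the four policies."""
    return {
        "normal": Policy.ALLOW,
        "outdated": Policy.WARN,
        "dangerous": Policy.ISOLATE,
        "unknown": Policy.DENY,
    }[assessment["state"]]


def enforce(policy: Policy) -> frozenset:
    """Access control device (SGSN/HSS in the patent): policy -> services."""
    if policy in (Policy.ALLOW, Policy.WARN):
        return ALL_SERVICES
    if policy is Policy.ISOLATE:
        return frozenset({"voice"})
    return frozenset()


def admit(report: SecurityReport) -> tuple:
    """Whole flow: agent report -> evaluation -> policy -> enforcement."""
    assessment = evaluate_report(report)
    policy = decide_policy(assessment)
    return policy, enforce(policy), assessment["findings"]


if __name__ == "__main__":
    # Constructed sample reports, one per outcome.
    samples = [
        SecurityReport("460000000000001", "SymbianOS", "9.2", 4, 125),
        SecurityReport("460000000000002", "SymbianOS", "9.2", 3, 125),
        SecurityReport("460000000000003", "WindowsMobile", "6.0", 2, 60),
        SecurityReport("460000000000004", "PalmOS", "5.4", 1, 1),
    ]
    for r in samples:
        policy, services, findings = admit(r)
        print(r.imsi, policy.value, sorted(services), findings)
```

The separation into `evaluate_report`, `decide_policy` and `enforce` mirrors the patent's split between evaluation server, policy server and access control device, so each can be replaced (or co-located, as the description allows for the two servers) without touching the others.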
In addition, during communication between the mobile terminal and the 3G network, the terminal can send its current traffic state information to the 3G network at regular intervals, so that the network can judge whether the terminal is safe and whether a corresponding control policy needs to be applied to a terminal in the "dangerous state". In the above method for controlling access to a mobile communication network based on the security state of a mobile terminal, step (4) may further be followed by:
(5) The mobile terminal uploads the current traffic information collected by the security agent at a fixed interval to the terminal security state evaluation server via the mobile network access control device, which keeps the setup simple; alternatively, the regular upload of abnormal traffic information can be started only when the mobile terminal's network traffic becomes abnormal (for example, when the upload volume exceeds a threshold), which saves system resources.
(6) If the evaluation result of the terminal security state evaluation server is "normal state", no action is taken; if the evaluation result is "dangerous state" (for example, a mail worm occupying a large amount of the terminal's upstream bandwidth), a "dangerous state" flag is sent to the access policy server.
(7) The access policy server generates the terminal's access control policy according to the incoming "dangerous state" flag and notifies the mobile network access control server to perform the access control operation.
The terminal security state evaluation server and the access policy server may be implemented on a single entity or on separate entities; they are only logically separate.
Taking a terminal infected with a mail worm as an example, the 3G mobile network applies the "isolation policy" (only basic voice services are allowed; other services such as data services are not) to control the terminal. As shown in Fig. 3, the specific flow is as follows:
1. The mobile terminal uploads the current traffic information collected by the security agent to the terminal security state evaluation server via the SGSN/HSS at regular intervals. If, for example, the terminal is currently infected with a mail worm, the upload traffic of its mail service increases.
2. If the evaluation result of the terminal security state evaluation server is "normal state", no action is taken; if the evaluation result is "dangerous state" (for example, a mail worm occupying a large amount of the terminal's upstream bandwidth), a "dangerous state" flag is sent to the access policy server.
3. The access policy server generates the terminal's access control policy (for example, the isolation policy) according to the incoming "dangerous state" flag and notifies the access control server SGSN/HSS.
4. The SGSN/HSS generates the corresponding command according to the access control policy (for example, the isolation policy) and performs the related operation, such as "isolation".
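The dynamic reassessment in steps (5) to (7) and the Fig. 3 flow turn on one judgement: when does rising upload traffic become a "dangerous state"? The following Python model is an added example, not the patent's or ZTE's code. It assumes the agent reports upload bytes per service once per interval, that the evaluation server keeps a short window of those reports per terminal, and that a terminal is flagged dangerous either when its mail upload exceeds an absolute threshold or when it has grown several-fold across the window; the threshold, growth factor, window size and service names are constructed. It also covers the "upload only when abnormal" variant from step (5) with an agent-side check.

```python
"""Traffic-based reassessment of an already admitted mobile terminal.

Added example, not the patent's or ZTE's code. Threshold, growth factor,
window length and the sample traffic reports are constructed values.
"""
from collections import deque

MAIL_UPLOAD_THRESHOLD = 2_000_000   # bytes per report interval (assumed)
GROWTH_FACTOR = 4                   # latest vs. oldest sample in window (assumed)
WINDOW = 3                          # report intervals kept per terminal (assumed)


class TrafficMonitor:
    """Evaluation-server side: per-terminal history and the state flag."""

    def __init__(self, threshold=MAIL_UPLOAD_THRESHOLD,
                 growth=GROWTH_FACTOR, window=WINDOW):
        self.threshold = threshold
        self.growth = growth
        self.window = window
        self.history = {}   # terminal id -> deque of recent mail upload bytes

    def is_abnormal(self, upload_by_service: dict) -> bool:
        """Agent-side test for the 'upload only when abnormal' variant:
        a quiet terminal sends nothing, saving signalling resources."""
        return any(v > self.threshold for v in upload_by_service.values())

    def ingest(self, terminal_id: str, upload_by_service: dict) -> str:
        """Record one interval's report; return 'normal' or 'dangerous'."""
        h = self.history.setdefault(terminal_id, deque(maxlen=self.window))
        h.append(upload_by_service.get("mail", 0))
        latest, oldest = h[-1], h[0]
        # Absolute rule: mail upload alone exceeds the interval budget.
        if latest > self.threshold:
            return "dangerous"
        # Trend rule: mail upload grew several-fold over a full window,
        # the pattern the patent describes for a mail worm.
        if len(h) == self.window and oldest > 0 and latest >= self.growth * oldest:
            return "dangerous"
        return "normal"


def policy_for_flag(flag: str):
    """Access policy server: 'dangerous' -> isolation policy; else no change."""
    return "isolate" if flag == "dangerous" else None


def enforce(policy):
    """SGSN/HSS: isolation leaves only voice; None means leave access as is."""
    if policy == "isolate":
        return frozenset({"voice"})
    return None


def run_reports(monitor: TrafficMonitor, terminal_id: str, reports: list) -> list:
    """Feed periodic reports; return (flag, permitted services or None) per report."""
    out = []
    for report in reports:
        flag = monitor.ingest(terminal_id, report)
        out.append((flag, enforce(policy_for_flag(flag))))
    return out


if __name__ == "__main__":
    # Constructed reports: a terminal whose mail upload climbs as a worm spreads.
    worm_like = [
        {"mail": 50_000, "web": 10_000},
        {"mail": 300_000, "web": 12_000},
        {"mail": 2_500_000, "web": 9_000},
    ]
    for flag, services in run_reports(TrafficMonitor(), "terminal-A", worm_like):
        print(flag, services)
```

The trend rule matters because a worm on a low-bandwidth terminal may never cross an absolute byte threshold, while a several-fold rise in mail upload over consecutive intervals is still the signal the description points to; the absolute rule catches the heavy case on the first report.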

Claims (6)

1. A method for controlling access to a mobile communication network based on the security state of a mobile terminal, characterized in that it comprises the following steps:
(1) a security agent collects the security information of the mobile terminal and sends that security information to a terminal security state evaluation server via the mobile network access control device;
(2) the terminal security state evaluation server evaluates the security state of the mobile terminal according to that security information and sends the state evaluation result for the mobile terminal to an access policy server;
(3) the access policy server generates an access control policy for the mobile terminal according to the security state evaluation result and sends that access control policy to the mobile network access control device;
(4) the mobile network access control device controls the mobile terminal's entry into the mobile network according to that access control policy.
2. The method for controlling access to a mobile communication network based on the security state of a mobile terminal according to claim 1, characterized in that step (4) is further followed by:
(5) the security agent uploads the current traffic information of the mobile terminal that it has collected to the terminal security state evaluation server via the mobile network access control device;
(6) if the terminal security state evaluation server's state evaluation result for the mobile terminal is "normal state", the procedure ends; if the state evaluation result for the mobile terminal is "dangerous state", a "dangerous state" flag is sent to the access policy server;
(7) the access policy server generates the access control policy for the mobile terminal according to the "dangerous state" flag and notifies the mobile network access control device to perform the access control operation.
3. The method for controlling access to a mobile communication network based on the security state of a mobile terminal according to claim 2, characterized in that in step (5) the security agent uploads the collected current traffic information of the mobile terminal to the terminal security state evaluation server via the mobile network access control device at regular intervals.
4. The method for controlling access to a mobile communication network based on the security state of a mobile terminal according to claim 2, characterized in that in step (5) the security agent collects traffic information when the mobile terminal's network traffic is abnormal and uploads that traffic information to the terminal security state evaluation server via the mobile network access control device.
5. The method for controlling access to a mobile communication network based on the security state of a mobile terminal according to claim 1, characterized in that the access control policy comprises:
Allow policy: the mobile terminal is allowed to access the mobile network and use all network resources;
Warning policy: the mobile terminal is allowed to access the mobile network, and a related security warning message is sent to the mobile terminal advising it to upgrade or update;
Isolation policy: the mobile terminal is only allowed to use mobile voice services;
Denial policy: the mobile terminal's access is refused.
6. A device for controlling access to a mobile communication network based on the security state of a mobile terminal, characterized in that it comprises:
Security agent: installed in the mobile terminal, used to collect the security information of the mobile terminal;
Mobile network access control device: located at the border of the mobile network, used to control the mobile terminal's entry into the mobile network and to switch communication between the mobile terminal and the devices within the mobile network;
Terminal security state evaluation server: located in the mobile network, performs security state evaluation on the mobile terminal's security state information and generates the mobile terminal security state evaluation result;
Access policy server: located in the mobile network, generates the access control policy for the mobile terminal according to the mobile terminal security state evaluation result;
wherein the security agent collects the security information of the mobile terminal and sends that security information to the terminal security state evaluation server via the mobile network access control device; the terminal security state evaluation server evaluates the security state of the mobile terminal according to that security information and sends the state evaluation result for the mobile terminal to the access policy server; the access policy server generates the access control policy for the mobile terminal according to the security state evaluation result and sends that access control policy to the mobile network access control device; and the mobile network access control device controls the mobile terminal's entry into the mobile network according to that access control policy.
Priority Applications (1)

Application Number: CNA2006101458703A (CN101193430A)
Priority Date: 2006-11-21
Filing Date: 2006-11-21
Title: Access permission control device and method for mobile communication network based on secure status of mobile terminal
Status: Pending

Publications (1)

Publication Number: CN101193430A
Publication Date: 2008-06-04

Family

ID: 39488107

Country Status (1)

CN: CN101193430A (en)

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
CN101883017B * | 2009-05-04 | 2012-02-01 | 北京启明星辰信息技术股份有限公司 | System and method for evaluating network safe state
CN101917404A * | 2010-07-15 | 2010-12-15 | 优视科技有限公司 | Safety defense method for browser of mobile terminal
CN101917404B * | 2010-07-15 | 2016-03-16 | 优视科技有限公司 | The safety defense method for browser of mobile terminal
CN103916858A * | 2012-12-31 | 2014-07-09 | 中国移动通信集团广东有限公司 | Mobile terminal health degree judgment method and apparatus
CN103916858B * | 2012-12-31 | 2017-08-11 | 中国移动通信集团广东有限公司 | A kind of mobile terminal health degree decision method and device
CN103442064A * | 2013-08-29 | 2013-12-11 | 北京网秦天下科技有限公司 | Mobile terminal, server and methods
CN110324274A * | 2018-03-28 | 2019-10-11 | 华为技术有限公司 | The method and network element of controlling terminal access network

Similar Documents

Publication Publication Date Title
EP2080317B1 (en) Apparatus and a security node for use in determining security attacks
US7716727B2 (en) Network security device and method for protecting a computing device in a networked environment
CN100428689C (en) Network safety control method and system
US20070266422A1 (en) Centralized Dynamic Security Control for a Mobile Device Network
US20080229382A1 (en) Mobile access terminal security function
RU2477520C1 (en) System and method for device configuration-based dynamic adaptation of antivirus application functional
US9467858B2 (en) On device policy enforcement to secure open platform via network and open network
CN101444119A (en) System for implementing security police on mobile communication equipment
WO2006128080A2 (en) Apparatus and methods for protecting data on a wireless device
CN101257678A (en) Method, terminal and system for realizing mobile terminal software safe detection
EP3697117A1 (en) Method and system for controlling internet browsing user security
US20060236390A1 (en) Method and system for detecting malicious wireless applications
CN101193430A (en) Access permission control device and method for mobile communication network based on secure status of mobile terminal
RU2005120690A (en) PROTECTED MEDIA TRACT AND RESOLUTION RESPONSE UNIT
CN101340275B (en) Data card, data processing and transmitting method
CN103269335A (en) Method and system for compliance audit of movable terminal
KR20090035192A (en) Apparatus and method for firewall system integrated management
KR20050090640A (en) A system and method for analyzing harmful traffic
US20030229803A1 (en) Communication systems automated security detection based on protocol cause codes
KR100671044B1 (en) A system and method for analyzing malicious traffic in internal network
CN112564982A (en) Automatic safety risk reporting method and system
CN1848838B (en) Method and system for realizing radio network business control in wireless communication system
KR20200054495A (en) Method for security operation service and apparatus therefor
EP1722531B1 (en) Method and system for detecting malicious wireless applications
CN202584231U (en) Highway toll collection network system having safety protection function

Legal Events

Code | Title
C06 | Publication
PB01 | Publication
C10 | Entry into substantive examination
SE01 | Entry into force of request for substantive examination
C02 | Deemed withdrawal of patent application after publication (patent law 2001)
WD01 | Invention patent application deemed withdrawn after publication

Open date: 2008-06-04