CN106453421A - Smart identifier network service tampered DoS (denial of service) attack cooperative defense method integrating LTE (long term evolution)


Info

Publication number
CN106453421A
Authority
CN
China
Prior art keywords
sid
packet
pgw
service
network
Legal status
Granted
Application number
CN201611122590.0A
Other languages
Chinese (zh)
Other versions
CN106453421B (en)
Inventors
陈佳
童博
张宏科
左元钧
寸怡鹏
贾海宇
Current Assignee
Beijing Jiaotong University
Original Assignee
Beijing Jiaotong University
Legal events
Application filed by Beijing Jiaotong University
Priority to CN201611122590.0A
Publication of CN106453421A
Application granted
Publication of CN106453421B
Expired - Fee Related

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1441 Countermeasures against malicious traffic
    • H04L 63/1458 Denial of Service
    • H04L 63/12 Applying verification of the received information

Abstract

The invention discloses a cooperative defense method against service-tampering DoS (denial of service) attacks in a smart identifier network integrated with LTE (long term evolution). The method comprises the following steps: maintaining an abnormal SID (service identifier) reputation management table on the PGW (PDN gateway), and having the GSR (gigabit switch router) add to each returned data packet a check probability corresponding to the SID in that packet; when the PGW receives the packet, judging whether the packet's SID exists in the table, and if so setting the check probability in the packet to the value stored in the table for that SID, otherwise keeping the check probability already in the packet; when an eNodeB receives the packet from the PGW, deciding according to the check probability in the packet whether to perform signature verification, caching and forwarding the packet if signature verification is performed and succeeds, and discarding the packet and sending abnormal alarm information carrying the SID to the PGW if signature verification fails; when the PGW receives that alarm, judging whether the SID exists in the table, increasing the check probability stored for the SID if it does, and otherwise adding the SID to the table and then increasing its check probability. The probability of detecting tampered data packets is thereby increased.

Description

Cooperative defense method against service-tampering DoS attacks in a smart identifier network integrated with LTE
Technical field
The present invention relates to the field of network communication technology, and more particularly to a cooperative defense method against service-tampering DoS (Denial of Service) attacks in a smart identifier network integrated with LTE (Long Term Evolution).
Background technology
Over its long evolution, and especially in recent years, the scale of the Internet has expanded drastically. The original design concept of its "triple binding" model makes its mode of operation relatively "static" and "ossified", which leads to many problems that are difficult to solve. For example, the binding of resources to locations makes it hard for the existing Internet to realize cloud computing at network-wide scale; the binding of control to data makes it hard to achieve energy savings in the network; and the binding of identity to location makes it hard to solve effectively the scalability, mobility and security problems of the network. Furthermore, the conventional Internet is seriously deficient in smart mechanisms such as intelligence, perception, cognition and dynamism: when user or network behaviour changes, the network can hardly perceive the change and adapt its resources dynamically, which results in unreasonable allocation of network resources, low utilization and high energy consumption.
In order to solve the problems of the existing Internet, and to move away from the repair mindset of continually applying patches, in recent years countries and network research institutions around the world have successively carried out research into new network architectures. Among these, the smart identifier network is a future Internet architecture proposed by the National Engineering Laboratory for Next Generation Internet Interconnection Devices of Beijing Jiaotong University, which, relying on the National Basic Research Program of China (973 Program) project "Basic Research on Smart Identifier Network Theory", investigated and explored in depth the theoretical foundations of a future network system supporting smart (intelligent, perceptive, cognitive, dynamic) services and networks. Its advantage is that it combines the strengths of the Internet and of conventional telecommunication networks, decouples the dual semantics of the IP address, and uses identity/location separation and resource/location separation technology to improve network scalability, security and mobility. The smart identifier network divides the network into an entity domain and a behaviour domain and introduces the access identifier AID (Access Identifier) and the routing identifier RID (Routing Identifier); this improves network service quality on the one hand and the security of the network on the other, and the architecture can be integrated with the existing Internet and network architectures.
As an important component of next-generation Internet research, the smart identifier network is content-centric within its architecture, and its routing and caching differ from those of a traditional IP network. Through a distributed content caching mechanism, the architecture realizes content-centric data transfer and changes the traditional host-based network communication pattern.
With the flourishing of the mobile Internet and the rapid development of all kinds of new network applications, data traffic has exceeded voice traffic and become the most important traffic cost. While people enjoy all kinds of brand-new network services, the explosive growth of traffic keeps raising the demands placed on the mobile Internet; with the rise of smart devices, the amount of content people download is unprecedentedly large, which puts great pressure on the network. Wireless operators worldwide therefore face growing demand for high-speed mobile broadband services; more and more users turn to applications that consume extreme bandwidth, such as video, and operators have to find new technologies to meet these growing needs. Compared with 3G, LTE can provide high-speed mobile broadband services. Its theoretical download speed is about 100 MB per second, roughly 2000 times that of dial-up; at this speed a 600 MB file takes only 6 seconds to download. In practice, however, all bandwidth is affected by transmission distance and by the number of simultaneous online users. At present the basic technical requirements of the International Telecommunication Union for 4G are a downlink rate of 100 Mbit/s in a mobile state and 1 Gbit/s in a stationary or slowly moving state. Compared with existing mobile communication technology, the transmission rate of 4G can be improved 1000-fold.
In recent years, Internet security problems have become increasingly prominent. Online office work, e-commerce and even e-government are all developing rapidly. When the Internet was designed, all nodes were assumed to be trustworthy, free and equal. As a result the traditional Internet lacks a user identity authentication mechanism and lacks a security management mechanism, which makes identity impersonation and deception possible. The network is full of hackers who use technical means (viruses or network attacks) to obtain illegal gains. People have continually sought solutions to Internet security, such as developing firewalls, security audit systems and intrusion detection systems, but none of these fundamentally solves the problem of trustworthy verification of user identity.
The smart identifier network comprises three layers: the network component layer, the resource adaptation layer and the smart service layer. The smart service layer is responsible for the uniform naming and description of the various services, for the description of service behaviour, and for the dynamic smart matching of services; these services include the various network services provided by operators or third-party value-added service providers, mainly voice, data, streaming media and so on. The smart service layer introduces the service identifier SID (Service Identifier) to label smart services, which not only completes the uniform naming and description of services but also realizes the separation of service resources from location; the smart mapping of the service identifier is used to complete the dynamic matching between a given service and a network group (a combination of underlying network components) of the resource adaptation layer, realizing smart matching between services and network infrastructure and making service delivery more reliable.
The smart identifier network is a content-centric architecture: users no longer pay attention to where content is stored, but only to the content itself. Messages are no longer identified by something like an IP address, but by the name of the service itself. In the communication process of this network two types of data packet are transmitted: the interest packet carrying a service identifier that the user sends, and the data packet that the server (or cache node) returns. The requesting user sends an interest packet carrying a service identifier, which the smart identifier network nodes forward to a nearby node able to respond with the requested content; the data packet containing the service identifier and the content is then delivered to the requester along the reverse path of the interest packet, completing one information transfer.
Fig. 1 shows the existing network in which an LTE network is integrated with a smart identifier network. The main network elements are: the basic elements of the LTE evolved packet core EPC (Evolved Packet Core), namely the LTE base station eNodeB (Evolved Node B), the network node MME (Mobility Management Entity) and the serving gateway SGW (Serving GateWay); the private-network SID server, private-network router GSR (Gigabit Switch Router) and mapping server of the smart identifier network; and the mobile private-network security gateway device that merges the PDN gateway PGW (PDN GateWay) with the private-network access router ASR.
In this network environment, the request sent by a user terminal UE (User Equipment) can be an SID request, which requires the network elements of the LTE network to support processing of packets containing an SID. Communication based on SID differs from traditional communication based on IP/AID in three respects. First, the packet format differs: the fields contained in a packet sent by the user terminal mainly include SID, AID, UID and other items. Second, the communication process differs: an SID request sent by the UE must first pass through the SID resolution server, which parses the SID field of the packet and returns the AID or AID group corresponding to the SID to the UE, after which the UE requests communication with the corresponding AID. Third, when a packet is transferred to the mobile private-network security gateway, the AID field in the packet is replaced by an RID, which the mapping server assigns to the corresponding AID.
In this network environment, as shown in Fig. 2, the flow in which a user terminal accesses the LTE network and sends an SID request to the private network comprises 14 steps in total, of which steps 1 to 11 are the steps by which the user terminal accesses the LTE network, and steps 12 to 14 are the steps by which the user terminal, after having accessed the LTE network and begun normal communication, sends an SID request to the private network; sending an SID request to the private network here means sending an SID request to the private-network router GSR.
As described above, each node in the network integrating the LTE network with the smart identifier network contains a content store CS (content storage). Unlike an IP router, which clears its stored content as soon as forwarding is complete, a node in this network needs to cache completed data as far as possible so that different users can request the same data. However, the storage space of each node is limited, and no node can cache an unlimited number of packets. When the cached packets reach the maximum that the node's space can hold, receiving a new packet requires cache replacement, that is, discarding old packets according to some strategy so that the node's storage is not fully occupied, which reduces the probability that content requests fail.
But an attacker can exploit this way of obtaining packets from caches. For example, an attacker who controls the router of some node tampers with the content of packets but does not change their SID; when a normal interest packet arrives, the tampered packet is returned because the SID matches, and only when it reaches the user is it found not to be the desired content. Meanwhile, on the whole downlink return path, the cached packets carrying this SID have all been tampered with, so when other users request this SID again they likewise cannot obtain the desired content. When a legitimate user then makes a normal request, the intermediate node can no longer provide it with normal service, and the user has to request the data from a farther cache node or even from the content source, which greatly reduces the user's request efficiency. If routing nodes also chose to perform signature authentication, the overhead would be very large; experiments have shown that the computation required for a router with multiple gigabit interfaces to perform signature authentication on every packet is quite impractical.
As described above, for the node-cache-based communication process of the content-centric smart identifier network architecture, an attacker may adopt attack means such as:
(1) by controlling some router, tampering with the content of the packets it receives, so that the content of the packets cached by its downstream routers is also all tampered with;
(2) by predicting a particular SID, using requesters and service providers simulated by machines under the attacker's own control to pre-deposit into router caches packets that satisfy this SID but whose content is not what normal users expect.
Both of the above attack behaviours cause the interest packets sent by users making normal service requests to fail to receive correct service content packets. In existing content-centric networks, the mainstream technique for solving content tampering is SCIC (Self-Certifying Interests/Content), which mainly includes S-SCIC (Static Self-Certifying Interests/Content) and D-SCIC (Dynamic Self-Certifying Interests/Content). S-SCIC mainly generates a hash value automatically from the content of each packet, so that once the content of the packet changes the hash value changes with it. In D-SCIC the requester mainly adds a field PublisherPublicKeyDigest to the interest packet, which stores the hash of the service provider's public key; once the requester uses this field, each router verifies whether the returned packet matches the same public key as the interest packet.
Among these methods, S-SCIC can solve the content tampering problem very well; for continuous data (content1, content2, ...), its solution stores the hash hash2 of content2 together with content1, so knowing only the hash hash1 of content1 guarantees the accuracy of a whole segment of continuous data. However, its scope is limited to static data such as a film or an e-book, for which the service provider can compute the hash of each segment in advance and send hash1 to the requester. In real networks there is much dynamic content, where the content to be returned may not exist before the request is initiated (for example the result of a web search); in this case S-SCIC cannot guarantee the integrity and accuracy of the content. Meanwhile, although D-SCIC can solve some of the content tampering caused by controlled service providers, once an attacker directly modifies the content of a packet cached on a router, rather than the public key of the service provider it trusts, the public key still matches correctly, yet the content of the packet returned along the way is still wrong. Moreover, no self-certifying naming method currently supports static and dynamic self-certified content naming at the same time.
Accordingly, it is desirable to provide a cooperative defense method against service-tampering DoS attacks in a smart identifier network integrated with LTE which, within a reasonable range of computational performance, raises the probability of detecting packets whose content has been maliciously tampered with and thereby reduces the probability that tampered content packets are cached.
Content of the invention
The object of the present invention is to provide a cooperative defense method against service-tampering DoS attacks in a smart identifier network integrated with LTE, in order to achieve the following:
1. When an attacker has compromised some private-network router GSR in the private network and tampered with the content of normal SID-bearing packets that it caches or receives, cooperative defense is performed as the packets are transferred into the LTE network, reducing the probability that tampered packets are cached by eNodeBs and at the same time increasing the probability that mobile users normally obtain correct service content;
2. Because the volume of data the PGW carries is huge, the PGW itself does not perform signature authentication; instead the eNodeBs that access the private network through the PGW act as the authentication units and together form the cooperative defense mechanism, with the PGW acting as a central controller, so as to raise the probability that eNodeBs detect tampered packets and to effectively ensure effectiveness while taking performance into account.
To achieve the above object, the present invention adopts the following technical solution:
A cooperative defense method against service-tampering DoS attacks in a smart identifier network integrated with LTE, comprising the following steps:
maintaining an abnormal SID reputation management table on the PGW, and establishing in each packet returned by the GSR a check probability corresponding to the SID in that packet;
when the PGW receives the packet, judging whether the SID in the packet exists in the abnormal SID reputation management table; if so, setting the check probability in the packet to the check probability stored in the abnormal SID reputation management table for that SID; otherwise keeping the check probability in the packet;
when an eNodeB receives the packet returned by the PGW, deciding according to the check probability in the packet whether to perform signature authentication on it; if signature authentication is performed and succeeds, caching the packet and sending it to the user terminal; if signature authentication is performed and fails, discarding the packet and sending to the PGW abnormal alarm information carrying the SID in the packet;
when the PGW receives the abnormal alarm information carrying the SID in the packet, judging whether that SID exists in the abnormal SID reputation management table; if so, raising the check probability stored in the table for that SID; otherwise adding the SID to the abnormal SID reputation management table and raising the check probability stored in the table for that SID.
Preferably, the initial value of the check probability corresponding to the SID, established in the packets returned by the GSR, is the same for all packets.
Preferably, the packet further includes a digital signature and the service content provided.
The beneficial effects of the present invention are as follows:
The technical solution of the present invention, while keeping the original system's authentication, access and communication functions, analyses the behaviour that may occur in an SID-request-based network environment in which an attacker-controlled node router carries out content tampering attacks, causing eNodeBs to store large amounts of erroneous cache content and reducing the efficiency with which users request correct content. It adds a cooperative defense mechanism on the PGW and the eNodeBs to restrict the malicious tampering of SIDs in the private network from the edge of the mobile network core, effectively protecting the content security of base stations in the mobile network and the quality of service acquisition of users.
Brief description of the drawings
The specific embodiments of the present invention are described in further detail below with reference to the accompanying drawings.
Fig. 1 shows the network environment topology of a prior-art network integrating an LTE network with a smart identifier network.
Fig. 2 shows the basic communication flow in which, in the prior-art network environment integrating an LTE network with a smart identifier network, a user terminal accesses the LTE network and sends an SID request to the private network.
Fig. 3 shows the concrete signaling flow of the cooperative defense method against service-tampering DoS attacks in a smart identifier network integrated with LTE.
Specific embodiment
In order to illustrate the present invention more clearly, it is further described below with reference to preferred embodiments and the accompanying drawings. In the drawings, similar parts are indicated by the same reference numerals. Those skilled in the art will appreciate that what is specifically described below is illustrative and not restrictive, and should not be taken to limit the scope of protection of the invention.
The cooperative defense method against service-tampering DoS attacks in a smart identifier network integrated with LTE disclosed by the invention comprises the following steps:
An abnormal SID reputation management table is maintained on the PGW, and in each packet that the GSR returns in response to a UE's SID request a check probability corresponding to the SID in the packet is established; the initial value of the check probability established in every packet in the network is the same.
When the PGW receives a packet returned by the GSR, it judges whether the SID in the packet exists in the abnormal SID reputation management table; if so, it sets the check probability in the packet to the check probability stored in the abnormal SID reputation management table for that SID; otherwise it keeps the check probability in the packet.
Because the volume of data the PGW carries is huge, the PGW itself does not perform signature authentication; instead the eNodeBs that access the private network through this PGW act as the authentication units and together form the cooperative defense mechanism. Thus, when an eNodeB receives a packet returned by the PGW, it decides according to the check probability in the packet whether to perform signature authentication on it. If it performs signature authentication and authentication succeeds, it directly caches the packet and sends it on to the next-hop eNodeB or to the user terminal; if it performs signature authentication and authentication fails, it discards the packet and sends abnormal alarm information carrying the packet's SID to the PGW.
When the PGW receives abnormal alarm information carrying a packet's SID, this means that the content of the packets corresponding to that SID may have been tampered with, and the PGW judges whether the SID exists in the abnormal SID reputation management table. If so, it lowers the reputation level of the SID and raises the check probability stored for that SID in the table; otherwise it adds the SID to the abnormal SID reputation management table, lowers the reputation level of the SID, and raises the check probability stored for that SID in the table. If the PGW finds that the SID is not in the abnormal SID reputation management table, this shows that the check probability for the SID has never been raised by the PGW and is still the initial value that was set when the check probability corresponding to the SID was established in the packet returned by the GSR, so the PGW raises the check probability stored for the SID in the table starting from that initial value.
When the PGW again receives a packet containing the same SID returned by the GSR, the check probability of that packet is raised by the PGW, which raises the probability that the tampered packet is detected by an eNodeB and in turn raises the probability that nodes cache correct packet content.
As shown in Fig. 3, the concrete signaling flow of the cooperative defense method against service-tampering DoS attacks in a smart identifier network integrated with LTE disclosed by the invention is exemplified as follows:
First, before the cooperative defense method against service-tampering DoS attacks in the smart identifier network integrated with LTE begins to execute, the user terminal must first access the LTE network and send an SID request to the private network. This flow of accessing the LTE network and sending an SID request is the access request flow commonly used in the prior art, and is briefly described as follows: the SGW sends a PDP context request to the PGW; the PGW sends a PDP context response to the SGW; the user opens a web page on the user terminal, which starts the WEB authentication process, and enters a user name and password on the login authentication page; the authentication service looks up the user's user name and password and returns the authentication result, and if authentication passes the user is redirected to the ASR authentication management address, the ASR module allows the user onto the network, assigns it a routing identifier and adds a mapping table entry. The user sends packets, and the PGW/ASR replaces the user's access identifier with the corresponding routing identifier. Thereafter, having accessed the LTE network and begun normal communication, the user terminal sends an SID request to the private network.
Then, the concrete signaling flow of the cooperative defense method against service-tampering DoS attacks in the smart identifier network integrated with LTE is exemplified as follows:
An abnormal SID reputation management table is maintained on the PGW, and in each packet that the GSR returns in response to a UE's SID request a check probability corresponding to the SID in the packet is established, the initial value of the check probability established in the packets returned by the GSR being the same for all of them.
The SID request sent by UE1 to the private network arrives at a GSR controlled by an attacker. The attacker has tampered with the content of the packets cached on this GSR that carry the same SID; the tampered packet is returned, and the GSRs along the way likewise cache the tampered packet.
When the packet returned by the attacker-controlled GSR arrives at the PGW, the PGW judges whether the SID in the packet exists in the abnormal SID reputation management table. If the SID in the packet is not in the PGW's abnormal SID reputation management table, the check probability P1 in the packet is kept; when the packet reaches base station eNodeB1, eNodeB1 decides according to this check probability P1 whether to perform signature authentication on the packet.
If eNodeB1 performs signature authentication and finds that authentication fails, this shows that the packet has been tampered with; eNodeB1 directly discards the packet and at the same time feeds abnormal alarm information carrying the packet's SID back to the PGW.
When the PGW receives the abnormal alarm information, it adds the SID to the abnormal SID reputation management table, lowers the reputation level of the SID, and raises the check probability stored for the SID in the abnormal SID reputation management table, from P1 to P2.
Afterwards, UE2 within the range of another base station eNodeB2 sends an SID request to the private network whose SID is the same as that of the SID request sent earlier by UE1; that is, UE2 initiates a request for the same SID, likewise obtains the tampered packet in the private network, and the packet is returned.
When the tampered packet arrives at the PGW, because the SID in the packet has a record in the PGW's abnormal SID reputation management table, the check probability in the packet is set to P2. When the packet reaches base station eNodeB2, eNodeB2 judges whether to perform signature authentication on the packet based on the new probability P2 (P2 > P1), so the probability of detecting that the packet has been tampered with is larger.
In this scheme, the signaling format of data in the network integrating LTE with the smart identifier network is defined as follows:
1) The format of a packet that a GSR provides or returns in response to a SID request (which may be called an interest packet) is as in the following table:
SID CheckProbability Signature Content
Wherein:
SID: service identifier;
CheckProbability: verification probability;
Signature: digital signature;
Content: the service content provided.
2) The storage format of the abnormal SID reputation management table is as in the following table:
SID` Level CheckProbability
Wherein:
SID`: abnormal service identifier;
Level: the current reputation level of this service identifier;
CheckProbability: the verification probability of this service identifier, evaluated from its reputation level.
3) The format of the message by which an eNodeB feeds back abnormal SID information to the PGW is as in the following table:
SID` CheckProbability Option
Wherein:
SID`: abnormal service identifier;
CheckProbability: the verification probability of this service identifier, evaluated from its reputation level;
Option: option field.
The cooperative defense method against service-tampering DoS attacks in a smart identifier network integrating LTE, as disclosed by the invention, has the following features:
(1) An abnormal SID reputation management table is established on the PGW, and the verification probability of a SID can be determined in real time from its reputation level;
(2) As soon as an eNodeB fails signature authentication of a packet, it feeds back the SID information of that packet to the PGW, which benefits the data acquisition of the next user that requests the same SID through another eNodeB; this realizes the cooperative defense mechanism formed jointly by the eNodeBs and the PGW;
(3) The method of determining the verification probability includes changing the reputation level of the SID and constructing a functional relation, according to the load imbalance of each eNodeB in the current domain, that determines the verification probability of a specific abnormal SID.
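A runnable model of the PGW/eNodeB feedback loop and the interest-packet format described above, written as an added example and not code from the patent: HMAC-SHA256 stands in for the private network's digital signature, and the initial probability P1 = 0.2 and the 0.3 step per reputation level are constructed, since the page gives no numbers. `walkthrough()` replays the UE1/UE2 scenario: eNodeB1's failed check raises the SID's probability at the PGW, so UE2's copy of the same SID is forwarded with P2 > P1.

```python
import hashlib
import hmac
from dataclasses import dataclass
P1, LEVEL_STEP = 0.2, 0.3  # constructed: the page gives no initial probability or per-level step

@dataclass
class Packet:  # the page's interest-packet format: SID | CheckProbability | Signature | Content
    sid: str
    check_probability: float
    signature: bytes
    content: bytes

def sign(key, sid, content):
    # HMAC-SHA256 stands in for the private network's digital signature (assumption)
    return hmac.new(key, sid.encode() + content, hashlib.sha256).digest()

class PGW:
    """Keeps the abnormal SID reputation table: SID` -> (Level, CheckProbability)."""
    def __init__(self):
        self.table = {}
    def forward(self, pkt):
        # listed SID: overwrite the packet's CheckProbability with the table value
        if pkt.sid in self.table:
            pkt.check_probability = self.table[pkt.sid][1]
        return pkt
    def alarm(self, sid):
        # an eNodeB reported a failed signature check: degrade the level, raise the probability
        level = self.table.get(sid, (0, P1))[0] + 1
        self.table[sid] = (level, min(1.0, P1 + LEVEL_STEP * level))

class ENodeB:
    def __init__(self, pgw, key, rng):
        self.pgw, self.key, self.rng, self.cache = pgw, key, rng, {}
    def receive(self, pkt):
        # verify with probability CheckProbability; a failed check drops the packet and alarms PGW
        if self.rng.random() < pkt.check_probability:
            if not hmac.compare_digest(sign(self.key, pkt.sid, pkt.content), pkt.signature):
                self.pgw.alarm(pkt.sid)
                return None
        self.cache[pkt.sid] = pkt  # verified or unchecked packets are cached and passed to the UE
        return pkt
class AlwaysCheck:
    random = staticmethod(lambda: 0.0)  # forces verification so the replay is deterministic

def walkthrough(key=b"constructed-private-network-key"):
    """Replays the UE1 / UE2 scenario: the attacker's GSR changed Content but kept the Signature."""
    pgw, sig = PGW(), sign(key, "sid-A", b"genuine")
    ue1 = ENodeB(pgw, key, AlwaysCheck()).receive(pgw.forward(Packet("sid-A", P1, sig, b"tampered")))
    ue2 = pgw.forward(Packet("sid-A", P1, sig, b"tampered"))  # same SID, now listed at PGW
    return ue1, ue2.check_probability, pgw.table["sid-A"][0]
```

In a real deployment the eNodeB would use a proper random source (for example `random.random`) in place of `AlwaysCheck`, so that only a fraction P of packets is verified.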
Obviously, the above embodiments of the present invention are only examples given to illustrate the invention clearly and are not a limitation on its embodiments. Those of ordinary skill in the art may make other changes in different forms on the basis of the above description; the embodiments cannot all be exhausted here, and any obvious change or variation extended from the technical scheme of the invention still falls within the scope of protection of the invention.

Claims (3)

1. A cooperative defense method against service-tampering DoS attacks in a smart identifier network integrating LTE, characterized in that the method comprises the following steps:
maintaining an abnormal SID reputation management table on the PGW, and establishing in the packet returned by the GSR a verification probability corresponding to the SID in the packet;
when the PGW receives the packet, judging whether the SID in the packet exists in the abnormal SID reputation management table; if so, setting the verification probability in the packet to the verification probability stored in the abnormal SID reputation management table for the SID in the packet; otherwise keeping the verification probability in the packet;
when an eNodeB receives the packet returned by the PGW, deciding according to the verification probability in the packet whether to perform signature authentication on the packet; if signature authentication is performed and succeeds, caching the packet and sending it to the user terminal; if signature authentication is performed and fails, discarding the packet and sending an abnormal alarm message for the SID carried in the packet to the PGW;
when the PGW receives the abnormal alarm message for the SID carried in the packet, judging whether the SID in the packet exists in the abnormal SID reputation management table; if so, raising the verification probability stored for that SID in the abnormal SID reputation management table; otherwise adding the SID to the abnormal SID reputation management table and raising the verification probability stored for it there.
2. The cooperative defense method against service-tampering DoS attacks in a smart identifier network integrating LTE according to claim 1, characterized in that the initial values of the verification probabilities established in the packets returned by the GSR, corresponding to their SIDs, are identical.
3. The cooperative defense method against service-tampering DoS attacks in a smart identifier network integrating LTE according to claim 1, characterized in that the packet further includes a digital signature and the service content provided.
CN201611122590.0A 2016-12-08 2016-12-08 The wisdom mark network of fusion LTE distorts the composite defense method of DoS attack to service Expired - Fee Related CN106453421B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201611122590.0A CN106453421B (en) 2016-12-08 2016-12-08 The wisdom mark network of fusion LTE distorts the composite defense method of DoS attack to service

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201611122590.0A CN106453421B (en) 2016-12-08 2016-12-08 The wisdom mark network of fusion LTE distorts the composite defense method of DoS attack to service

Publications (2)

Publication Number Publication Date
CN106453421A true CN106453421A (en) 2017-02-22
CN106453421B CN106453421B (en) 2019-08-16

Family

ID=58216250

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201611122590.0A Expired - Fee Related CN106453421B (en) 2016-12-08 2016-12-08 The wisdom mark network of fusion LTE distorts the composite defense method of DoS attack to service

Country Status (1)

Country Link
CN (1) CN106453421B (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109462498A (en) * 2018-10-24 2019-03-12 北京交通大学 A kind of pervasive network system and its communication means
CN113316152A (en) * 2021-05-21 2021-08-27 重庆邮电大学 DoS attack detection method and defense method for terminal in LTE system
WO2023241048A1 (en) * 2022-06-15 2023-12-21 中兴通讯股份有限公司 Regulation and control method for network connection request, controller, base station, and storage medium

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101631026A (en) * 2008-07-18 2010-01-20 北京启明星辰信息技术股份有限公司 Method and device for defending against denial-of-service attacks
US20110183733A1 (en) * 2010-01-25 2011-07-28 Asami Yoshida Power management apparatus, and method of providing game contents
JP2011150663A (en) * 2010-01-25 2011-08-04 Sony Corp Power management apparatus, and display method
CN104506459A (en) * 2014-12-10 2015-04-08 北京交通大学 Data packet transmission method, device and system in intelligent cooperative network
CN104580165A (en) * 2014-12-19 2015-04-29 北京交通大学 Cooperative caching method in intelligence cooperative network
CN105991557A (en) * 2015-02-05 2016-10-05 精硕世纪科技(北京)有限公司 Network attack defense method based on DNS intelligent analysis system

Also Published As

Publication number Publication date
CN106453421B (en) 2019-08-16

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20190816

Termination date: 20191208