CN108123789A - Method and apparatus for analyzing security attacks - Google Patents
Publication number: CN108123789A (application CN201611063393.6A)
Authority: CN (China)
Legal status: Granted
Prior art keywords: file, signaling data, attack, data, request
Classifications: H04L9/002 (countermeasures against attacks on cryptographic mechanisms); H04L63/0227 (filtering policies, under H04L63/02 network security for separating internal from external traffic, e.g. firewalls)
Abstract
An embodiment of the present invention provides a method and apparatus for analyzing security attacks. The method includes: obtaining signaling data and extracting the key cell (information element) field information of the signaling data from each protocol layer corresponding to the signaling data; and performing security attack analysis on the signaling data according to the key cell field information to obtain a security attack analysis result. This solves the problem in the prior art that, for attacks against which no protective means exist, there is no corresponding way to determine whether an attack occurred or whether it succeeded.
Description
Technical field
The present invention relates to the field of communication technology, and in particular to a method and apparatus for analyzing security attacks.
Background art
In recent years, as the technologies of the traditional GSM communication system have matured, reports and incidents of attacks on SS7 signaling security in GSM systems have also been increasing. The security threats most often mentioned in these many reports include location tracking, call hijacking and denial of service.
Existing protective means against SS7 signaling security threats rely mainly on a signaling firewall, which judges according to the signaling GT code, the carried subscriber identifier (MDN or IMSI) and the behavioural characteristics of a single signaling instruction; if a certain abnormal behaviour pattern is matched, the message is regarded as a security threat and the corresponding protective action is taken.
Existing SS7 signaling security protective means are listed in Table 1:
Table 1 SS7 signaling security protective means
For location tracking there are partial protective means, while for call hijacking and denial of service there are no specific protective means. For the attacks that do have protective means, there is no specific audit measure, method, system or equipment to verify the protective means already deployed; likewise, for the attacks without protective means there is no corresponding audit, so it is not possible to determine whether an attack occurred or whether it succeeded.
Summary of the invention
In view of the above technical problem, embodiments of the present invention provide a method and apparatus for analyzing security attacks, which solve the problem in the prior art that, for attacks without protective means, there is no corresponding way to determine whether an attack occurred or whether it succeeded.
According to a first aspect of the embodiments of the present invention, a method for analyzing security attacks is provided, including:
obtaining signaling data, and extracting the key cell field information of the signaling data from each protocol layer corresponding to the signaling data;
performing security attack analysis on the signaling data according to the key cell field information to obtain a security attack analysis result.
Optionally, obtaining the signaling data includes:
obtaining offline signaling data from an international gateway, the offline signaling data being data packets generated at predetermined time intervals.
Optionally, performing security attack analysis on the signaling data according to the key cell field information to obtain a security attack analysis result includes:
classifying the signaling data according to the operation code type field and the message direction field in the key cell field information, and generating classification-retrieval cell data files of the signaling data, where the classification-retrieval cell data file of each type includes a request-direction file of that type and a response-direction file of that type;
performing security attack analysis on the signaling data according to the request-direction file and the response-direction file to obtain a confirmed-attack set and a suspected-attack set.
Optionally, performing security attack analysis according to the request-direction file and the response-direction file to obtain a confirmed-attack set and a suspected-attack set includes:
filtering the request-direction file in the classification-retrieval cell data file according to the principle of inbound requests;
performing an association check between the originating transaction ID of the request-direction file entries that meet the filter condition and the destination transaction ID in the response-direction file;
if the originating transaction ID of a request message in the request-direction file is identical to the destination transaction ID of a response message in the response-direction file, and the location information field carried by that response message in the response-direction file shows a domestic location, merging the request message and the response message and outputting them to the confirmed-attack set corresponding to the classification-retrieval cell data file;
if there is no response message corresponding to the request message, outputting the request message to the suspected-attack set corresponding to the classification-retrieval cell data file.
Optionally, filtering the request-direction file in the classification-retrieval cell data file according to the principle of inbound requests includes:
filtering the request-direction file in the classification-retrieval cell data file with the filter condition that the destination point code (DPC) is domestic, the originating point code (OPC) is foreign, and the international mobile subscriber identity (IMSI) or mobile directory number (MDN) is domestic.
According to a second aspect of the embodiments of the present invention, an apparatus for analyzing security attacks is also provided, including:
an acquisition module, configured to obtain signaling data and extract the key cell field information of the signaling data from each protocol layer corresponding to the signaling data;
an analysis module, configured to perform security attack analysis on the signaling data according to the key cell field information to obtain a security attack analysis result.
Optionally, the acquisition module includes:
an acquiring unit, configured to obtain offline signaling data from an international gateway, the offline signaling data being data packets generated at predetermined time intervals;
an extraction unit, configured to extract the key cell field information of the offline signaling data from each protocol layer corresponding to the offline signaling data.
Optionally, the analysis module includes:
a classification unit, configured to classify the signaling data according to the operation code type field and the message direction field in the key cell field information, and to generate the classification-retrieval cell data files of the signaling data, where the classification-retrieval cell data file of each type includes a request-direction file of that type and a response-direction file of that type;
an analysis unit, configured to perform security attack analysis on the signaling data according to the request-direction file and the response-direction file to obtain a confirmed-attack set and a suspected-attack set.
Optionally, the analysis unit includes:
a filtering subunit, configured to filter the request-direction file in the classification-retrieval cell data file according to the principle of inbound requests;
a checking subunit, configured to perform an association check between the originating transaction ID of the request-direction file entries that meet the filter condition and the destination transaction ID in the response-direction file;
if the originating transaction ID of a request message in the request-direction file is identical to the destination transaction ID of a response message in the response-direction file, and the location information field carried by that response message in the response-direction file shows a domestic location, the request message and the response message are merged and output to the confirmed-attack set corresponding to the classification-retrieval cell data file;
if there is no response message corresponding to the request message, the request message is output to the suspected-attack set corresponding to the classification-retrieval cell data file.
Optionally, the filtering subunit is further configured to:
filter the request-direction file in the classification-retrieval cell data file with the filter condition that the destination point code (DPC) is domestic, the originating point code (OPC) is foreign, and the international mobile subscriber identity (IMSI) or mobile directory number (MDN) is domestic.
One of the above technical solutions has the following advantages or beneficial effects: signaling data is obtained, and the key cell field information of the signaling data is extracted from each protocol layer corresponding to the signaling data; security attack analysis is then performed on the signaling data according to the key cell field information to obtain a security attack analysis result. This solves the problem in the prior art that, for attacks without protective means, there is no corresponding way to determine whether an attack occurred or whether it succeeded. Existing schemes focus on interception and protection and lack a means of confirming the outcome afterwards, whereas this embodiment obtains a security attack analysis result for the signaling data and thereby provides such a means of after-the-fact confirmation. Further, this embodiment works on data captured from the live network, which can be taken from the existing international gateway signaling monitoring data without adding signaling acquisition cost; the embodiment can be delivered as an audit report output, with no immediate impact on the live network; and the live network can subsequently act on the security attack analysis result as appropriate.
Description of the drawings
Fig. 1 is a flowchart of the method for analyzing security attacks in Embodiment 1 of the present invention;
Fig. 2 is a schematic diagram of the Signaling System No. 7 protocol layers involved in the attacks in Embodiment 1 of the present invention;
Fig. 3 is a flowchart of step 102 in Embodiment 1 of the present invention;
Fig. 4 is a flowchart of step 1022 in Embodiment 1 of the present invention;
Fig. 5 is the first block diagram of the apparatus for analyzing security attacks in Embodiment 2 of the present invention;
Fig. 6 is the second block diagram of the apparatus for analyzing security attacks in Embodiment 2 of the present invention.
Detailed description of embodiments
Exemplary embodiments of the present disclosure are described more fully below with reference to the accompanying drawings. Although the drawings show exemplary embodiments of the present disclosure, it should be understood that the present disclosure may be implemented in various forms and should not be limited by the embodiments set forth here. Rather, these embodiments are provided so that the present disclosure will be understood more thoroughly and its scope can be fully conveyed to those skilled in the art.
Those skilled in the art will appreciate that embodiments of the present invention may be implemented as a system, device, apparatus, method or computer program product. Therefore, the embodiments of the present invention may take the form of entirely hardware, entirely software (including firmware, resident software, microcode, etc.), or a combination of hardware and software.
Embodiment 1
Referring to Fig. 1, which shows a method for analyzing security attacks, the specific steps are as follows:
Step 101: obtain signaling data, and extract the key cell field information of the signaling data from each protocol layer corresponding to the signaling data.
In this embodiment, optionally, offline signaling data is obtained from an international gateway, the offline signaling data being data packets generated at predetermined time intervals. The offline signaling data for both directions is obtained from the signaling-related systems already built at the live-network international gateway, so the live network needs no modification and is not affected. The offline signaling data may be the bidirectional data of the international gateway; its storage format may be PCAP files; one data packet may be generated per predetermined time interval (for example 2 minutes); and the offline signaling data file name format may be cvt_yyyymmddhhmiss.pcap.
Example data file name: cvt_20150207194922.pcap
File name format:
cvt - file prefix
'_' - separator
yyyy - 4 digits, the year
mm - 2 digits, the month
dd - 2 digits, the day
hh - 2 digits, the hour
mi - 2 digits, the minute
ss - 2 digits, the second
Taking Signaling System No. 7 as an example, the protocol layers corresponding to Signaling System No. 7 are shown in Fig. 2.
Likewise, taking Signaling System No. 7 as an example, the key cell field information extracted from each layer is shown in the table below:
Step 102: perform security attack analysis on the signaling data according to the key cell field information to obtain a security attack analysis result.
Referring to Fig. 3, which shows the flow of step 102, the specific steps are as follows:
Step 1021: classify the signaling data according to the operation code type field and the message direction field in the key cell field information, and generate the classification-retrieval cell data files of the signaling data, where the classification-retrieval cell data file of each type includes a request-direction file of that type and a response-direction file of that type.
The operation code type field may be expressed as OperationCode and includes: ati, sri, psi, psl, isd, cl, dsd.
The message direction field may be expressed as ComponentTypeTag and includes: invoke, representing an inbound request, and rr/rrnl, representing an outbound response.
Step 1022: perform security attack analysis on the signaling data according to the request-direction file and the response-direction file to obtain a confirmed-attack set and a suspected-attack set.
Further, the confirmed-attack list and the suspected-attack list are separated by attack type and output together.
The classification-retrieval cell data files may include a location-tracking classification-retrieval cell data table, a call-hijacking classification-retrieval cell data table and a denial-of-service classification-retrieval cell data table.
1) The file name format of the location-tracking classification-retrieval cell data table is:
OperationCode_ComponentTypeTag_<offline signaling data file name>.txt
The location-tracking classification-retrieval cell data table file names are:
ati_invoke_cvt_20150207194922.txt
ati_rr_cvt_20150207194922.txt
sri_invoke_cvt_20150207194922.txt
sri_rr_cvt_20150207194922.txt
sri_rrnl_cvt_20150207194922.txt
psi_invoke_cvt_20150207194922.txt
psi_rr_cvt_20150207194922.txt
psl_invoke_cvt_20150207194922.txt
psl_rr_cvt_20150207194922.txt
Here, the location information of sri messages is not only present in ReturnResult (Last) messages; there is also the case where the LocationInformation and Ext-GeographicalInformation fields are returned in a ReturnResult (NotLast) message as a supplement to the message whose OperationCode is sri, so sri_rrnl_cvt_20150207194922.txt must also be output.
2) The file name formats of the call-hijacking classification-retrieval cell data table are:
OperationCode_ComponentTypeTag_si_<offline signaling data file name>.txt
OperationCode_ComponentTypeTag_si_gsmSCF_<offline signaling data file name>.txt
OperationCode_ComponentTypeTag_gsmSCF_<offline signaling data file name>.txt
OperationCode_ComponentTypeTag_<offline signaling data file name>.txt
The call-hijacking classification-retrieval cell data table file names are:
isd_invoke_si_cvt_20150207194922.txt
isd_invoke_si_gsmSCF_cvt_20150207194922.txt
isd_invoke_gsmSCF_cvt_20150207194922.txt
isd_rr_cvt_20150207194922.txt
Because an isd invoke-direction message may take three forms:
only SubscriberIdentity is provided;
only gsmSCF-Address is provided;
both SubscriberIdentity and gsmSCF-Address are provided;
three classes of classification-retrieval cell data table files must be generated.
3) The file name format of the denial-of-service classification-retrieval cell data table is:
OperationCode_ComponentTypeTag_<offline signaling data file name>.txt
The denial-of-service classification-retrieval cell data table file names are:
cl_invoke_cvt_20150207194922.txt
cl_rr_cvt_20150207194922.txt
dsd_invoke_cvt_20150207194922.txt
dsd_rr_cvt_20150207194922.txt
Further, in this embodiment, de-duplication may be performed on the messages in the location-tracking, call-hijacking and denial-of-service classification-retrieval cell data tables. Specifically, files of the same message type and the same direction in these three tables are merged, and retransmitted copies of the same message are checked for duplicates: identical retransmitted message records are picked out and only one corresponding record is retained.
After this processing, the signaling data has been classified by message type and message direction, merged and de-duplicated, and serves as the input to the subsequent feature analysis. The processed file names are as follows:
ati_invoke.txt/ati_rr.txt
sri_invoke.txt/sri_rr.txt/sri_rrnl.txt
psi_invoke.txt/psi_rr.txt
psl_invoke.txt/psl_rr.txt
isd_invoke_si.txt/isd_invoke_si_gsmSCF.txt/isd_invoke_gsmSCF.txt/isd_rr.txt
cl_invoke.txt/cl_rr.txt
dsd_invoke.txt/dsd_rr.txt
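As an added illustration of step 101, step 1021 and the de-duplication just described (this is not code from the patent), the following Python parses the cvt_yyyymmddhhmiss.pcap capture name, groups decoded key-cell records into the classification-retrieval file names listed above (including the three-way isd split and the sri_rrnl case), and then merges and de-duplicates the per-capture files into the type/direction files. The record layout, the spelling of the ComponentTypeTag values and all sample values are assumptions.

```python
import re
from datetime import datetime

# Capture file name format from the patent: cvt_yyyymmddhhmiss.pcap
CAPTURE_NAME = re.compile(r"^cvt_(\d{14})\.pcap$")

# ComponentTypeTag (message direction) values mapped to the patent's file-name
# tags: invoke = inbound request, rr / rrnl = outbound ReturnResult (Last /
# NotLast). The spelling of the tag values is an assumption.
DIRECTION_TAG = {"invoke": "invoke", "returnResultLast": "rr", "returnResultNotLast": "rrnl"}
OPERATION_CODES = {"ati", "sri", "psi", "psl", "isd", "cl", "dsd"}

def parse_capture_time(capture_name):
    """Timestamp encoded in a cvt_yyyymmddhhmiss.pcap name, or None if malformed."""
    m = CAPTURE_NAME.match(capture_name)
    return datetime.strptime(m.group(1), "%Y%m%d%H%M%S") if m else None

def classification_filename(rec, capture_name):
    """Classification-retrieval file that one decoded component belongs to, or None.

    isd invokes are split three ways (si, si_gsmSCF, gsmSCF) by whether they carry
    SubscriberIdentity, gsmSCF-Address, or both, as in the call-hijacking table.
    """
    op = rec.get("OperationCode")
    tag = DIRECTION_TAG.get(rec.get("ComponentTypeTag"))
    if op not in OPERATION_CODES or tag is None or not CAPTURE_NAME.match(capture_name):
        return None
    parts = [op, tag]
    if op == "isd" and tag == "invoke":
        has_si, has_scf = "SubscriberIdentity" in rec, "gsmSCF-Address" in rec
        if has_si and has_scf:
            parts.append("si_gsmSCF")
        elif has_si:
            parts.append("si")
        elif has_scf:
            parts.append("gsmSCF")
        else:
            return None  # neither field present: nothing for the audit to use
    return "_".join(parts + [capture_name[:-len(".pcap")]]) + ".txt"

def classify(records, capture_name):
    """Group the decoded components of one capture by classification file name."""
    files = {}
    for rec in records:
        name = classification_filename(rec, capture_name)
        if name:
            files.setdefault(name, []).append(rec)
    return files

def merge_and_dedup(per_capture_files):
    """Merge same-type, same-direction files across captures (ati_invoke.txt, ...)
    and drop retransmissions: identical key-cell content keeps a single record."""
    merged = {}
    for files in per_capture_files:
        for name, recs in files.items():
            base = re.sub(r"_cvt_\d{14}\.txt$", ".txt", name)
            bucket = merged.setdefault(base, [])
            for rec in recs:
                if rec not in bucket:  # dict equality == identical key cells
                    bucket.append(rec)
    return merged

# Constructed sample: decoded key cells from two consecutive 2-minute captures.
# Field names follow the patent; every value is made up.
SAMPLE_CAPTURES = {
    "cvt_20150207194922.pcap": [
        {"OperationCode": "ati", "ComponentTypeTag": "invoke",
         "OriginatingTransactionID": "0x1a2b", "IMSI": "460001234567890"},
        {"OperationCode": "ati", "ComponentTypeTag": "invoke",  # retransmission
         "OriginatingTransactionID": "0x1a2b", "IMSI": "460001234567890"},
        {"OperationCode": "sri", "ComponentTypeTag": "returnResultNotLast",
         "DestinationTransactionID": "0x7777"},
        {"OperationCode": "isd", "ComponentTypeTag": "invoke",
         "OriginatingTransactionID": "0x3c4d", "SubscriberIdentity": "460001234567890"},
        {"OperationCode": "isd", "ComponentTypeTag": "invoke",
         "OriginatingTransactionID": "0x3c4d", "gsmSCF-Address": "4412700000001"},
        {"OperationCode": "isd", "ComponentTypeTag": "invoke",
         "OriginatingTransactionID": "0x5e6f", "SubscriberIdentity": "460009876543210",
         "gsmSCF-Address": "4412700000001"},
    ],
    "cvt_20150207195122.pcap": [
        {"OperationCode": "ati", "ComponentTypeTag": "invoke",
         "OriginatingTransactionID": "0x9999", "IMSI": "460005555555555"},
        {"OperationCode": "ati", "ComponentTypeTag": "returnResultLast",
         "DestinationTransactionID": "0x9999"},
    ],
}

def run_sample():
    """Classify each capture, then merge and de-duplicate across captures."""
    per_capture = [classify(recs, name) for name, recs in SAMPLE_CAPTURES.items()]
    return merge_and_dedup(per_capture)
```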
Referring to Fig. 4, which shows the flow of step 1022, the specific steps are as follows:
Step 10221: filter the request-direction file in the classification-retrieval cell data file according to the principle of inbound requests.
Specifically, the request-direction file in the classification-retrieval cell data file is filtered with the condition that the destination point code (DPC) is domestic, the originating point code (OPC) is foreign, and the international mobile subscriber identity (IMSI) or mobile directory number (MDN) is domestic.
Step 10222: perform an association check between the originating transaction ID (OriginatingTransactionID) of the request-direction file entries that meet the filter condition and the destination transaction ID (DestinationTransactionID) in the response-direction file.
Step 10223: if the originating transaction ID of a request message in the request-direction file is identical to the destination transaction ID of a response message in the response-direction file, and the location information field (LocationInformation or Ext-GeographicalInformation) carried by that response message shows a domestic location, merge the request message and the response message and output them to the confirmed-attack set corresponding to the classification-retrieval cell data file.
Step 10224: if there is no response message corresponding to the request message, output the request message to the suspected-attack set corresponding to the classification-retrieval cell data file.
How the security analysis result is obtained is described below for the three security threats: location tracking, call hijacking and denial of service.
1) Location-tracking feature analysis
In the location-tracking classification-retrieval cell data table, the request-direction invoke files are filtered with the condition that the DPC is domestic, the OPC is foreign, and the IMSI or MDN is domestic. The OriginatingTransactionID of each entry that meets the filter condition is association-checked against the DestinationTransactionID in the response-direction rr or rrnl file. If the OriginatingTransactionID in the request message is identical to the DestinationTransactionID in the response message, and the LocationInformation field carried in the response message shows a domestic location or the Ext-GeographicalInformation field carried in the response message shows a domestic location, the request message and the response message are merged and output to the confirmed location-tracking attack list; a request message that has no corresponding response message is output to the suspected location-tracking attack list.
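The filter and transaction-ID association of steps 10221 to 10224, as applied in the location-tracking analysis above, written out as an added Python example (not the patent's own code). It generalizes slightly: the same correlate() with need_location=False is the denial-of-service rule of section 3), where a matching response alone confirms the attack, and is run here on the same constructed ati records only to show the difference. The HomePolicy code sets, the dict layout of the location fields and all sample values are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class HomePolicy:
    """What counts as 'this country'. The patent names the conditions (DPC domestic,
    OPC foreign, IMSI or MDN domestic) but not the code sets; these are assumptions."""
    point_codes: frozenset   # signalling point codes of the home network
    mccs: frozenset          # mobile country codes treated as domestic
    mdn_prefix: str          # country code prefix of a domestic MDN

def is_home_subscriber(rec, policy):
    """IMSI starts with a domestic MCC, or MDN starts with the domestic country code."""
    imsi, mdn = rec.get("IMSI"), rec.get("MDN")
    return (imsi is not None and imsi[:3] in policy.mccs) or \
           (mdn is not None and mdn.startswith(policy.mdn_prefix))

def inbound_request_filter(rec, policy):
    """Step 10221: keep requests sent from a foreign point code to a domestic one
    about a domestic subscriber."""
    return (rec.get("DPC") in policy.point_codes
            and rec.get("OPC") not in policy.point_codes
            and is_home_subscriber(rec, policy))

def location_is_domestic(resp, policy):
    """Step 10223 location test on LocationInformation or Ext-GeographicalInformation.
    A location is modelled as a dict carrying the MCC it belongs to (assumption)."""
    for field in ("LocationInformation", "Ext-GeographicalInformation"):
        loc = resp.get(field)
        if loc and loc.get("mcc") in policy.mccs:
            return True
    return False

def correlate(requests, responses, policy, need_location=True):
    """Steps 10222-10224: join filtered requests to responses on transaction ID.

    Returns (confirmed, suspected). need_location=True is the location-tracking
    rule; need_location=False is the denial-of-service rule, where a matching
    response alone confirms the attack.
    """
    by_dtid = {}
    for resp in responses:
        by_dtid.setdefault(resp.get("DestinationTransactionID"), []).append(resp)
    confirmed, suspected = [], []
    for req in requests:
        if not inbound_request_filter(req, policy):
            continue
        matches = by_dtid.get(req.get("OriginatingTransactionID"), [])
        if not matches:
            suspected.append(req)        # request seen, no answer captured
            continue
        for resp in matches:
            if not need_location or location_is_domestic(resp, policy):
                confirmed.append({**req, "response": resp})
            # A matching response that reports a foreign location is left
            # unclassified: the patent specifies only the two cases above.
    return confirmed, suspected

# Constructed policy and ati request/response files; all values are made up.
POLICY = HomePolicy(point_codes=frozenset({"2-100-1", "2-100-2"}),
                    mccs=frozenset({"460"}), mdn_prefix="86")
ATI_INVOKE = [
    # foreign OPC asks the home HLR about a home subscriber: passes the filter
    {"OPC": "4-200-7", "DPC": "2-100-1", "IMSI": "460001234567890",
     "OriginatingTransactionID": "0x1a2b"},
    # same, but no response was captured
    {"OPC": "4-200-7", "DPC": "2-100-1", "IMSI": "460009876543210",
     "OriginatingTransactionID": "0x2c3d"},
    # domestic OPC: normal home-network traffic, dropped by the filter
    {"OPC": "2-100-2", "DPC": "2-100-1", "IMSI": "460001111111111",
     "OriginatingTransactionID": "0x4e5f"},
    # foreign OPC about a foreign subscriber (roamer), dropped by the filter
    {"OPC": "4-200-7", "DPC": "2-100-1", "IMSI": "310150000000001",
     "OriginatingTransactionID": "0x6071"},
    # foreign OPC about a home subscriber whose reply shows a foreign location
    {"OPC": "4-200-7", "DPC": "2-100-1", "MDN": "8613800000000",
     "OriginatingTransactionID": "0x8293"},
]
ATI_RR = [
    {"DestinationTransactionID": "0x1a2b",
     "LocationInformation": {"mcc": "460", "mnc": "00", "lac": "0x1234", "ci": "0x0abc"}},
    {"DestinationTransactionID": "0x4e5f",
     "LocationInformation": {"mcc": "460", "mnc": "00", "lac": "0x2222", "ci": "0x0def"}},
    {"DestinationTransactionID": "0x8293",
     "Ext-GeographicalInformation": {"mcc": "310", "lat": "40.7", "lon": "-74.0"}},
]

def analyse_location_tracking():
    """Location-tracking rule: response must also show a domestic location."""
    return correlate(ATI_INVOKE, ATI_RR, POLICY, need_location=True)

def analyse_denial_of_service():
    """Denial-of-service rule on the same records: any matching response confirms."""
    return correlate(ATI_INVOKE, ATI_RR, POLICY, need_location=False)
```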
2) Call-hijacking feature analysis
In the call-hijacking classification-retrieval cell data table, among the request-direction invoke files, the two data tables that provide only SubscriberIdentity and only gsmSCF-Address are first association-checked on the OriginatingTransactionID field; where the two tables contain records with the same OriginatingTransactionID, the two records are merged and appended to the data table file that provides both subscriberIdentity and gsmSCF-Address.
The request-direction invoke messages in the integrated data table file that provides both subscriberIdentity and gsmSCF-Address are then filtered with the condition that the DPC is domestic, the OPC is foreign, and the IMSI or MDN is domestic. The OriginatingTransactionID of each entry that meets the filter condition is association-checked against the DestinationTransactionID in the response-direction rr file. If the OriginatingTransactionID in the request message is identical to the DestinationTransactionID in the response message, the request message and the response message are merged and output to the confirmed call-hijacking attack list; a request message that has no corresponding response message is output to the suspected call-hijacking attack list.
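An added Python example (not from the patent) of the first step of the call-hijacking analysis above: joining the SubscriberIdentity-only and gsmSCF-Address-only isd invoke tables on OriginatingTransactionID and appending each merged pair to the table whose records already carry both fields. The record layout and all values are constructed.

```python
def merge_isd_invokes(si_only, scf_only, both):
    """Join the SubscriberIdentity-only and gsmSCF-Address-only isd invoke tables on
    OriginatingTransactionID and append each merged pair to the table whose records
    already carry both fields. The single-field tables are left untouched, since the
    patent only says the merged records are appended (assumption)."""
    scf_by_tid = {}
    for rec in scf_only:
        scf_by_tid.setdefault(rec["OriginatingTransactionID"], []).append(rec)
    combined = list(both)
    for rec in si_only:
        for partner in scf_by_tid.get(rec["OriginatingTransactionID"], []):
            merged = dict(partner)
            merged.update(rec)   # fields present in both records keep the si values
            combined.append(merged)
    return combined

# Constructed isd invoke records: dialog 0xa1 carries its two fields in two
# separate components, 0xa2 and 0xa3 have no partner, 0xb1 already has both.
ISD_SI = [
    {"OPC": "4-200-7", "DPC": "2-100-1", "OriginatingTransactionID": "0xa1",
     "SubscriberIdentity": "460001234567890"},
    {"OPC": "4-200-7", "DPC": "2-100-1", "OriginatingTransactionID": "0xa2",
     "SubscriberIdentity": "460009876543210"},
]
ISD_SCF = [
    {"OPC": "4-200-7", "DPC": "2-100-1", "OriginatingTransactionID": "0xa1",
     "gsmSCF-Address": "4412700000001"},
    {"OPC": "4-200-7", "DPC": "2-100-1", "OriginatingTransactionID": "0xa3",
     "gsmSCF-Address": "4412700000002"},
]
ISD_BOTH = [
    {"OPC": "4-200-9", "DPC": "2-100-1", "OriginatingTransactionID": "0xb1",
     "SubscriberIdentity": "460005555555555", "gsmSCF-Address": "4412700000003"},
]

def merged_isd_sample():
    """The integrated si_gsmSCF table for the constructed records."""
    return merge_isd_invokes(ISD_SI, ISD_SCF, ISD_BOTH)
```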
3) Denial-of-service feature analysis
In the denial-of-service classification-retrieval cell data table, the request-direction invoke files are filtered with the condition that the DPC is domestic, the OPC is foreign, and the IMSI or MDN is domestic. The OriginatingTransactionID of each entry that meets the filter condition is association-checked against the DestinationTransactionID in the response-direction rr file. If the OriginatingTransactionID in the request message is identical to the DestinationTransactionID in the response message, the request message and the response message are merged and output to the confirmed denial-of-service attack list; a request message that has no corresponding response message is output to the suspected denial-of-service attack list.
In this embodiment, signaling data is first obtained, and the key cell field information of the signaling data is extracted from each protocol layer corresponding to the signaling data; security attack analysis is then performed on the signaling data according to the key cell field information to obtain a security attack analysis result. This solves the problem in the prior art that, for attacks without protective means, there is no corresponding way to determine whether an attack occurred or whether it succeeded. Existing schemes focus on interception and protection and lack a means of confirming the outcome afterwards, whereas this embodiment obtains a security attack analysis result for the signaling data and thereby provides such a means of after-the-fact confirmation. Further, this embodiment works on data captured from the live network, which can be taken from the existing international gateway signaling monitoring data without adding signaling acquisition cost; the embodiment can be delivered as an audit report output, with no immediate impact on the live network; and the live network can subsequently act on the security attack analysis result as appropriate.
Embodiment 2
Referring to Fig. 5, which shows an apparatus for analyzing security attacks, the apparatus includes:
an acquisition module 501, configured to obtain signaling data and extract the key cell field information of the signaling data from each protocol layer corresponding to the signaling data;
In this embodiment, optionally, the acquisition module 501 obtains offline signaling data from an international gateway, the offline signaling data being data packets generated at predetermined time intervals. The offline signaling data for both directions is obtained from the signaling-related systems already built at the live-network international gateway, so the live network needs no modification and is not affected.
an analysis module 502, configured to perform security attack analysis on the signaling data according to the key cell field information to obtain a security attack analysis result.
The analysis result may include: a confirmed location-tracking attack list, a suspected location-tracking attack list, a confirmed call-hijacking attack list, a suspected call-hijacking attack list, a confirmed denial-of-service attack list and a suspected denial-of-service attack list.
In this embodiment, optionally, the acquisition module 501 includes an acquiring unit 5011 and an extraction unit 5012, as shown in Fig. 6, where:
the acquiring unit 5011 is configured to obtain offline signaling data from an international gateway, the offline signaling data being data packets generated at predetermined time intervals;
the extraction unit 5012 is configured to extract the key cell field information of the offline signaling data from each protocol layer corresponding to the offline signaling data.
In this embodiment, optionally, the analysis module 502 includes:
a classification unit 5021, configured to classify the signaling data according to the operation code type field and the message direction field in the key cell field information, and to generate the classification-retrieval cell data files of the signaling data, where the classification-retrieval cell data file of each type includes a request-direction file of that type and a response-direction file of that type;
an analysis unit 5022, configured to perform security attack analysis on the signaling data according to the request-direction file and the response-direction file to obtain a confirmed-attack set and a suspected-attack set.
In this embodiment, optionally, the analysis unit 5022 includes:
a filtering subunit 50221, configured to filter the request-direction file in the classification-retrieval cell data file according to the principle of inbound requests;
a checking subunit 50222, configured to perform an association check between the originating transaction ID of the request-direction file entries that meet the filter condition and the destination transaction ID in the response-direction file;
if the originating transaction ID of a request message in the request-direction file is identical to the destination transaction ID of a response message in the response-direction file, and the location information field carried by that response message in the response-direction file shows a domestic location, the request message and the response message are merged and output to the confirmed-attack set corresponding to the classification-retrieval cell data file;
if there is no response message corresponding to the request message, the request message is output to the suspected-attack set corresponding to the classification-retrieval cell data file.
In this embodiment, optionally, the filtering subunit 50221 is further configured to:
filter the request-direction file in the classification-retrieval cell data file with the filter condition that the destination point code (DPC) is domestic, the originating point code (OPC) is foreign, and the international mobile subscriber identity (IMSI) or mobile directory number (MDN) is domestic.
In this embodiment, signaling data is first obtained, and the key cell field information of the signaling data is extracted from each protocol layer corresponding to the signaling data; security attack analysis is then performed on the signaling data according to the key cell field information to obtain a security attack analysis result. This solves the problem in the prior art that, for attacks without protective means, there is no corresponding way to determine whether an attack occurred or whether it succeeded. Existing schemes focus on interception and protection and lack a means of confirming the outcome afterwards, whereas this embodiment obtains a security attack analysis result for the signaling data and thereby provides such a means of after-the-fact confirmation. Further, this embodiment works on data captured from the live network, which can be taken from the existing international gateway signaling monitoring data without adding signaling acquisition cost; the embodiment can be delivered as an audit report output, with no immediate impact on the live network; and the live network can subsequently act on the security attack analysis result as appropriate.
It should be understood that "one embodiment" or "an embodiment" mentioned throughout the specification means that a particular feature, structure or characteristic related to the embodiment is included in at least one embodiment of the present invention. Therefore, "in one embodiment" or "in an embodiment" appearing throughout the specification does not necessarily refer to the same embodiment. Moreover, these particular features, structures or characteristics may be combined in any suitable manner in one or more embodiments.
In the various embodiments of the present invention, it should be understood that the magnitude of the sequence numbers of the above processes does not imply an order of execution; the execution order of each process should be determined by its function and internal logic, and should not constitute any limitation on the implementation of the embodiments of the present invention.
In addition, the terms "system" and "network" are often used interchangeably herein.
It should be understood that the term "and/or" herein merely describes an association relationship between associated objects and indicates that three relationships may exist; for example, A and/or B may represent three cases: A alone, both A and B, and B alone. In addition, the character "/" herein generally indicates an "or" relationship between the associated objects.
In the embodiments provided herein, it should be understood that "B corresponding to A" means that B is associated with A, and B may be determined according to A. It should also be understood that determining B according to A does not mean that B is determined only according to A; B may also be determined according to A and/or other information.
In the several embodiments provided herein, it should be understood that the disclosed method and apparatus may be implemented in other ways. For example, the apparatus embodiments described above are merely illustrative; the division of units is only a division of logical functions, and there may be other ways of division in actual implementation, for instance multiple units or components may be combined or integrated into another system, or some features may be omitted or not performed. Further, the mutual coupling, direct coupling or communication connection shown or discussed may be through some interfaces, and the indirect coupling or communication connection between devices or units may be electrical, mechanical or in other forms.
In addition, the functional units in the embodiments of the present invention may be integrated in one processing unit, or each unit may exist physically on its own, or two or more units may be integrated in one unit. The above integrated unit may be implemented in the form of hardware, or in the form of hardware plus software functional units.
The above integrated unit implemented in the form of a software functional unit may be stored in a computer-readable storage medium. The software functional unit is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, a network device or the like) to perform some of the steps of the receiving/transmitting method described in the embodiments of the present invention. The foregoing storage medium includes various media capable of storing program code, such as a USB flash disk, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk or an optical disc.
The above are preferred embodiments of the present invention. It should be pointed out that those of ordinary skill in the art may make several improvements and modifications without departing from the principles of the present invention, and such improvements and modifications also fall within the scope of protection of the present invention.
Claims (10)
- 1. A method for analyzing a security attack, characterized by comprising: obtaining signaling data, and extracting key information element field information of the signaling data from each protocol layer corresponding to the signaling data; and performing security attack analysis on the signaling data according to the key information element field information to obtain a security attack analysis result.
- 2. The method according to claim 1, characterized in that obtaining the signaling data comprises: obtaining offline signaling data from an international gateway, the offline signaling data being data packets generated at a predetermined time interval.
- 3. The method according to claim 1, characterized in that performing security attack analysis on the signaling data according to the key information element field information to obtain a security attack analysis result comprises: classifying the signaling data according to the operation code type field and the message direction field in the key information element field information, and generating classification retrieval information element data files of the signaling data, wherein the classification retrieval information element data file of each type comprises a request direction file of that type and a response direction file of that type; and performing security attack analysis on the signaling data according to the request direction file and the response direction file to obtain a confirmed attack set and a suspected attack set.
- 4. The method according to claim 3, characterized in that performing security attack analysis according to the request direction file and the response direction file to obtain a confirmed attack set and a suspected attack set comprises: filtering the request direction file in the classification retrieval information element data file according to the principle of inbound requests; performing an association check between the source transaction ID in the request direction file meeting the filter condition and the destination transaction ID in the response direction file; if the source transaction ID in a request message in the request direction file is identical to the destination transaction ID in a response message in the response direction file, and the location information field carried in that response message shows domestic location information, merging the request message and the response message and outputting them into the confirmed attack set corresponding to the classification retrieval information element data file; and if there is no response message corresponding to the request message, outputting the request message into the suspected attack set corresponding to the classification retrieval information element data file.
- 5. The method according to claim 3, characterized in that filtering the request direction file in the classification retrieval information element data file according to the principle of inbound requests comprises: filtering the request direction file in the classification retrieval information element data file with the filter condition that the destination point code (DPC) is domestic, the originating point code (OPC) is non-domestic, and the international mobile subscriber identity (IMSI) or mobile directory number (MDN) is domestic.
- 6. An apparatus for analyzing a security attack, characterized by comprising: an acquisition module for obtaining signaling data and extracting key information element field information of the signaling data from each protocol layer corresponding to the signaling data; and an analysis module for performing security attack analysis on the signaling data according to the key information element field information to obtain a security attack analysis result.
- 7. The apparatus according to claim 6, characterized in that the acquisition module comprises: an acquiring unit for obtaining offline signaling data from an international gateway, the offline signaling data being data packets generated at a predetermined time interval; and an extraction unit for extracting the key information element field information of the offline signaling data from each protocol layer corresponding to the offline signaling data.
- 8. The apparatus according to claim 6, characterized in that the analysis module comprises: a classification unit for classifying the signaling data according to the operation code type field and the message direction field in the key information element field information and generating classification retrieval information element data files of the signaling data, wherein the classification retrieval information element data file of each type comprises a request direction file of that type and a response direction file of that type; and an analysis unit for performing security attack analysis on the signaling data according to the request direction file and the response direction file to obtain a confirmed attack set and a suspected attack set.
- 9. The apparatus according to claim 8, characterized in that the analysis unit comprises: a filtering subunit for filtering the request direction file in the classification retrieval information element data file according to the principle of inbound requests; and a checking subunit for performing an association check between the source transaction ID in the request direction file meeting the filter condition and the destination transaction ID in the response direction file, wherein if the source transaction ID in a request message in the request direction file is identical to the destination transaction ID in a response message in the response direction file, and the location information field carried in that response message shows domestic location information, the request message and the response message are merged and output into the confirmed attack set corresponding to the classification retrieval information element data file; and if there is no response message corresponding to the request message, the request message is output into the suspected attack set corresponding to the classification retrieval information element data file.
- 10. The apparatus according to claim 9, characterized in that the filtering subunit is further configured to filter the request direction file in the classification retrieval information element data file with the filter condition that the destination point code (DPC) is domestic, the originating point code (OPC) is non-domestic, and the international mobile subscriber identity (IMSI) or mobile directory number (MDN) is domestic.
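As an added example that is not part of the patent, the following Python carries out the classification of claim 3, the inbound filter of claim 5 and the transaction-ID correlation of claim 4 over constructed signaling records; the domestic point codes, the IMSI/MDN prefixes, the location encoding and the field names are assumptions made for the example.

```python
# Added example (not the patent's own code): classification, inbound filtering and
# transaction-ID correlation of claims 3 to 5 over constructed signaling records.
from collections import defaultdict
# Assumed domestic point codes and home-country IMSI/MDN prefixes (placeholders).
DOMESTIC_POINT_CODES = {"2-100-1", "2-100-2"}
DOMESTIC_IMSI_PREFIX = "460"  # placeholder mobile country code
DOMESTIC_MDN_PREFIX = "86"    # placeholder country calling code

# Constructed records with the key IE fields the claims name: operation code, message
# direction, OPC, DPC, IMSI/MDN, source (otid) / destination (dtid) transaction IDs, location.
RECORDS = [
    {"opcode": "sendRoutingInfoForSM", "dir": "request", "opc": "7-250-9", "dpc": "2-100-1",
     "imsi": "460001234567890", "mdn": "", "otid": "a1", "dtid": ""},
    {"opcode": "sendRoutingInfoForSM", "dir": "response", "opc": "2-100-1", "dpc": "7-250-9",
     "imsi": "", "mdn": "", "otid": "", "dtid": "a1", "location": "460-00-1001"},
    {"opcode": "provideSubscriberInfo", "dir": "request", "opc": "7-250-9", "dpc": "2-100-2",
     "imsi": "", "mdn": "8613900000000", "otid": "b2", "dtid": ""},
    {"opcode": "sendRoutingInfoForSM", "dir": "request", "opc": "2-100-2", "dpc": "2-100-1",
     "imsi": "460009876543210", "mdn": "", "otid": "c3", "dtid": ""},  # domestic origin
]
def is_domestic_subscriber(rec):
    return (rec["imsi"].startswith(DOMESTIC_IMSI_PREFIX)
            or rec["mdn"].startswith(DOMESTIC_MDN_PREFIX))

def inbound_filter(req):
    """Claim 5: OPC non-domestic, DPC domestic, IMSI or MDN domestic."""
    return (req["opc"] not in DOMESTIC_POINT_CODES and req["dpc"] in DOMESTIC_POINT_CODES
            and is_domestic_subscriber(req))

def is_domestic_location(resp):
    # Assumed location encoding MCC-MNC-LAC; domestic when the MCC is the home one.
    return resp.get("location", "").startswith(DOMESTIC_IMSI_PREFIX)

def analyze(records):
    """Claims 3 and 4: classify by (operation code, direction), then correlate filtered
    requests with responses through the source/destination transaction IDs."""
    files = defaultdict(lambda: {"request": [], "response": []})
    for rec in records:
        files[rec["opcode"]][rec["dir"]].append(rec)
    confirmed, suspected = defaultdict(list), defaultdict(list)
    for opcode, f in files.items():
        responses = {r["dtid"]: r for r in f["response"]}
        for req in filter(inbound_filter, f["request"]):
            resp = responses.get(req["otid"])
            if resp is not None and is_domestic_location(resp):
                confirmed[opcode].append((req, resp))  # answered with domestic location
            elif resp is None:
                suspected[opcode].append(req)          # request never answered
    return dict(confirmed), dict(suspected)
```

A request that was answered but whose response carries no domestic location falls into neither set, matching the two output rules the claims state.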
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201611063393.6A CN108123789B (en) | 2016-11-28 | 2016-11-28 | Method and device for analyzing security attack |
Publications (2)
Publication Number | Publication Date |
---|---|
CN108123789A true CN108123789A (en) | 2018-06-05 |
CN108123789B CN108123789B (en) | 2021-01-15 |
Family
ID=62223677
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201611063393.6A Active CN108123789B (en) | 2016-11-28 | 2016-11-28 | Method and device for analyzing security attack |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN108123789B (en) |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN111901818A (en) * | 2020-06-15 | 2020-11-06 | 国家计算机网络与信息安全管理中心 | Method for judging abnormal behavior of core network element based on MAP signaling |
CN113556741A (en) * | 2020-04-21 | 2021-10-26 | 中国移动通信有限公司研究院 | Security interception method and device |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101321173A (en) * | 2008-07-21 | 2008-12-10 | 华为技术有限公司 | Method, system and device for preventing network attack |
CN101945109A (en) * | 2010-09-16 | 2011-01-12 | 电子科技大学 | Method for carrying out path recording and source tracing on signaling No.7 network transmitting process |
CN102572753A (en) * | 2012-02-07 | 2012-07-11 | 北京中创信测科技股份有限公司 | Method and system for analyzing signaling of mobile application part |
CN103078755A (en) * | 2012-12-31 | 2013-05-01 | 中国人民解放军总参谋部第五十四研究所 | No.7 signaling acquisition and injection system |
US20160127908A1 (en) * | 2014-11-05 | 2016-05-05 | Vodafone Ip Licensing Limited | Monitoring of signalling traffic |
Non-Patent Citations (2)
Title |
---|
何韦伟; 季新生; 刘彩霞: "Research on security mechanisms based on the MTP3 layer in the No.7 signaling network", 《微电子学与计算机》 * |
梁好; 孙健; 许都: "Analysis of subscriber-line DoS attacks generated by legitimate signaling in telecommunication networks", 《信息工程大学学报》 * |
Also Published As
Publication number | Publication date |
---|---|
CN108123789B (en) | 2021-01-15 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||