CN109040127B - Detection device and method for Diameter flooding attack - Google Patents
Detection device and method for Diameter flooding attack
- Publication number
- CN109040127B (application CN201811086841.3A)
- Authority
- CN
- China
- Prior art keywords
- state machine
- signaling
- parameters
- matching
- parameter
- Legal status
- Active
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1416—Event detection, e.g. attack signature detection
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L41/00—Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
- H04L41/06—Management of faults, events, alarms or notifications
- H04L41/0631—Management of faults, events, alarms or notifications using root cause analysis; using analysis of correlation between notifications, alarms or events based on decision criteria, e.g. hierarchy, tree or time analysis
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L43/00—Arrangements for monitoring or testing data switching networks
- H04L43/16—Threshold monitoring
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L65/00—Network arrangements, protocols or services for supporting real-time applications in data packet communication
- H04L65/10—Architectures or entities
- H04L65/1016—IP multimedia subsystem [IMS]
Abstract
The invention belongs to the technical field of communication security and relates to a device and a method for detecting Diameter flooding attacks. The device comprises: a parameter extraction module, which extracts signaling message parameters from the signaling, matches a state machine according to those parameters, and sets up and initializes a counter for each signaling message parameter, the signaling message parameters comprising a session identification parameter, a source host parameter and a user name parameter; a signaling flow analysis module, which performs early warning analysis on the signaling message parameters using the counter values, according to the state machine matching condition; and a detection alarm module, which raises a flooding attack alarm according to the early warning analysis result. The invention is suitable for the IMS network of a mobile communication network. It realizes security detection and early warning of Diameter flooding attacks by automatically identifying and detecting Diameter protocol flooding attacks from the IMS signaling flow, detects and warns of Diameter flooding attack flows within the signaling flow, improves the security of the IMS network, and provides important guidance for the security of the communication network.
Description
Technical Field
The invention belongs to the technical field of communication security and relates to a device and a method for detecting Diameter flooding attacks. It is applicable to the IMS (IP Multimedia Subsystem) network of a mobile communication network and realizes security detection and early warning of Diameter flooding attacks.
Background
IMS (IP Multimedia Subsystem) is a network architecture that provides voice and multimedia services over IP networks. IMS can converge fixed-user, mobile-user and internet services, and converge multimedia services such as voice, data and video; it is a core technology of the next-generation network.
In the IMS network architecture, the HSS (Home Subscriber Server) is the central user data store of the network and is responsible for tasks such as authentication and authorization of all users. The Diameter protocol is the main protocol for interaction between the HSS and the CSCF (Call Session Control Function). Because the IMS core network runs over an all-IP bearer, it inherits the vulnerabilities of IP networks and is therefore more exposed to various forms of network attack, in particular flooding attacks using the Diameter protocol. A Diameter flooding attack sends a large volume of Diameter signaling to key network element entities such as the HSS and CSCF in order to consume their service and network resources, so that the service capability of the affected network elements is reduced and, in the worst case, service is denied. A method for detecting Diameter protocol flooding attacks in the IMS network therefore plays an important role in protecting the core network element entities of the IMS network and is an important technical means of ensuring the overall service quality and reliability of the IMS network.
Disclosure of Invention
The invention provides a device and a method for detecting Diameter flooding attacks. The device is deployed in front of a CSCF entity or an HSS entity, extracts key parameters of Diameter messages to establish a state machine, analyzes and counts all Diameter signaling flowing through it, and raises a detection alarm for Diameter message flows that exceed a threshold. It is easy to combine and implement and improves the security of the communication network.
According to the design scheme provided by the invention, the detection device for Diameter flooding attacks is deployed in front of a network element entity of the network architecture, detects flooding attacks in the signaling flow in real time and issues early warnings; the detection device comprises a parameter extraction module, a signaling flow analysis module and a detection alarm module, wherein
the parameter extraction module is used for extracting signaling message parameters in the signaling, matching the state machine according to the parameters, setting and initializing each signaling message parameter counter, wherein the signaling message parameters comprise session identification parameters, source host parameters and user name parameters;
the signaling flow analysis module is used for carrying out early warning analysis on signaling message parameters in the signaling by utilizing the counting value of the counter according to the matching condition of the state machine;
and the detection alarm module is used for carrying out flooding attack alarm according to the early warning analysis result of the signaling message parameters.
The parameter extraction module further includes a state machine query submodule, which queries the state machine matching condition in advance according to the extracted signaling message parameter, creates a state machine for coordination control according to the query result, and stores the signaling message parameter.
In the above, the signaling flow analysis module includes a session identifier analysis sub-module, a source host analysis sub-module, and a user name analysis sub-module, wherein,
the session identification analysis submodule is used for matching the session identification parameters flowing through the signaling with the parameter data stored in the state machine, if the matching is consistent, the parameter counter counts, the value of the parameter counter is compared with a preset session identification flooding threshold value, and an early warning analysis result is obtained according to the comparison condition;
the source host analysis submodule is used for matching the source host parameters flowing through the signaling with the parameter data stored in the state machine, if the matching is consistent, the parameter counter counts, the value of the parameter counter is compared with a preset source host flooding threshold value, and an early warning analysis result is obtained according to the comparison condition;
and the user name analysis sub-module is used for matching the user name parameters flowing through the signaling with the parameter data stored in the state machine, counting by the parameter counter if the matching is consistent, comparing the value of the parameter counter with a preset user name flooding threshold value, and acquiring an early warning analysis result according to the comparison condition.
Preferably, the signaling flow analysis module further includes a state machine timeout processing submodule, where the state machine timeout processing submodule is configured to determine a timeout state of the state machine according to the state machine creation time, the current time point, and a preset time period, and perform timeout processing operation on the state machine according to a determination result.
Furthermore, the state machine timeout processing submodule comprises a state machine deleting unit and a count zero clearing unit, wherein,
the state machine deleting unit is used for comparing the time period between the current time point and the state machine establishing time with the preset destroying time period and deleting the state machine according to the comparison result;
and the counting zero clearing unit is used for comparing the time period between the current time point and the state machine creation time with a preset zero clearing time period and carrying out zero clearing treatment on each signaling message parameter counter in the state machine according to the comparison result.
A method for detecting Diameter flooding attacks comprises the following steps:
A) extracting signaling message parameters flowing through signaling, matching a state machine according to the parameters, setting and initializing each signaling message parameter counter, wherein the signaling message parameters comprise a session identification parameter, a source host parameter and a user name parameter;
B) according to the matching condition of the state machine, utilizing the counting value of the counter to carry out early warning analysis on the signaling message parameters;
C) and carrying out flooding attack alarm according to the early warning analysis result of the signaling message parameter.
In step A) of the method, the state machine matching condition is queried according to the extracted signaling message parameters; a state machine for coordination control is created according to the query result, and the signaling message parameters are stored in it.
In step B) of the method, the early warning analysis of the signaling message parameters specifically includes the following steps:
B1) matching the session identification parameter of the signaling flowing through with the parameter data stored in the state machine; if they match, the parameter counter counts, the value of the parameter counter is compared with a preset session identification flooding threshold, and an early warning analysis result is obtained according to the comparison; if they do not match, proceeding to step B2);
B2) matching the source host parameter of the signaling flowing through with the parameter data stored in the state machine; if they match, the parameter counter counts, the value of the parameter counter is compared with a preset source host flooding threshold, and an early warning analysis result is obtained according to the comparison; if they do not match, proceeding to step B3);
B3) matching the user name parameter of the signaling flowing through with the parameter data stored in the state machine; if they match, the parameter counter counts, the value of the parameter counter is compared with a preset user name flooding threshold, and an early warning analysis result is obtained according to the comparison; if they do not match, reading the next signaling flowing through.
In step B) of the method, the early warning analysis result is either that the threshold is exceeded or that the threshold is not exceeded.
In step C) of the method, a flooding attack alarm is raised for an early warning analysis result that exceeds the threshold; if the early warning analysis result does not exceed the threshold, no alarm is raised and the next signaling flowing through is extracted.
The invention has the beneficial effects that:
in the invention, a detection device is deployed in front of a CSCF entity or an HSS entity, key parameters of Diameter messages are extracted to establish a state machine, all Diameter signaling flowing through is analyzed and counted, and a detection alarm is raised for Diameter message flows exceeding a threshold. The method can be applied to the IMS network of a mobile communication network to realize security detection and early warning of Diameter flooding attacks: it automatically identifies and detects Diameter protocol flooding attacks from the IMS signaling flow, detects and warns of Diameter flooding attack flows within the signaling flow, improves the security of the IMS network, and provides important guidance for the security of the communication network.
Description of the drawings:
FIG. 1 is a schematic view of an exemplary embodiment of a detection apparatus;
FIG. 2 is a diagram of a signaling flow analysis module in an embodiment;
FIG. 3 is a diagram illustrating an embodiment of a timeout processing sub-module of the state machine;
FIG. 4 is a first flowchart of a detection method according to an embodiment;
FIG. 5 is a schematic diagram of the entities involved in Diameter protocol signaling in an embodiment;
FIG. 6 is a flow chart of the detection method in the embodiment II;
FIG. 7 is a diagram of an embodiment of a state machine;
FIG. 8 is a diagram of the Diameter message parameters in an embodiment.
Detailed description of the embodiments:
In order to make the objects, technical solutions and advantages of the present invention clearer, the present invention is described in further detail below with reference to the accompanying drawings and technical solutions.
A Diameter message consists of two parts: a header and a message body. The header is at the front of the message and includes the protocol version, message length, command code, application ID, hop-by-hop identifier and end-to-end identifier, as detailed in FIG. 8; the message body consists of a number of AVPs (attribute-value pairs), each of which consists of AVP Code, AVP Flags, AVP Length, Vendor-ID and Data, as also shown in FIG. 8. Because the IMS core network runs over an all-IP bearer, it inherits the vulnerabilities of IP networks and is therefore more exposed to various forms of network attack, in particular flooding attacks using the Diameter protocol. A Diameter flooding attack sends a large volume of Diameter signaling to key network element entities such as the HSS and CSCF in order to consume their service and network resources, so that the service capability of the affected network elements is reduced and, in the worst case, service is denied. To address this, an embodiment of the present invention, referring to FIG. 1, provides a device for detecting Diameter flooding attacks, comprising a parameter extraction module, a signaling flow analysis module and a detection alarm module, wherein
the parameter extraction module is used for extracting signaling message parameters in the signaling, matching the state machine according to the parameters, setting and initializing each signaling message parameter counter, wherein the signaling message parameters comprise session identification parameters, source host parameters and user name parameters;
the signaling flow analysis module is used for carrying out early warning analysis on signaling message parameters in the signaling by utilizing the counting value of the counter according to the matching condition of the state machine;
and the detection alarm module is used for carrying out flooding attack alarm according to the early warning analysis result of the signaling message parameters.
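As an added example (not the patent's code), the following Python decodes the header and AVP layout described above and extracts the three parameters the device keys on. The sample message is constructed for the example; the AVP codes (Session-Id 263, Origin-Host 264, User-Name 1) and the Cx command code and application id are taken from RFC 6733 and 3GPP Cx, which the patent does not cite. Every length field is bounds-checked so that a malformed message in a flood cannot drive the parser past the buffer.

```python
"""Diameter header/AVP parser for the three flood-detection parameters.

Added example, not the patent's code.  Layout per RFC 6733: a 20-byte header
(version, length, command flags, command code, application id, hop-by-hop id,
end-to-end id) followed by AVPs (code, flags, length, optional Vendor-ID, data).
"""
import struct

# AVP codes from RFC 6733 (the patent names the AVPs but not their codes).
AVP_USER_NAME = 1
AVP_SESSION_ID = 263
AVP_ORIGIN_HOST = 264
KEY_AVPS = {AVP_SESSION_ID: "Session-Id",
            AVP_ORIGIN_HOST: "Origin-Host",
            AVP_USER_NAME: "User-Name"}
AVP_FLAG_VENDOR = 0x80
HEADER_LEN = 20


def _u24(b: bytes) -> int:
    return int.from_bytes(b, "big")


def parse_header(buf: bytes) -> dict:
    """Decode the fixed header; reject lengths that do not fit the buffer."""
    if len(buf) < HEADER_LEN:
        raise ValueError("short Diameter header")
    version, length, flags, code = buf[0], _u24(buf[1:4]), buf[4], _u24(buf[5:8])
    app_id, hbh, e2e = struct.unpack("!III", buf[8:HEADER_LEN])
    if version != 1:
        raise ValueError("unsupported Diameter version %d" % version)
    if length < HEADER_LEN or length > len(buf):
        raise ValueError("message length %d does not fit buffer" % length)
    return {"version": version, "length": length, "flags": flags,
            "command_code": code, "application_id": app_id,
            "hop_by_hop": hbh, "end_to_end": e2e}


def parse_avps(buf: bytes, start: int, end: int) -> list:
    """Walk the AVPs in buf[start:end]; every length is checked before use."""
    avps, off = [], start
    while off < end:
        if end - off < 8:
            raise ValueError("truncated AVP header at offset %d" % off)
        code = struct.unpack("!I", buf[off:off + 4])[0]
        flags, length = buf[off + 4], _u24(buf[off + 5:off + 8])
        hdr_len = 12 if flags & AVP_FLAG_VENDOR else 8
        if length < hdr_len or off + length > end:
            raise ValueError("bad AVP length %d at offset %d" % (length, off))
        vendor = (struct.unpack("!I", buf[off + 8:off + 12])[0]
                  if flags & AVP_FLAG_VENDOR else None)
        avps.append((code, flags, vendor, buf[off + hdr_len:off + length]))
        off += (length + 3) & ~3          # AVPs are padded to 4-byte boundaries
    return avps


def extract_key_parameters(buf: bytes):
    """Parameter extraction: header plus Session-Id / Origin-Host / User-Name."""
    hdr = parse_header(buf)
    params = {}
    for code, _flags, _vendor, data in parse_avps(buf, HEADER_LEN, hdr["length"]):
        name = KEY_AVPS.get(code)
        if name and name not in params:          # first occurrence wins
            params[name] = data.decode("utf-8", errors="replace")
    return hdr, params


# --- constructed sample message (not captured traffic) -----------------------
def build_avp(code: int, data: bytes, flags: int = 0x40, vendor=None) -> bytes:
    if vendor is not None:
        flags |= AVP_FLAG_VENDOR
    length = (12 if vendor is not None else 8) + len(data)
    out = struct.pack("!I", code) + bytes([flags]) + length.to_bytes(3, "big")
    if vendor is not None:
        out += struct.pack("!I", vendor)
    return out + data + b"\x00" * ((-len(data)) % 4)


def build_message(command_code: int, app_id: int, avps: list,
                  flags: int = 0x80, hbh: int = 0x1001, e2e: int = 0x2002) -> bytes:
    body = b"".join(avps)
    hdr = (bytes([1]) + (HEADER_LEN + len(body)).to_bytes(3, "big") + bytes([flags])
           + command_code.to_bytes(3, "big") + struct.pack("!III", app_id, hbh, e2e))
    return hdr + body


# Cx User-Authorization-Request (command code 300, 3GPP Cx application id
# 16777216) carrying the three AVPs the detector keys on; example values.
SAMPLE_UAR = build_message(300, 16777216, [
    build_avp(AVP_SESSION_ID, b"pcscf.example.com;1;2"),
    build_avp(AVP_ORIGIN_HOST, b"pcscf.example.com"),
    build_avp(AVP_USER_NAME, b"user@example.com"),
])

if __name__ == "__main__":
    print(extract_key_parameters(SAMPLE_UAR))
```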
The detection device is deployed in front of a network element entity of the network architecture, detects flooding attacks in the signaling flow in real time and issues early warnings. Referring to FIG. 5, the detection device in this embodiment may be deployed in front of a CSCF entity or an HSS entity, and performs real-time detection and early warning on the Diameter signaling flow passing through the IMS network.
To avoid unsuccessful matches when matching a state machine according to the signaling message parameters, in another embodiment of the present invention the parameter extraction module further includes a state machine query submodule, which first queries the state machine matching condition according to the extracted signaling message parameters, creates a state machine for coordination control according to the query result, and stores the signaling message parameters.
For the signaling early warning analysis according to the counters and the state machine matching condition, a further embodiment of the present invention provides analysis modules for the session identification, source host and user name parameters among the signaling message parameters. Specifically, as shown in FIG. 2, the signaling flow analysis module includes a session identification analysis sub-module, a source host analysis sub-module and a user name analysis sub-module, wherein
the session identification analysis submodule is used for matching the session identification parameters flowing through the signaling with the parameter data stored in the state machine, if the matching is consistent, the parameter counter counts, the value of the parameter counter is compared with a preset session identification flooding threshold value, and an early warning analysis result is obtained according to the comparison condition;
the source host analysis submodule is used for matching the source host parameters flowing through the signaling with the parameter data stored in the state machine, if the matching is consistent, the parameter counter counts, the value of the parameter counter is compared with a preset source host flooding threshold value, and an early warning analysis result is obtained according to the comparison condition;
and the user name analysis sub-module is used for matching the user name parameters flowing through the signaling with the parameter data stored in the state machine, counting by the parameter counter if the matching is consistent, comparing the value of the parameter counter with a preset user name flooding threshold value, and acquiring an early warning analysis result according to the comparison condition.
In the process of performing early warning analysis on the signaling flow, in another embodiment of the present invention, the signaling flow analysis module further includes a state machine timeout processing submodule, where the state machine timeout processing submodule is configured to determine a state machine timeout state according to the state machine creation time, the current time point, and a preset time period, and perform timeout processing operation on the state machine according to a determination result.
In performing the timeout processing operation on the state machine, further, as shown in fig. 3, the state machine timeout processing submodule includes a state machine deleting unit and a count clearing unit, wherein,
the state machine deleting unit is used for comparing the time period between the current time point and the state machine establishing time with the preset destroying time period and deleting the state machine according to the comparison result;
and the counting zero clearing unit is used for comparing the time period between the current time point and the state machine creation time with a preset zero clearing time period and carrying out zero clearing treatment on each signaling message parameter counter in the state machine according to the comparison result.
Based on the above detection apparatus, an embodiment of the present invention further provides a method for detecting Diameter flooding attacks, shown in FIG. 4, which includes the following steps:
extracting signaling message parameters flowing through signaling, matching a state machine according to the parameters, setting and initializing each signaling message parameter counter, wherein the signaling message parameters comprise a session identification parameter, a source host parameter and a user name parameter;
according to the matching condition of the state machine, utilizing the counting value of the counter to carry out early warning analysis on the signaling message parameters;
and carrying out flooding attack alarm according to the early warning analysis result of the signaling message parameter.
In an embodiment of the detection method, the state machine matching condition is queried according to the extracted signaling message parameters, a state machine for coordination control is created according to the query result, and the signaling message parameters are stored.
In another embodiment of the detection method of the present invention, the early warning analysis of the signaling message parameters specifically includes the following steps:
B1) matching the session identification parameter of the signaling flowing through with the parameter data stored in the state machine; if they match, the parameter counter counts, the value of the parameter counter is compared with a preset session identification flooding threshold, and an early warning analysis result is obtained according to the comparison; if they do not match, proceeding to step B2);
B2) matching the source host parameter of the signaling flowing through with the parameter data stored in the state machine; if they match, the parameter counter counts, the value of the parameter counter is compared with a preset source host flooding threshold, and an early warning analysis result is obtained according to the comparison; if they do not match, proceeding to step B3);
B3) matching the user name parameter of the signaling flowing through with the parameter data stored in the state machine; if they match, the parameter counter counts, the value of the parameter counter is compared with a preset user name flooding threshold, and an early warning analysis result is obtained according to the comparison; if they do not match, reading the next signaling flowing through.
The early warning analysis result is either that the threshold is exceeded or that the threshold is not exceeded.
A flooding attack alarm is raised for an early warning analysis result that exceeds the threshold; if the early warning analysis result does not exceed the threshold, no alarm is raised and the next signaling flowing through is extracted.
To further verify the effectiveness of the present invention, the process is explained below, as shown in FIG. 6, using a specific Diameter signaling flow:
Step (1): read a Diameter signaling message and extract its main parameters: Session-Id (SD), Origin-Host (OH) and User-Name (UN); their positions in the message are shown in FIG. 8.
Step (2): as shown in FIG. 7, query all state machines to determine whether a state machine matching the above parameters exists. If not, create a state machine, store the above parameters, set the same-SD count, same-OH count and same-UN count to 0, record the creation time T_create, and jump to step (7); if one exists, continue.
Step (3): check whether the state machine has timed out. If (T_now - T_create) > T_destroy, delete the state machine (where T_now is the current time point and T_destroy is the settable destruction threshold); if (T_now - T_create) > T_clear, set the same-SD count, same-OH count and same-UN count in the state machine to 0 (where T_clear is the settable clearing threshold); otherwise, continue.
Step (4): if the Session-Id in the message is consistent with that in the state machine, add 1 to the same-SD count; if the same-SD count is greater than N_SD (the flooding threshold for the same SD), raise a flooding attack alarm; otherwise, jump to step (7).
Step (5): if the Origin-Host in the message is consistent with that in the state machine, add 1 to the same-OH count; if the same-OH count is greater than N_OH (the flooding threshold for the same OH), raise a flooding attack alarm; otherwise, jump to step (7).
Step (6): if the User-Name in the message is consistent with that in the state machine, add 1 to the same-UN count; if the same-UN count is greater than N_UN (the flooding threshold for the same UN), raise a flooding attack alarm; otherwise, jump to step (7).
Step (7): process the next Diameter message.
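The per-message flow above, written out as an added Python example (not the patent's own implementation). Messages are passed in as dicts of the three extracted parameters, the thresholds and the traffic are constructed, and two points the text leaves open are handled as labelled assumptions: the message that triggers destruction starts a fresh state machine, and clearing is re-armed from the last clear rather than from creation.

```python
"""Diameter flooding detector following steps (1)-(7) of the embodiment.

Added example, not the patent's code.  A "message" here is the dict of
Session-Id / Origin-Host / User-Name that the parameter extraction step yields.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Thresholds:
    n_sd: int = 3            # N_SD: same-Session-Id flood threshold (constructed)
    n_oh: int = 5            # N_OH: same-Origin-Host flood threshold (constructed)
    n_un: int = 3            # N_UN: same-User-Name flood threshold (constructed)
    t_destroy: float = 60.0  # T_destroy in seconds (constructed)
    t_clear: float = 10.0    # T_clear in seconds (constructed)


@dataclass
class StateMachine:
    session_id: Optional[str]
    origin_host: Optional[str]
    user_name: Optional[str]
    t_create: float
    t_last_clear: float      # assumption: clearing is re-armed from the last clear
    same_sd: int = 0
    same_oh: int = 0
    same_un: int = 0


class FloodDetector:
    def __init__(self, th: Thresholds) -> None:
        self.th = th
        self.machines: List[StateMachine] = []

    def _lookup(self, sd, oh, un) -> Optional[StateMachine]:
        # Step (2): a state machine matches when any stored parameter equals
        # the corresponding parameter of the incoming message.
        for m in self.machines:
            if ((sd is not None and m.session_id == sd)
                    or (oh is not None and m.origin_host == oh)
                    or (un is not None and m.user_name == un)):
                return m
        return None

    def process(self, msg: Dict[str, str], now: float) -> Optional[str]:
        """Run one message through steps (1)-(7); return the alarm kind or None."""
        sd, oh, un = msg.get("Session-Id"), msg.get("Origin-Host"), msg.get("User-Name")
        m = self._lookup(sd, oh, un)
        if m is not None and now - m.t_create > self.th.t_destroy:     # step (3), destroy
            self.machines.remove(m)
            m = None            # assumption: this message then starts a fresh machine
        if m is None:                                                   # step (2), create
            self.machines.append(StateMachine(sd, oh, un, now, now))
            return None                                                 # step (7)
        if now - m.t_last_clear > self.th.t_clear:                      # step (3), clear
            m.same_sd = m.same_oh = m.same_un = 0
            m.t_last_clear = now
        if sd is not None and sd == m.session_id:                       # step (4)
            m.same_sd += 1
            return "Session-Id" if m.same_sd > self.th.n_sd else None
        if oh is not None and oh == m.origin_host:                      # step (5)
            m.same_oh += 1
            return "Origin-Host" if m.same_oh > self.th.n_oh else None
        if un is not None and un == m.user_name:                        # step (6)
            m.same_un += 1
            return "User-Name" if m.same_un > self.th.n_un else None
        return None                                                     # step (7)


def run(messages: List[Tuple[float, Dict[str, str]]], th: Thresholds) -> List[Tuple[int, str]]:
    """Feed timestamped messages through the detector; return (index, alarm) pairs."""
    det, alarms = FloodDetector(th), []
    for i, (t, msg) in enumerate(messages):
        alarm = det.process(msg, t)
        if alarm:
            alarms.append((i, alarm))
    return alarms


# --- constructed traffic (not captured from a network) ----------------------
def normal_session() -> List[Tuple[float, Dict[str, str]]]:
    """One subscriber's session: three messages, same Session-Id, one per second."""
    msg = {"Session-Id": "pcscf.example.com;4711;1",
           "Origin-Host": "pcscf.example.com", "User-Name": "alice@example.com"}
    return [(float(i), dict(msg)) for i in range(3)]


def flood_from_one_host(n: int = 8) -> List[Tuple[float, Dict[str, str]]]:
    """Burst from one Origin-Host with fresh Session-Ids and User-Names every 10 ms."""
    return [(0.01 * i, {"Session-Id": "rogue.example.net;%d;1" % i,
                        "Origin-Host": "rogue.example.net",
                        "User-Name": "u%d@example.com" % i}) for i in range(n)]


if __name__ == "__main__":
    print("normal:", run(normal_session(), Thresholds()))
    print("flood: ", run(flood_from_one_host(), Thresholds()))
```

With the constructed thresholds the normal session never trips a counter, while the single-host burst raises the first Origin-Host alarm on its seventh message (the first message created the state machine and the sixth repeat pushes the same-OH count past N_OH = 5).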
The embodiment of the invention automatically identifies and detects the Diameter protocol flooding attack according to the IMS signaling flow, detects and warns the Diameter flooding attack flow from the signaling flow, improves the safety of the IMS network, effectively ensures the safety and the reliability of the communication network, and has important significance for the safety development of the communication network.
The embodiments in the present description are described in a progressive manner, each embodiment focuses on differences from other embodiments, and the same and similar parts among the embodiments are referred to each other. The device disclosed by the embodiment corresponds to the method disclosed by the embodiment, so that the description is simple, and the relevant points can be referred to the method part for description.
The elements of the various examples and method steps described in connection with the embodiments disclosed herein may be embodied in electronic hardware, computer software, or combinations of both, and the components and steps of the examples have been described in a functional generic sense in the foregoing description for clarity of hardware and software interchangeability. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the solution. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present invention.
Those skilled in the art will appreciate that all or part of the steps of the above methods may be implemented by instructing the relevant hardware through a program, which may be stored in a computer-readable storage medium, such as: read-only memory, magnetic or optical disk, and the like. Alternatively, all or part of the steps of the foregoing embodiments may also be implemented by using one or more integrated circuits, and accordingly, each module/unit in the foregoing embodiments may be implemented in the form of hardware, and may also be implemented in the form of a software functional module. The present invention is not limited to any specific form of combination of hardware and software.
The previous description of the disclosed embodiments is provided to enable any person skilled in the art to make or use the present application. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the application. Thus, the present application is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.
Claims (8)
1. A detection device for Diameter flooding attacks, characterized in that the detection device is deployed in front of the network element entities of the network architecture and is used for detecting flooding attacks in the signaling flow in real time and issuing early warnings; the detection device comprises a parameter extraction module, a signaling flow analysis module and a detection alarm module, wherein
the parameter extraction module is used for extracting signaling message parameters from the signaling, matching a state machine according to those parameters, and setting and initializing a counter for each signaling message parameter, wherein the signaling message parameters comprise a session identification parameter, a source host parameter and a user name parameter;
the signaling flow analysis module is used for carrying out early warning analysis on the signaling message parameters in the signaling according to the matching condition of the state machine, using the count values of the counters;
the detection alarm module is used for raising a flooding attack alarm according to the early warning analysis result of the signaling message parameters;
the signaling flow analysis module comprises a session identification analysis submodule, a source host analysis submodule and a user name analysis submodule, wherein
the session identification analysis submodule is used for matching the session identification parameter of the signaling flowing through with the parameter data stored in the state machine; if the match is consistent, the parameter counter is incremented, the value of the parameter counter is compared with a preset session identification flooding threshold, and an early warning analysis result is obtained according to the comparison;
the source host analysis submodule is used for matching the source host parameter of the signaling flowing through with the parameter data stored in the state machine; if the match is consistent, the parameter counter is incremented, the value of the parameter counter is compared with a preset source host flooding threshold, and an early warning analysis result is obtained according to the comparison;
and the user name analysis submodule is used for matching the user name parameter of the signaling flowing through with the parameter data stored in the state machine; if the match is consistent, the parameter counter is incremented, the value of the parameter counter is compared with a preset user name flooding threshold, and an early warning analysis result is obtained according to the comparison.
2. The device of claim 1, wherein the parameter extraction module further comprises a state machine query submodule configured to query the state machine matching condition in advance according to the extracted signaling message parameters, create a state machine for coordinated control according to the query result, and store the signaling message parameters.
3. The device of claim 1, wherein the signaling flow analysis module further comprises a state machine timeout processing submodule configured to determine the timeout state of the state machine according to the creation time of the state machine, the current time point and a preset time period, and to perform a timeout processing operation on the state machine according to the determination result.
4. The device of claim 3, wherein the state machine timeout processing submodule comprises a state machine deletion unit and a count clearing unit, wherein
the state machine deletion unit is used for comparing the time period between the current time point and the state machine creation time with a preset destruction time period and deleting the state machine according to the comparison result;
and the count clearing unit is used for comparing the time period between the current time point and the state machine creation time with a preset clearing time period and zeroing each signaling message parameter counter in the state machine according to the comparison result.
5. A method for detecting a Diameter flooding attack, characterized by comprising the following:
A) extracting the signaling message parameters of the signaling flowing through, matching a state machine according to those parameters, and setting and initializing a counter for each signaling message parameter, wherein the signaling message parameters comprise a session identification parameter, a source host parameter and a user name parameter;
B) carrying out early warning analysis on the signaling message parameters according to the matching condition of the state machine, using the count values of the counters;
C) raising a flooding attack alarm according to the early warning analysis result of the signaling message parameters;
wherein in B) the early warning analysis of the signaling message parameters specifically comprises the following:
B1) matching the session identification parameter of the signaling flowing through with the parameter data stored in the state machine; if the match is consistent, incrementing the parameter counter, comparing the value of the parameter counter with a preset session identification flooding threshold and obtaining an early warning analysis result according to the comparison; if the match is inconsistent, entering step B2);
B2) matching the source host parameter of the signaling flowing through with the parameter data stored in the state machine; if the match is consistent, incrementing the parameter counter, comparing the value of the parameter counter with a preset source host flooding threshold and obtaining an early warning analysis result according to the comparison; if the match is inconsistent, entering step B3);
B3) matching the user name parameter of the signaling flowing through with the parameter data stored in the state machine; if the match is consistent, incrementing the parameter counter, comparing the value of the parameter counter with a preset user name flooding threshold and obtaining an early warning analysis result according to the comparison; if the match is inconsistent, reading the next signaling flowing through.
6. The method of detecting a Diameter flooding attack of claim 5, characterized in that, in A), the state machine matching condition is queried according to the extracted signaling message parameters, a state machine for coordinated control is created according to the query result, and the signaling message parameters are stored.
7. The method of detecting a Diameter flooding attack of claim 5, characterized in that, in B), the early warning analysis result is either that the threshold is exceeded or that the threshold is not exceeded.
8. The method of detecting a Diameter flooding attack of claim 7, characterized in that, in C), a flooding attack alarm is raised for an early warning analysis result in which the threshold is exceeded; if the early warning analysis result does not exceed the threshold, no alarm is raised and the next signaling flowing through is extracted.
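The claims above fix the procedure (extract three parameters, match a state machine, count, compare with a threshold, clear and destroy on timers) but not an implementation. The following is an added example written for this page, not code from the patent or its applicant, that implements claims 1 through 8 in Python: a minimal RFC 6733 AVP walker for step A, a state machine created on the first unmatched parameter set (claims 2 and 6), the B1 to B3 match order with one counter and threshold per parameter, and the clearing and destruction timers of claims 3 and 4. Assumed rather than stated in the claims: that the session identification, source host and user name parameters are the Session-Id, Origin-Host and User-Name AVPs; the threshold and timer values; command code 316 and application id 16777251 for the constructed sample messages; and that the clearing timer restarts after each clear.

```python
"""Diameter flooding detector built from claims 1-8 (added example, not the
patent's code).  Assumed, not stated in the claims: the three parameters are
the Session-Id (AVP 263), Origin-Host (AVP 264) and User-Name (AVP 1) AVPs of
RFC 6733; thresholds, timer periods, command code 316 and application id
16777251 are illustrative; the clear timer restarts after each clear."""
import struct
from dataclasses import dataclass, field

SESSION_ID, ORIGIN_HOST, USER_NAME = 263, 264, 1    # RFC 6733 AVP codes
ORDER = (SESSION_ID, ORIGIN_HOST, USER_NAME)        # claim 5: B1, then B2, then B3


def encode_avp(code, data):
    """One mandatory (M-flag) AVP without Vendor-Id, padded to 4 bytes."""
    body = struct.pack("!IB", code, 0x40) + (8 + len(data)).to_bytes(3, "big") + data
    return body + b"\x00" * (-len(body) % 4)


def encode_message(cmd, avps):
    """Diameter request: 20-byte header (RFC 6733 section 3) followed by AVPs."""
    body = b"".join(encode_avp(c, d) for c, d in avps)
    header = (b"\x01" + (20 + len(body)).to_bytes(3, "big") + b"\x80"
              + cmd.to_bytes(3, "big") + struct.pack("!III", 16777251, 1, 1))
    return header + body


def extract_parameters(msg):
    """Step A: walk the AVPs and return the parameters the claims count on."""
    if len(msg) < 20 or msg[0] != 1:
        raise ValueError("not a Diameter message")
    length = int.from_bytes(msg[1:4], "big")
    if length > len(msg) or length % 4:
        raise ValueError("bad message length")
    found, off = {}, 20
    while off + 8 <= length:
        code = int.from_bytes(msg[off:off + 4], "big")
        flags, alen = msg[off + 4], int.from_bytes(msg[off + 5:off + 8], "big")
        if alen < 8 or off + alen > length:
            raise ValueError("bad AVP length")      # truncated or looping AVP
        hdr = 12 if flags & 0x80 else 8             # V-flag adds a Vendor-Id
        if code in ORDER:
            found[code] = msg[off + hdr:off + alen].decode("utf-8", "replace")
        off += alen + (-alen % 4)                   # AVPs are 4-byte aligned
    return found


@dataclass
class StateMachine:          # claim 2: created on first sight, stores the parameters
    params: dict
    created: float
    window_start: float
    counters: dict = field(default_factory=lambda: dict.fromkeys(ORDER, 0))


class FloodDetector:
    def __init__(self, thresholds, clear_period, destroy_period):
        self.thresholds = thresholds            # per-parameter flooding thresholds
        self.clear_period = clear_period        # claim 4: zero the counters
        self.destroy_period = destroy_period    # claim 4: delete the state machine
        self.machines = []

    def _timeout(self, now):
        """Claims 3 and 4: destroy old state machines, zero stale counters."""
        self.machines = [m for m in self.machines if now - m.created < self.destroy_period]
        for m in self.machines:
            if now - m.window_start >= self.clear_period:
                m.counters, m.window_start = dict.fromkeys(ORDER, 0), now

    def process(self, msg, now):
        """Steps A to C for one message: returns an alarm string or None."""
        params = extract_parameters(msg)
        self._timeout(now)
        for code in ORDER:                      # fall through B1 -> B2 -> B3 on mismatch
            value = params.get(code)
            for m in self.machines:
                if value is not None and m.params.get(code) == value:
                    m.counters[code] += 1
                    if m.counters[code] > self.thresholds[code]:
                        return f"flood: AVP {code}={value!r} count {m.counters[code]}"
                    return None                 # matched, threshold not exceeded
        self.machines.append(StateMachine(params, now, now))   # claim 6: no match
        return None


def run_scenario():
    """Constructed traffic (not a capture): a Session-Id replay, an Origin-Host
    flood that rotates Session-Id, then the clear and destroy timers."""
    det = FloodDetector({SESSION_ID: 3, ORIGIN_HOST: 5, USER_NAME: 5},
                        clear_period=30, destroy_period=60)
    host = b"mme1.example"
    legit = encode_message(316, [(SESSION_ID, host + b";1;1"), (ORIGIN_HOST, host),
                                 (USER_NAME, b"001010123456789")])

    def rotated(t):
        return encode_message(316, [(SESSION_ID, host + b";1;%d" % t),
                                    (ORIGIN_HOST, host), (USER_NAME, b"sub%d" % t)])

    events = ([(t, legit) for t in range(6)] + [(t, rotated(t)) for t in range(6, 13)]
              + [(t, legit) for t in (40, 61, 62, 63, 64, 65)])
    return [t for t, msg in events if det.process(msg, t)], det


if __name__ == "__main__":
    print(run_scenario()[0])    # [4, 5, 11, 12, 65]
```

Run stand-alone it prints the alarm times [4, 5, 11, 12, 65]: the replayed Session-Id crosses its threshold of 3 on the fifth copy (t=4 and t=5), the Origin-Host flood that rotates Session-Id falls through B1 and is caught at B2 once its counter passes 5 (t=11, t=12), the counters are zeroed at t=40 so that message raises nothing, and at t=61 the state machine is destroyed and recreated, after which the replay has to cross the threshold again (t=65). One caveat the claims leave open: a flood that rotates all three parameters never matches and so creates a new state machine per message; the destruction timer bounds each state machine's lifetime but not the size of the table, so a deployment needs a cap on the number of state machines as well.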
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201811086841.3A CN109040127B (en) | 2018-09-18 | 2018-09-18 | Detection device and method for Diameter flooding attack |
Publications (2)
Publication Number | Publication Date |
---|---|
CN109040127A CN109040127A (en) | 2018-12-18 |
CN109040127B true CN109040127B (en) | 2020-11-03 |
Family
ID=64616721
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201811086841.3A Active CN109040127B (en) | 2018-09-18 | 2018-09-18 | Detection device and method for Diameter flooding attack |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN109040127B (en) |
Families Citing this family (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN113115314B (en) * | 2021-03-30 | 2022-11-01 | PLA Strategic Support Force Information Engineering University | Method and device for protecting HSS (home subscriber server) signaling of 4G mobile communication network |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1968280A (en) * | 2006-11-23 | 2007-05-23 | Huawei Technologies Co., Ltd. | System and method for detecting and filtering invalid header field |
EP1830536A1 (en) * | 2006-03-01 | 2007-09-05 | Siemens Aktiengesellschaft | Method for self-provisioning of subscriber data in the IP multimedia subsystem (IMS) |
CN102075924A (en) * | 2010-11-22 | 2011-05-25 | Beijing University of Posts and Telecommunications | Session state based method and system for detecting vulnerability of internet protocol (IP) multimedia subsystem (IMS) |
CN104468506A (en) * | 2014-10-28 | 2015-03-25 | Datang Mobile Communications Equipment Co., Ltd. | Session state detection method and device |
CN108076019A (en) * | 2016-11-17 | 2018-05-25 | Beijing Kingsoft Cloud Network Technology Co., Ltd. | Anomalous traffic detection method and device based on traffic mirroring |
Family Cites Families (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US8375453B2 (en) * | 2008-05-21 | 2013-02-12 | At&T Intellectual Property I, Lp | Methods and apparatus to mitigate a denial-of-service attack in a voice over internet protocol network |
Non-Patent Citations (3)
Title |
---|
"Research on IMS network security threats and test methods"; Chen Huimin; Modern Telecommunications Technology; 2013-02-25 (No. 2); pp. 66-72 * |
"Vulnerability mining of Diameter protocol flows in IMS networks"; Guo Yanzan et al.; Computer Engineering; 2013-09-15; Vol. 39 (No. 9); pp. 6-11 * |
"VoIP intrusion detection through interacting protocol state machines"; Sengar, H. et al.; International Conference on Dependable Systems and Networks; 2006-06-30; pp. 393-402 * |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN105939326B (en) | Method and device for processing message | |
CN112887274B (en) | Method and device for detecting command injection attack, computer equipment and storage medium | |
EP3025538B1 (en) | Detecting fraudulent traffic in a telecommunications system | |
CN116438779A (en) | Methods, systems, and computer readable media for implementing ingress message rate limiting with network function identifiers | |
CN101547207A (en) | Protocol identification control method and equipment based on application behavior mode | |
CN102045300A (en) | Detecting method, device and system of botnet | |
US20090265456A1 (en) | Method and system to manage multimedia sessions, allowing control over the set-up of communication channels | |
CN102404741B (en) | Method and device for detecting abnormal online of mobile terminal | |
JP4692776B2 (en) | Method for protecting SIP-based applications | |
WO2016101595A1 (en) | Method, apparatus and system for accessing third-party resource through application | |
CN112003873B (en) | HTTP (hyper text transport protocol) traffic defense method and system for resisting DDoS (distributed denial of service) attack | |
CN112769833A (en) | Method and device for detecting command injection attack, computer equipment and storage medium | |
CN113489702A (en) | Interface current limiting method and device and electronic equipment | |
CN109040127B (en) | Detection device and method for Diameter flooding attack | |
CN106790073B (en) | Blocking method and device for malicious attack of Web server and firewall | |
CN109067782B (en) | IMS network session abnormal interruption attack detection device and method | |
CN109040126B (en) | Detection device and method for SIP flooding attack of IMS network | |
CN105656912A (en) | Mobile intelligent terminal APP request process control method | |
CN105991509A (en) | Session processing method and apparatus | |
KR101384868B1 (en) | Enhanced call tracing | |
CN109246144A (en) | HSS unauthorized access detection device and method in IMS network | |
Li et al. | An efficient intrusion detection and prevention system against SIP malformed messages attacks | |
CN116074051A (en) | Equipment fingerprint generation method and equipment | |
US20150358336A1 (en) | Method for detecting fraud in an ims network | |
CN109257376B (en) | IMS network Diameter malformed fragment attack detection device and method |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||