CN109040127B - Detection device and method for Diameter flooding attack - Google Patents

Detection device and method for Diameter flooding attack Download PDF

Info

Publication number
CN109040127B
Authority
CN
China
Prior art keywords
state machine
signaling
parameters
matching
parameter
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201811086841.3A
Other languages
Chinese (zh)
Other versions
CN109040127A (en)
Inventor
刘彩霞
王凯
刘树新
吉立新
李星
冯莉
葛东东
陈云杰
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Information Engineering University of PLA Strategic Support Force
Original Assignee
Information Engineering University of PLA Strategic Support Force
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Information Engineering University of PLA Strategic Support Force
Priority to CN201811086841.3A
Publication of CN109040127A
Application granted
Publication of CN109040127B
Legal status: Active (current)
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/06 Management of faults, events, alarms or notifications
    • H04L41/0631 Management of faults, events, alarms or notifications using root cause analysis; using analysis of correlation between notifications, alarms or events based on decision criteria, e.g. hierarchy, tree or time analysis
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00 Arrangements for monitoring or testing data switching networks
    • H04L43/16 Threshold monitoring
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L65/00 Network arrangements, protocols or services for supporting real-time applications in data packet communication
    • H04L65/10 Architectures or entities
    • H04L65/1016 IP multimedia subsystem [IMS]

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Multimedia (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention belongs to the technical field of communication security, and particularly relates to a device and a method for detecting Diameter flooding attack, wherein the device comprises: the parameter extraction module is used for extracting signaling message parameters in the signaling, matching the state machine according to the parameters, setting and initializing each signaling message parameter counter, wherein the signaling message parameters comprise session identification parameters, source host parameters and user name parameters; the signaling flow analysis module is used for carrying out early warning analysis on signaling message parameters in the signaling by utilizing the counting value of the counter according to the matching condition of the state machine; and the detection alarm module is used for carrying out flooding attack alarm according to the early warning analysis result of the signaling message parameters. The invention is suitable for the IMS network in the mobile communication network, realizes the safety detection and early warning of the Diameter flooding attack, automatically identifies and detects the Diameter protocol flooding attack according to the IMS signaling flow, detects and early warns the Diameter flooding attack flow from the signaling flow, improves the safety of the IMS network, and has important guiding significance for the safety of the communication network.

Description

Detection device and method for Diameter flooding attack
Technical Field
The invention belongs to the technical field of communication security, and particularly relates to a device and a method for detecting Diameter flooding attacks, which are applicable to an IMS (IP multimedia subsystem) network in a mobile communication network and can realize security detection and early warning on the Diameter flooding attacks.
Background
IMS (IP Multimedia Subsystem) is a network architecture that provides voice and multimedia services over IP networks. IMS can converge fixed-user services, mobile-user services and internet services, and converge multimedia services such as voice, data and video; it is a core technology of the next generation network.
In the IMS network architecture, the HSS (Home Subscriber Server) serves as the central user data store of the network and is responsible for related tasks such as authentication and authorization of all users. The Diameter protocol is the main protocol for interaction between the HSS and the CSCF (Call Session Control Function). The IMS core network is all-IP, so it inherits the vulnerabilities of IP networks and is therefore more susceptible to various forms of network attack, particularly flooding attacks using the Diameter protocol. A Diameter flooding attack sends a large volume of Diameter signaling to key network element entities such as the HSS and CSCF in order to occupy their service and network resources, so that the service capability of the related network elements is reduced or service is denied outright. A detection method for Diameter protocol flooding attacks in the IMS network plays an important role in protecting the core network element entities of the IMS network, and is an important technical means of ensuring the overall service quality and reliability of the IMS network.
Disclosure of Invention
The invention provides a device and a method for detecting Diameter flooding attacks. The device and the method are deployed in front of a CSCF entity or an HSS entity, extract key parameters of Diameter messages to establish a state machine, analyze and count all Diameter signaling flowing through, and then detect and alarm on Diameter message flows exceeding a threshold value; they are easy to combine and implement, and improve the safety of the communication network.
According to the design scheme provided by the invention, the detection device for the Diameter flooding attack is deployed in front of a network architecture network element entity and is used for detecting the flooding attack in a signaling flow in real time and carrying out early warning; the detection device comprises: a parameter extraction module, a signaling flow analysis module and a detection alarm module, wherein,
the parameter extraction module is used for extracting signaling message parameters in the signaling, matching the state machine according to the parameters, setting and initializing each signaling message parameter counter, wherein the signaling message parameters comprise session identification parameters, source host parameters and user name parameters;
the signaling flow analysis module is used for carrying out early warning analysis on signaling message parameters in the signaling by utilizing the counting value of the counter according to the matching condition of the state machine;
and the detection alarm module is used for carrying out flooding attack alarm according to the early warning analysis result of the signaling message parameters.
The parameter extraction module further includes a state machine query submodule, which queries the state machine matching condition in advance according to the extracted signaling message parameter, creates a state machine for coordination control according to the query result, and stores the signaling message parameter.
In the above, the signaling flow analysis module includes a session identifier analysis sub-module, a source host analysis sub-module, and a user name analysis sub-module, wherein,
the session identification analysis submodule is used for matching the session identification parameters flowing through the signaling with the parameter data stored in the state machine, if the matching is consistent, the parameter counter counts, the value of the parameter counter is compared with a preset session identification flooding threshold value, and an early warning analysis result is obtained according to the comparison condition;
the source host analysis submodule is used for matching the source host parameters flowing through the signaling with the parameter data stored in the state machine, if the matching is consistent, the parameter counter counts, the value of the parameter counter is compared with a preset source host flooding threshold value, and an early warning analysis result is obtained according to the comparison condition;
and the user name analysis sub-module is used for matching the user name parameters flowing through the signaling with the parameter data stored in the state machine, counting by the parameter counter if the matching is consistent, comparing the value of the parameter counter with a preset user name flooding threshold value, and acquiring an early warning analysis result according to the comparison condition.
Preferably, the signaling flow analysis module further includes a state machine timeout processing submodule, where the state machine timeout processing submodule is configured to determine a timeout state of the state machine according to the state machine creation time, the current time point, and a preset time period, and perform timeout processing operation on the state machine according to a determination result.
Furthermore, the state machine timeout processing submodule comprises a state machine deleting unit and a count zero clearing unit, wherein,
the state machine deleting unit is used for comparing the time period between the current time point and the state machine establishing time with the preset destroying time period and deleting the state machine according to the comparison result;
and the counting zero clearing unit is used for comparing the time period between the current time point and the state machine creation time with a preset zero clearing time period and carrying out zero clearing treatment on each signaling message parameter counter in the state machine according to the comparison result.
A method for detecting Diameter flooding attack comprises the following contents:
A) extracting signaling message parameters flowing through signaling, matching a state machine according to the parameters, setting and initializing each signaling message parameter counter, wherein the signaling message parameters comprise a session identification parameter, a source host parameter and a user name parameter;
B) according to the matching condition of the state machine, utilizing the counting value of the counter to carry out early warning analysis on the signaling message parameters;
C) and carrying out flooding attack alarm according to the early warning analysis result of the signaling message parameter.
In the method, in A), the state machine matching condition is queried according to the extracted signaling message parameters, and a state machine for coordination control is created according to the query result and the signaling message parameters are stored.
In the method, B), the early warning analysis is performed on the signaling message parameters, and the method specifically includes the following steps:
B1) matching the session identification parameters flowing through the signaling with the parameter data stored in the state machine, counting by the parameter counter if the matching is consistent, comparing the value of the parameter counter with a preset session identification flooding threshold value, obtaining an early warning analysis result according to the comparison condition, and entering step B2) if the matching is inconsistent;
B2) matching the source host parameters flowing through the signaling with the parameter data stored in the state machine, counting by the parameter counter if the matching is consistent, comparing the value of the parameter counter with a preset source host flooding threshold value, acquiring an early warning analysis result according to the comparison condition, and entering step B3) if the matching is inconsistent;
B3) matching the user name parameters passing through the signaling with the parameter data stored in the state machine, counting by the parameter counter if the matching is consistent, comparing the value of the parameter counter with a preset user name flooding threshold value, acquiring an early warning analysis result according to the comparison condition, and reading the next signaling passing through if the matching is inconsistent.
In the method, in B), the early warning analysis result is either that the threshold condition is exceeded or that the threshold condition is not exceeded.
In the method, C), the early warning analysis result of the situation exceeding the threshold value is subjected to flooding attack warning; and if the early warning analysis result does not exceed the threshold value, no warning is carried out, and the next signaling flowing through is continuously extracted.
The invention has the beneficial effects that:
in the invention, a detection device is deployed in front of a CSCF entity or an HSS entity, key parameters of Diameter messages are extracted to establish a state machine, all Diameter signaling flowing through is analyzed and counted, and detection alarms are then raised for Diameter message flows exceeding a threshold value; the method can be applied to the IMS network in the mobile communication network, realizes safety detection and early warning of Diameter flooding attacks, automatically identifies and detects Diameter protocol flooding attacks from the IMS signaling flow, detects and warns of Diameter flooding attack flows within the signaling flow, improves the safety of the IMS network, and has important guiding significance for the safety of the communication network.
Description of the drawings:
FIG. 1 is a schematic view of an exemplary embodiment of a detection apparatus;
FIG. 2 is a diagram of a signaling flow analysis module in an embodiment;
FIG. 3 is a diagram illustrating an embodiment of a timeout processing sub-module of the state machine;
FIG. 4 is a first flowchart of a detection method according to an embodiment;
FIG. 5 is a schematic diagram of Diameter protocol signaling related entities in an embodiment;
FIG. 6 is a flow chart of the detection method in the embodiment II;
FIG. 7 is a diagram of an embodiment of a state machine;
FIG. 8 is a Diameter message parameter diagram in an embodiment.
The specific implementation mode is as follows:
in order to make the objects, technical solutions and advantages of the present invention clearer and more obvious, the present invention is further described in detail below with reference to the accompanying drawings and technical solutions.
Diameter messages consist of two parts, namely a header and a message body. The message header is located at the front of the message and includes the protocol version, message length, command code, application ID, hop-by-hop identifier and end-to-end identifier, as detailed in fig. 8; the message body consists of a number of AVPs, each of which consists of AVP Code, AVP Flag, AVP Length, Vendor-ID and Data, also shown in fig. 8. The IMS core network is all-IP, so it inherits the vulnerabilities of IP networks and is therefore more susceptible to various forms of network attack, particularly flooding attacks using the Diameter protocol. A Diameter flooding attack sends a large volume of Diameter signaling to key network element entities such as the HSS and CSCF in order to occupy their service and network resources, so that the service capability of the related network elements is reduced or service is denied outright. To this end, an embodiment of the present invention, referring to fig. 1, provides a device for detecting a Diameter flooding attack, including: a parameter extraction module, a signaling flow analysis module and a detection alarm module, wherein,
the parameter extraction module is used for extracting signaling message parameters in the signaling, matching the state machine according to the parameters, setting and initializing each signaling message parameter counter, wherein the signaling message parameters comprise session identification parameters, source host parameters and user name parameters;
the signaling flow analysis module is used for carrying out early warning analysis on signaling message parameters in the signaling by utilizing the counting value of the counter according to the matching condition of the state machine;
and the detection alarm module is used for carrying out flooding attack alarm according to the early warning analysis result of the signaling message parameters.
The detection device is deployed in front of a network architecture network element entity and is used for detecting flooding attacks in a signaling flow in real time and carrying out early warning. Referring to fig. 5, the detection apparatus in the embodiment may be deployed before a CSCF entity or an HSS entity, and perform real-time detection and early warning on the Diameter signaling flow passing through the IMS network.
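The parameter extraction module has to decode the header and AVP layout described above before it can key a state machine on Session-Id, Origin-Host and User-Name. The following is an added example written for this page, not code from the patent: a minimal Diameter header and AVP walker in Python that pulls those three AVPs out of one message. The AVP codes (User-Name = 1, Session-Id = 263, Origin-Host = 264) are the RFC 6733 values; the sample message is constructed inline with fictitious host and user values, and its command code 300 / application id 16777216 are taken from 3GPP Cx (User-Authorization-Request) as I recall them, not from the page. The length checks in parse_avps are the part a practitioner would care about, since a malformed AVP length is what would otherwise let one bad message crash the monitor sitting in front of the HSS.

```python
import struct
from typing import Dict, List, Optional

# AVP codes from RFC 6733 for the three parameters the patent keys on
AVP_USER_NAME = 1
AVP_SESSION_ID = 263
AVP_ORIGIN_HOST = 264

HEADER_LEN = 20          # fixed Diameter header size in bytes
AVP_FLAG_VENDOR = 0x80   # V bit: a 4-byte Vendor-ID follows the AVP header
AVP_FLAG_MANDATORY = 0x40


def parse_header(buf: bytes) -> Dict[str, int]:
    """Decode the 20-byte Diameter header: version, length, command flags,
    command code, application id, hop-by-hop id, end-to-end id."""
    if len(buf) < HEADER_LEN:
        raise ValueError("buffer shorter than Diameter header")
    app_id, hop_by_hop, end_to_end = struct.unpack("!III", buf[8:20])
    return {
        "version": buf[0],
        "length": int.from_bytes(buf[1:4], "big"),
        "command_flags": buf[4],
        "command_code": int.from_bytes(buf[5:8], "big"),
        "application_id": app_id,
        "hop_by_hop": hop_by_hop,
        "end_to_end": end_to_end,
    }


def parse_avps(body: bytes) -> List[Dict[str, object]]:
    """Walk the message body and return one dict per AVP (code, flags, length,
    vendor_id, data). The length checks stop a short or oversized AVP Length
    from reading outside the buffer."""
    avps = []
    off = 0
    while off < len(body):
        if len(body) - off < 8:
            raise ValueError("truncated AVP header at offset %d" % off)
        code = int.from_bytes(body[off:off + 4], "big")
        flags = body[off + 4]
        avp_len = int.from_bytes(body[off + 5:off + 8], "big")
        hdr_len = 12 if flags & AVP_FLAG_VENDOR else 8
        if avp_len < hdr_len or off + avp_len > len(body):
            raise ValueError("bad AVP length %d at offset %d" % (avp_len, off))
        vendor_id: Optional[int] = None
        if flags & AVP_FLAG_VENDOR:
            vendor_id = int.from_bytes(body[off + 8:off + 12], "big")
        data = body[off + hdr_len:off + avp_len]
        avps.append({"code": code, "flags": flags, "length": avp_len,
                     "vendor_id": vendor_id, "data": data})
        off += (avp_len + 3) & ~3   # AVP Length excludes the 4-byte alignment padding
    return avps


def extract_params(buf: bytes) -> Dict[str, str]:
    """Return the Session-Id, Origin-Host and User-Name of one message, the
    three parameters the detector keys its state machine on."""
    hdr = parse_header(buf)
    if hdr["version"] != 1:
        raise ValueError("unsupported Diameter version %d" % hdr["version"])
    if hdr["length"] != len(buf):
        raise ValueError("header length %d does not match buffer of %d bytes"
                         % (hdr["length"], len(buf)))
    wanted = {AVP_SESSION_ID: "Session-Id", AVP_ORIGIN_HOST: "Origin-Host",
              AVP_USER_NAME: "User-Name"}
    params: Dict[str, str] = {}
    for avp in parse_avps(buf[HEADER_LEN:]):
        name = wanted.get(avp["code"])
        if name is not None and name not in params:   # first occurrence wins
            params[name] = avp["data"].decode("utf-8", errors="replace")
    return params


def build_avp(code: int, data: bytes, flags: int = AVP_FLAG_MANDATORY) -> bytes:
    """Encode one AVP without Vendor-ID; used only to construct the sample input."""
    length = 8 + len(data)
    padding = b"\x00" * ((4 - length % 4) % 4)
    return code.to_bytes(4, "big") + bytes([flags]) + length.to_bytes(3, "big") + data + padding


def build_message(command_code: int, application_id: int, avps: List[bytes],
                  hop_by_hop: int = 0x1001, end_to_end: int = 0x2002) -> bytes:
    """Encode a request (R bit set) from already-encoded AVPs; sample input only."""
    body = b"".join(avps)
    length = HEADER_LEN + len(body)
    return (bytes([1]) + length.to_bytes(3, "big") + bytes([0x80]) +
            command_code.to_bytes(3, "big") +
            struct.pack("!III", application_id, hop_by_hop, end_to_end) + body)


# Constructed sample: a Cx User-Authorization-Request (command code 300,
# application id 16777216) carrying fictitious host and user values.
SAMPLE_MESSAGE = build_message(300, 16777216, [
    build_avp(AVP_SESSION_ID, b"icscf.example.net;1536;7;a1b2"),
    build_avp(AVP_ORIGIN_HOST, b"icscf.example.net"),
    build_avp(AVP_USER_NAME, b"user001@example.net"),
])

if __name__ == "__main__":
    print(parse_header(SAMPLE_MESSAGE))
    print(extract_params(SAMPLE_MESSAGE))
```

The parser decodes only what the detector needs; the AVP data is returned as raw bytes and decoded as UTF-8 for the three identity AVPs, which are UTF8String/DiameterIdentity types. Grouped AVPs and vendor-specific AVPs are walked over but not interpreted.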
In order to avoid the situation of unsuccessful matching when performing state machine matching according to the signaling message parameters, in another embodiment of the present invention, the parameter extraction module further includes a state machine query submodule, which queries the state machine matching condition in advance according to the extracted signaling message parameters, creates a state machine for coordination control according to the query result, and stores the signaling message parameters.
In the process of performing signaling early warning analysis according to the matching condition of the counter and the state machine, in a further embodiment of the present invention, an analysis module for session identification parameters, source host parameters, and user name parameters in signaling message parameters is provided, specifically, as shown in fig. 2, the signaling flow analysis module includes a session identification analysis sub-module, a source host analysis sub-module, and a user name analysis sub-module, wherein,
the session identification analysis submodule is used for matching the session identification parameters flowing through the signaling with the parameter data stored in the state machine, if the matching is consistent, the parameter counter counts, the value of the parameter counter is compared with a preset session identification flooding threshold value, and an early warning analysis result is obtained according to the comparison condition;
the source host analysis submodule is used for matching the source host parameters flowing through the signaling with the parameter data stored in the state machine, if the matching is consistent, the parameter counter counts, the value of the parameter counter is compared with a preset source host flooding threshold value, and an early warning analysis result is obtained according to the comparison condition;
and the user name analysis sub-module is used for matching the user name parameters flowing through the signaling with the parameter data stored in the state machine, counting by the parameter counter if the matching is consistent, comparing the value of the parameter counter with a preset user name flooding threshold value, and acquiring an early warning analysis result according to the comparison condition.
In the process of performing early warning analysis on the signaling flow, in another embodiment of the present invention, the signaling flow analysis module further includes a state machine timeout processing submodule, where the state machine timeout processing submodule is configured to determine a state machine timeout state according to the state machine creation time, the current time point, and a preset time period, and perform timeout processing operation on the state machine according to a determination result.
In performing the timeout processing operation on the state machine, further, as shown in fig. 3, the state machine timeout processing submodule includes a state machine deleting unit and a count clearing unit, wherein,
the state machine deleting unit is used for comparing the time period between the current time point and the state machine establishing time with the preset destroying time period and deleting the state machine according to the comparison result;
and the counting zero clearing unit is used for comparing the time period between the current time point and the state machine creation time with a preset zero clearing time period and carrying out zero clearing treatment on each signaling message parameter counter in the state machine according to the comparison result.
Based on the above detection apparatus, an embodiment of the present invention further provides a method for detecting a Diameter flooding attack, which is shown in fig. 4 and includes the following contents:
extracting signaling message parameters flowing through signaling, matching a state machine according to the parameters, setting and initializing each signaling message parameter counter, wherein the signaling message parameters comprise a session identification parameter, a source host parameter and a user name parameter;
according to the matching condition of the state machine, utilizing the counting value of the counter to carry out early warning analysis on the signaling message parameters;
and carrying out flooding attack alarm according to the early warning analysis result of the signaling message parameter.
In the embodiment of the detection method, the matching condition of the state machine is inquired according to the extracted signaling message parameters, the state machine for coordination control is established according to the inquiry result, and the signaling message parameters are stored.
In another embodiment of the detection method of the present invention, the early warning analysis is performed on signaling message parameters, which specifically includes the following contents:
B1) matching the session identification parameters flowing through the signaling with the parameter data stored in the state machine, counting by the parameter counter if the matching is consistent, comparing the value of the parameter counter with a preset session identification flooding threshold value, obtaining an early warning analysis result according to the comparison condition, and entering step B2) if the matching is inconsistent;
B2) matching the source host parameters flowing through the signaling with the parameter data stored in the state machine, counting by the parameter counter if the matching is consistent, comparing the value of the parameter counter with a preset source host flooding threshold value, acquiring an early warning analysis result according to the comparison condition, and entering step B3) if the matching is inconsistent;
B3) matching the user name parameters passing through the signaling with the parameter data stored in the state machine, counting by the parameter counter if the matching is consistent, comparing the value of the parameter counter with a preset user name flooding threshold value, acquiring an early warning analysis result according to the comparison condition, and reading the next signaling passing through if the matching is inconsistent.
The early warning analysis result is either that the threshold condition is exceeded or that the threshold condition is not exceeded.
A flooding attack warning is raised for an early warning analysis result that exceeds the threshold value; if the early warning analysis result does not exceed the threshold value, no warning is raised and the next signaling flowing through is extracted.
To further verify the effectiveness of the present invention, as shown in fig. 6, the following is explained by using a specific Diameter signaling:
step (I): read a Diameter signaling message and extract its main parameters, namely Session-Id (SD for short), Origin-Host (OH for short) and User-Name (UN for short), whose positions in the message are shown in fig. 8;
step (II): as shown in fig. 7, query all state machines to determine whether a state machine matching the above parameters exists; if not, create a state machine, store the above parameters, set the same-SD count, same-OH count and same-UN count to 0, record the creation time T_create, and jump to step (VII); if yes, continue;
step (III): determine whether the state machine has timed out: if (T_current - T_create) > T_destroy, delete the state machine (where T_current is the current point in time and T_destroy is the settable destruction threshold); if (T_current - T_create) > T_clear, set the same-SD count, same-OH count and same-UN count in the state machine to 0 (where T_clear is the settable zero-clearing threshold); otherwise, continue;
step (IV): if the Session-Id in the message is consistent with that in the state machine, add 1 to the same-SD count; if the same-SD count is larger than N_SD (N_SD is the flooding threshold for the same SD), alarm a flooding attack, otherwise jump to step (VII);
step (V): if the Origin-Host in the message is consistent with that in the state machine, add 1 to the same-OH count; if the same-OH count is larger than N_OH (N_OH is the flooding threshold for the same OH), alarm a flooding attack, otherwise jump to step (VII);
step (VI): if the User-Name in the message is consistent with that in the state machine, add 1 to the same-UN count; if the same-UN count is larger than N_UN (N_UN is the flooding threshold for the same UN), alarm a flooding attack, otherwise jump to step (VII);
step (VII): process the next Diameter message.
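Steps (I) to (VII) above, carried through as an added example in Python; this is my code written for this page, not the patent's implementation. It takes the three parameters as already extracted (the `DiameterParams` record), keeps one `StateMachine` per matching group with the three counters and the two timers, and applies the SD > OH > UN cascade with thresholds N_SD, N_OH, N_UN. Three points the page leaves open are filled in as assumptions and marked in the code: a state machine "matches" a message when any one of its three stored parameters equals the message's value; after the destroy timer deletes a state machine the message is dropped and the next one is read; and the zero-clearing timer is measured from the last clearing (`t_window`) rather than only from T_create, because comparing against creation time alone would clear the counters on every message once T_clear had elapsed. The traffic in `run_sample` is constructed: a burst reusing one Session-Id, then a second session from the same Origin-Host.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class DiameterParams:
    """The three parameters step (I) extracts from each message."""
    session_id: str    # SD
    origin_host: str   # OH
    user_name: str     # UN


@dataclass
class StateMachine:
    session_id: str
    origin_host: str
    user_name: str
    t_create: float      # T_create, used by the destroy timer
    t_window: float      # start of the current counting window (assumption: reset on clearing)
    same_sd: int = 0
    same_oh: int = 0
    same_un: int = 0


class FloodDetector:
    def __init__(self, n_sd: int, n_oh: int, n_un: int,
                 t_destroy: float, t_clear: float) -> None:
        self.n_sd, self.n_oh, self.n_un = n_sd, n_oh, n_un
        self.t_destroy, self.t_clear = t_destroy, t_clear
        self.machines: List[StateMachine] = []
        self.alarms: List[str] = []

    def _find(self, p: DiameterParams) -> Optional[StateMachine]:
        # Assumption: a state machine matches when any one of its stored
        # parameters equals the message's value; the patent leaves this open.
        for m in self.machines:
            if (m.session_id == p.session_id or m.origin_host == p.origin_host
                    or m.user_name == p.user_name):
                return m
        return None

    def _check(self, name: str, value: str, count: int, threshold: int) -> Optional[str]:
        """Alarm when the counter is strictly above its threshold, as in steps (IV)-(VI)."""
        if count > threshold:
            alarm = "%s flooding: %s seen %d times (threshold %d)" % (name, value, count, threshold)
            self.alarms.append(alarm)
            return alarm
        return None

    def process(self, p: DiameterParams, now: float) -> Optional[str]:
        """Run steps (II)-(VI) for one message; returns the alarm text or None."""
        m = self._find(p)
        if m is None:                              # step (II): create, then next message
            self.machines.append(StateMachine(p.session_id, p.origin_host, p.user_name, now, now))
            return None
        if now - m.t_create > self.t_destroy:      # step (III): destroy timer
            self.machines.remove(m)
            return None                            # assumption: message dropped, read the next
        if now - m.t_window > self.t_clear:        # step (III): zero-clearing timer
            m.same_sd = m.same_oh = m.same_un = 0
            m.t_window = now
        if p.session_id == m.session_id:           # step (IV)
            m.same_sd += 1
            return self._check("Session-Id", p.session_id, m.same_sd, self.n_sd)
        if p.origin_host == m.origin_host:         # step (V)
            m.same_oh += 1
            return self._check("Origin-Host", p.origin_host, m.same_oh, self.n_oh)
        if p.user_name == m.user_name:             # step (VI)
            m.same_un += 1
            return self._check("User-Name", p.user_name, m.same_un, self.n_un)
        return None                                # step (VII)


def run_sample() -> List[str]:
    """Constructed traffic: six requests reusing one Session-Id one second apart,
    then a new session from the same Origin-Host. Returns the alarms raised."""
    det = FloodDetector(n_sd=3, n_oh=5, n_un=5, t_destroy=60.0, t_clear=10.0)
    burst = DiameterParams("icscf.example.net;1536;7;a1b2", "icscf.example.net", "user001@example.net")
    for t in range(6):                             # t=0 creates the machine, t=1..5 count 1..5
        det.process(burst, float(t))
    other = DiameterParams("icscf.example.net;1536;8;c3d4", "icscf.example.net", "user002@example.net")
    det.process(other, 6.0)                        # Session-Id differs, Origin-Host matches
    return det.alarms


if __name__ == "__main__":
    for alarm in run_sample():
        print(alarm)
```

With N_SD = 3 the burst raises an alarm on its fifth and sixth message (same-SD count 4 and 5), while the second session only increments the same-OH count. Because only one counter is incremented per message, a flood that varies Session-Id but keeps Origin-Host is counted under OH rather than SD, which is the reason the cascade checks all three parameters.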
The embodiment of the invention automatically identifies and detects the Diameter protocol flooding attack according to the IMS signaling flow, detects and warns the Diameter flooding attack flow from the signaling flow, improves the safety of the IMS network, effectively ensures the safety and the reliability of the communication network, and has important significance for the safety development of the communication network.
The embodiments in the present description are described in a progressive manner, each embodiment focuses on differences from other embodiments, and the same and similar parts among the embodiments are referred to each other. The device disclosed by the embodiment corresponds to the method disclosed by the embodiment, so that the description is simple, and the relevant points can be referred to the method part for description.
The elements of the various examples and method steps described in connection with the embodiments disclosed herein may be embodied in electronic hardware, computer software, or combinations of both, and the components and steps of the examples have been described in a functional generic sense in the foregoing description for clarity of hardware and software interchangeability. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the solution. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present invention.
Those skilled in the art will appreciate that all or part of the steps of the above methods may be implemented by instructing the relevant hardware through a program, which may be stored in a computer-readable storage medium, such as: read-only memory, magnetic or optical disk, and the like. Alternatively, all or part of the steps of the foregoing embodiments may also be implemented by using one or more integrated circuits, and accordingly, each module/unit in the foregoing embodiments may be implemented in the form of hardware, and may also be implemented in the form of a software functional module. The present invention is not limited to any specific form of combination of hardware and software.
The previous description of the disclosed embodiments is provided to enable any person skilled in the art to make or use the present application. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the application. Thus, the present application is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (8)

1. A detection device for Diameter flooding attack, characterized in that the detection device is deployed in front of a network element entity of the network architecture and is used for detecting a flooding attack in the signaling flow in real time and issuing an early warning; the detection device comprises a parameter extraction module, a signaling flow analysis module and a detection alarm module, wherein
the parameter extraction module is used for extracting signaling message parameters from the signaling, matching a state machine according to the parameters, and setting and initializing a counter for each signaling message parameter, wherein the signaling message parameters comprise a session identification parameter, a source host parameter and a user name parameter;
the signaling flow analysis module is used for carrying out early warning analysis on the signaling message parameters in the signaling by using the count values of the counters according to the matching condition of the state machine;
the detection alarm module is used for raising a flooding attack alarm according to the early warning analysis result for the signaling message parameters;
the signaling flow analysis module comprises a session identification analysis submodule, a source host analysis submodule and a user name analysis submodule, wherein
the session identification analysis submodule is used for matching the session identification parameter of the signaling flowing through with the parameter data stored in the state machine; if the match is consistent, the parameter counter is incremented, the value of the parameter counter is compared with a preset session identification flooding threshold, and an early warning analysis result is obtained according to the comparison;
the source host analysis submodule is used for matching the source host parameter of the signaling flowing through with the parameter data stored in the state machine; if the match is consistent, the parameter counter is incremented, the value of the parameter counter is compared with a preset source host flooding threshold, and an early warning analysis result is obtained according to the comparison;
and the user name analysis submodule is used for matching the user name parameter of the signaling flowing through with the parameter data stored in the state machine; if the match is consistent, the parameter counter is incremented, the value of the parameter counter is compared with a preset user name flooding threshold, and an early warning analysis result is obtained according to the comparison.
2. The device of claim 1, wherein the parameter extraction module further comprises a state machine query submodule configured to query the state machine matching condition in advance according to the extracted signaling message parameters, create a state machine for coordination control according to the query result, and store the signaling message parameters.
3. The device of claim 1, wherein the signaling flow analysis module further comprises a state machine timeout processing submodule configured to determine the timeout state of the state machine according to the creation time of the state machine, the current time point and a preset time period, and to perform a timeout processing operation on the state machine according to the determination result.
4. The device of claim 3, wherein the state machine timeout processing submodule comprises a state machine deletion unit and a count clearing unit, wherein
the state machine deletion unit is used for comparing the time period between the current time point and the state machine creation time with a preset destruction time period and deleting the state machine according to the comparison result;
and the count clearing unit is used for comparing the time period between the current time point and the state machine creation time with a preset clearing time period and resetting each signaling message parameter counter in the state machine to zero according to the comparison result.
5. A method for detecting a Diameter flooding attack, characterized by comprising the following steps:
A) extracting signaling message parameters from the signaling flowing through, matching a state machine according to the parameters, and setting and initializing a counter for each signaling message parameter, wherein the signaling message parameters comprise a session identification parameter, a source host parameter and a user name parameter;
B) according to the matching condition of the state machine, carrying out early warning analysis on the signaling message parameters by using the count values of the counters;
C) raising a flooding attack alarm according to the early warning analysis result for the signaling message parameters;
wherein the early warning analysis of the signaling message parameters in step B) specifically comprises the following steps:
B1) matching the session identification parameter of the signaling flowing through with the parameter data stored in the state machine; if the match is consistent, incrementing the parameter counter, comparing the value of the parameter counter with a preset session identification flooding threshold and obtaining an early warning analysis result according to the comparison; if the match is inconsistent, proceeding to step B2);
B2) matching the source host parameter of the signaling flowing through with the parameter data stored in the state machine; if the match is consistent, incrementing the parameter counter, comparing the value of the parameter counter with a preset source host flooding threshold and obtaining an early warning analysis result according to the comparison; if the match is inconsistent, proceeding to step B3);
B3) matching the user name parameter of the signaling flowing through with the parameter data stored in the state machine; if the match is consistent, incrementing the parameter counter, comparing the value of the parameter counter with a preset user name flooding threshold and obtaining an early warning analysis result according to the comparison; if the match is inconsistent, reading the next signaling flowing through.
6. The method for detecting a Diameter flooding attack of claim 5, characterized in that, in step A), the state machine matching condition is queried according to the extracted signaling message parameters, a state machine for coordination control is created according to the query result, and the signaling message parameters are stored.
7. The method for detecting a Diameter flooding attack of claim 5, characterized in that, in step B), the early warning analysis result is either that the threshold is exceeded or that the threshold is not exceeded.
8. The method for detecting a Diameter flooding attack of claim 7, characterized in that, in step C), a flooding attack alarm is raised when the early warning analysis result is that the threshold is exceeded; when the early warning analysis result is that the threshold is not exceeded, no alarm is raised and the next signaling flowing through is extracted.
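As an added worked example (not code from the patent or its applicant), the following Python sketch implements the procedure of claims 2 to 5: a state machine is created for any message whose parameters match no stored state machine and holds its Session-Id, Origin-Host and User-Name AVPs, later messages are matched in the B1, B2, B3 order and the matching parameter's counter is compared with its flooding threshold, and the clear and destroy timeouts of claim 4 are applied on each message. The thresholds, periods, the representation of a message as a dict of AVP name to value, and clearing the counters once per state machine are assumptions of this example.

```python
from dataclasses import dataclass

# Constructed thresholds and periods for illustration; real values are tuned per network.
THRESHOLDS = {"session_id": 100, "source_host": 500, "user_name": 200}
CLEAR_PERIOD = 1.0    # seconds after creation at which counters are zeroed (claim 4)
DESTROY_PERIOD = 5.0  # seconds after creation at which the state machine is deleted (claim 4)

@dataclass
class StateMachine:  # parameter data stored at creation (claim 2) plus the per-parameter counters
    session_id: str
    source_host: str
    user_name: str
    created: float
    counters: dict
    cleared: bool = False

class DiameterFloodDetector:
    def __init__(self, thresholds=THRESHOLDS, clear=CLEAR_PERIOD, destroy=DESTROY_PERIOD):
        self.thresholds, self.clear, self.destroy = thresholds, clear, destroy
        self.machines = []

    def _timeout(self, now):
        """Claims 3-4: delete machines past the destroy period, zero counters past the clear period."""
        kept = []
        for sm in self.machines:
            age = now - sm.created
            if age >= self.destroy:
                continue  # state machine deletion unit
            if age >= self.clear and not sm.cleared:  # assumption: counters are cleared once
                sm.counters = dict.fromkeys(sm.counters, 0)  # count clearing unit
                sm.cleared = True
            kept.append(sm)
        self.machines = kept

    def process(self, msg, now):
        """Steps A-C of claim 5 for one message: (parameter, value, count) on alarm, else None."""
        self._timeout(now)
        fields = (("session_id", msg["Session-Id"]), ("source_host", msg["Origin-Host"]),
                  ("user_name", msg["User-Name"]))  # step A: the three extracted AVPs
        # Step B: B1 session id, then B2 source host, then B3 user name; first match wins
        for name, value in fields:
            for sm in self.machines:
                if getattr(sm, name) == value:
                    sm.counters[name] += 1
                    if sm.counters[name] > self.thresholds[name]:
                        return (name, value, sm.counters[name])  # step C: flooding alarm
                    return None  # within threshold: no alarm, read the next message
        # No stored parameter matched: create a state machine holding them (claim 2)
        self.machines.append(StateMachine(*(v for _, v in fields), now, dict.fromkeys(self.thresholds, 0)))
```

Feeding the same Session-Id repeatedly drives the session counter over its threshold and returns an alarm tuple, while a message from the same Origin-Host with a new Session-Id is counted against the source host counter instead.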
Application CN201811086841.3A, priority date 2018-09-18, filing date 2018-09-18: Detection device and method for Diameter flooding attack. Status: Active. Granted publication CN109040127B (en).
Publications (2)

Publication Number Publication Date
CN109040127A CN109040127A (en) 2018-12-18
CN109040127B true CN109040127B (en) 2020-11-03
Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant