CN109257351B - IMS network logic abnormity detection device and method based on Markov - Google Patents


Info

Publication number
CN109257351B
CN109257351B
Authority
CN
China
Prior art keywords
message
markov
logic
state
state machine
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201811086791.9A
Other languages
Chinese (zh)
Other versions
CN109257351A (en)
Inventor
刘树新
刘彩霞
李森有
王凯
柏溢
何赞园
陈云杰
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Information Engineering University of PLA Strategic Support Force
Original Assignee
Information Engineering University of PLA Strategic Support Force
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Information Engineering University of PLA Strategic Support Force
Priority to CN201811086791.9A
Publication of CN109257351A
Application granted
Publication of CN109257351B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L65/00 Network arrangements, protocols or services for supporting real-time applications in data packet communication
    • H04L65/10 Architectures or entities
    • H04L65/1016 IP multimedia subsystem [IMS]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection

Landscapes

  • Engineering & Computer Science (AREA)
  • Multimedia (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Telephonic Communication Services (AREA)

Abstract

The invention belongs to the technical field of communication security and in particular relates to a Markov-based IMS network logic anomaly detection device and method. The device comprises a parameter extraction module and an anomaly detection module. The parameter extraction module extracts message parameters from the SIP message, the message parameters comprising a message type, a session ID, a user name and a flow type; the anomaly detection module analyses the message type transition relation according to the Markov state transition chain and judges the logic anomaly of the IMS network according to the analysis result. The invention establishes, on the basis of a Markov chain, the message type transition relation of the service flow, then performs service flow logic detection on the SIP message stream and finds the signalling messages that are inconsistent with the message type transitions of the normal service flow, thereby detecting whether a logic anomaly exists in the IMS network, realising security protection of the IMS network, improving the security and reliability of the IMS network, and having important guiding significance for the security of communication networks.

Description

IMS network logic abnormity detection device and method based on Markov
Technical Field
The invention belongs to the technical field of communication security and in particular relates to a Markov-based IMS network logic anomaly detection device and method for use in the IMS network of a mobile communication network.
Background
IMS (IP Multimedia Subsystem) is a network architecture that provides voice and multimedia services over IP networks. IMS can converge fixed-user services, mobile-user services and Internet services, and converge multimedia services such as voice, data and video; it is a core technology of the next generation network. A Markov chain is a random process that transitions from one state to another within a state space. The process is memoryless: given the current state, the future state is independent of the past states. At each step of the Markov chain the system either remains in its current state or moves to another state according to conditional probabilities; a change of state is called a transition, and the probabilities of the state changes are called transition probabilities.
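As an added illustration that is not part of the patent text: writing $X_n$ for the state at step $n$, the memoryless (Markov) property and the transition probabilities described above are

$$P(X_{n+1}=j \mid X_n=i,\,X_{n-1}=i_{n-1},\ldots,X_0=i_0)=P(X_{n+1}=j \mid X_n=i)=p_{ij},\qquad \sum_{j} p_{ij}=1 .$$

For the detection described later on this page the states are SIP message types and only the support of the chain matters: a transition from the last stored message type $i$ to a new message type $j$ conforms to the chain when $p_{ij}>0$ (the edge exists in the chain), and is reported as a logic anomaly when $p_{ij}=0$.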
Disclosure of Invention
Therefore, the invention provides a Markov-based IMS network logic anomaly detection device and method, which aim to detect abnormal patterns that may appear in the different service flows of an IMS network. Whether the IMS network logic is abnormal is judged by querying the Markov state transition chain to check whether the message type conforms to the transition relation; the method is easy to implement and improves the security and reliability of the communication network.
According to the design scheme provided by the invention, the Markov-based IMS network logic anomaly detection device comprises a parameter extraction module and an anomaly detection module, wherein
the parameter extraction module is used for extracting message parameters from the SIP message, the message parameters comprising a message type, a session ID, a user name and a flow type;
and the anomaly detection module is used for analysing the message type transition relation according to the Markov state transition chain and judging the logic anomaly of the IMS network according to the analysis result.
In the above, the anomaly detection module comprises a state machine query submodule, a logic anomaly judgment submodule and a state machine scanning submodule, wherein
the state machine query submodule is used for checking whether a state machine already exists for the message whose type was extracted, and creating a new state machine if it does not;
the logic anomaly judgment submodule is used for judging whether the extracted message type is a logic anomaly according to the Markov state transition chain;
and the state machine scanning submodule is used for scanning all state machines and, according to the comparison of the scan time against the set threshold, either deleting a state machine or returning to the parameter extraction module to extract the next SIP message.
Preferably, the logic anomaly judgment submodule comprises a transition relation analysis unit and a transition chain limiting unit, wherein
the transition relation analysis unit is used for analysing the transition relation of the message type according to the Markov state transition chain and judging a network logic anomaly according to the analysis result;
and the transition chain limiting unit is used for storing the message types that conform to the transition relation, judging whether the transition chain has reached the end of the Markov state transition chain, and either deleting the current state machine or triggering the state machine scanning submodule according to the judgment result.
A Markov-based method for detecting IMS network logic anomalies comprises the following:
A) extracting message parameters from the SIP message, the message parameters comprising a message type, a session ID, a user name and a flow type;
B) analysing the message type transition relation according to the Markov state transition chain, and judging the logic anomaly of the IMS network according to the analysis result.
In the above method, the logic anomaly judgment in B) comprises the following steps:
B1) judging whether a state machine already exists for the message whose type was extracted, and either creating a new state machine or executing B2) according to the judgment result;
B2) analysing the transition relation of the extracted message type according to the Markov state transition chain, and either outputting a logic anomaly or executing B3) according to the analysis result;
B3) scanning all state machines, and either deleting state machines or returning to extract the next SIP message.
In the above method, in B1), when a new state machine is created, the currently extracted message parameters, the last message type and the creation time are stored.
In the above method, in B2), the transition relation analysis comprises the following steps:
B21) analysing the transition relation of the message type according to the Markov state transition chain; if the transition relation of the Markov state transition chain is satisfied, executing B22), otherwise judging that the network logic is abnormal and outputting the anomaly;
B22) storing the message type that conforms to the transition relation, and judging whether the message type is at the end of the Markov state transition chain; if so, deleting the current state machine, otherwise executing B3).
In the above method, in B3), all state machines are scanned and the time elapsed between the creation time and the current time is compared with a set time threshold; if the elapsed time is greater than the set time threshold, the current state machine is deleted, otherwise the method returns to A) and extracts the next SIP message.
The invention has the following beneficial effects:
the invention analyses different service flows, establishes the message type transition relation of each service flow on the basis of a Markov chain, then performs service flow logic detection on the SIP message stream and finds the signalling messages that are inconsistent with the message type transitions of the normal service flow, thereby detecting whether a logic anomaly exists in the IMS network, realising security protection of the IMS network, improving the security and reliability of the IMS network, and having important guiding significance for the security of communication networks.
Description of the drawings:
FIG. 1 is a schematic diagram of the detection apparatus in an embodiment;
FIG. 2 is a schematic diagram of the anomaly detection module in an embodiment;
FIG. 3 is a block diagram of the logic anomaly judgment submodule in an embodiment;
FIG. 4 is a first flowchart of the detection method in an embodiment;
FIG. 5 is a flowchart of the logic anomaly judgment in an embodiment;
FIG. 6 is a flowchart of the transition relation analysis in an embodiment;
FIG. 7 is a flowchart of the detection method in embodiment II;
FIG. 8 is a diagram of the state machine in an embodiment;
FIG. 9 is a diagram of the SIP message extraction fields in an embodiment;
FIG. 10 is a diagram of the IMS network Markov state transition chain in an embodiment.
The specific implementation is as follows:
In order to make the objects, technical solutions and advantages of the present invention clearer, the invention is described in further detail below with reference to the accompanying drawings and technical solutions.
A SIP message consists of three parts: a start line, a header and a message body. The start line is the first line of the message and identifies the message type and the SIP identifier; each header field has the format <header field name>: <field value>, as shown in detail in FIG. 9. The message body follows the header at the end of the message and, as designated in the message header, may be empty or may be in SDP format, as shown in FIG. 9. In the IMS network architecture, the session control capability of the SIP protocol is used to support multimedia services. SIP is a text-based application-layer control protocol for creating, modifying and releasing multimedia sessions with one or more participants. In order to ensure the security of a communication session and determine a logic anomaly of an IMS network SIP session in a timely manner, an embodiment of the present invention, shown in FIG. 1, provides a Markov-based IMS network logic anomaly detection apparatus comprising a parameter extraction module and an anomaly detection module, wherein
the parameter extraction module is used for extracting message parameters from the SIP message, the message parameters comprising a message type, a session ID, a user name and a flow type;
and the anomaly detection module is used for analysing the message type transition relation according to the Markov state transition chain and judging the logic anomaly of the IMS network according to the analysis result.
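The parameter extraction module described above corresponds to a small SIP parser. The following Python is an added example and not the patent's own code: it splits a message into start line, header fields and body as the text describes, and returns the four parameters the method uses (message type from the start line, session ID from Call-ID, user name from the user part of the From URI, flow type from the CSeq method). The two raw messages, the header-name mapping and the `SipParams` structure are constructed for this example and are not taken from the page.

```python
"""Extract the four SIP message parameters used by the detection method.

Added example, not the patent's own code. The raw SIP messages at the bottom
are constructed for illustration only.
"""
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# SIP compact header names mapped to their long forms (RFC 3261 section 7.3.3).
COMPACT_HEADERS = {"i": "call-id", "f": "from", "t": "to", "v": "via",
                   "c": "content-type", "l": "content-length"}

# User part of a sip:/sips: URI, e.g. "alice" in <sip:alice@ims.example.net>.
_FROM_USER = re.compile(r"sips?:([^@>;\s]+)@")


@dataclass
class SipParams:
    message_type: str          # request method, or status code of a response
    session_id: str            # Call-ID header value
    user_name: str             # user part of the From URI
    flow_type: str             # method named in the CSeq header
    body_type: Optional[str]   # Content-Type of the body, None when no body


def split_message(raw: str) -> Tuple[str, Dict[str, str], str]:
    """Split a SIP message into its start line, a header dict and the body."""
    head, _sep, body = raw.partition("\r\n\r\n")   # blank line ends the header
    lines = head.split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon:
            raise ValueError(f"malformed header line: {line!r}")
        name = name.strip().lower()
        headers[COMPACT_HEADERS.get(name, name)] = value.strip()
    return lines[0], headers, body


def extract_params(raw: str) -> SipParams:
    """Step A) of the method: message type, session ID, user name, flow type."""
    start_line, headers, body = split_message(raw)
    parts = start_line.split(" ", 2)
    if len(parts) == 3 and parts[0].upper().startswith("SIP/"):
        message_type = parts[1]            # status line: "SIP/2.0 200 OK"
    elif len(parts) == 3 and parts[2].upper().startswith("SIP/"):
        message_type = parts[0].upper()    # request line: "INVITE sip:... SIP/2.0"
    else:
        raise ValueError(f"not a SIP start line: {start_line!r}")
    for required in ("call-id", "from", "cseq"):
        if required not in headers:
            raise ValueError(f"missing mandatory header: {required}")
    user = _FROM_USER.search(headers["from"])
    if user is None:
        raise ValueError(f"no user part in From header: {headers['from']!r}")
    cseq = headers["cseq"].split()         # "314159 INVITE" -> sequence, method
    if len(cseq) != 2:
        raise ValueError(f"malformed CSeq header: {headers['cseq']!r}")
    body_type = headers.get("content-type") if body else None
    return SipParams(message_type, headers["call-id"], user.group(1),
                     cseq[1].upper(), body_type)


# Constructed sample messages (not captured traffic): an INVITE carrying SDP
# and the matching 200 OK written with compact header names.
INVITE_MSG = (
    "INVITE sip:bob@ims.example.net SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776asdhds\r\n"
    "From: \"Alice\" <sip:alice@ims.example.net>;tag=1928301774\r\n"
    "To: <sip:bob@ims.example.net>\r\n"
    "Call-ID: a84b4c76e66710@192.0.2.10\r\n"
    "CSeq: 314159 INVITE\r\n"
    "Content-Type: application/sdp\r\n"
    "Content-Length: 54\r\n"
    "\r\n"
    "v=0\r\n"
    "o=alice 2890844526 2890844526 IN IP4 192.0.2.10\r\n"
)
OK_MSG = (
    "SIP/2.0 200 OK\r\n"
    "v: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776asdhds\r\n"
    "f: \"Alice\" <sip:alice@ims.example.net>;tag=1928301774\r\n"
    "t: <sip:bob@ims.example.net>;tag=a6c85cf\r\n"
    "i: a84b4c76e66710@192.0.2.10\r\n"
    "CSeq: 314159 INVITE\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for raw in (INVITE_MSG, OK_MSG):
        print(extract_params(raw))
```

Compact header names matter in practice: a detector that only recognises `Call-ID:` and `From:` would create a fresh state machine for every response written with `i:` and `f:`, and the transition check would never run for that dialog.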
In analysing the transition relation of the message types using the Markov chain, according to a further embodiment of the invention shown in FIG. 2, the anomaly detection module comprises a state machine query submodule, a logic anomaly judgment submodule and a state machine scanning submodule, wherein
the state machine query submodule is used for checking whether a state machine already exists for the message whose type was extracted, and creating a new state machine if it does not;
the logic anomaly judgment submodule is used for judging whether the extracted message type is a logic anomaly according to the Markov state transition chain;
and the state machine scanning submodule is used for scanning all state machines and, according to the comparison of the scan time against the set threshold, either deleting a state machine or returning to the parameter extraction module to extract the next SIP message.
In the IMS network logic anomaly judgment, referring to FIG. 3, in another embodiment of the invention the logic anomaly judgment submodule comprises a transition relation analysis unit and a transition chain limiting unit, wherein
the transition relation analysis unit is used for analysing the transition relation of the message type according to the Markov state transition chain and judging a network logic anomaly according to the analysis result;
and the transition chain limiting unit is used for storing the message types that conform to the transition relation, judging whether the transition chain has reached the end of the Markov state transition chain, and either deleting the current state machine or triggering the state machine scanning submodule according to the judgment result.
Based on the above detection apparatus, an embodiment of the invention further provides a Markov-based method for detecting a logic anomaly of an IMS network, shown in FIG. 4, comprising the following:
A) extracting message parameters from the SIP message, the message parameters comprising a message type, a session ID, a user name and a flow type;
B) analysing the message type transition relation according to the Markov state transition chain, and judging the logic anomaly of the IMS network according to the analysis result.
In judging the logic anomaly of the IMS network according to the analysis result, referring to FIG. 5, according to a further embodiment of the invention the logic anomaly judgment may be designed to comprise the following:
B1) judging whether a state machine already exists for the message whose type was extracted, and either creating a new state machine or executing B2) according to the judgment result;
B2) analysing the transition relation of the extracted message type according to the Markov state transition chain, and either outputting a logic anomaly or executing B3) according to the analysis result;
B3) scanning all state machines, and either deleting state machines or returning to extract the next SIP message.
When a new state machine is created, the currently extracted message parameters, the last message type and the creation time are stored.
In analysing the transition relation of the extracted message type according to the Markov state transition chain, referring to FIG. 6, according to another embodiment of the invention the transition relation analysis may be designed to comprise the following:
B21) analysing the transition relation of the message type according to the Markov state transition chain; if the transition relation of the Markov state transition chain is satisfied, executing B22), otherwise judging that the network logic is abnormal and outputting the anomaly;
B22) storing the message type that conforms to the transition relation, and judging whether the message type is at the end of the Markov state transition chain; if so, deleting the current state machine, otherwise executing B3).
All state machines are scanned and the time elapsed between the creation time and the current time is compared with a set time threshold; if the elapsed time is greater than the set time threshold, the current state machine is deleted, otherwise the method returns to A) and extracts the next SIP message.
To further verify the effectiveness of the invention, the following explanation uses specific SIP signalling messages, as shown in FIG. 7:
Step (1): process the SIP signalling messages in sequence, extracting the message type, Call-ID, user name and flow type from the start line, the Call-ID header, the From header and the CSeq header respectively (the extraction positions are shown in FIG. 9);
Step (2): query whether a state machine with the Call-ID of this message exists; if none exists, create a state machine and fill in the Call-ID, user name, flow type, last message type and creation time (the contents of the state machine are shown in FIG. 8);
Step (3): if a state machine with the Call-ID of this message exists, query the Markov state transition chain specified for its flow type and check whether the message type of the new message and the last message type stored in the state machine conform to the transition relation (the Markov state transition chains are shown as a, b, c, d, e and f in FIG. 10); if they do not, the message is detected as a logic anomaly;
Step (4): if the transition conforms to the Markov state transition chain, store the new message type as the last message type of the state machine and judge whether the chain is now at the end of the Markov state transition chain; if so, delete the state machine;
Step (5): scan all state machines and delete any state machine whose elapsed time (T_current_time - T_creation_time) > Tmax;
Step (6): return to Step (1) to process the next SIP signalling message.
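The six steps above, together with B1) to B3) and B21) to B22) earlier on the page, describe one procedure. The Python below is an added example (not the patent's code) that runs that procedure end to end over already-extracted message parameters: a state machine table keyed by Call-ID, a transition check against a per-flow-type chain, deletion at the end of the chain, and a Tmax scan after every message. FIG. 10's chains a to f are not reproduced on the page, so the `CHAINS` and `TERMINAL` tables here are a constructed, simplified SIP call-setup and registration chain, and the message trace is constructed as well; the behaviour after an anomaly (the state machine is left unchanged) is a choice of this example, which the page does not specify.

```python
"""Markov-chain transition check over extracted SIP parameters (steps B1-B3).

Added example, not the patent's own code. The transition chains below are a
constructed, simplified substitute for the chains of FIG. 10, which the page
does not reproduce; the message trace is constructed as well.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

MessageParams = Tuple[str, str, str, str]   # (message type, session ID, user, flow type)

# Constructed chains: flow type -> {last message type -> allowed next message types}.
CHAINS: Dict[str, Dict[str, Set[str]]] = {
    "INVITE": {
        "INVITE": {"100", "180", "183", "200", "486"},
        "100": {"180", "183", "200", "486"},
        "183": {"180", "200", "486"},
        "180": {"200", "486"},
        "200": {"ACK"},          # the 200 OK to the INVITE must be acknowledged
        "ACK": {"BYE"},
        "BYE": {"200"},          # the 200 OK to the BYE closes the dialog
        "486": {"ACK"},
    },
    "REGISTER": {
        "REGISTER": {"401", "200"},
        "401": {"REGISTER"},     # re-register with credentials after a challenge
    },
}
# (last type, new type) edges that reach the end of a chain: after one of these
# the state machine is deleted (step B22 / Step (4)).
TERMINAL: Dict[str, Set[Tuple[str, str]]] = {
    "INVITE": {("BYE", "200"), ("486", "ACK")},
    "REGISTER": {("REGISTER", "200")},
}


@dataclass
class StateMachine:            # the fields FIG. 8 stores per session
    call_id: str
    user_name: str
    flow_type: str             # fixed at creation; later messages use this chain
    last_type: str
    created_at: float


class LogicAnomalyDetector:
    def __init__(self, tmax: float, chains=CHAINS, terminal=TERMINAL) -> None:
        self.tmax = tmax
        self.chains = chains
        self.terminal = terminal
        self.machines: Dict[str, StateMachine] = {}

    def process(self, msg: MessageParams, now: float) -> Optional[str]:
        """Steps B1, B21 and B22 for one message; returns an anomaly report or None."""
        mtype, call_id, user, flow = msg
        sm = self.machines.get(call_id)
        if sm is None:                                   # B1: no machine for this Call-ID yet
            self.machines[call_id] = StateMachine(call_id, user, flow, mtype, now)
            return None
        allowed = self.chains.get(sm.flow_type, {}).get(sm.last_type, set())
        if mtype not in allowed:                         # B21: edge not in the chain
            return (f"logic anomaly: {sm.last_type} -> {mtype} not allowed in "
                    f"{sm.flow_type} flow (Call-ID {call_id}, user {sm.user_name})")
        edge = (sm.last_type, mtype)
        sm.last_type = mtype                             # B22: store the conforming type
        if edge in self.terminal.get(sm.flow_type, set()):
            del self.machines[call_id]                   # end of chain reached
        return None

    def scan(self, now: float) -> List[str]:
        """Step B3 / Step (5): delete machines older than tmax, return their Call-IDs."""
        expired = [cid for cid, sm in self.machines.items()
                   if now - sm.created_at > self.tmax]
        for cid in expired:
            del self.machines[cid]
        return expired


def run(trace: List[Tuple[float, MessageParams]], tmax: float, final_scan_at: float) -> dict:
    """Feed (timestamp, params) pairs through the detector, scanning after each message."""
    det = LogicAnomalyDetector(tmax)
    anomalies: List[str] = []
    expired: List[str] = []
    for ts, params in trace:
        report = det.process(params, ts)
        if report:
            anomalies.append(report)
        expired.extend(det.scan(ts))
    expired.extend(det.scan(final_scan_at))
    return {"anomalies": anomalies, "expired": expired, "open": sorted(det.machines)}


# Constructed trace (timestamps in seconds): a normal call (call-1), a call torn
# down before it was ever answered (call-2), a normal registration (reg-1), and a
# call that simply stops after the INVITE (call-3). The flow-type field carries the
# CSeq method of each message; only the first message's value is stored.
TRACE: List[Tuple[float, MessageParams]] = [
    (0.0, ("INVITE", "call-1", "alice", "INVITE")),
    (0.1, ("100", "call-1", "alice", "INVITE")),
    (0.5, ("180", "call-1", "alice", "INVITE")),
    (2.0, ("200", "call-1", "alice", "INVITE")),
    (2.1, ("ACK", "call-1", "alice", "ACK")),
    (30.0, ("BYE", "call-1", "alice", "BYE")),
    (30.1, ("200", "call-1", "alice", "BYE")),
    (31.0, ("INVITE", "call-2", "bob", "INVITE")),
    (31.5, ("BYE", "call-2", "bob", "BYE")),
    (32.0, ("REGISTER", "reg-1", "carol", "REGISTER")),
    (32.2, ("401", "reg-1", "carol", "REGISTER")),
    (32.4, ("REGISTER", "reg-1", "carol", "REGISTER")),
    (32.6, ("200", "reg-1", "carol", "REGISTER")),
    (100.0, ("INVITE", "call-3", "dave", "INVITE")),
]

if __name__ == "__main__":
    print(run(TRACE, tmax=60.0, final_scan_at=200.0))
```

Two points a deployment needs to settle that the procedure leaves open: what to do with the state machine after an anomaly is reported (here it is kept as-is, so a later conforming message can still continue the chain), and that a stalled dialog such as call-3 is only reclaimed by the Tmax scan, so the threshold bounds both memory use and how long a half-open session can linger in the table.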
In the IMS network system architecture, according to the Markov state transition chains of the different flow types, the message type of a new message is matched against the last message type stored in the state machine and it is judged whether the new message conforms to the Markov transition relation, so that the presence of a logic anomaly in the IMS network is detected; this realises security protection of the IMS network, improves the security and reliability of the IMS network, effectively guarantees the security and reliability of the communication network, and is of great significance for the secure development of communication networks.
The embodiments in the present description are described in a progressive manner, each embodiment focuses on differences from other embodiments, and the same and similar parts among the embodiments are referred to each other. The device disclosed by the embodiment corresponds to the method disclosed by the embodiment, so that the description is simple, and the relevant points can be referred to the method part for description.
The elements of the various examples and method steps described in connection with the embodiments disclosed herein may be embodied in electronic hardware, computer software, or combinations of both, and the components and steps of the examples have been described in a functional generic sense in the foregoing description for clarity of hardware and software interchangeability. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the solution. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present invention.
Those skilled in the art will appreciate that all or part of the steps of the above methods may be implemented by instructing the relevant hardware through a program, which may be stored in a computer-readable storage medium, such as: read-only memory, magnetic or optical disk, and the like. Alternatively, all or part of the steps of the foregoing embodiments may also be implemented by using one or more integrated circuits, and accordingly, each module/unit in the foregoing embodiments may be implemented in the form of hardware, and may also be implemented in the form of a software functional module. The present invention is not limited to any specific form of combination of hardware and software.
The previous description of the disclosed embodiments is provided to enable any person skilled in the art to make or use the present application. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the application. Thus, the present application is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (4)

1. A Markov-based IMS network logic anomaly detection apparatus, comprising a parameter extraction module and an anomaly detection module, wherein
the parameter extraction module is used for extracting message parameters from the SIP message, the message parameters comprising a message type, a session ID, a user name and a flow type;
the anomaly detection module is used for analysing the message type transition relation according to the Markov state transition chain and judging the logic anomaly of the IMS network according to the analysis result;
the anomaly detection module comprises a state machine query submodule, a logic anomaly judgment submodule and a state machine scanning submodule, wherein
the state machine query submodule is used for checking whether a state machine already exists for the message whose type was extracted, and creating a new state machine if it does not;
the logic anomaly judgment submodule is used for judging whether the extracted message type is a logic anomaly according to the Markov state transition chain;
the state machine scanning submodule is used for scanning all state machines and, according to the comparison of the scan time against the set threshold, either deleting a state machine or returning to the parameter extraction module to extract the next SIP message;
the logic anomaly judgment submodule comprises a transition relation analysis unit and a transition chain limiting unit, wherein
the transition relation analysis unit is used for analysing the transition relation of the message type according to the Markov state transition chain and judging a network logic anomaly according to the analysis result;
and the transition chain limiting unit is used for storing the message types that conform to the transition relation, judging whether the transition chain has reached the end of the Markov state transition chain, and either deleting the current state machine or triggering the state machine scanning submodule according to the judgment result.
2. A Markov-based method for detecting IMS network logic anomalies, characterised by comprising the following:
A) extracting message parameters from the SIP message, the message parameters comprising a message type, a session ID, a user name and a flow type;
B) analysing the message type transition relation according to the Markov state transition chain, and judging the logic anomaly of the IMS network according to the analysis result;
wherein the logic anomaly judgment in B) comprises the following:
B1) judging whether a state machine already exists for the message whose type was extracted, and either creating a new state machine or executing B2) according to the judgment result;
B2) analysing the transition relation of the extracted message type according to the Markov state transition chain, and either outputting a logic anomaly or executing B3) according to the analysis result;
B3) scanning all state machines, and either deleting state machines or returning to extract the next SIP message;
and wherein the transition relation analysis in B2) comprises the following:
B21) analysing the transition relation of the message type according to the Markov state transition chain; if the transition relation of the Markov state transition chain is satisfied, executing B22), otherwise judging that the network logic is abnormal and outputting the anomaly;
B22) storing the message type that conforms to the transition relation, and judging whether the message type is at the end of the Markov state transition chain; if so, deleting the current state machine, otherwise executing B3).
3. The Markov-based method for detecting IMS network logic anomalies according to claim 2, characterised in that in B1), when a new state machine is created, the currently extracted message parameters, the last message type and the creation time are stored.
4. The Markov-based method for detecting IMS network logic anomalies according to claim 2, characterised in that B3) scans all state machines, compares the time elapsed between the creation time and the current time with a set time threshold, deletes the current state machine if the elapsed time is greater than the set time threshold, and otherwise returns to A) and extracts the next SIP message.
CN201811086791.9A 2018-09-18 2018-09-18 IMS network logic abnormity detection device and method based on Markov Active CN109257351B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201811086791.9A CN109257351B (en) 2018-09-18 2018-09-18 IMS network logic abnormity detection device and method based on Markov

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201811086791.9A CN109257351B (en) 2018-09-18 2018-09-18 IMS network logic abnormity detection device and method based on Markov

Publications (2)

Publication Number Publication Date
CN109257351A CN109257351A (en) 2019-01-22
CN109257351B true CN109257351B (en) 2021-04-02

Family

ID=65046976

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201811086791.9A Active CN109257351B (en) 2018-09-18 2018-09-18 IMS network logic abnormity detection device and method based on Markov

Country Status (1)

Country Link
CN (1) CN109257351B (en)

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101924660B (en) * 2009-06-09 2014-07-02 阿尔卡特朗讯公司 Method and device for detecting network malicious behaviors
KR101095878B1 (en) * 2009-10-21 2011-12-21 한신대학교 산학협력단 SIP DoS Attack Detection and Prevention System and Method using Hidden Markov Model
CN103501512B (en) * 2013-10-22 2016-10-05 中国人民解放军理工大学 Cluster-based survivable routing method and survivability evaluation model for WSNs

Also Published As

Publication number Publication date
CN109257351A (en) 2019-01-22

Similar Documents

Publication Publication Date Title
CN101505276B (en) Network application flow recognition method and apparatus and network application flow management apparatus
US7835352B2 (en) Method, system and equipment for processing SIP requests in IMS network
Antunes et al. Reverse engineering of protocols from network traces
EP1879337A1 (en) A method for processing the register message in the ims network according to the initial filtering rules
CN114050926A (en) Data message depth detection method and device
CN109067782B (en) IMS network session abnormal interruption attack detection device and method
CN112887274A (en) Method and device for detecting command injection attack, computer equipment and storage medium
CN101247281A (en) Protocol packet detecting method, system and equipment
CN111586058A (en) Mixed protocol agent system and method for operation and maintenance audit system
US7889760B2 (en) Systems and methods for sending binary, file contents, and other information, across SIP info and text communication channels
WO2010139237A1 (en) Method and device for deep packet inspection
CN109257351B (en) IMS network logic abnormity detection device and method based on Markov
CN109040126B (en) Detection device and method for SIP flooding attack of IMS network
KR101287588B1 (en) Security System of the SIP base VoIP service
Li et al. A rules-based intrusion detection and prevention framework against SIP malformed messages attacks
CN1578234A (en) Detecting method for Link routine state
Li et al. An efficient intrusion detection and prevention system against SIP malformed messages attacks
CN109040127B (en) Detection device and method for Diameter flooding attack
CN110300092B (en) Packet identification method and packet identification device
CN109246144A (en) HSS unauthorized access detection device and method in IMS network
CN109194668B (en) Device and method for preventing SIP session of IMS network from being falsified
CN110266902B (en) VoIP signaling and media data association system and method
TWI760887B (en) Method and server for abnormal status detection of voice signaling
CN112887280A (en) Network protocol metadata extraction system and method based on automaton
CN1988447B (en) Method and device for treating communication network service

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant