CN109428870A - Network attack processing method based on Internet of Things, apparatus and system - Google Patents


Info

Publication number
CN109428870A
Authority
CN (China)
Prior art keywords
terminal equipment, attack, entity, mark (identifier), service server
Legal status
Granted; active
Application number
CN201710769846.5A
Other languages
Chinese (zh)
Other versions
CN109428870B (en)
Inventor
朱春晖
Current assignee
Alibaba Group Holding Ltd
Original assignee
Alibaba Group Holding Ltd
Application history
Application filed by Alibaba Group Holding Ltd with priority to CN201710769846.5A; published as CN109428870A; granted and published as CN109428870B.


Classifications

    • H04L63/1416 Event detection, e.g. attack signature detection (H Electricity > H04 Electric communication technique > H04L Transmission of digital information, e.g. telegraphic communication > H04L63/00 Network architectures or network communication protocols for network security > H04L63/14 Detecting or protecting against malicious traffic > H04L63/1408 By monitoring network traffic)
    • H04W12/12 Detection or prevention of fraud (H Electricity > H04 Electric communication technique > H04W Wireless communication networks > H04W12/00 Security arrangements; authentication; protecting privacy or anonymity)
    • H04L63/0227 Filtering policies (H Electricity > H04 Electric communication technique > H04L Transmission of digital information, e.g. telegraphic communication > H04L63/00 Network architectures or network communication protocols for network security > H04L63/02 Separating internal from external traffic, e.g. firewalls)

Landscapes

  • Engineering & Computer Science
  • Computer Security & Cryptography
  • Computer Networks & Wireless Communication
  • Signal Processing
  • Computer Hardware Design
  • Computing Systems
  • General Engineering & Computer Science
  • Data Exchanges In Wide-Area Networks
  • Mobile Radio Communication Systems

Abstract

Embodiments of the present application provide a network attack processing method, apparatus and system based on the Internet of Things. While a terminal device exchanges data with a service server through the user-plane entity of a core network, the service server judges whether the terminal device has attack behavior. When it determines that the terminal device does, it notifies the user-plane entity to filter the data packets from that terminal device, so that the attack is intercepted inside the core network, the impact of the network attack on the service server is reduced, and the reliability and security of the service server are improved.

Description

Network attack processing method based on Internet of Things, apparatus and system
Technical field
This application relates to the field of communication technology, and in particular to a network attack processing method, apparatus and system based on the Internet of Things.
Background technique
Communication technology continues to develop. Its evolution not only brings greater bandwidth and more stable wireless network communication, but also provides a solid basis for delivering richer service applications over the communication network as a carrier, driving mobile services and Internet services to interpenetrate and merge.
A terminal device connects to a service server through a communication network and can obtain the services the server provides by communicating with it. Users can thus conveniently obtain all kinds of services anytime and anywhere, such as entertainment and leisure, tools and media, and business and finance, meeting their service demands.
In some application scenarios, the number of terminal devices accessing a service server through the communication network may be large. When a large number of terminal devices are controlled by illegal parties (such as hackers) or infected by viruses and launch attacks on the service server, the service server is seriously affected and may even be paralyzed.
Summary of the invention
Embodiments of the present application provide a network attack processing method, apparatus and system based on the Internet of Things, to reduce the impact of network attacks on a service server and improve its reliability and security.
Embodiments of the present application provide a network attack processing method based on the Internet of Things, comprising:
receiving a data packet from a first terminal device, sent by a user-plane entity in a core network;
determining, based on the data packet, that the first terminal device has attack behavior;
notifying the user-plane entity to filter data packets from the first terminal device.
Embodiments of the present application also provide a network attack processing method based on the Internet of Things, applied to a user-plane entity in a core network, the method comprising:
receiving a data packet sent by a first terminal device to a service server, the data packet carrying an identifier of the first terminal device;
determining, according to the identifier of the first terminal device and the identifiers of the currently valid terminal devices with attack behavior, that the first terminal device has attack behavior;
filtering data packets from the first terminal device instead of sending them to the service server.
Embodiments of the present application also provide a network attack processing method based on the Internet of Things, applied to a signaling-plane entity in a core network, the method comprising:
receiving a notification message from a service server, the notification message including the identifier of a first terminal device that has attack behavior towards the service server;
forwarding the notification message to a user-plane entity in the core network, to instruct the user-plane entity to filter data packets from the first terminal device.
Embodiments of the present application also provide a service server, comprising a communication component, a memory and a processor;
the communication component is configured to receive a data packet from a first terminal device, sent by a user-plane entity in a core network;
the memory is configured to store a program;
the processor is coupled to the memory and configured to execute the program in order to:
determine, based on the data packet, that the first terminal device has attack behavior;
notify the user-plane entity to filter data packets from the first terminal device.
Embodiments of the present application also provide a user-plane entity, comprising a communication component, a memory and a processor;
the communication component is configured to receive a data packet sent by a first terminal device to a service server, the data packet carrying an identifier of the first terminal device;
the memory is configured to store a program;
the processor is coupled to the memory and configured to execute the program in order to:
determine, according to the identifier of the first terminal device and the identifiers of the currently valid terminal devices with attack behavior, that the first terminal device has attack behavior;
filter data packets from the first terminal device.
Embodiments of the present application also provide a signaling-plane entity, comprising a communication component, a memory and a processor;
the communication component is configured to receive a notification message from a service server, the notification message including the identifier of a first terminal device that has attack behavior towards the service server;
the memory is configured to store a program;
the processor is coupled to the memory and configured to execute the program in order to:
control the communication component to forward the notification message to a user-plane entity in the core network, so as to instruct the user-plane entity to filter data packets from the first terminal device;
the communication component is further configured to forward the notification message to the user-plane entity under the control of the processor.
Embodiments of the present application also provide a service system based on the Internet of Things, comprising the service server, the user-plane entity and the signaling-plane entity provided by the above embodiments; the service server is located in the Internet of Things, and the user-plane entity and the signaling-plane entity are located in the core network.
In the embodiments of the present application, while a terminal device exchanges data with the service server through the user-plane entity in the core network, the service server judges whether the terminal device has attack behavior; when it determines that the terminal device does, it notifies the user-plane entity to filter the data packets from that terminal device. The attack is thus intercepted, the impact of the network attack on the service server is reduced, and the reliability and security of the service server are improved.
Brief description of the drawings
The drawings described here are provided to give a further understanding of the present application and form part of it. The exemplary embodiments of the application and their descriptions are used to explain the application and do not constitute an undue limitation on it. In the drawings:
Fig. 1 is a structural schematic diagram of a service system based on a core network provided by an exemplary embodiment of the application;
Fig. 2a is a structural schematic diagram of one exemplary service system based on the Internet of Things provided by an exemplary embodiment of the application;
Fig. 2b is a flow diagram of the exemplary service system shown in Fig. 2a handling a network attack;
Fig. 3a is a structural schematic diagram of another exemplary service system based on the Internet of Things provided by an exemplary embodiment of the application;
Fig. 3b is a flow diagram of the exemplary service system shown in Fig. 3a handling a network attack;
Fig. 4a is a structural schematic diagram of yet another exemplary service system based on the Internet of Things provided by an exemplary embodiment of the application;
Fig. 4b is a flow diagram of the exemplary service system shown in Fig. 4a handling a network attack;
Fig. 5 is a flow diagram of the network attack processing method described from the service server side, provided by an exemplary embodiment of the application;
Fig. 6 is a flow diagram of the network attack processing method described from the perspective of the user-plane entity, provided by an exemplary embodiment of the application;
Fig. 7 is a flow diagram of the network attack processing method described from the perspective of the signaling-plane entity, provided by an exemplary embodiment of the application;
Fig. 8a is a structural schematic diagram of a network attack processing apparatus provided by an exemplary embodiment of the application;
Fig. 8b is a structural schematic diagram of a service server provided by an exemplary embodiment of the application;
Fig. 9a is a structural schematic diagram of another network attack processing apparatus provided by an exemplary embodiment of the application;
Fig. 9b is a structural schematic diagram of a user-plane entity provided by an exemplary embodiment of the application;
Fig. 10a is a structural schematic diagram of yet another network attack processing apparatus provided by an exemplary embodiment of the application;
Fig. 10b is a structural schematic diagram of a signaling-plane entity provided by an exemplary embodiment of the application.
Specific embodiments
To make the objectives, technical solutions and advantages of the present application clearer, the technical solutions of the application are described clearly and completely below with reference to specific embodiments and the corresponding drawings. Obviously, the described embodiments are only some of the embodiments of the application, not all of them. All other embodiments obtained by those of ordinary skill in the art from the embodiments in the application without creative effort fall within the protection scope of the application.
In application scenarios where a service server is merged with a communication core network, in order to reduce the impact of network attacks on the service server and improve its reliability and security, the embodiments of the present application provide a solution whose principle is as follows: while a terminal device exchanges data with the service server through the user-plane entity in the core network, the service server judges whether the terminal device has attack behavior; when it judges that the terminal device does, it notifies the user-plane entity to filter the data packets from that terminal device. The attack is thus intercepted, which reduces the impact of the network attack on the service server and improves its reliability and security.
In the embodiments of the application, the terminal device may be any device capable of accessing the communication core network, such as a mobile phone, laptop, tablet computer, POS machine or in-vehicle computer.
In the embodiments of the application, the service server mainly refers to a server in the Internet of Things (IoT). Such a server is mainly responsible for managing articles connected to the Internet; it interacts with information sensing devices such as two-dimensional code readers, radio frequency identification devices, infrared sensors, global positioning systems and/or laser scanners, providing these devices with information about the relevant articles, so as to realize functions such as intelligent identification, positioning, tracking, monitoring and management.
The embodiments of the application do not limit the implementation architecture of the core network. For example, the core network may use a 4G core network architecture or a 5G core network architecture, or even other core network architectures that may appear in the future.
In the following embodiments of the application, the technical solutions provided by the various embodiments are described in detail with reference to the drawings.
Fig. 1 is a structural schematic diagram of a service system based on the Internet of Things provided by an exemplary embodiment of the application. As shown in Fig. 1, the service system includes a core network 101 and an Internet of Things 102.
Within the core network 101, the network elements are broadly classified, by the type of data they mainly handle, into user-plane entities and signaling-plane entities. A user-plane entity is mainly responsible for handling service data, such as carrying audio data or packet service data. A signaling-plane entity is mainly responsible for handling signaling data, such as controlling the establishment, maintenance and release of call flows. The signaling-plane entity is connected to the user-plane entity.
The Internet of Things 102 mainly includes the service server. Optionally, in addition to the service server, the Internet of Things 102 may also include other auxiliary equipment, such as databases, storage devices and routers.
As shown in Fig. 1, the service server is connected to the user-plane entity and to the signaling-plane entity respectively, merging the Internet of Things 102 with the core network 101. This merger makes it easier for the core network 101 to serve as a carrier that provides richer service applications to users.
A terminal device can access the core network 101, establish a service connection with the service server, and then exchange data with the service server through the user-plane entity in the core network 101 in order to use the services the service server provides. For example, the terminal device sends a data packet destined for the service server to the user-plane entity; the user-plane entity receives it and forwards it to the service server. Correspondingly, the service server sends a data packet to be returned to the terminal device to the user-plane entity; the user-plane entity receives it and forwards it to the terminal device.
The packet header of such a data packet may carry the identifier of the originating device and the identifier of the receiving device. Taking a data packet sent by the terminal device to the service server as an example, its header carries the identifier of the terminal device and the identifier of the service server. The identifier of the terminal device may be its IP address, its IP address and port number, its mobile network number (such as its phone number), or a combination of IP address, port number and mobile network number. The identifier of the service server may be its IP address, its name, its service network number, or a combination of IP address, name and service network number.
While a terminal device exchanges data with the service server through the user-plane entity in the core network 101, the terminal device may be controlled by an illegal party (such as a hacker) or infected by a virus and then launch an attack on the service server. When a large number of terminal devices are controlled or infected in this way and attack the service server, they seriously affect the service server and may even paralyze it.
In this embodiment, the service server first has an attack detection function: after receiving a data packet from a terminal device sent by the user-plane entity, it judges, based on that data packet, whether the terminal device that sent it has attack behavior. For ease of description and distinction, the terminal device that sends the data packet is called the first terminal device; it may be any terminal device exchanging data with the service server.
When it judges that the first terminal device has no attack behavior, the service server can continue to exchange data with the first terminal device through the user-plane entity.
When it judges that the first terminal device has attack behavior, the more conventional approach is for the service server to drop packets from the first terminal device. However, when the first terminal device sends many packets, or many terminal devices attack at the same time, dropping packets consumes a large amount of the service server's hardware and software resources: the server must, for example, parse each packet header and decide from the originating device identifier in the header whether to drop the packet. This affects the normal services of the service server and may even paralyze it.
Therefore, in this embodiment, when the service server judges that the first terminal device has attack behavior, it can notify the user-plane entity to filter data packets from the first terminal device. This is equivalent to intercepting the attack at the user-plane entity: once the user-plane entity filters the attacking packets, fewer of them, or none at all, reach the service server, which reduces the impact of the network attack on the service server and helps improve its reliability and security.
Optionally, in addition to notifying the user-plane entity to filter packets from the first terminal device, the service server can also drop packets itself, i.e. discard any packet it recognizes as coming from a first terminal device with attack behavior.
The service server can notify the user-plane entity in various ways. Two optional embodiments are given below:
In one optional embodiment, the service server sends a notification message directly to the user-plane entity. The notification message instructs the user-plane entity to filter data packets from the first terminal device, so that fewer attacking packets, or none at all, are sent to the service server.
In another optional embodiment, the service server sends the notification message to the signaling-plane entity of the core network 101, and the signaling-plane entity forwards it to the user-plane entity. On receiving the notification message from the service server, the signaling-plane entity uses the identifier of the first terminal device carried in the message to determine which user-plane entity serves the first terminal device, and forwards the notification message to that user-plane entity. The notification message instructs the user-plane entity to filter data packets from the first terminal device with attack behavior.
The user-plane entity receives the notification message from the service server as forwarded by the signaling-plane entity and learns from it the identifier of the first terminal device with attack behavior. Afterwards, whenever the user-plane entity receives a data packet sent by the first terminal device to the service server, it judges whether the first terminal device has attack behavior according to the identifier of the first terminal device carried in the data packet and the identifiers of the currently valid terminal devices with attack behavior.
If the identifiers of the currently valid terminal devices with attack behavior include the identifier of the first terminal device, the user-plane entity determines that the first terminal device has attack behavior and filters the data packets from it.
If the identifiers of the currently valid terminal devices with attack behavior do not include the identifier of the first terminal device, the user-plane entity determines that the first terminal device has no attack behavior and sends its data packets on to the service server.
Optionally, the user-plane entity can filter the data packets from the first terminal device in various ways. Several are listed below:
Mode 1): the user-plane entity discards the data packets from the first terminal device, i.e. the common packet-dropping approach.
Mode 2): the user-plane entity disconnects the user-plane connection with the first terminal device, i.e. kicks the first terminal device offline.
Mode 3): the user-plane entity selectively sends data packets from the first terminal device to the service server.
For example, according to a maximum sending amount per unit of time, it can select only some of the data packets from the first terminal device and send them to the service server.
As another example, according to packet size, it can select only the data packets whose size falls within a set range and send them to the service server, filtering out packets that are too large or too small.
Whichever mode is used, the number of attacking data packets received by the service server is reduced, or such packets are no longer received at all. This reduces the hardware and software resources spent on processing attacking packets and helps improve the security and reliability of the service server.
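The notification path and the three filtering modes above, written as a small Python simulation. This is an added example and not code from the patent or its assignee: the notification message layout, the identifier format ("IP:port" strings), the expiry that models "currently valid", the rate window and the size range are all assumptions, since the text fixes none of them. The signaling-plane forwarding step (the second optional embodiment) is included so the whole path from notification to filtered packet can be traced.

```python
# Added example (not from the patent): a toy user-plane entity that applies the
# service server's notification and filters packets from flagged terminals in
# the three modes listed in the text. Message layout, identifier format, TTL,
# rate window and size range are assumptions made for this example.
import time
from collections import defaultdict, deque
from dataclasses import dataclass, field


@dataclass
class Packet:
    src_id: str   # terminal identifier carried in the header, e.g. "10.0.0.5:40000"
    dst_id: str   # service server identifier, e.g. "iot-server-1"
    size: int     # payload size in bytes


@dataclass
class UserPlaneEntity:
    """Stands in for the GW of Fig. 2a. Packets from terminals that are not on
    the attacker list are forwarded; packets from listed terminals are handled
    according to `mode`."""
    mode: str = "drop"                  # "drop" | "disconnect" | "rate" | "size"
    max_per_window: int = 5             # mode "rate": packets allowed per window
    window_s: float = 60.0              # mode "rate": window length in seconds
    size_range: tuple = (64, 1500)      # mode "size": byte range allowed through
    ttl_s: float = 600.0                # assumed: how long a notification stays "currently valid"
    attackers: dict = field(default_factory=dict)   # terminal id -> expiry time
    sessions: set = field(default_factory=set)      # terminals with a user-plane connection
    recent: dict = field(default_factory=lambda: defaultdict(deque))  # mode "rate" bookkeeping

    def notify(self, terminal_id: str, now: float) -> None:
        """Apply the notification message: record the identifier as a currently
        valid terminal with attack behavior."""
        self.attackers[terminal_id] = now + self.ttl_s

    def is_attacker(self, terminal_id: str, now: float) -> bool:
        expiry = self.attackers.get(terminal_id)
        if expiry is None:
            return False
        if expiry <= now:                # entry aged out: no longer currently valid
            del self.attackers[terminal_id]
            return False
        return True

    def handle(self, pkt: Packet, now: float) -> bool:
        """Return True if the packet is forwarded to the service server."""
        if not self.is_attacker(pkt.src_id, now):
            return True
        if self.mode == "drop":          # mode 1: discard
            return False
        if self.mode == "disconnect":    # mode 2: tear down the user-plane connection
            self.sessions.discard(pkt.src_id)
            return False
        if self.mode == "rate":          # mode 3a: at most max_per_window packets per window
            q = self.recent[pkt.src_id]
            while q and q[0] <= now - self.window_s:
                q.popleft()
            if len(q) >= self.max_per_window:
                return False
            q.append(now)
            return True
        if self.mode == "size":          # mode 3b: only packets inside the size range
            lo, hi = self.size_range
            return lo <= pkt.size <= hi
        raise ValueError(f"unknown filter mode {self.mode!r}")


class SignalingPlaneEntity:
    """Stands in for the PCRF entity: forwards the server's notification to the
    user-plane entity that serves the named terminal."""

    def __init__(self, serving: dict):
        self.serving = serving           # terminal id -> UserPlaneEntity serving it

    def forward(self, notification: dict, now: float) -> bool:
        upe = self.serving.get(notification["terminal_id"])
        if upe is None:                  # assumed: unknown terminal, nothing to forward to
            return False
        upe.notify(notification["terminal_id"], now)
        return True


def demo() -> dict:
    """Run the same packets through each mode; return how many were forwarded."""
    now = time.time()
    results = {}
    for mode in ("drop", "disconnect", "rate", "size"):
        upe = UserPlaneEntity(mode=mode, max_per_window=2)
        upe.sessions.add("10.0.0.5:40000")
        spe = SignalingPlaneEntity({"10.0.0.5:40000": upe})
        # the service server's notification, sent via the signaling-plane entity
        spe.forward({"type": "FILTER_TERMINAL", "terminal_id": "10.0.0.5:40000"}, now)
        pkts = [Packet("10.0.0.5:40000", "iot-server-1", s) for s in (20, 500, 500, 9000)]
        pkts.append(Packet("10.0.0.6:40001", "iot-server-1", 500))   # unflagged terminal
        results[mode] = sum(upe.handle(p, now + i) for i, p in enumerate(pkts))
    return results
```

`demo()` forwards only the unflagged terminal's packet in the drop and disconnect modes, and three packets in each of the selective modes (two under the rate cap, two inside the size range). The `ttl_s` expiry is not in the text; it is one way to give "currently valid" a concrete meaning so that the list on the gateway does not grow without bound.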
The user-plane entity and the signaling-plane entity differ depending on the implementation architecture of the core network. In the following embodiments of the application, several core network architectures under the 4G Long Term Evolution (LTE) standard are taken as examples to illustrate the network attack processing method in combination with the implementations of the user-plane entity and the signaling-plane entity.
Fig. 2a is a structural schematic diagram of one exemplary service system based on the Internet of Things provided by an exemplary embodiment of the application. As shown in Fig. 2a, the service system includes a core network 201 and an Internet of Things 202.
The core network 201 mainly includes: an evolved NodeB (eNodeB, eNB), a gateway (GW), a Mobility Management Entity (MME), a Home Subscriber Server (HSS) and a Policy and Charging Rules Function (PCRF) entity.
The eNB connects to the MME through the S1-MME interface and to the GW through the S1-U interface. The MME connects to the GW through the S11 interface and to the HSS through the S6a interface. The GW connects to the PCRF entity through the Gx interface.
The eNB is the main radio-resource control device of the next-generation radio access network; it provides higher uplink and downlink rates, lower transmission delay and more reliable radio transmission. The main functions of the MME include participating in authentication and authorization of the UE, managing the location of the UE, and establishing the UE's user-plane data connection to the GW.
The GW can be divided into a Serving Gateway (S-GW) and a Packet Data Network Gateway (P-GW). The S-GW is the mobility anchor between Evolved Universal Terrestrial Radio Access Networks (E-UTRAN). The P-GW is the border gateway between the core network 201 and the Internet of Things 202; it is responsible for access to the Internet of Things 202 and for forwarding data between the core network 201 and the Internet of Things 202. For ease of illustration, only the GW is shown in Fig. 2a.
The HSS stores user subscription information and profiles and performs user authentication and authorization. The PCRF entity is the policy and charging control decision point for service data flows and IP bearer resources; it provides policy and charging control decisions to the GW. The PCRF entity is connected to the service server and is the signaling-plane node through which the service server accesses the core network 201.
The Internet of Things 202 mainly includes the service server. Optionally, in addition to the service server, the Internet of Things 202 may also include other auxiliary equipment, such as databases, storage devices and routers.
In the exemplary service system shown in Fig. 2a, the service server cooperates with the GW and the PCRF entity to handle network attacks. The GW serves as the user-plane entity in the network attack processing flow, and the PCRF entity serves as the signaling-plane entity.
With reference to the interaction flow shown in Fig. 2b, the process by which the GW, the PCRF entity and the service server of the exemplary service system in Fig. 2a cooperate to handle a network attack is described in detail below. For ease of distinction and description, the process is illustrated with a first terminal device, of which there may be one or several.
Referring to step 20, first terminal equipment passes through eNB, MME, HSS, GW and PCRF entity core network access 201.
Step 20 mainly includes following operation: first terminal equipment and eNB establish (Radio Resource Control, RRC it) connects;ENB establishes S1 with MME and connect;MME initiates authentication request to HSS;HSS returns to Authentication Response to MME;MME is to GW The connection of user face is established in request, and GW selects PCRF entity, and establishes the management connecting to the user face with the PCRF entity of selection Association, management association are mainly used for controlling the QoS and/or charging policy of user face connection;When GW receives PCRF entity After the QoS and/or charging policy that are determined for first terminal equipment, connection is replied to MME and is successfully established message, MME is whole to first End equipment returns to connection and is successfully established message, and so far the user face connection between first terminal equipment and GW, which is established, completes, and also anticipates Taste first terminal equipment be successfully accessed core net 201.
With continued reference to step 21 and 22, after first terminal equipment is successfully accessed core net 201, first terminal equipment will The data packet for being sent to service server is sent to GW;The data packet that first terminal equipment is sent to service server is forwarded to industry by GW Business server.
Steps 21 and 22 mainly describe the basic interaction between the first terminal device and the service server. This interaction may vary with the implementation of the service server and with the service it provides.
In an exemplary embodiment, the interaction between the first terminal device and the service server may include an access authentication procedure and a service interaction procedure. The first terminal device may send an authentication request to the service server, carrying in it the identity information of the first terminal device in the core network 201 (for example, the mobile network code, the IP address and the port number) together with the other information required for authentication, such as a random number computed from a key, or a password; the service server performs access authentication of the first terminal device based on this information. After passing authentication, the first terminal device may initiate a service request to the service server and thereby enter the service interaction procedure. While authenticating the first terminal device, or after the first terminal device has passed authentication, the service server may determine, from the identifier of the first terminal device, the PCRF entity that provides the QoS and/or charging policy for the first terminal device and, in accordance with the agreement between the operator and the provider of the service server, establish a signaling-plane connection with that PCRF entity, so that the service server can manage the user-plane connection between the first terminal device and the GW.
In the above exemplary embodiment, the data packets sent by the first terminal device to the service server may include the authentication request by which the first terminal device asks the service server to perform access authentication, the service request initiated to the service server after authentication has passed, and the related data sent to the service server at its request during the service interaction.
During the interaction between the first terminal device and the service server, the first terminal device may be illegitimately taken over, so that instead of initiating service requests according to the behaviour rules of a legitimate device it launches an attack against the service server. Therefore, during this interaction, the service server detects whether the first terminal device exhibits attack behaviour, taking the data packets sent by the first terminal device as the basis (see step 23).
Optionally, regardless of the method the service server uses to detect whether a terminal device exhibits attack behaviour, whenever it detects such a device it may record the identifier of the detected terminal device and mark it as a currently valid identifier of an attacking terminal device, which makes it convenient to subsequently detect whether other terminal devices exhibit attack behaviour. On this basis, in one exemplary embodiment of step 23, the service server may parse the identifier of the first terminal device out of the data packet from the first terminal device and judge whether the first terminal device exhibits attack behaviour by comparing that identifier with the currently valid identifiers of attacking terminal devices. If the currently valid identifiers of attacking terminal devices include the identifier of the first terminal device, it can be determined that the first terminal device exhibits attack behaviour; conversely, if they do not include it, it can be determined that the first terminal device does not exhibit attack behaviour.
The above is one exemplary embodiment of step 23, but not the only one. For example, in another exemplary embodiment of step 23, the service server judges whether the first terminal device exhibits attack behaviour directly from the type and the sending behaviour of the data packets from the first terminal device. In one attack example, the first terminal device repeatedly establishes and tears down service connections with the service server within a short time, without any of the connections carrying valid service data. On this basis, the service server may parse the data packets sent by the first terminal device, identify from the packet type field that almost all of the packets within a period (for example, 90% or more) are packets requesting connection establishment or connection teardown and that there are almost no packets requesting valid service data, and, using the identifier of the first terminal device carried in the packets, judge the frequency with which connections are established and torn down, for example 30 times within one minute. When that frequency reaches a set upper limit, it determines that the first terminal device exhibits attack behaviour; otherwise, it determines that the first terminal device does not exhibit attack behaviour.
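The connection-churn heuristic of the second embodiment of step 23, written out as an added example (this is not code from the patent or its applicant). It keeps a sliding window of packets per device identifier and flags a device when almost all packets in the window are connection setup or teardown and the number of setups reaches the upper limit. The packet record layout, the type field values and the window length are assumptions; the thresholds are the text's illustrative figures (90% and 30 per minute); the sample traffic is constructed. A practitioner would tune the thresholds against real traffic, since legitimate devices that reconnect after losing radio coverage also churn briefly.

```python
"""Connection-churn detector for the service server (added example, not patent code).

Flags a terminal device when, within a sliding window, the share of connect/
disconnect packets is at least `churn_ratio` and the number of connection
establishments reaches `max_setups`, the two tests the text describes.
"""
from collections import defaultdict, deque
from dataclasses import dataclass

# Assumed values of the packet type field; the text names the field, not its values.
CONNECT, DISCONNECT, SERVICE_DATA = "connect", "disconnect", "service_data"
CHURN_TYPES = {CONNECT, DISCONNECT}


@dataclass(frozen=True)
class Packet:
    device_id: str  # identifier of the terminal device carried in the packet
    ptype: str      # packet type field
    ts: float       # arrival time in seconds


class ChurnDetector:
    """Sliding-window detector keyed by device identifier."""

    def __init__(self, window_s: float = 60.0, churn_ratio: float = 0.9, max_setups: int = 30):
        self.window_s = window_s
        self.churn_ratio = churn_ratio
        self.max_setups = max_setups
        self._history = defaultdict(deque)  # device_id -> deque[Packet] within the window

    def observe(self, pkt: Packet) -> bool:
        """Record one packet; return True if the device now meets both attack tests."""
        hist = self._history[pkt.device_id]
        hist.append(pkt)
        while hist and pkt.ts - hist[0].ts > self.window_s:  # age out old packets
            hist.popleft()
        total = len(hist)
        churn = sum(1 for p in hist if p.ptype in CHURN_TYPES)
        setups = sum(1 for p in hist if p.ptype == CONNECT)
        return churn / total >= self.churn_ratio and setups >= self.max_setups


def constructed_traffic():
    """Constructed sample: one legitimate sensor and one churning device."""
    pkts = [Packet("imsi-legit", CONNECT, 0.0)]
    # Legitimate device: one connection, a reading every 2 s, one disconnect.
    pkts += [Packet("imsi-legit", SERVICE_DATA, 2.0 * i) for i in range(1, 26)]
    pkts.append(Packet("imsi-legit", DISCONNECT, 52.0))
    # Attacking device: 35 connect/disconnect pairs in under 50 s, no service data.
    for i in range(35):
        pkts.append(Packet("imsi-churn", CONNECT, 1.4 * i))
        pkts.append(Packet("imsi-churn", DISCONNECT, 1.4 * i + 0.5))
    return sorted(pkts, key=lambda p: p.ts)


def detect_attackers(packets) -> set:
    """Run the detector over a packet stream and return the flagged identifiers."""
    det = ChurnDetector()
    flagged = set()
    for pkt in packets:
        if det.observe(pkt):
            flagged.add(pkt.device_id)
    return flagged


if __name__ == "__main__":
    print(detect_attackers(constructed_traffic()))
```

Both tests are required together: a device that sets up 30 connections but carries service data in each of them fails the ratio test and is not flagged, which is the distinction the text draws between churn and ordinary use.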
When it is determined that the first terminal device exhibits attack behaviour, the process proceeds to step 24. As described in step 24, the service server sends a notification message to the PCRF entity over the signaling-plane connection between them, so that the PCRF entity forwards the notification message to the GW. The notification message carries the identifier of the first terminal device; its main purpose is to notify the GW that the first terminal device exhibits attack behaviour and that the data packets from the first terminal device need to be filtered.
Continuing with steps 25 and 26, the PCRF entity receives the notification message sent by the service server and forwards it to the GW; the GW receives the notification message forwarded by the PCRF entity and learns from it that the first terminal device exhibits attack behaviour and that the data packets from the first terminal device need to be filtered.
Continuing with steps 27 and 28, the GW receives a data packet sent by the first terminal device to the service server, the data packet carrying the identifier of the first terminal device; the GW judges whether the first terminal device exhibits attack behaviour by comparing that identifier with the currently valid identifiers of attacking terminal devices. If the currently valid identifiers of attacking terminal devices include the identifier of the first terminal device, it can be determined that the first terminal device exhibits attack behaviour; conversely, if they do not include it, it can be determined that the first terminal device does not exhibit attack behaviour.
Referring to step 29, when it is determined that the first terminal device exhibits attack behaviour, the GW filters the data packets from the first terminal device. For example, the GW may discard the data packets from the first terminal device, disconnect its connection with the first terminal device, or forward the data packets from the first terminal device to the service server selectively.
In some exemplary embodiments, in step 23, when the service server detects terminal devices exhibiting attack behaviour, it may record their identifiers so as to identify the attacking terminal devices. In practice, a terminal device may be illegitimately controlled only for a period of time. To ensure that a terminal device can still access the service server normally once it is no longer illegitimately controlled, a validity period may be set on the service server, during which the attacking terminal device is forbidden from accessing the service server. On this basis, in addition to recording the identifiers of attacking terminal devices, the service server also needs to run a validity timer for each currently valid identifier of an attacking terminal device and, when the validity timer expires, invalidate that identifier. Invalidation may consist of deleting the identifier whose validity timer has expired, or of adding a legitimacy mark to it, meaning that the terminal device is no longer considered to exhibit attack behaviour.
In some exemplary embodiments, in steps 25 and/or 26, when the PCRF entity and/or the GW receive the notification message, they may also store locally the identifier of the attacking terminal device carried in the notification message as a currently valid identifier of an attacking terminal device. Likewise, a validity period may be set on the PCRF entity and/or the GW: only within the validity period are the terminal devices identified by these identifiers considered to exhibit attack behaviour, and after the validity period ends these terminal devices may again initiate service flows with the service server as normal devices. On this basis, in addition to storing the identifiers carried in the notification message, the PCRF entity and/or the GW also need to run a validity timer for each currently valid identifier of an attacking terminal device and invalidate the identifier when its timer expires. Invalidation is performed as described in the preceding embodiment and is not repeated here.
Further, in some exemplary embodiments, based on the currently valid identifiers of attacking terminal devices stored by the PCRF entity and/or the GW, during the procedure by which the first terminal device accesses the core network 201 (that is, the procedure described in step 20), whether the first terminal device exhibits attack behaviour may be judged by comparing its identifier with those stored identifiers. When it is determined that the first terminal device does not exhibit attack behaviour, the first terminal device is allowed to access the core network 201; when it is determined that it does, the first terminal device is refused access to the core network 201.
For example, while the eNB is establishing the S1 connection with the MME, the MME may judge whether the first terminal device exhibits attack behaviour by comparing the identifier of the first terminal device with the currently valid identifiers of attacking terminal devices stored by the MME. When it determines that the first terminal device exhibits attack behaviour, it refuses to establish the S1 connection for the first terminal device.
As another example, while the MME sends an authentication request to the HSS and the HSS returns an authentication response to the MME, the HSS may judge whether the first terminal device exhibits attack behaviour by comparing the identifier of the first terminal device with the currently valid identifiers of attacking terminal devices stored by the HSS. When it determines that the first terminal device exhibits attack behaviour, the HSS may return an authentication failure message to the MME.
As another example, while the MME requests the GW to establish the user-plane connection, the GW may judge whether the first terminal device exhibits attack behaviour by comparing the identifier of the first terminal device with the currently valid identifiers of attacking terminal devices stored by the GW. When it determines that the first terminal device exhibits attack behaviour, it refuses to establish the user-plane connection with the first terminal device.
The procedure by which the first terminal device accesses the core network 201 may be the first access of the first terminal device to the core network 201, or a re-access. For example, when the GW disconnects its connection with the first terminal device in step 29, the first terminal device is likely to request access to the core network 201 again. It can thus be seen that, whether during the first access of the first terminal device to the core network 201 or during its re-access, judging whether the first terminal device exhibits attack behaviour and refusing it access to the core network 201 when it does guarantees the security and reliability of the service server.
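The blocklist with validity timer, the notification forwarding of steps 24 to 26, the GW filtering of step 29 and the attach-time refusal described in the preceding paragraphs, modelled together as an added example (not code from the patent or its applicant). Each entity on the signaling path caches the notified identifier with its own validity timer before forwarding, the GW consults its copy both when filtering user-plane packets and when asked to set up a user-plane connection, and an expired entry is invalidated by deletion on the next lookup. The entity names are the text's; the validity period, the filter action names, the injected clock and the device identifiers are assumptions or constructed data. The chain builder is generic, so the longer paths through the SCEF entity described later in the text use the same code with a different list of hops.

```python
"""Blocklist with validity timer and notification propagation (added example, not patent code)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

DROP, DISCONNECT, FORWARD = "drop", "disconnect", "forward"  # assumed GW action names


@dataclass
class BlockList:
    """Currently valid attacking-device identifiers, each with an expiry time."""
    validity_s: float
    _entries: Dict[str, float] = field(default_factory=dict)  # id -> expires_at

    def mark(self, device_id: str, now: float) -> None:
        self._entries[device_id] = now + self.validity_s

    def is_blocked(self, device_id: str, now: float) -> bool:
        """True while the entry is valid; an expired entry is deleted (invalidated) here."""
        exp = self._entries.get(device_id)
        if exp is None:
            return False
        if now >= exp:
            del self._entries[device_id]
            return False
        return True


@dataclass
class Notification:
    device_id: str  # identifier of the attacking terminal device


@dataclass
class Entity:
    """Signaling-plane hop: caches the notified identifier, then forwards downstream."""
    name: str
    blocklist: BlockList
    next_hop: Optional["Entity"] = None

    def on_notification(self, n: Notification, now: float) -> None:
        self.blocklist.mark(n.device_id, now)
        if self.next_hop is not None:
            self.next_hop.on_notification(n, now)


class Gateway(Entity):
    """User-plane entity (GW): filters packets and gates user-plane setup."""

    def filter(self, device_id: str, now: float, policy: str = DROP) -> str:
        """Step 29: drop or disconnect a blocked device's packet, otherwise forward it."""
        return policy if self.blocklist.is_blocked(device_id, now) else FORWARD

    def admit(self, device_id: str, now: float) -> bool:
        """Attach-time check: refuse user-plane setup while the device is blocked."""
        return not self.blocklist.is_blocked(device_id, now)


def build_path(names: List[str], validity_s: float) -> Tuple[Entity, Gateway]:
    """Chain of entities in forwarding order, the last being the GW; returns (head, gw)."""
    gw = Gateway(names[-1], BlockList(validity_s))
    head: Entity = gw
    for name in reversed(names[:-1]):
        head = Entity(name, BlockList(validity_s), next_hop=head)
    return head, gw


def cached_hops(head: Entity, device_id: str, now: float) -> List[str]:
    """Names of the entities along the path that currently block the identifier."""
    names, node = [], head
    while node is not None:
        if node.blocklist.is_blocked(device_id, now):
            names.append(node.name)
        node = node.next_hop
    return names


def scenario(validity_s: float = 300.0) -> dict:
    """Fig. 2b path (PCRF -> GW): notification, filtering, refused and allowed re-attach."""
    pcrf, gw = build_path(["PCRF", "GW"], validity_s)
    dev, t0 = "imsi-attacker", 1000.0  # constructed identifier and clock
    pcrf.on_notification(Notification(dev), t0)  # steps 24 and 25
    return {
        "hops_blocking": cached_hops(pcrf, dev, t0 + 10),
        "gw_filter_during_validity": gw.filter(dev, t0 + 10),
        "gw_forwards_other_device": gw.filter("imsi-legit", t0 + 10),
        "reattach_refused": not gw.admit(dev, t0 + 60),
        "reattach_allowed_after_expiry": gw.admit(dev, t0 + validity_s + 1),
    }


if __name__ == "__main__":
    for key, value in scenario().items():
        print(f"{key}: {value}")
```

Each hop starts its own timer when it receives the notification, as the text allows, so entries on different hops can expire at slightly different moments; if that matters for a deployment, the notification would need to carry the expiry time rather than leaving each entity to compute it.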
Fig. 3 a is the knot for the exemplary operation system based on Internet of Things of another kind that one exemplary embodiment of the application provides Structure schematic diagram.As shown in Figure 3a, which includes: core net 301 and Internet of Things 302.
Core net 301 specifically includes that eNB, GW, MME, HSS and opening service capability function (Service Capability Exposure Function, SCEF) entity.SCEF entity is to meet network capabilities open applications scene demand, in core net The network capabilities open platform introduced in 301, realize the Certificate Authority of third-party application (such as Internet of Things 302), charging and with Information exchange, Information hiding and the encapsulation of 301 side network element of core net are called.By SCEF entity, core net 301 can be safe Ground is to third party's open service and network capabilities.
Wherein, eNB is connect by S1-MME interface with MME, and is connect by S1-U interface with GW.MME passes through S11 interface It connect with GW, and is connect by S6a interface with HSS.MME is connect by T6 interface with SCEF entity, and HSS passes through S6t interface It is connect with SCEF entity.SCEF entity is connect with service server, is the signaling plane section of service server core network access 301 Point.
Internet of Things 302 specifically includes that service server.Optionally, in addition to service server, Internet of Things 302 can be with Including some other complementary equipment, such as database, storage equipment, router etc..
In the exemplary service system shown in Fig. 3 a, service server can cooperate at GW, MME, HSS and SCEF entity Manage network attack.GW can be used as user entity involved in network attack process flow, and MME, HSS and SCEF entity can be made For signaling face entity involved in network attack process flow.
The interaction flow in conjunction with shown in Fig. 3 b, to GW, MME, HSS, SCEF entity in exemplary service system shown in Fig. 3 a And the process of service server mutual cooperation processing network attack is described in detail.For convenient for distinguishing and describing, below It is illustrated by taking first terminal equipment as an example in process.First terminal equipment can be one, be also possible to multiple.
Referring to step 30, first terminal equipment passes through eNB, MME, HSS, GW and SCEF entity core network access 301.
Step 30 mainly includes following operation: first terminal equipment is established RRC with eNB and is connect;ENB and MME establishes S1 company It connects;MME initiates authentication request to HSS;HSS returns to Authentication Response to MME;MME to GW request establish user face connect, GW to MME replys connection and is successfully established message;MME returns to connection to first terminal equipment and is successfully established message, and builds with SCEF entity The vertical management to the connection is associated with, and so far the user face connection between first terminal equipment and GW, which is established, completes, and also implies that the One terminal device is successfully accessed core net 301.
Continuing with steps 31 and 32, after the first terminal device has successfully accessed the core network 301, it sends the data packets destined for the service server to the GW; the GW forwards the data packets sent by the first terminal device to the service server.
Referring to step 33, the service server detects whether the first terminal device exhibits attack behaviour, taking the data packets sent by the first terminal device as the basis. When it determines that the first terminal device exhibits attack behaviour, the process proceeds to step 34.
For a detailed description of steps 31 to 33, reference may be made to steps 21 to 23 of the embodiment shown in Fig. 2b, which is not repeated here. It is worth noting that in steps 31 and 32, while authenticating the first terminal device or after the first terminal device has passed authentication, the service server may determine the SCEF entity in the core network 301 from the identifier of the first terminal device and, in accordance with the agreement between the operator and the provider of the service server, establish a signaling-plane connection with the SCEF entity, so that the service server can manage the user-plane connection between the first terminal device and the GW.
Referring to step 34, when it is determined that the first terminal device exhibits attack behaviour, the service server sends a notification message to the SCEF entity over the signaling-plane connection between them, so that the SCEF entity forwards the notification message to the HSS. The notification message carries the identifier of the first terminal device; its main purpose is to notify the GW that the first terminal device exhibits attack behaviour and that the data packets from the first terminal device need to be filtered.
Continuing with steps 35 to 38, the SCEF entity receives the notification message sent by the service server and forwards it to the HSS; the HSS receives the notification message forwarded by the SCEF entity and forwards it to the MME; the MME receives the notification message forwarded by the HSS and forwards it to the GW; the GW receives the notification message forwarded by the MME and learns from it that the first terminal device exhibits attack behaviour and that the data packets from the first terminal device need to be filtered.
Continuing with steps 39 and 40, the GW receives a data packet sent by the first terminal device to the service server, the data packet carrying the identifier of the first terminal device; the GW judges whether the first terminal device exhibits attack behaviour by comparing that identifier with the currently valid identifiers of attacking terminal devices. If the currently valid identifiers of attacking terminal devices include the identifier of the first terminal device, it can be determined that the first terminal device exhibits attack behaviour; conversely, if they do not include it, it can be determined that the first terminal device does not exhibit attack behaviour.
Continuing with step 41, when it is determined that the first terminal device exhibits attack behaviour, the GW filters the data packets from the first terminal device. For example, the GW may discard the data packets from the first terminal device, disconnect its connection with the first terminal device, or forward the data packets from the first terminal device to the service server selectively.
In some exemplary embodiments, in step 33, when the service server detects terminal devices exhibiting attack behaviour, it may record their identifiers so as to identify the attacking terminal devices. In addition, the service server may run a validity timer for each currently valid identifier of an attacking terminal device and invalidate the identifier when its timer expires. For a detailed description of this exemplary embodiment, see the related embodiment of step 23.
In some exemplary embodiments, in step 35, step 36, step 37 and/or step 38, when the SCEF entity, the HSS, the MME and/or the GW receive the notification message, they may also store locally the identifier of the attacking terminal device carried in the notification message as a currently valid identifier of an attacking terminal device. Likewise, a validity period may be set on the SCEF entity, the HSS, the MME and/or the GW: only within the validity period are the terminal devices identified by these identifiers considered to exhibit attack behaviour, and after the validity period ends these terminal devices may again initiate service flows with the service server as normal devices. On this basis, in addition to storing the identifiers carried in the notification message, the SCEF entity, the HSS, the MME and/or the GW also need to run a validity timer for each currently valid identifier of an attacking terminal device and invalidate the identifier when its timer expires.
Further, in some exemplary embodiments, based on the currently valid identifiers of attacking terminal devices stored by the SCEF entity, the HSS, the MME and/or the GW, during the procedure by which the first terminal device accesses the core network 301 (that is, the procedure described in step 30), whether the first terminal device exhibits attack behaviour may be judged by comparing its identifier with those stored identifiers. When it is determined that the first terminal device does not exhibit attack behaviour, the first terminal device is allowed to access the core network 301; when it is determined that it does, the first terminal device is refused access to the core network 301.
The procedure by which the first terminal device accesses the core network 301 may be the first access of the first terminal device to the core network 301, or a re-access. For example, when the GW disconnects its connection with the first terminal device in step 41, the first terminal device will generally request access to the core network 301 again. It can thus be seen that, whether during the first access of the first terminal device to the core network 301 or during its re-access, judging whether the first terminal device exhibits attack behaviour and directly refusing it access to the core network 301 when it does guarantees the security and reliability of the service server.
Fig. 4 a is another exemplary operation system based on mobile network that one exemplary embodiment of the application provides Structural schematic diagram.As shown in fig. 4 a, which includes: core net 401 and Internet of Things 402.
Core net 401 specifically includes that eNB, GW, MME and SCEF.Wherein, eNB is connect by S1-MME interface with MME, and It is connect by S1-U interface with GW.MME is connect by S11 interface with GW.MME is connect by T6 interface with SCEF entity.SCEF Entity is connect with service server, is the node of the signaling plane of service server core network access 401.
Internet of Things 402 specifically includes that service server.Optionally, in addition to service server, Internet of Things 402 can be with Including some other complementary equipment, such as database, storage equipment, router etc..
In the exemplary service system shown in Fig. 4 a, service server can cooperate GW, MME and SCEF entity handles net Network attack.GW can be used as user entity involved in network attack process flow, MME and SCEF entity can be used as network and attack Hit signaling face entity involved in process flow.
The interaction flow in conjunction with shown in Fig. 4 b, to GW, MME, SCEF entity in exemplary service system shown in Fig. 4 a and The process of service server mutual cooperation processing network attack is described in detail.For convenient for distinguishing and describing, process below In be illustrated by taking first terminal equipment as an example.First terminal equipment can be one, be also possible to multiple.
Referring to step 50, first terminal equipment passes through eNB, MME, HSS, GW and PCRF entity core network access 401.
Step 50 mainly includes following operation: first terminal equipment is established RRC with eNB and is connect;ENB and MME establishes S1 company It connects;MME establishes user face to GW request and connects, and GW replys connection to MME and is successfully established message;MME is returned to first terminal equipment Return connection and be successfully established message, and the management of the connection be associated with the foundation of SCEF entity, so far first terminal equipment and GW it Between user face connection establish complete, also imply that first terminal equipment is successfully accessed core net 401.
Continuing with steps 51 and 52, after the first terminal device has successfully accessed the core network 401, it sends the data packets destined for the service server to the GW; the GW forwards the data packets sent by the first terminal device to the service server.
Referring to step 53, the service server detects whether the first terminal device exhibits attack behaviour, taking the data packets sent by the first terminal device as the basis. When it determines that the first terminal device exhibits attack behaviour, the process proceeds to step 54.
For a detailed description of steps 51 to 53, reference may be made to steps 21 to 23 of the embodiment shown in Fig. 2b, which is not repeated here. It is worth noting that in steps 51 and 52, while authenticating the first terminal device or after the first terminal device has passed authentication, the service server may determine the SCEF entity in the core network 401 from the identifier of the first terminal device and, in accordance with the agreement between the operator and the provider of the service server, establish a signaling-plane connection with the SCEF entity, so that the service server can manage the user-plane connection between the first terminal device and the GW.
Referring to step 54, when it is determined that the first terminal device exhibits attack behaviour, the service server sends a notification message to the SCEF entity over the signaling-plane connection between them, so that the SCEF entity forwards the notification message to the MME. The notification message carries the identifier of the first terminal device; its main purpose is to notify the GW that the first terminal device exhibits attack behaviour and that the data packets from the first terminal device need to be filtered.
Continuing with steps 55 to 57, the SCEF entity receives the notification message sent by the service server and forwards it to the MME; the MME receives the notification message forwarded by the SCEF entity and forwards it to the GW; the GW receives the notification message forwarded by the MME and learns from it that the first terminal device exhibits attack behaviour and that the data packets from the first terminal device need to be filtered.
Continuing with steps 58 and 59, the GW receives a data packet sent by the first terminal device to the service server, the data packet carrying the identifier of the first terminal device; the GW judges whether the first terminal device exhibits attack behaviour by comparing that identifier with the currently valid identifiers of attacking terminal devices. If the currently valid identifiers of attacking terminal devices include the identifier of the first terminal device, it can be determined that the first terminal device exhibits attack behaviour; conversely, if they do not include it, it can be determined that the first terminal device does not exhibit attack behaviour.
Continuing with step 60, when it is determined that the first terminal device exhibits attack behaviour, the GW filters the data packets from the first terminal device. For example, the GW may discard the data packets from the first terminal device, disconnect its connection with the first terminal device, or forward the data packets from the first terminal device to the service server selectively.
In some exemplary embodiments, in step 53, when the service server detects terminal devices exhibiting attack behaviour, it may record their identifiers so as to identify the attacking terminal devices. In addition, the service server may run a validity timer for each currently valid identifier of an attacking terminal device and invalidate the identifier when its timer expires. For a detailed description of this exemplary embodiment, see the related embodiment of step 23.
In some exemplary embodiments, in step 55, step 56 and/or step 57, when the SCEF entity, the MME and/or the GW receive the notification message, they may also store locally the identifier of the attacking terminal device carried in the notification message as a currently valid identifier of an attacking terminal device. Likewise, a validity period may be set on the SCEF entity, the MME and/or the GW: only within the validity period are the terminal devices identified by these identifiers considered to exhibit attack behaviour, and after the validity period ends these terminal devices may again initiate service flows with the service server as normal devices. On this basis, in addition to storing the identifiers carried in the notification message, the SCEF entity, the MME and/or the GW also need to run a validity timer for each currently valid identifier of an attacking terminal device and invalidate the identifier when its timer expires.
Further, in some exemplary embodiments, based on the currently valid identifiers of attacking terminal devices stored by the SCEF entity, the MME and/or the GW, during the procedure by which the first terminal device accesses the core network 401 (that is, the procedure described in step 50), whether the first terminal device exhibits attack behaviour may be judged by comparing its identifier with those stored identifiers. When it is determined that the first terminal device does not exhibit attack behaviour, the first terminal device is allowed to access the core network 401; when it is determined that it does, the first terminal device is refused access to the core network 401.
The procedure by which the first terminal device accesses the core network 401 may be the first access of the first terminal device to the core network 401, or a re-access. For example, when the GW disconnects its connection with the first terminal device in step 60, the first terminal device is likely to request access to the core network 401 again. It can thus be seen that, whether during the first access of the first terminal device to the core network 401 or during its re-access, judging whether the first terminal device exhibits attack behaviour and directly refusing it access to the core network 401 when it does guarantees the security and reliability of the service server.
The above embodiments of the present application describe the technical solutions provided by the embodiments of the present application mainly in combination with the service system. The following embodiments describe these technical solutions from the perspective of the individual network elements.
Fig. 5 is a flow diagram of a network attack handling method described from the service server side, provided by an exemplary embodiment of the present application. As shown in Fig. 5, the method includes:
501: receiving data packets from a first terminal device, sent by a user-plane entity in the core network.
502: determining, based on the data packets from the first terminal device, that the first terminal device exhibits attack behaviour.
503: notifying the user-plane entity to filter the data packets from the first terminal device.
In an optional embodiment, a notification message may be sent to a signaling-plane entity in the core network, for the signaling-plane entity to forward to the user-plane entity. The notification message instructs the user-plane entity to filter the data packets from the first terminal device.
The user-plane entity and the signaling-plane entity differ according to the architecture with which the core network is implemented.
For example, for the LTE core network architecture shown in Fig. 2a, the user-plane entity may be the GW and the signaling-plane entity may be the PCRF entity. On this basis, the notification message may be sent to the PCRF entity in the core network, so that the PCRF entity forwards it to the GW.
As another example, for the LTE core network architecture shown in Fig. 3a, the user-plane entity may be the GW and the signaling-plane entities may include the MME, the HSS and the SCEF entity. On this basis, the notification message may be sent to the SCEF entity in the core network, for the SCEF entity to forward it to the GW successively through the HSS and the MME in the core network.
As another example, for the LTE core network architecture shown in Fig. 4a, the user-plane entity may be the GW and the signaling-plane entities may include the MME and the SCEF entity. On this basis, the notification message may be sent to the SCEF entity in the core network, for the SCEF entity to forward it to the GW through the MME in the core network.
In some exemplary embodiments, the service server needs to determine the signaling-plane entity in advance from the identifier of the first terminal device and establish a signaling-plane connection with that entity, so that the service server can send the notification message to the user-plane entity over the signaling-plane connection.
In general, the service server may determine the signaling-plane entity while authenticating the first terminal device, or after the first terminal device has passed authentication.
In some exemplary embodiments, in step 502, the service server may determine that the first terminal device exhibits attack behaviour according to the identifier of the first terminal device carried in the data packets from the first terminal device and the currently valid identifiers of attacking terminal devices; alternatively, it may determine this according to the type and sending behaviour of the data packets from the first terminal device.
In some exemplary embodiments, the service server may store the identifiers of attacking terminal devices, and may also run a validity timer for each currently valid identifier of an attacking terminal device and invalidate the identifier when its timer expires.
In the embodiments of the present application, while the terminal device exchanges data with the service server through the user plane entity in the core network, the service server judges whether the terminal device has attack behavior; when it determines that the terminal device has attack behavior, it notifies the user plane entity to filter the data packets from that terminal device. This intercepts the attack behavior, reduces the influence of the network attack on the service server, and improves the reliability and security of the service server.
Fig. 6 is a flow diagram of a network attack processing method provided by an exemplary embodiment of the present application, described from the perspective of the user plane entity. As shown in Fig. 6, the method comprises:
601: receiving a data packet sent by the first terminal device to the service server, the data packet carrying the identifier of the first terminal device.
602: determining, according to the identifier of the first terminal device and the identifiers of the currently valid terminal devices with attack behavior, that the first terminal device has attack behavior.
603: filtering the data packets from the first terminal device.
In this embodiment, the user plane entity cooperates with the service server. During the data exchange between the terminal device and the service server, when the user plane entity receives a data packet sent by the first terminal device to the service server, it judges, based on the identifiers of the currently valid terminal devices with attack behavior, whether the first terminal device has attack behavior; when it judges that the first terminal device has attack behavior, it filters the data packets from the first terminal device. This intercepts the attack behavior, reduces the influence of the network attack on the service server, and improves the reliability and security of the service server.
In some exemplary embodiments, in step 603, the user plane entity may discard the data packets from the first terminal device, so that no further data packets from the first terminal device are sent to the service server, which mitigates the influence of the attack behavior on the service server. Alternatively, in step 603, the user plane entity may disconnect the user plane connection with the first terminal device, so that likewise no further data packets from the first terminal device are sent to the service server, which mitigates the influence of the attack behavior on the service server. Alternatively, in step 603, the user plane entity may selectively send data packets from the first terminal device to the service server, so as to reduce the number of data packets sent to the service server and mitigate the influence of the attack behavior on the service server.
For example, according to a maximum packet sending volume within a given period, part of the data packets from the first terminal device may be selected and sent to the service server.
As another example, according to the size of the data packets, those data packets from the first terminal device whose size lies within a set range may be selected and sent to the service server; that is, data packets that are too large or too small are filtered out.
In some exemplary embodiments, when the user plane entity judges that the first terminal device does not have attack behavior, it may send the data packets from the first terminal device to the service server.
In some exemplary embodiments, the service server may detect, according to the data packets from the first terminal device, whether the first terminal device has attack behavior, and when it detects that the first terminal device has attack behavior, it sends a notification message to the user plane entity through the signaling plane entity, carrying the identifier of the first terminal device in the notification message. On this basis, the user plane entity may receive the notification message from the service server as forwarded by the signaling plane entity in the core network, the notification message including the identifier of the first terminal device with attack behavior. On this basis, if the user plane entity receives a data packet from the first terminal device after receiving the notification message, it may judge whether the identifiers of the currently valid terminal devices with attack behavior include the identifier of the first terminal device; if so, it may determine that the first terminal device has attack behavior and accordingly prohibit sending the data packets from the first terminal device to the service server.
The user plane entity and the signaling plane entity differ according to the core network architecture.
For example, for the LTE core network architecture shown in Fig. 2a, the user plane entity may be the GW and the signaling plane entity may be the PCRF entity. On this basis, in receiving the notification message from the service server forwarded by the signaling plane entity, the GW may receive the notification message forwarded by the PCRF entity.
As another example, for the LTE core network architecture shown in Fig. 3a, the user plane entity may be the GW and the signaling plane entity may include the MME, HSS and SCEF entities. On this basis, in receiving the notification message from the service server forwarded by the signaling plane entity, the GW may receive the notification message forwarded by the MME, where the MME receives the notification message forwarded by the HSS, and the HSS receives the notification message forwarded by the SCEF entity.
As another example, for the LTE core network architecture shown in Fig. 4a, the user plane entity may be the GW and the signaling plane entity may include the MME and SCEF entities. On this basis, in receiving the notification message from the service server forwarded by the signaling plane entity, the GW may receive the notification message forwarded by the MME, where the MME receives the notification message forwarded by the SCEF entity.
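The notification path described above and in the service-server-side passage (the service server chooses the signaling plane entity from the terminal identifier, and the message then travels along one of the three chains the text names: PCRF to GW, SCEF through the MME to GW, or SCEF through the HSS and the MME to GW), as an added Python model that is not code from the patent. Each signaling plane entity records the identifier locally before forwarding; the entity and chain names follow the text, while the identifier format, the routing table and the message layout are constructed assumptions.

```python
"""Added example, not code from the patent: attack notification routed from the
service server along one of the three signaling plane chains the text names.
Identifier format, routing table and message layout are constructed assumptions."""


class UserPlaneEntity:
    """The GW: last hop of the chain; records the identifier so later packets can be filtered."""

    def __init__(self):
        self.attackers = set()   # identifiers of currently valid attacking terminals

    def receive(self, terminal_id, trace):
        self.attackers.add(terminal_id)
        trace.append("GW")
        return trace


class SignalingPlaneEntity:
    """PCRF, SCEF, HSS or MME: stores the identifier locally, then forwards downstream."""

    def __init__(self, name, next_hop):
        self.name = name
        self.next_hop = next_hop
        self.attackers = set()

    def receive(self, terminal_id, trace):
        self.attackers.add(terminal_id)
        trace.append(self.name)
        return self.next_hop.receive(terminal_id, trace)


# The three forwarding chains named in the text, listed from the entry entity
# that the service server talks to down to the hop in front of the GW.
CHAINS = {
    "pcrf": ["PCRF"],
    "scef_mme": ["SCEF", "MME"],
    "scef_hss_mme": ["SCEF", "HSS", "MME"],
}


def build_core_network(chain):
    """Wire the entities of `chain` in front of a fresh GW; return (entry entity, gw)."""
    gw = UserPlaneEntity()
    entry = gw
    for name in reversed(CHAINS[chain]):
        entry = SignalingPlaneEntity(name, entry)
    return entry, gw


class ServiceServer:
    """Determines the signaling plane entity for a terminal and sends it the notification."""

    def __init__(self, routing):
        # constructed: identifier prefix -> (chain name, entry entity, gw) of the serving core network
        self.routing = {prefix: (chain,) + build_core_network(chain)
                        for prefix, chain in routing.items()}

    def determine_signaling_entity(self, terminal_id):
        """Choose the signaling plane entity from the terminal identifier (prefix match, assumed)."""
        for prefix, (chain, entry, gw) in self.routing.items():
            if terminal_id.startswith(prefix):
                return chain, entry, gw
        raise LookupError(f"no core network known for {terminal_id}")

    def notify_attack(self, terminal_id):
        """Send the notification; return the hops traversed and whether the GW recorded it."""
        _, entry, gw = self.determine_signaling_entity(terminal_id)
        trace = entry.receive(terminal_id, [])
        return trace, terminal_id in gw.attackers
```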
In some exemplary embodiments, before step 601, the first terminal device needs to access the core network. Based on the identifiers of the currently valid terminal devices with attack behavior stored by the user plane entity, while the first terminal device is accessing the core network, the user plane entity may judge whether the first terminal device has attack behavior according to the identifier of the first terminal device and the identifiers of the currently valid terminal devices with attack behavior. If the identifiers of the currently valid terminal devices with attack behavior do not include the identifier of the first terminal device, it determines that the first terminal device does not have attack behavior and allows the first terminal device to access the core network. If the identifiers of the currently valid terminal devices with attack behavior include the identifier of the first terminal device, it determines that the first terminal device has attack behavior and refuses the first terminal device access to the core network.
Further, the user plane entity may run a validity timer for the identifiers of the currently valid terminal devices with attack behavior; when the validity timer ends, it invalidates the identifier of the currently valid terminal device with attack behavior. The invalidation may consist in deleting the identifier of the terminal device whose validity timer has ended, or in adding a legitimacy mark to the identifier of the terminal device whose validity timer has ended, meaning that the terminal device no longer has attack behavior. This ensures that the first terminal device can still access the service server normally once it is no longer under illegitimate control.
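The user plane entity behavior of steps 601 to 603 and the paragraphs around them, as an added Python model that is not code from the patent: a list of currently valid attacking identifiers fed by the notification, the three filtering options (discard, disconnect, or selective forwarding bounded by packet volume per period and by packet size range), the access check at core network attach, and the validity timer whose expiry either deletes the identifier or adds a legitimacy mark. Class and method names, the timer and threshold values, the `now` clock parameter and the constructed identifiers are assumptions.

```python
"""Added example, not code from the patent: a user plane entity (GW) model with
the blocklist, filtering options, access check and validity timer the text
describes. Names, thresholds and the constructed identifiers are assumptions."""
from dataclasses import dataclass


@dataclass
class Packet:
    terminal_id: str   # identifier of the sending terminal, carried in the packet
    size: int          # payload size in bytes (constructed sample value)


class UserPlaneEntity:
    def __init__(self, validity_seconds=600, mode="drop",
                 max_packets_per_window=10, window_seconds=60,
                 size_range=(64, 1400), invalidation="delete"):
        self.validity_seconds = validity_seconds
        self.mode = mode                      # "drop", "disconnect" or "selective"
        self.max_packets = max_packets_per_window
        self.window = window_seconds
        self.size_range = size_range
        self.invalidation = invalidation      # "delete" or "mark_legitimate"
        self.attackers = {}                   # terminal_id -> validity timer expiry
        self.legitimate = set()               # identifiers marked legitimate after expiry
        self.connected = set()                # terminals with a user plane connection
        self.sent_times = {}                  # terminal_id -> times of forwarded packets

    def on_notification(self, terminal_id, now):
        """Notification from the service server, forwarded by the signaling plane entity."""
        self.attackers[terminal_id] = now + self.validity_seconds
        self.legitimate.discard(terminal_id)

    def expire(self, now):
        """Invalidate identifiers whose validity timer has ended."""
        for tid, expiry in list(self.attackers.items()):
            if now >= expiry:
                del self.attackers[tid]
                if self.invalidation == "mark_legitimate":
                    self.legitimate.add(tid)

    def has_attack_behavior(self, terminal_id, now):
        self.expire(now)
        return terminal_id in self.attackers

    def on_access_request(self, terminal_id, now):
        """Core network attach: refuse terminals whose identifier is currently listed."""
        if self.has_attack_behavior(terminal_id, now):
            return "refused"
        self.connected.add(terminal_id)
        return "allowed"

    def on_packet(self, pkt, now):
        """Return "forward" when the packet goes to the service server, else the filter reason."""
        if pkt.terminal_id not in self.connected:
            return "no_connection"
        if not self.has_attack_behavior(pkt.terminal_id, now):
            return "forward"
        if self.mode == "drop":
            return "dropped"
        if self.mode == "disconnect":
            self.connected.discard(pkt.terminal_id)
            return "disconnected"
        # selective: only packets within the size range, and at most
        # max_packets per window, reach the service server
        lo, hi = self.size_range
        if not lo <= pkt.size <= hi:
            return "dropped_size"
        recent = [t for t in self.sent_times.get(pkt.terminal_id, []) if now - t < self.window]
        if len(recent) >= self.max_packets:
            self.sent_times[pkt.terminal_id] = recent
            return "dropped_rate"
        recent.append(now)
        self.sent_times[pkt.terminal_id] = recent
        return "forward_limited"


def demo():
    """Constructed sequence: attach, report, rate limiting, timer expiry with a legitimacy mark."""
    gw = UserPlaneEntity(validity_seconds=100, mode="selective",
                         max_packets_per_window=2, window_seconds=10,
                         invalidation="mark_legitimate")
    out = [gw.on_access_request("imsi-A", now=0)]
    out.append(gw.on_packet(Packet("imsi-A", 500), now=1))
    gw.on_notification("imsi-A", now=2)          # service server reported imsi-A
    for t in (3, 4, 5):
        out.append(gw.on_packet(Packet("imsi-A", 500), now=t))
    out.append(gw.on_packet(Packet("imsi-A", 20), now=6))   # below the size range
    out.append(gw.on_access_request("imsi-A", now=50))       # timer still running
    out.append(gw.on_access_request("imsi-A", now=102))      # timer ended
    return out, "imsi-A" in gw.legitimate
```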
Fig. 7 is a flow diagram of a network attack processing method provided by an exemplary embodiment of the present application, described from the perspective of the signaling plane entity. As shown in Fig. 7, the method comprises:
701: receiving a notification message from the service server, the notification message including the identifier of a first terminal device that has attack behavior towards the service server.
702: forwarding the notification message to the user plane entity in the core network, to instruct the user plane entity to filter the data packets from the first terminal device.
In this embodiment, the signaling plane entity cooperates with the service server by forwarding the notification message from the service server to the user plane entity, so that the user plane entity learns that the first terminal device has attack behavior and filters the data packets from the first terminal device. This intercepts the attack behavior, reduces the influence of the network attack on the service server, and improves the reliability and security of the service server.
In some exemplary embodiments, before step 701, the first terminal device needs to access the core network. Optionally, while the first terminal device is accessing the core network, the signaling plane entity may determine, according to the identifier of the first terminal device and the identifiers of the currently valid terminal devices with attack behavior, that the first terminal device does not have attack behavior, and allow the first terminal device to access the core network. If, while the first terminal device is accessing the core network, it is determined that the first terminal device has attack behavior, the first terminal device may be refused access to the core network.
In some exemplary embodiments, the signaling plane entity may store locally the identifier of the first terminal device carried in the notification message as the identifier of a currently valid terminal device with attack behavior. On this basis, when the first terminal device accesses the core network again, the signaling plane entity may judge whether the first terminal device has attack behavior according to the identifier of the first terminal device and the identifiers of the currently valid terminal devices with attack behavior. If the identifiers of the currently valid terminal devices with attack behavior include the identifier of the first terminal device, it determines that the first terminal device has attack behavior and refuses the first terminal device access to the core network. If the identifiers of the currently valid terminal devices with attack behavior do not include the identifier of the first terminal device, it determines that the first terminal device does not have attack behavior and allows the first terminal device to access the core network.
Further, the signaling plane entity may also run a validity timer for the identifiers of the currently valid terminal devices with attack behavior; when the validity timer ends, it invalidates the identifier of the currently valid terminal device with attack behavior. The invalidation may consist in deleting the identifier of the terminal device whose validity timer has ended, or in adding a legitimacy mark to the identifier of the terminal device whose validity timer has ended, meaning that the terminal device no longer has attack behavior. This ensures that the first terminal device can still access the service server normally once it is no longer under illegitimate control.
It should be noted that the execution subject of each step of the method provided by the above embodiments may be the same device, or the method may have different devices as execution subjects. For example, the execution subject of steps 501 to 503 may be device A; as another example, the execution subject of steps 501 and 502 may be device A while the execution subject of step 503 is device B; and so on.
In addition, some of the flows described in the above embodiments and the accompanying drawings contain multiple operations that appear in a particular order, but it should be clearly understood that these operations need not be executed in the order in which they appear herein and may be executed in parallel. Operation serial numbers such as 501 and 502 are only used to distinguish the different operations; the serial numbers themselves do not represent any execution order. In addition, these flows may include more or fewer operations, and these operations may be executed sequentially or in parallel. It should be noted that descriptions such as "first" and "second" herein are used to distinguish different messages, devices, modules and the like; they do not represent an order of precedence, nor do they require the "first" and the "second" to be of different types.
Fig. 8a is a structural schematic diagram of a network attack processing apparatus provided by an exemplary embodiment of the present application. As shown in Fig. 8a, the apparatus includes a receiving module 81, a determining module 82 and a notification module 83.
The receiving module 81 is configured to receive a data packet from the first terminal device sent by the user plane entity in the core network.
The determining module 82 is configured to determine, based on the data packet, that the first terminal device has attack behavior.
The notification module 83 is configured to notify the user plane entity to filter the data packets from the first terminal device.
In some exemplary embodiments, the notification module 83 is specifically configured to send a notification message to the signaling plane entity in the core network, so that the signaling plane entity forwards the notification message to the user plane entity. The notification message instructs the user plane entity to filter the data packets from the first terminal device.
In some exemplary embodiments, the notification module 83 is specifically configured to:
send the notification message to the PCRF entity in the core network, so that the PCRF entity forwards the notification message to the user plane entity; or
send the notification message to the SCEF entity in the core network, so that the SCEF entity forwards the notification message to the user plane entity through the MME in the core network; or
send the notification message to the SCEF entity in the core network, so that the SCEF entity forwards the notification message to the user plane entity successively through the HSS and the MME in the core network.
In some exemplary embodiments, the determining module 82 is further configured to, before the notification module 83 sends the notification message to the signaling plane entity in the core network, determine the signaling plane entity according to the identifier of the first terminal device and establish a signaling plane connection with the signaling plane entity, so that the local network attack processing apparatus sends the notification message to the user plane entity through that signaling plane connection.
In some exemplary embodiments, when determining that the first terminal device has attack behavior, the determining module 82 is specifically configured to: determine that the first terminal device has attack behavior according to the identifier of the first terminal device carried in the data packet and the identifiers of the currently valid terminal devices with attack behavior; or determine that the first terminal device has attack behavior according to the type and sending behavior of the data packets.
In some exemplary embodiments, the apparatus is further configured to: run a validity timer for the identifiers of the currently valid terminal devices with attack behavior; and, when the validity timer ends, invalidate the identifier of the currently valid terminal device with attack behavior.
The foregoing describes the internal functions and structure of the network attack processing apparatus. As shown in Fig. 8b, in practice the network attack processing apparatus may be implemented as the service server, comprising a communication component 84, a memory 85 and a processor 86.
The communication component 84 is configured to receive the data packet from the first terminal device sent by the user plane entity in the core network.
The memory 85 may be configured to store various other data to support operation on the service server. Examples of such data include instructions of any application or method operated on the service server, contact data, phone book data, messages, pictures, videos, and so on.
The memory 85 may be implemented by any type of volatile or non-volatile storage device or a combination thereof, such as static random access memory (SRAM), electrically erasable programmable read-only memory (EEPROM), erasable programmable read-only memory (EPROM), programmable read-only memory (PROM), read-only memory (ROM), magnetic memory, flash memory, magnetic disk or optical disc.
The processor 86 is coupled to the memory 85 and configured to execute the program in the memory 85, so as to:
determine, based on the data packet received by the communication component 84, that the first terminal device has attack behavior; and
notify, through the communication component 84, the user plane entity to filter the data packets from the first terminal device.
Optionally, the processor 86 is specifically configured to send the notification message through the communication component 84 to the signaling plane entity in the core network, so that the signaling plane entity forwards the notification message to the user plane entity. The notification message instructs the user plane entity to filter the data packets from the first terminal device. Correspondingly, the communication component 84 is further configured to send the notification message to the signaling plane entity.
Further, when sending the notification message to the signaling plane entity, the communication component 84 is specifically configured to:
send the notification message to the PCRF entity in the core network, so that the PCRF entity forwards the notification message to the user plane entity; or
send the notification message to the SCEF entity in the core network, so that the SCEF entity forwards the notification message to the user plane entity through the MME in the core network; or
send the notification message to the SCEF entity in the core network, so that the SCEF entity forwards the notification message to the user plane entity successively through the HSS and the MME in the core network.
Further, the processor 86 is further configured to determine the signaling plane entity according to the identifier of the first terminal device, and to control the communication component 84 to establish a signaling plane connection with the signaling plane entity, so that the service server sends the notification message to the user plane entity through that signaling plane connection.
Further, when determining, based on the data packet received by the communication component 84, that the first terminal device has attack behavior, the processor 86 is specifically configured to:
determine that the first terminal device has attack behavior according to the identifier of the first terminal device carried in the data packet received by the communication component 84 and the identifiers of the currently valid terminal devices with attack behavior; or
determine that the first terminal device has attack behavior according to the type and sending behavior of the data packets received by the communication component 84.
Further, where the processor 86 determines that the first terminal device has attack behavior according to the type and sending behavior of the data packets received by the communication component 84, the processor 86 may also store the identifier of the first terminal device in the memory 85 as the identifier of a currently valid terminal device with attack behavior.
Further, the processor 86 is further configured to: run a validity timer for the identifiers of the currently valid terminal devices with attack behavior; and, when the validity timer ends, invalidate the identifier of the currently valid terminal device with attack behavior.
Further, as shown in Fig. 8b, the electronic device further includes other components such as a display 87, a power supply component 88 and an audio component 89. Fig. 8b shows only some of the components schematically, which does not mean that the electronic device includes only the components shown in Fig. 8b.
Correspondingly, an embodiment of the present application further provides a computer-readable storage medium storing a computer program which, when executed, is capable of:
receiving the data packet from the first terminal device sent by the user plane entity in the core network;
determining, based on the received data packet, that the first terminal device has attack behavior; and
notifying the user plane entity to filter the data packets from the first terminal device.
In addition to the functions described above, the computer program, when executed, may also implement the other functions related to the service server in the above method embodiments.
Fig. 9a is a structural schematic diagram of another network attack processing apparatus provided by an exemplary embodiment of the present application. As shown in Fig. 9a, the apparatus includes a receiving module 91, a determining module 92 and a filtering module 93.
The receiving module 91 is configured to receive a data packet sent by the first terminal device to the service server, the data packet carrying the identifier of the first terminal device.
The determining module 92 is configured to determine, according to the identifier of the first terminal device and the identifiers of the currently valid terminal devices with attack behavior, that the first terminal device has attack behavior.
The filtering module 93 is configured to filter the data packets from the first terminal device.
In some exemplary embodiments, the receiving module 91 is specifically configured to:
receive the notification message forwarded by the PCRF entity in the core network; or
receive the notification message forwarded by the MME in the core network.
In some exemplary embodiments, before the data packet sent by the first terminal device to the service server is received, the determining module 92 is further configured to:
while the first terminal device is accessing the core network, determine, according to the identifier of the first terminal device and the identifiers of the currently valid terminal devices with attack behavior, that the first terminal device does not have attack behavior, and allow the first terminal device to access the core network.
In some exemplary embodiments, before the determining module 92 determines that the first terminal device has attack behavior, the receiving module 91 is further configured to:
receive the notification message from the service server forwarded by the signaling plane entity in the core network, the notification message including the identifier of the first terminal device and serving mainly to notify the user plane entity to filter the data packets from the first terminal device.
In some exemplary embodiments, when filtering the data packets from the first terminal device, the filtering module 93 is specifically configured to:
discard the data packets from the first terminal device; or
disconnect the user plane connection with the first terminal device; or
selectively send the data packets from the first terminal device to the service server.
The foregoing describes the internal functions and structure of the network attack processing apparatus. As shown in Fig. 9b, in practice the network attack processing apparatus may be implemented as the user plane entity, comprising a communication component 94, a memory 95 and a processor 96.
The communication component 94 is configured to receive the data packet sent by the first terminal device to the service server, the data packet carrying the identifier of the first terminal device.
The memory 95 may be configured to store various other data to support operation on the service server. Examples of such data include instructions of any application or method operated on the service server, contact data, phone book data, messages, pictures, videos, and so on.
The memory 95 may be implemented by any type of volatile or non-volatile storage device or a combination thereof, such as static random access memory (SRAM), electrically erasable programmable read-only memory (EEPROM), erasable programmable read-only memory (EPROM), programmable read-only memory (PROM), read-only memory (ROM), magnetic memory, flash memory, magnetic disk or optical disc.
The processor 96 is coupled to the memory 95 and configured to execute the program in the memory 95, so as to:
determine, according to the identifier of the first terminal device and the identifiers of the currently valid terminal devices with attack behavior, that the first terminal device has attack behavior; and
filter the data packets from the first terminal device.
Further, when filtering the data packets from the first terminal device, the processor 96 is specifically configured to:
discard the data packets from the first terminal device received by the communication component 94; or
disconnect the user plane connection with the first terminal device; or
selectively send the data packets from the first terminal device to the service server.
In some exemplary embodiments, the communication component 94 is specifically configured to:
receive the notification message forwarded by the PCRF entity in the core network; or
receive the notification message forwarded by the MME in the core network.
In some exemplary embodiments, before the processor 96 determines that the first terminal device has attack behavior, the communication component 94 is further configured to:
receive the notification message from the service server forwarded by the signaling plane entity in the core network, the notification message including the identifier of the first terminal device with attack behavior.
In some exemplary embodiments, before the communication component 94 receives the data packet sent by the first terminal device to the service server, the processor 96 is further configured to:
while the first terminal device is accessing the core network, determine, according to the identifier of the first terminal device and the identifiers of the currently valid terminal devices with attack behavior, that the first terminal device does not have attack behavior, and allow the first terminal device to access the core network.
In some exemplary embodiments, the processor 96 is further configured to:
run a validity timer for the identifiers of the currently valid terminal devices with attack behavior; and
when the validity timer ends, invalidate the identifier of the currently valid terminal device with attack behavior.
Further, as shown in Fig. 9b, the electronic device further includes other components such as a display 97, a power supply component 98 and an audio component 99. Fig. 9b shows only some of the components schematically, which does not mean that the electronic device includes only the components shown in Fig. 9b.
Correspondingly, an embodiment of the present application further provides a computer-readable storage medium storing a computer program which, when executed, is capable of:
receiving the data packet sent by the first terminal device to the service server, the data packet carrying the identifier of the first terminal device;
determining, according to the identifier of the first terminal device and the identifiers of the currently valid terminal devices with attack behavior, that the first terminal device has attack behavior; and
filtering the data packets from the first terminal device.
In addition to the functions described above, the computer program, when executed, may also implement the other functions related to the user plane entity in the above method embodiments.
Fig. 10a is a structural schematic diagram of another network attack processing apparatus provided by an exemplary embodiment of the present application. As shown in Fig. 10a, the apparatus includes a receiving module 1001 and a forwarding module 1002.
The receiving module 1001 is configured to receive the notification message from the service server, the notification message including the identifier of a first terminal device that has attack behavior towards the service server.
The forwarding module 1002 is configured to forward the received notification message to the user plane entity in the core network, to instruct the user plane entity to filter the data packets from the first terminal device.
In some exemplary embodiments, the apparatus further includes a storage module configured to, after the receiving module 1001 receives the notification message from the service server, store locally the identifier of the first terminal device as the identifier of a currently valid terminal device with attack behavior.
In some exemplary embodiments, the apparatus further includes an access control module configured to, while the first terminal device is accessing the core network, determine, according to the identifier of the first terminal device and the identifiers of the currently valid terminal devices with attack behavior, that the first terminal device does not have attack behavior, and allow the first terminal device to access the core network.
Further, in some exemplary embodiments, the access control module is further configured to, while the first terminal device is accessing the core network again, determine, according to the identifier of the first terminal device and the identifiers of the currently valid terminal devices with attack behavior, that the first terminal device has attack behavior, and refuse the first terminal device access to the core network.
In some exemplary embodiments, the network attack processing apparatus may be implemented as the signaling plane entity in the core network. On this basis, the network attack processing apparatus is specifically the PCRF entity, the SCEF entity, the MME or the HSS in the core network.
In some exemplary embodiments, the apparatus further includes a timing module configured to run a validity timer for the identifiers of the currently valid terminal devices with attack behavior, and, when the validity timer ends, to invalidate the identifier of the currently valid terminal device with attack behavior.
The foregoing describes the internal functions and structure of the network attack processing apparatus. As shown in Fig. 10b, in practice the network attack processing apparatus may be implemented as the signaling plane entity, comprising a communication component 1004, a memory 1005 and a processor 1006.
The communication component 1004 is configured to receive the notification message from the service server, the notification message including the identifier of a first terminal device that has attack behavior towards the service server.
The memory 1005 is configured to store a program.
The processor 1006 is coupled to the memory 1005 and configured to execute the program, so as to:
control the communication component 1004 to forward the notification message to the user plane entity in the core network, to instruct the user plane entity to filter the data packets from the first terminal device.
The communication component 1004 is further configured to forward the notification message to the user plane entity under the control of the processor 1006.
In some exemplary embodiments, before the communication component 1004 receives the notification message from the service server, the processor 1006 is further configured to:
while the first terminal device is accessing the core network, determine, according to the identifier of the first terminal device and the identifiers of the currently valid terminal devices with attack behavior, that the first terminal device does not have attack behavior, and allow the first terminal device to access the core network.
In other exemplary embodiments, after the communication component 1004 receives the notification message from the service server, the processor 1006 is further configured to store the identifier of the first terminal device in the memory 1005 as the identifier of a currently valid terminal device with attack behavior.
In other exemplary embodiments, after storing the identifier of the first terminal device locally as the identifier of a currently valid terminal device with attack behavior, the processor 1006 is further configured to:
while the first terminal device is accessing the core network again, determine, according to the identifier of the first terminal device and the identifiers of the currently valid terminal devices with attack behavior, that the first terminal device has attack behavior, and refuse the first terminal device access to the core network.
In other exemplary embodiments, the processor 1006 is further configured to: run a validity timer for the identifiers of the currently valid terminal devices with attack behavior; and, when the validity timer ends, invalidate the identifier of the currently valid terminal device with attack behavior.
Further, as shown in Fig. 10b, the electronic device further includes other components such as a display 1007, a power supply component 1008 and an audio component 1009. Fig. 10b shows only some of the components schematically, which does not mean that the electronic device includes only the components shown in Fig. 10b.
Correspondingly, an embodiment of the present application further provides a computer-readable storage medium storing a computer program which, when executed, is capable of: receiving the notification message from the service server, the notification message including the identifier of a first terminal device that has attack behavior towards the service server; and
forwarding the notification message to the user plane entity in the core network, to prohibit the user plane entity from sending the data packets from the first terminal device to the service server.
In addition to the functions described above, the computer program, when executed, may also implement the other functions related to the signaling plane entity in the above method embodiments.
The communication components in Fig. 8b, Fig. 9b and Fig. 10b are configured to facilitate wired or wireless communication between the device containing the communication component and other devices. That device may access a wireless network based on a communication standard, such as WiFi, 2G or 3G, or a combination of these. In one exemplary embodiment, the communication component receives a broadcast signal or broadcast-related information from an external broadcast management system via a broadcast channel. In one exemplary embodiment, the communication component also includes a near-field communication (NFC) module to facilitate short-range communication. For example, the NFC module may be implemented using radio frequency identification (RFID) technology, Infrared Data Association (IrDA) technology, ultra-wideband (UWB) technology, Bluetooth (BT) technology or other technologies.
The displays in Fig. 8b, Fig. 9b and Fig. 10b may include a screen, and the screen may include a liquid crystal display (LCD) and a touch panel (TP). If the screen includes a touch panel, it may be implemented as a touch screen to receive input signals from the user. The touch panel includes one or more touch sensors to sense touches, swipes and gestures on the panel. The touch sensor can sense not only the boundary of a touch or swipe action but also the duration and pressure associated with the touch or swipe.
The power supply components in Fig. 8b, Fig. 9b and Fig. 10b provide power to the various components of the device containing the power supply component. The power supply component may include a power management system, one or more power supplies, and other components associated with generating, managing and distributing power for that device.
The audio components in Fig. 8b, Fig. 9b and Fig. 10b are configured to output and/or input audio signals. For example, the audio component includes a microphone (MIC); when the device containing the audio component is in an operating mode such as a call mode, a recording mode or a speech recognition mode, the microphone is configured to receive external audio signals. The received audio signal may further be stored in the memory or transmitted via the communication component. In some embodiments, the audio component also includes a loudspeaker for outputting audio signals.
Those skilled in the art will appreciate that embodiments of the present invention may be provided as a method, a system or a computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Moreover, the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM and optical memory) containing computer-usable program code.
The present invention is described with reference to flowcharts and/or block diagrams of methods, devices (systems) and computer program products according to embodiments of the present invention. It should be understood that each flow and/or block in the flowcharts and/or block diagrams, and combinations of flows and/or blocks therein, can be implemented by computer program instructions. These computer program instructions may be provided to the processor of a general-purpose computer, special-purpose computer, embedded processor or other programmable data processing device to produce a machine, such that the instructions executed by the processor of the computer or other programmable data processing device produce a device for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing device to operate in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including an instruction device, which implements the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be loaded onto a computer or other programmable data processing device, so that a series of operational steps are performed on the computer or other programmable device to produce computer-implemented processing, such that the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
In a typical configuration, a computing device includes one or more processors (CPUs), input/output interfaces, network interfaces and memory.
The memory may include non-persistent memory in a computer-readable medium, random access memory (RAM) and/or non-volatile memory, such as read-only memory (ROM) or flash memory (flash RAM). Memory is an example of a computer-readable medium.
Computer-readable media include permanent and non-permanent, removable and non-removable media, and can implement information storage by any method or technology. The information may be computer-readable instructions, data structures, program modules or other data. Examples of computer storage media include, but are not limited to, phase-change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), flash memory or other memory technologies, compact disc read-only memory (CD-ROM), digital versatile disc (DVD) or other optical storage, magnetic cassettes, magnetic tape or disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information accessible by a computing device. As defined herein, computer-readable media do not include transitory media such as modulated data signals and carrier waves.
It should also be noted that the terms "include", "comprise" or any other variant thereof are intended to cover non-exclusive inclusion, so that a process, method, article or device that includes a series of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such a process, method, article or device. In the absence of further limitation, an element defined by the phrase "including a ..." does not exclude the presence of additional identical elements in the process, method, article or device that includes the element.
The foregoing is merely an example of the present application and is not intended to limit it. Various changes and variations of this application are possible for those skilled in the art. Any modification, equivalent replacement, improvement or the like made within the spirit and principles of this application shall be included within the scope of the claims of this application.

Claims (15)

1. A network attack processing method based on the Internet of Things, comprising:
receiving a data packet from a first terminal device, the data packet being sent by a user-plane entity in a core network;
determining, based on the data packet, that the first terminal device has attack behaviour; and
notifying the user-plane entity to filter data packets from the first terminal device.
2. The method of claim 1, wherein notifying the user-plane entity to filter data packets from the first terminal device comprises:
sending a notification message to a signalling-plane entity in the core network, so that the signalling-plane entity forwards the notification message to the user-plane entity, the notification message instructing the user-plane entity to filter data packets from the first terminal device.
3. The method of claim 2, wherein sending the notification message to the signalling-plane entity in the core network so that the signalling-plane entity forwards the notification message to the user-plane entity comprises:
sending the notification message to a Policy and Charging Rules Function (PCRF) entity in the core network, so that the PCRF entity forwards the notification message to the user-plane entity; or
sending the notification message to a Service Capability Exposure Function (SCEF) entity in the core network, so that the SCEF entity forwards the notification message to the user-plane entity via a Mobility Management Entity (MME) in the core network; or
sending the notification message to the SCEF entity in the core network, so that the SCEF entity forwards the notification message to the user-plane entity via the Home Subscriber Server (HSS) and the MME in the core network, in that order.
4. A network attack processing method based on the Internet of Things, applied to a user-plane entity in a core network, the method comprising:
receiving a data packet sent by a first terminal device to a service server, the data packet carrying an identifier of the first terminal device;
determining, from the identifier of the first terminal device and the identifiers of currently valid terminal devices having attack behaviour, that the first terminal device has attack behaviour; and
filtering data packets from the first terminal device.
5. The method of claim 4, wherein filtering data packets from the first terminal device comprises:
discarding the data packets from the first terminal device; or
disconnecting the user-plane connection with the first terminal device; or
selectively sending the data packets from the first terminal device to the service server.
6. The method of claim 4, wherein before determining, from the identifier of the first terminal device and the identifiers of currently valid terminal devices having attack behaviour, that the first terminal device has attack behaviour, the method further comprises:
receiving a notification message from the service server forwarded by a signalling-plane entity in the core network, the notification message instructing that data packets from the first terminal device be filtered.
7. The method of claim 6, wherein receiving the notification message from the service server forwarded by the signalling-plane entity in the core network comprises:
receiving the notification message forwarded by a Policy and Charging Rules Function (PCRF) entity in the core network; or
receiving the notification message forwarded by a Mobility Management Entity (MME) in the core network.
8. The method of any one of claims 4 to 7, wherein before receiving the data packet sent by the first terminal device to the service server, the method further comprises:
while the first terminal device is accessing the core network, determining from the identifier of the first terminal device and the identifiers of currently valid terminal devices having attack behaviour that the first terminal device does not have attack behaviour, and allowing the first terminal device to access the core network.
9. The method of any one of claims 4 to 7, further comprising:
running a validity timer for the identifiers of currently valid terminal devices having attack behaviour; and
when the validity timer expires, invalidating the identifier of the currently valid terminal device having attack behaviour.
10. A network attack processing method, applied to a signalling-plane entity in a core network, the method comprising:
receiving a notification message from a service server, the notification message containing the identifier of a first terminal device having attack behaviour towards the service server; and
forwarding the notification message to a user-plane entity in the core network, to instruct the user-plane entity to filter data packets from the first terminal device.
11. The method of claim 10, wherein before receiving the notification message from the service server, the method further comprises:
while the first terminal device is accessing the core network, determining from the identifier of the first terminal device and the identifiers of currently valid terminal devices having attack behaviour that the first terminal device does not have attack behaviour, and allowing the first terminal device to access the core network.
12. A service server, comprising a communication component, a memory and a processor;
the communication component being configured to receive a data packet from a first terminal device, the data packet being sent by a user-plane entity in a core network;
the memory being configured to store a program;
the processor being coupled to the memory and configured to execute the program in order to:
determine, based on the data packet, that the first terminal device has attack behaviour; and
notify the user-plane entity, via the communication component, to filter data packets from the first terminal device.
13. A user-plane entity, comprising a communication component, a memory and a processor;
the communication component being configured to receive a data packet sent by a first terminal device to a service server, the data packet carrying an identifier of the first terminal device;
the memory being configured to store a program;
the processor being coupled to the memory and configured to execute the program in order to:
determine, from the identifier of the first terminal device and the identifiers of currently valid terminal devices having attack behaviour, that the first terminal device has attack behaviour; and
filter data packets from the first terminal device.
14. A signalling-plane entity, comprising a communication component, a memory and a processor;
the communication component being configured to receive a notification message from a service server, the notification message containing the identifier of a first terminal device having attack behaviour towards the service server;
the memory being configured to store a program;
the processor being coupled to the memory and configured to execute the program in order to:
control the communication component to forward the notification message to a user-plane entity in the core network, to instruct the user-plane entity to filter data packets from the first terminal device;
the communication component further being configured to forward the notification message to the user-plane entity under the control of the processor.
15. A service system based on the Internet of Things, comprising the service server of claim 12, the user-plane entity of claim 13 and the signalling-plane entity of claim 14; wherein the service server is located in the Internet of Things, and the user-plane entity and the signalling-plane entity are located in a core network.
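The claims above, together with the signalling-plane embodiment described earlier (storing the reported identifier, running a validity timer on it, and refusing re-attachment while it is valid), describe one procedure across three entities. The following Python models that procedure end to end. It is an added example and not code from the patent or from the assignee: the entity and method names, the packet layout, the constructed terminal identifiers and the detection rule in `ServiceServer.receive` (a packet-rate threshold) are all assumptions, since the patent fixes no particular rule for deciding that a terminal is attacking.

```python
"""Model of the flow in claims 1-11: a service server decides that a terminal is
attacking, a signalling-plane entity forwards the notification, and the
user-plane entity keeps a time-limited list of attacking terminal identifiers
that it consults both for packet filtering and for core-network access.
Added example, not code from the patent; all names and the detection rule
are assumptions.
"""
import time
from dataclasses import dataclass, field
from enum import Enum


class Action(Enum):
    DROP = "drop"          # discard the packet (claim 5, first option)
    FORWARD = "forward"    # pass the packet on to the service server


@dataclass
class Packet:
    terminal_id: str       # identifier of the terminal carried in the packet (claim 4)
    payload: bytes


@dataclass
class UserPlaneEntity:
    """Claims 4-9: filter by identifier, with a validity timer on each entry."""
    validity_seconds: float = 600.0
    clock: object = time.time
    blocked: dict = field(default_factory=dict)   # identifier -> expiry time

    def handle_notification(self, terminal_id: str) -> None:
        """Store the identifier from a forwarded notification as currently valid."""
        self.blocked[terminal_id] = self.clock() + self.validity_seconds

    def is_blocked(self, terminal_id: str) -> bool:
        expiry = self.blocked.get(terminal_id)
        if expiry is None:
            return False
        if self.clock() >= expiry:      # timer expired: invalidate the entry (claim 9)
            del self.blocked[terminal_id]
            return False
        return True

    def on_packet(self, pkt: Packet) -> Action:
        return Action.DROP if self.is_blocked(pkt.terminal_id) else Action.FORWARD

    def on_attach(self, terminal_id: str) -> bool:
        """Claims 8 and 11: refuse core-network access while the entry is valid."""
        return not self.is_blocked(terminal_id)


class SignallingPlaneEntity:
    """Claim 10: forward the service server's notification to the user plane."""
    def __init__(self, user_plane: UserPlaneEntity):
        self.user_plane = user_plane
        self.forwarded = []

    def receive_notification(self, terminal_id: str) -> None:
        self.forwarded.append(terminal_id)
        self.user_plane.handle_notification(terminal_id)


class ServiceServer:
    """Claim 1: decide from received packets that a terminal is attacking.
    The rule used here (more than `threshold` packets from one identifier
    inside `window` seconds) is an assumption; the patent fixes no rule."""
    def __init__(self, signalling, threshold=50, window=1.0, clock=time.time):
        self.signalling, self.threshold, self.window, self.clock = signalling, threshold, window, clock
        self.seen = {}

    def receive(self, pkt: Packet) -> bool:
        now = self.clock()
        recent = [t for t in self.seen.get(pkt.terminal_id, []) if now - t < self.window]
        recent.append(now)
        self.seen[pkt.terminal_id] = recent
        if len(recent) == self.threshold + 1:   # notify once, when the threshold is crossed
            self.signalling.receive_notification(pkt.terminal_id)
            return True
        return False


def run_scenario() -> dict:
    """Drive the three entities with constructed traffic and a fake clock."""
    now = [1000.0]
    clock = lambda: now[0]
    upe = UserPlaneEntity(validity_seconds=60.0, clock=clock)
    spe = SignallingPlaneEntity(upe)
    server = ServiceServer(spe, threshold=5, window=1.0, clock=clock)
    attacker, benign = "imsi-460000000000001", "imsi-460000000000002"   # constructed ids

    before = upe.on_packet(Packet(attacker, b"x"))
    for _ in range(6):                    # flood crosses the assumed threshold
        server.receive(Packet(attacker, b"x"))
    after = upe.on_packet(Packet(attacker, b"x"))
    benign_action = upe.on_packet(Packet(benign, b"y"))
    refused = not upe.on_attach(attacker)
    now[0] += 61.0                        # validity timer expires
    allowed_again = upe.on_attach(attacker)
    return dict(before=before, after=after, benign=benign_action, refused=refused,
                allowed_again=allowed_again, notified=spe.forwarded)


if __name__ == "__main__":
    print(run_scenario())
```

Running the module prints the outcome of the scenario: packets from the flooding terminal are forwarded until the notification arrives, dropped afterwards, the terminal is refused re-attachment while its entry is valid, and it is admitted again once the validity timer has expired, while the second terminal is unaffected throughout. The model keys everything on the identifier that the user-plane entity reads from the packet and that the service server reports; for the filtering to mean anything, the three entities must agree on that identifier and it must be one the core network itself attaches to the bearer rather than a value the terminal can choose freely.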

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710769846.5A CN109428870B (en) 2017-08-31 2017-08-31 Network attack processing method, device and system based on Internet of things


Publications (2)

Publication Number Publication Date
CN109428870A true CN109428870A (en) 2019-03-05
CN109428870B CN109428870B (en) 2021-10-12

Family

ID=65504643

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201710769846.5A Active CN109428870B (en) 2017-08-31 2017-08-31 Network attack processing method, device and system based on Internet of things

Country Status (1)

Country Link
CN (1) CN109428870B (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110933069A (en) * 2019-11-27 2020-03-27 上海明耿网络科技有限公司 Network protection method, device and storage medium
CN114338166A (en) * 2021-12-29 2022-04-12 支付宝(杭州)信息技术有限公司 Edge device risk processing method, device, equipment and cloud server
CN115529156A (en) * 2022-08-08 2022-12-27 北京雪诺科技有限公司 Access authentication method and device, storage medium and computer equipment
CN115529156B (en) * 2022-08-08 2023-08-01 北京雪诺科技有限公司 Access authentication method and device, storage medium and computer equipment

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101399853A (en) * 2007-09-24 2009-04-01 中国移动通信集团公司 Customer identification server, data service processing system and method
CN102625490A (en) * 2011-01-31 2012-08-01 电信科学技术研究院 LTE-LAN system and GW equipment
CN103051633A (en) * 2012-12-25 2013-04-17 华为技术有限公司 Attack prevention method and equipment
CN105357180A (en) * 2015-09-30 2016-02-24 华为技术有限公司 Network system, attack message intercepting method, attack message intercepting apparatus, and device
CN105577608A (en) * 2014-10-08 2016-05-11 腾讯科技(深圳)有限公司 Network attack behavior detection method and network attack behavior detection device
US20160294851A1 (en) * 2015-03-31 2016-10-06 Juniper Networks, Inc. Detecting a malicious file infection via sandboxing
CN106713301A (en) * 2016-12-16 2017-05-24 四川长虹电器股份有限公司 Internet of Things security defense system for intelligent terminal
CN107071781A (en) * 2017-05-04 2017-08-18 国网江苏省电力公司电力科学研究院 A kind of security protection performance assessment method suitable for electric power wireless private network core net




Similar Documents

Publication Publication Date Title
CN110351229B (en) Terminal UE (user equipment) management and control method and device
US10812461B2 (en) Connecting IMSI-less devices to the EPC
US11937177B2 (en) Method and apparatus for handling non-integrity protected reject messages in non-public networks
KR102224368B1 (en) Method and system for charging information recording in device to device(d2d) communication
TWI604745B (en) Method and apparatus for seamless delivery of services through a virtualized network
CN104937966B (en) Communication between devices authorization and packet sniffing in wireless communication system
US20200053136A1 (en) Originating caller verification via insertion of an attestation parameter
CN105635084A (en) Apparatus and method for authenticating terminal
WO2021151335A1 (en) Network event processing method and apparatus, and readable storage medium
EP2498528A1 (en) Radio base station, communication system and communication control method
CN109428870A (en) Network attack processing method based on Internet of Things, apparatus and system
WO2013185709A1 (en) Call authentication method, device, and system
JP2020501440A (en) Emergency number setting method, acquisition method and device
CN105027526A (en) System to protect a mobile network
US20240196217A1 (en) Forcing re-authentication of users for accessing online services
WO2010121645A1 (en) Priority service invocation and revocation
CN107787024B (en) Shutdown method and device and home subscriber server
EP3213541A1 (en) Radius/diameter authentication based gx policy management triggered by user location change
CN115348192A (en) Method, communication device and communication system for detecting abnormality
EP2721859A1 (en) Handling of operator connection offers in a communication network
US11991190B2 (en) Counteractions against suspected identity imposture
US20220174488A1 (en) Communication method and related device
CN108282775A (en) Dynamic Additional Verification method towards mobile ad hoc network and system
WO2024092801A1 (en) Authentication methods and apparatuses, communication device and storage medium
EP4123995A1 (en) Voice call method, terminal and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant