CN109428870B - Network attack processing method, device and system based on Internet of things - Google Patents

Info

Publication number: CN109428870B
Application number: CN201710769846.5A (CN201710769846A)
Priority: CN201710769846.5A
Authority: CN (China)
Prior art keywords: terminal device, service server, core network, plane entity, attack behavior
Legal status: Active; application granted (Google notes that the listed status is an assumption, not a legal conclusion)
Other languages: Chinese (zh)
Other versions: CN109428870A
Inventor: 朱春晖
Current assignee: Alibaba Group Holding Ltd (Google notes that the listed assignees may be inaccurate)
Original assignee: Alibaba Group Holding Ltd
Application filed by: Alibaba Group Holding Ltd

Classifications

    • H04L 63/1416 Event detection, e.g. attack signature detection (H Electricity > H04 Electric communication technique > H04L Transmission of digital information, e.g. telegraphic communication > H04L 63/00 Network architectures or network communication protocols for network security > H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic > H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic)
    • H04W 12/12 Detection or prevention of fraud (H Electricity > H04 Electric communication technique > H04W Wireless communication networks > H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity)
    • H04L 63/0227 Filtering policies (H Electricity > H04 Electric communication technique > H04L Transmission of digital information, e.g. telegraphic communication > H04L 63/00 Network architectures or network communication protocols for network security > H04L 63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls)

Abstract

The embodiment of the application provides a network attack processing method, device and system based on the Internet of things. In the process that the terminal device performs data interaction with the service server through the user plane entity in the core network, the service server judges whether the terminal device has an attack behavior, and when the terminal device is determined to have the attack behavior, the user plane entity is informed to filter a data packet from the terminal device with the attack behavior, so that the attack behavior is intercepted, the influence of network attack on the service server is reduced, and the reliability and the safety of the service server are improved.

Description

Network attack processing method, device and system based on Internet of things
Technical Field
The application relates to the technical field of communication, in particular to a network attack processing method, device and system based on the Internet of things.
Background
Advances in communication technology not only bring more bandwidth and more stable wireless network communication, but also provide a solid basis for richer service applications that use the communication network as a carrier, and promote the mutual penetration and fusion of mobile services and internet services.
A terminal device connects to a service server through a communication network and obtains the services provided by the service server over that connection. Users can therefore conveniently obtain various services at any time and in any place, such as leisure and entertainment, tools and media, and business and finance, and their service requirements are met.
In some application scenarios, the number of terminal devices accessing the service server based on the communication network may be large. When a large number of terminal devices are controlled illegally (e.g., by a hacker) or infected with viruses to attack the service server, the service server is seriously affected and even crashed.
Disclosure of Invention
The embodiment of the application provides a network attack processing method, device and system based on the Internet of things, which are used for reducing the influence of network attack on a service server and improving the reliability and safety of the service server.
The embodiment of the application provides a network attack processing method based on the Internet of things, which comprises the following steps:
receiving a data packet from a first terminal device, which is sent by a user plane entity in a core network;
determining that the first terminal device has an attack behavior based on the data packet;
and informing the user plane entity to filter the data packet from the first terminal equipment.
The embodiment of the application also provides a network attack processing method based on the internet of things, which is applied to a user plane entity in a core network, and the method comprises the following steps:
receiving a data packet sent by a first terminal device to a service server, wherein the data packet carries an identifier of the first terminal device;
determining that the first terminal device has an attack behavior according to the identifier of the first terminal device and the currently valid identifiers of terminal devices having an attack behavior;
and filtering the data packet from the first terminal device by not sending it to the service server.
The embodiment of the application also provides a network attack processing method based on the internet of things, which is applied to a signaling plane entity in a core network, and the method comprises the following steps:
receiving a notification message from a service server, wherein the notification message comprises an identifier of a first terminal device having an attack behavior on the service server;
and forwarding the notification message to a user plane entity in the core network to instruct the user plane entity to filter the data packet from the first terminal device.
An embodiment of the present application further provides a service server, including: a communication component, a memory, and a processor;
the communication component is used for receiving a data packet from the first terminal device, which is sent by a user plane entity in a core network;
the memory is used for storing programs;
the processor, coupled to the memory, to execute the program to:
determining that the first terminal device has an attack behavior based on the data packet;
and informing the user plane entity to filter the data packet from the first terminal equipment.
An embodiment of the present application further provides a user plane entity, including: a communication component, a memory, and a processor;
the communication component is used for receiving a data packet sent by a first terminal device to a service server, wherein the data packet carries an identifier of the first terminal device;
the memory is used for storing programs;
the processor, coupled to the memory, to execute the program to:
determining that the first terminal equipment has the attack behavior according to the identification of the first terminal equipment and the identification of the currently effective terminal equipment with the attack behavior;
and filtering the data packet from the first terminal equipment.
An embodiment of the present application further provides a signaling plane entity, including: a communication component, a memory, and a processor;
the communication component is used for receiving a notification message from a service server, wherein the notification message comprises an identifier of a first terminal device having an attack behavior on the service server;
the memory is used for storing programs;
the processor, coupled to the memory, to execute the program to:
controlling the communication component to forward the notification message to a user plane entity in the core network to instruct the user plane entity to filter a data packet from the first terminal device;
the communication component is further configured to forward the notification message to the user plane entity under control of the processor.
An embodiment of the present application further provides a service system based on the internet of things, including: the service server provided by the embodiment, the user plane entity provided by the embodiment, and the signaling plane entity provided by the embodiment; the service server is located in the internet of things, and the user plane entity and the signaling plane entity are located in a core network.
In the embodiment of the application, in the process that the terminal device performs data interaction with the service server through the user plane entity in the core network, the service server judges whether the terminal device has an attack behavior, and when the terminal device is determined to have the attack behavior, the user plane entity is informed to filter the data packet from the terminal device with the attack behavior, so that interception of the attack behavior is realized, the influence of network attack on the service server is reduced, and the reliability and the safety of the service server are improved.
Drawings
The accompanying drawings, which are included to provide a further understanding of the application and are incorporated in and constitute a part of this application, illustrate embodiment(s) of the application and together with the description serve to explain the application and not to limit the application. In the drawings:
fig. 1 is a schematic structural diagram of a core network-based service system according to an exemplary embodiment of the present application;
fig. 2a is a schematic structural diagram of an exemplary service system based on the internet of things according to an exemplary embodiment of the present application;
FIG. 2b is a flow diagram illustrating the handling of a network attack by the exemplary service system of FIG. 2a;
fig. 3a is a schematic structural diagram of another exemplary service system based on the internet of things according to an exemplary embodiment of the present application;
FIG. 3b is a flow diagram illustrating the handling of a network attack by the exemplary service system of FIG. 3a;
fig. 4a is a schematic structural diagram of another exemplary service system based on the internet of things according to an exemplary embodiment of the present application;
FIG. 4b is a flow diagram illustrating the handling of a network attack by the exemplary service system of FIG. 4a;
fig. 5 is a schematic flowchart of a network attack processing method described from the perspective of a service server according to an exemplary embodiment of the present application;
fig. 6 is a flowchart illustrating a network attack processing method described from the perspective of a user plane entity according to an exemplary embodiment of the present application;
fig. 7 is a flowchart illustrating a network attack processing method described from the perspective of a signaling plane entity according to an exemplary embodiment of the present application;
fig. 8a is a schematic structural diagram of a network attack processing apparatus according to an exemplary embodiment of the present application;
fig. 8b is a schematic structural diagram of a service server according to an exemplary embodiment of the present application;
fig. 9a is a schematic structural diagram of another network attack processing apparatus according to an exemplary embodiment of the present application;
fig. 9b is a schematic structural diagram of a user plane entity according to an exemplary embodiment of the present application;
fig. 10a is a schematic structural diagram of another network attack processing apparatus according to an exemplary embodiment of the present application;
fig. 10b is a schematic structural diagram of a signaling plane entity according to an exemplary embodiment of the present application.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application more apparent, the technical solutions of the present application will be described in detail and completely with reference to the following specific embodiments of the present application and the accompanying drawings. It should be apparent that the described embodiments are only some of the embodiments of the present application, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
In an application scenario where a service server and a communication core network are integrated, in order to reduce the influence of network attack on the service server and improve the reliability and security of the service server, an embodiment of the present application provides a solution, and the main principle is: in the process that the terminal equipment performs data interaction with the service server through a user plane entity in a core network, the service server judges whether the terminal equipment has an attack behavior; when the terminal equipment is judged to have the attack behavior, the user plane entity is informed to filter the data packet from the terminal equipment with the attack behavior, so that the interception of the attack behavior is realized, the influence of network attack on the service server is reduced, and the reliability and the safety of the service server are improved.
In each implementation of the present application, the terminal device may be a mobile phone, a notebook computer, a tablet computer, a POS device, a vehicle-mounted computer, or other devices that can access the communication core network.
In the embodiments of the present application, the service server mainly refers to a server in the Internet of Things (IoT). Such a server is mainly responsible for managing items connected to the Internet, interacting with information sensing equipment such as two-dimensional code readers, radio frequency identification devices, infrared sensors, global positioning system receivers and/or laser scanners, and providing information about the related items to the information sensing equipment, so as to realize functions such as intelligent identification, positioning, tracking, monitoring and management.
In the embodiments of the present application, the implementation architecture of the core network is not limited. For example, the core network may adopt a 4G core network architecture, may also adopt a 5G core network architecture, and may even adopt other core network architectures that may appear in the future.
In the following embodiments of the present application, technical solutions provided by the embodiments of the present application will be described in detail with reference to the accompanying drawings.
Fig. 1 is a schematic structural diagram of a business system based on the internet of things according to an exemplary embodiment of the present application. As shown in fig. 1, the system includes: a core network 101 and an internet of things 102.
In the core network 101, network elements are roughly divided into user plane entities and signaling plane entities according to the type of data they mainly process. A user plane entity is mainly responsible for processing service data, such as transmitting voice data or packet service data. A signaling plane entity is mainly responsible for processing signaling data, such as controlling call flow establishment, maintenance and release. The signaling plane entity is connected with the user plane entity.
The internet of things 102 mainly comprises a service server. Optionally, in addition to the service server, the internet of things 102 may also include other auxiliary devices, such as a database, a storage device, a router, and the like.
As shown in fig. 1, the service server is connected to a user plane entity and a signaling plane entity, respectively, to implement the fusion of the internet of things 102 and the core network 101. The internet of things 102 is integrated with the core network 101, so that richer service applications can be provided for users by taking the core network 101 as a carrier.
A terminal device can access the core network 101, establish a service connection with the service server, and then exchange data with it through the user plane entity in the core network 101, so as to use the services provided by the service server. For example, the terminal device may send a data packet addressed to the service server to the user plane entity; the user plane entity receives the data packet sent by the terminal device to the service server and forwards it to the service server. Correspondingly, the service server may send a data packet returned to the terminal device to the user plane entity; the user plane entity receives the data packet returned by the service server to the terminal device and forwards it to the terminal device.
The header of the data packet carries the identifier of the originating device and the identifier of the terminating device. Taking a data packet sent by a terminal device to a service server as an example, a packet header of the data packet carries an identifier of the terminal device and an identifier of the service server. The identifier of the terminal device may be an IP address of the terminal device, or an IP address and a port number of the terminal device, or a mobile network number (e.g., a mobile phone number) of the terminal device, or may also include the IP address, the port number, and the mobile network number of the terminal device, and so on. The identification of the service server may be an IP address of the server, or a name of the server, or a service network number of the server, or include the IP address, the name and the service network number of the server, and so on.
In the process of data interaction between the terminal device and the service server through the user plane entity in the core network 101, the terminal device may be controlled illegally (e.g., by a hacker) or infected with a virus, and further attack is initiated to the service server. When a large number of terminal devices are controlled illegally (e.g., by a hacker) or infected with viruses to attack the service server, the service server is seriously affected and even crashed.
In this embodiment, the service server first has an attack detection function, that is, after receiving a data packet from the terminal device sent by the user plane entity, based on the data packet, it determines whether the terminal device sending the data packet has an attack behavior. For convenience of description and distinction, the terminal device that sends the data packet is referred to as a first terminal device, and the first terminal device may be any terminal device that performs data interaction with the service server.
And when the first terminal equipment is judged not to have the attack behavior, data interaction can be continuously carried out with the first terminal equipment through the user plane entity.
When the first terminal device is determined to have the attack behavior, the conventional approach is for the service server itself to discard the packets from the first terminal device. However, when there are many data packets from the first terminal device, or a large number of terminal devices launch an attack simultaneously, this packet discarding may consume a large amount of the service server's software and hardware resources: for example, the packet header of each data packet must be parsed and whether to discard it must be decided from the originating device identifier in the header. This may affect the normal service of the service server and even lead to the service server being paralyzed.
Therefore, in this embodiment, when it is determined that the first terminal device has the attack behavior, the service server may notify the user plane entity to filter the data packet from the first terminal device. This is equivalent to intercepting the attack behavior of the first terminal device at the user plane entity, and the user plane entity filters the data packet with the attack behavior, so that the data packet sent to the service server can be reduced, even the data packet is not sent to the service server any more, thereby reducing the influence of network attack on the service server, and being beneficial to improving the reliability and the safety of the service server.
Optionally, the service server may notify the user plane entity to filter the data packet from the first terminal device, and may also combine with a packet loss processing manner, that is, discard the identified data packet from the first terminal device having the attack behavior.
The service server may notify the user plane entity to filter the data packet from the first terminal device in various ways. Two alternative embodiments are given below:
In an optional embodiment, the service server may directly send a notification message to the user plane entity, where the notification message instructs the user plane entity to filter the data packets from the first terminal device, so as to reduce the number of attack data packets reaching the service server, or even stop sending them to the service server altogether.
In another alternative embodiment, the service server may send the notification message to a signaling plane entity of the core network 101, so that the signaling plane entity forwards the notification message to the user plane entity. For the signaling plane entity, receiving a notification message from the service server, determining a user plane entity providing service for the first terminal device according to the identifier of the first terminal device carried in the notification message, and forwarding the notification message to the user plane entity. The notification message is used for instructing the user plane entity to filter the data packet from the first terminal equipment with the attack behavior.
For the user plane entity, the notification message from the service server forwarded by the signaling plane entity may be received, and the identifier of the first terminal device having the attack behavior may be obtained from the notification message. Then, when the user plane entity receives a data packet sent by the first terminal device to the service server, whether the first terminal device has an attack behavior or not can be judged according to the identifier of the first terminal device carried in the data packet and the identifier of the currently effective terminal device having an attack behavior.
If the currently valid identifier of the terminal device having the attack behavior includes the identifier of the first terminal device, the user plane entity may determine that the first terminal device has the attack behavior, and then filter the data packet from the first terminal device.
If the currently valid identifier of the terminal device having the attack behavior does not include the identifier of the first terminal device, the user plane entity may determine that the first terminal device does not have the attack behavior, and then send the data packet from the first terminal device to the service server.
Optionally, there are various ways for the user plane entity to filter the data packets from the first terminal device. Several approaches are listed below:
Mode 1): the user plane entity discards the data packets from the first terminal device, i.e. ordinary packet dropping.
Mode 2): the user plane entity disconnects the user plane connection of the first terminal device, i.e. the first terminal device is kicked off the network.
Mode 3): the data packets from the first terminal device are selectively transmitted to the service server.
For example, only a part of the data packets from the first terminal device may be transmitted to the service server, according to a maximum packet transmission amount within a certain time.
For another example, data packets whose size lies within a set range may be selected from the data packets from the first terminal device according to packet size and sent to the service server, that is, data packets that are too large or too small are filtered out.
No matter which mode is adopted, the number of data packets with attack behaviors received by the service server can be reduced or even not received, so that the software and hardware resources consumed by processing the attack data packets can be reduced, and the safety and the reliability of the service server can be improved.
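As an added illustration (not code from the patent or from Alibaba), the following Python simulation models the user plane entity described above: it keeps the identifiers reported by the service server as the currently valid set, checks the originating identifier of each packet against that set, and applies one of the three filtering modes. The class and function names, the notification message format, the per-window packet cap, the time window and the size range are all assumptions chosen for this example.

```python
from collections import deque
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    # Constructed packet model: originating identifier, destination and size in bytes.
    src_id: str
    dst: str
    size: int


@dataclass
class UserPlaneEntity:
    """Hypothetical user plane entity (e.g. the GW) that filters packets from
    terminal devices the service server has reported as having attack behaviour.

    mode 1: discard the packets (ordinary packet dropping)
    mode 2: tear down the device's user plane connection (kick it off)
    mode 3: forward selectively: size must lie within size_range, and at most
            max_per_window packets are forwarded per window_seconds
    All parameter values are assumptions for this example.
    """
    mode: int = 1
    max_per_window: int = 2
    window_seconds: float = 1.0
    size_range: tuple = (64, 1500)
    attackers: set = field(default_factory=set)      # currently valid attacker identifiers
    connected: set = field(default_factory=set)      # devices with a user plane connection
    recent: dict = field(default_factory=dict)       # identifier -> forward timestamps
    forwarded: list = field(default_factory=list)    # packets actually sent to the server

    def handle_notification(self, msg: dict) -> None:
        """Record the identifier carried in a notification message (assumed format)."""
        self.attackers.add(msg["terminal_id"])

    def withdraw(self, terminal_id: str) -> None:
        """An identifier stops being 'currently valid' once the server withdraws it."""
        self.attackers.discard(terminal_id)

    def receive(self, pkt: Packet, now: float) -> str:
        """Handle one packet addressed to the service server; returns the outcome."""
        if pkt.src_id not in self.connected:
            return "disconnected"
        if pkt.src_id not in self.attackers:
            self.forwarded.append(pkt)
            return "forwarded"
        if self.mode == 1:
            return "dropped"
        if self.mode == 2:
            self.connected.discard(pkt.src_id)
            return "disconnected"
        # mode 3: selective forwarding, first by size, then by rate within the window
        lo, hi = self.size_range
        if not lo <= pkt.size <= hi:
            return "dropped"
        stamps = self.recent.setdefault(pkt.src_id, deque())
        while stamps and stamps[0] <= now - self.window_seconds:
            stamps.popleft()
        if len(stamps) >= self.max_per_window:
            return "dropped"
        stamps.append(now)
        self.forwarded.append(pkt)
        return "forwarded"


def simulate(mode: int) -> list:
    """Constructed scenario: two devices; 10.0.0.2 is reported as attacking after
    its second packet. Returns the outcome of each packet in order."""
    gw = UserPlaneEntity(mode=mode)
    gw.connected.update({"10.0.0.1", "10.0.0.2"})
    before = [("10.0.0.1", 200), ("10.0.0.2", 200), ("10.0.0.2", 200)]
    results, t = [], 0.0
    for src, size in before:
        results.append(gw.receive(Packet(src, "server", size), t))
        t += 0.1
    gw.handle_notification({"terminal_id": "10.0.0.2", "action": "filter"})
    after = [("10.0.0.2", 200), ("10.0.0.2", 20),
             ("10.0.0.2", 200), ("10.0.0.2", 200), ("10.0.0.1", 200)]
    for src, size in after:
        results.append(gw.receive(Packet(src, "server", size), t))
        t += 0.1
    return results


if __name__ == "__main__":
    for m in (1, 2, 3):
        print("mode", m, simulate(m))
```

Running `simulate` for each mode shows the difference the page describes: mode 1 keeps the device's connection but drops everything, mode 2 drops the connection itself so later packets never reach the filter, and mode 3 lets a bounded number of normally sized packets through while discarding the undersized one and the excess within the window. Traffic from the unreported device is forwarded unchanged in all three modes.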
Which network elements serve as the user plane entity and the signaling plane entity depends on the core network implementation architecture. In the following embodiments of the present application, a network attack processing method implemented by combining a user plane entity and a signaling plane entity is described by taking several core network architectures in a 4G Long Term Evolution (LTE) system as examples.
Fig. 2a is a schematic structural diagram of an exemplary service system based on the internet of things according to an exemplary embodiment of the present application. As shown in fig. 2a, the service system includes: a core network 201 and an internet of things 202.
The core network 201 mainly includes: an enhanced radio base station (eNodeB, eNB), a Gateway (GW), a Mobility Management Entity (MME), a Home Subscriber Server (HSS), and a Policy and Charging Rules Function (PCRF) Entity.
The eNB is connected with the MME through an S1-MME interface and is connected with the GW through an S1-U interface. The MME is connected to the GW through an S11 interface and to the HSS through an S6a interface. And the GW is connected with the PCRF entity through a Gx interface.
The eNB is the main control device for air interface resources in the next generation radio access network, and can provide higher uplink and downlink rates, lower transmission delay and more reliable radio transmission. The main functions of the MME include participating in the authentication and authorization of the UE (user equipment), managing the location of the UE, and establishing the user plane data connection from the UE to the GW.
The GW may be divided into a Serving Gateway (S-GW) and a Packet Data Network Gateway (P-GW). The S-GW is the mobility anchor point within the Evolved Universal Terrestrial Radio Access Network (E-UTRAN). The P-GW is the border gateway between the core network 201 and the internet of things 202, and is responsible for accessing the internet of things 202, forwarding data between the core network 201 and the internet of things 202, and so on. For ease of illustration, only the GW is shown in fig. 2a.
The HSS stores the user subscription information and the configuration file and executes the authentication and authorization of the user. The PCRF entity is a policy and charging control policy decision point of the service data stream and the IP bearer resource and provides an available policy and charging control decision for the GW. The PCRF entity is connected to the service server, and is a signaling plane node of the core network 201 to which the service server is accessed.
The internet of things 202 mainly comprises a service server. Optionally, in addition to the service server, the internet of things 202 may also include other auxiliary devices, such as a database, a storage device, a router, and the like.
In the exemplary service system shown in fig. 2a, the service server may handle network attacks in cooperation with the GW and the PCRF entity. The GW may serve as the user plane entity involved in the network attack processing procedure, and the PCRF entity may serve as the signaling plane entity involved in it.
With reference to the interaction flow shown in fig. 2b, the process of handling a network attack through the interworking of the GW, the PCRF entity and the service server in the exemplary service system of fig. 2a is described in detail. For convenience of distinction and description, the following flow takes the first terminal device as an example; there may be one first terminal device or several.
Referring to step 20, the first terminal device accesses the core network 201 through the eNB, MME, HSS, GW, and PCRF entity.
Step 20 mainly comprises the following operations: the first terminal device establishes a Radio Resource Control (RRC) connection with the eNB; the eNB establishes an S1 connection with the MME; the MME sends an authentication request to the HSS; the HSS returns an authentication response to the MME; the MME requests the GW to establish a user plane connection; the GW selects a PCRF entity and establishes with it a management association for the user plane connection, which is mainly used to control the QoS and/or charging policy of that connection; after receiving the QoS and/or charging policy determined by the PCRF entity for the first terminal device, the GW replies with a connection establishment success message to the MME, and the MME returns the connection establishment success message to the first terminal device. At this point the user plane connection between the first terminal device and the GW is established, which also means that the first terminal device has successfully accessed the core network 201.
Continuing with steps 21 and 22, after the first terminal device successfully accesses the core network 201, the first terminal device sends the data packet addressed to the service server to the GW; and the GW forwards the data packet sent to the service server by the first terminal equipment to the service server.
Steps 21 and 22 mainly describe the basic interaction process between the first terminal device and the service server. The interaction process may vary with the implementation of the service server and with the service it provides.
In an exemplary embodiment, the interaction process between the first terminal device and the service server may include an access authentication process and a service interaction process. The first terminal device may send an authentication request to the service server, and send the authentication request carrying identity information of the first terminal device in the core network 201, such as a mobile network number, an IP address, a port number, and other information required for authentication, such as a random number or a password calculated according to a key, to the service server, and the service server performs access authentication on the first terminal device according to the information. After passing the authentication, the first terminal device may initiate a service request to the service server, thereby entering a service interaction process. During the process that the service server authenticates the first terminal device, or after the first terminal device passes the authentication, the service server may determine, according to the identifier of the first terminal device, a PCRF entity that provides QoS and/or a charging policy for the first terminal device, and establish, according to a protocol between an operator and a provider corresponding to the service server, a signaling plane connection with the PCRF entity, so that the service server manages a user plane connection between the first terminal device and a GW.
In the above exemplary embodiment, the data packet sent by the first terminal device to the service server may include an authentication request that the first terminal device requests the service server to perform access authentication, may also include a service request that is initiated to the service server after the authentication is passed, and may also include related data and the like sent to the service server according to a request of the service server in a service interaction process.
During this interaction the first terminal device may be compromised (illegally controlled), so that instead of issuing service requests that follow the rules of legitimate device behavior it launches an attack on the service server. The service server therefore detects, on the basis of the data packets the first terminal device sends during the interaction, whether the first terminal device has attack behavior (see step 23).
Optionally, whatever method the service server uses to detect attack behavior, whenever it detects a terminal device with attack behavior it records the identifier of that device and marks it as a currently valid identifier of a terminal device with attack behavior, so that subsequent detection for other terminal devices can reuse the record. On this basis, in an exemplary embodiment of step 23 the service server parses the identifier of the first terminal device out of its data packet and compares that identifier with the currently valid identifiers of terminal devices with attack behavior. If the currently valid identifiers include the identifier of the first terminal device, the first terminal device is determined to have attack behavior; otherwise it may be determined not to have attack behavior.
The embodiment of step 23 described above is exemplary rather than exclusive. In another exemplary embodiment of step 23, the service server determines whether the first terminal device has attack behavior directly from the type and transmission behavior of the data packets it sends. One example of attack behavior is a first terminal device that repeatedly establishes and tears down its service connection with the service server within a short period without carrying any valid service data over any of those connections. The service server can parse the data packets sent by the first terminal device, recognize that almost all of the packets in a period of time (for example, 90% or more) are requests to establish or tear down a connection while almost none request valid service data, use the identifier of the first terminal device carried in the packets to determine how often the device establishes and tears down connections (for example, 30 times within 1 minute), and determine that the first terminal device has attack behavior when that frequency reaches a set upper limit; otherwise the first terminal device is determined not to have attack behavior. The two conditions are applied together: the rule targets traffic that is almost entirely connection churn and that churns at a high rate.
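The connection-churn rule of this embodiment, as an added example that is not part of the patent: the Python below implements the two-part test (share of setup/teardown packets in a time window, and their count in that window) over constructed packet records. The record layout, the packet kinds, the 90% share, the 60-second window and the limit of 30 setup-or-teardown requests are assumptions taken from the figures quoted above; the patent does not fix the exact counting rule, so here every connection setup or teardown request counts once towards the limit. A device is flagged only when both conditions hold in the same window.

```python
from collections import defaultdict
from dataclasses import dataclass

# Packet kinds as parsed by the service server; the labels are assumptions.
CONNECT, DISCONNECT, SERVICE = "connect", "disconnect", "service"


@dataclass(frozen=True)
class Packet:
    device_id: str  # identifier of the terminal device carried in the packet
    ts: float       # arrival time in seconds
    kind: str       # CONNECT, DISCONNECT or SERVICE


def churn_verdicts(packets, window=60.0, share=0.9, limit=30):
    """Map each device identifier to True (attack behavior) or False.

    A device is flagged when, within some window of `window` seconds, its
    setup/teardown requests number at least `limit` and make up at least
    `share` of all its packets in that window.  Both tests use the same
    sliding window, evaluated at every packet arrival.
    """
    by_device = defaultdict(list)
    for p in packets:
        by_device[p.device_id].append(p)

    verdicts = {}
    for device_id, pk in by_device.items():
        pk.sort(key=lambda p: p.ts)
        start = churn = total = 0
        attack = False
        for p in pk:
            total += 1
            if p.kind in (CONNECT, DISCONNECT):
                churn += 1
            # drop packets that fell out of the window ending at p.ts
            while p.ts - pk[start].ts > window:
                if pk[start].kind in (CONNECT, DISCONNECT):
                    churn -= 1
                total -= 1
                start += 1
            if churn >= limit and churn / total >= share:
                attack = True
                break
        verdicts[device_id] = attack
    return verdicts


def sample_packets():
    """Constructed traffic for four devices (not captured data)."""
    pk = []
    # dev-A: 40 connect/disconnect pairs in 50 s and only two service packets
    for i in range(40):
        pk.append(Packet("dev-A", i * 1.25, CONNECT))
        pk.append(Packet("dev-A", i * 1.25 + 0.5, DISCONNECT))
    pk += [Packet("dev-A", 10.0, SERVICE), Packet("dev-A", 20.0, SERVICE)]
    # dev-B: ten ordinary sessions in 60 s, each carrying service data
    for i in range(10):
        base = i * 6.0
        pk.append(Packet("dev-B", base, CONNECT))
        pk += [Packet("dev-B", base + k, SERVICE) for k in (1.0, 2.0, 3.0)]
        pk.append(Packet("dev-B", base + 4.0, DISCONNECT))
    # dev-C: pure churn, but one cycle every 15 s (too slow to hit the limit)
    for i in range(20):
        pk.append(Packet("dev-C", i * 15.0, CONNECT))
        pk.append(Packet("dev-C", i * 15.0 + 1.0, DISCONNECT))
    # dev-D: 30 churn packets in the window, preceded by 10 service packets,
    # so churn is only 75% of its traffic and the share condition fails
    pk += [Packet("dev-D", float(k), SERVICE) for k in range(10)]
    for i in range(15):
        pk.append(Packet("dev-D", 10.0 + 2 * i, CONNECT))
        pk.append(Packet("dev-D", 11.0 + 2 * i, DISCONNECT))
    return pk


if __name__ == "__main__":
    for device, attack in sorted(churn_verdicts(sample_packets()).items()):
        print(device, "attack behavior" if attack else "normal")
```

Running the module prints a verdict for each constructed device: only dev-A is flagged. dev-C shows why the share condition alone is insufficient (its traffic is pure churn, but slow), and dev-D shows why the count alone is insufficient (30 churn packets, but they are only 75% of its traffic). A service server would feed parsed packets per terminal identifier into this logic as they arrive rather than batch-sorting them, but the window arithmetic is the same.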
When the first terminal device is determined to have attack behavior, the flow proceeds to step 24. In step 24 the service server sends a notification message to the PCRF entity over its signaling plane connection with the PCRF entity, so that the PCRF entity forwards the notification message to the GW. The notification message carries the identifier of the first terminal device and serves mainly to inform the GW that the first terminal device has attack behavior and that data packets from it must be filtered.
Continuing with steps 25 and 26, the PCRF entity receives the notification message from the service server and forwards it to the GW; the GW receives the forwarded notification message and learns from it that the first terminal device has attack behavior and that data packets from it must be filtered.
Continuing with steps 27 and 28, the GW receives a data packet sent by the first terminal device to the service server, the data packet carrying the identifier of the first terminal device, and the GW determines whether the first terminal device has attack behavior by comparing that identifier with the currently valid identifiers of terminal devices with attack behavior. If the currently valid identifiers include the identifier of the first terminal device, the first terminal device is determined to have attack behavior; otherwise it may be determined not to have attack behavior.
When the first terminal device is determined to have attack behavior, the GW filters the data packets from the first terminal device (step 29). For example, the data packets from the first terminal device may be discarded, the connection with the first terminal device may be released, or only a selected subset of the data packets from the first terminal device may be forwarded to the service server.
In some exemplary embodiments, when the service server detects terminal devices with attack behavior in step 23, it may record their identifiers so that those devices can be recognized later. In practice a terminal device may be compromised only for a period of time, and to ensure that it can access the service server normally once it is no longer compromised, the service server may set a validity time during which a terminal device with attack behavior is barred from accessing the service server. The service server therefore not only records the identifier of each terminal device with attack behavior but also runs a validity timer for each currently valid identifier and, when the timer expires, invalidates the identifier. Invalidation consists of either deleting the identifier whose validity timer has expired, or attaching a legitimate mark to it, meaning that the terminal device is no longer regarded as having attack behavior.
In some exemplary embodiments, in steps 25 and/or 26, when receiving the notification message, the PCRF entity and/or the GW may also store the identifier of the terminal device with the attack behavior carried in the notification message as the currently valid identifier of the terminal device with the attack behavior locally. Similarly, the PCRF entity and/or the GW may also set validity time, and only in the validity time, the terminal devices identified by the identifiers are considered to have an attack behavior, and after the validity time is over, the terminal devices may be used as normal devices to initiate a service flow with the service server again. Based on this, the PCRF entity and/or the GW need to perform validity timing on the currently valid identifier of the terminal device with the attack behavior, in addition to storing the identifier of the terminal device with the attack behavior carried in the notification message; and when the validity timing is ended, carrying out invalidation processing on the currently valid identifier of the terminal equipment with the attack behavior. The invalidation process is described in the previous embodiment, and is not described herein.
Further, in some exemplary embodiments, based on the identity of the currently valid terminal device with the attack behavior stored by the PCRF entity and/or the GW, in the process of accessing the core network 201 by the first terminal device (i.e., the process described in step 20), it may be determined whether the first terminal device has the attack behavior according to the identity of the first terminal device and the identity of the currently valid terminal device with the attack behavior. When it is determined that the first terminal device does not have the attack behavior, the first terminal device is allowed to access the core network 201. And when the first terminal device is determined to have the attack behavior, rejecting the first terminal device to access the core network 201.
For example, while the eNB is establishing the S1 connection with the MME, the MME may determine whether the first terminal device has attack behavior by comparing the identifier of the first terminal device with the currently valid identifiers of terminal devices with attack behavior stored by the MME. When the first terminal device is determined to have attack behavior, the MME refuses to establish the S1 connection for it.
For another example, while the MME sends the authentication request to the HSS and the HSS returns the authentication response to the MME, the HSS may determine whether the first terminal device has attack behavior by comparing the identifier of the first terminal device with the currently valid identifiers of terminal devices with attack behavior stored in the HSS. When the first terminal device is determined to have attack behavior, the HSS may return an authentication failure message to the MME.
For another example, in the process that the MME and the GW request to establish the user plane connection, the GW may determine whether the first terminal device has the attack behavior according to the identifier of the first terminal device and the identifier of the currently valid terminal device having the attack behavior stored by the GW. And when the first terminal equipment is determined to have the attack behavior, refusing to establish the user plane connection with the first terminal equipment.
The process of accessing the core network 201 by the first terminal device may be a process of accessing the core network 201 by the first terminal device for the first time, or a process of accessing the core network 201 by the first terminal device again. For example, in the case where the GW disconnects from the first terminal device in step 29, the first terminal device is likely to request access to the core network 201 again. Therefore, whether the first terminal device is accessed to the core network 201 for the first time or the first terminal device is accessed to the core network 201 again, the security and the reliability of the service server are ensured by judging whether the first terminal device has the attack behavior or not and refusing the first terminal device to access to the core network 201 when the first terminal device is judged to have the attack behavior.
Fig. 3a is a schematic structural diagram of another exemplary service system based on the internet of things according to an exemplary embodiment of the present application. As shown in fig. 3a, the service system includes: a core network 301 and an internet of things 302.
The core network 301 mainly includes an eNB, a GW, an MME, an HSS and a Service Capability Exposure Function (SCEF) entity. The SCEF entity is a network capability exposure platform introduced into the core network 301 for network capability exposure scenarios; it provides authentication, authorization and charging for third-party applications (for example, the internet of things 302), information exchange with the network elements on the core network 301 side, information hiding, and encapsulated invocation of network capabilities. Through the SCEF entity the core network 301 can expose services and network capabilities to third parties securely.
The eNB is connected to the MME through the S1-MME interface and to the GW through the S1-U interface. The MME is connected to the GW through the S11 interface and to the HSS through the S6a interface. The MME is connected to the SCEF entity through the T6 interface, and the HSS is connected to the SCEF entity through the S6t interface. The SCEF entity is connected to the service server and is the node through which the service server accesses the signaling plane of the core network 301.
The internet of things 302 mainly includes the service server. Optionally, the internet of things 302 may include some other auxiliary devices, such as a database, a storage device, a router, etc., in addition to the service server.
In the exemplary service system shown in fig. 3a, the service server may handle network attacks in cooperation with the GW, MME, HSS and SCEF entities. The GW may serve as a user plane entity involved in the network attack processing procedure, and the MME, HSS, and SCEF entity may serve as a signaling plane entity involved in the network attack processing procedure.
With reference to the interaction flow shown in fig. 3b, a detailed description will be given of a process of processing a network attack by interworking among the GW, the MME, the HSS, the SCEF entity, and the service server in the exemplary service system shown in fig. 3 a. For the convenience of distinction and description, the first terminal device is exemplified in the following flow. The first terminal device may be one or a plurality of.
Referring to step 30, the first terminal device accesses the core network 301 through the eNB, MME, HSS, GW, and SCEF entities.
Step 30 mainly comprises the following operations: the first terminal equipment establishes RRC connection with the eNB; the eNB establishes S1 connection with the MME; MME sends an authentication request to HSS; HSS returns authentication response to MME; MME requests GW to establish user plane connection, and GW replies a connection establishment success message to MME; the MME returns a connection establishment success message to the first terminal device, and establishes a management association with the SCEF entity for the connection, so that the establishment of the user plane connection between the first terminal device and the GW is completed, which also means that the first terminal device successfully accesses the core network 301.
Continuing with steps 31 and 32, after the first terminal device has successfully accessed the core network 301, it sends the data packets addressed to the service server to the GW, and the GW forwards those data packets to the service server.
Referring to step 33, the service server detects, on the basis of the data packets sent by the first terminal device, whether the first terminal device has attack behavior. When the first terminal device is determined to have attack behavior, the flow proceeds to step 34.
For the detailed description of steps 31-33, refer to steps 21-23 in the embodiment shown in FIG. 2b, and are not described herein again. It should be noted that, in steps 31 to 32, during the process that the service server authenticates the first terminal device, or after the first terminal device passes the authentication, the service server may determine the SCEF entity in the core network 301 according to the identifier of the first terminal device, and establish a signaling plane connection with the SCEF entity according to the protocol between the provider corresponding to the service server and the operator, so that the service server manages the user plane connection between the first terminal device and the GW.
Referring to step 34, when it is determined that the first terminal device has the attack behavior, the service server sends the notification message to the SCEF entity through a signaling plane connection with the SCEF entity, so that the SCEF entity forwards the notification message to the HSS. The notification message carries an identifier of the first terminal device, and is mainly used for notifying the GW that the first terminal device has an attack behavior and needs to filter a data packet from the first terminal device.
Continuing with steps 35-38, the SCEF entity receives the notification message sent by the service server and forwards the notification message to the HSS; the HSS receives the notification message forwarded by the SCEF entity and forwards the notification message to the MME; MME receives the notification message forwarded by HSS and forwards the notification message to GW; and the GW receives the notification message forwarded by the MME, and learns that the first terminal equipment has an attack behavior according to the notification message and needs to filter the data packet from the first terminal equipment.
Continuing with steps 39 and 40, the GW receives a data packet sent by the first terminal device to the service server, the data packet carrying the identifier of the first terminal device, and the GW determines whether the first terminal device has attack behavior by comparing that identifier with the currently valid identifiers of terminal devices with attack behavior. If the currently valid identifiers include the identifier of the first terminal device, the first terminal device is determined to have attack behavior; otherwise it may be determined not to have attack behavior.
Continuing with step 41, when the first terminal device is determined to have attack behavior, the GW filters the data packets from the first terminal device. For example, the data packets from the first terminal device may be discarded, the connection with the first terminal device may be released, or only a selected subset of the data packets from the first terminal device may be forwarded to the service server.
In some exemplary embodiments, when the service server detects terminal devices with attack behavior in step 33, it may record their identifiers so that those devices can be recognized later. The service server may also run a validity timer for each currently valid identifier of a terminal device with attack behavior and invalidate the identifier when the timer expires. A detailed description of this exemplary embodiment is given with step 23.
In some exemplary embodiments, in step 35, step 36, step 37, and/or step 38, when the SCEF entity, HSS, MME, and/or GW receives the notification message, the identity of the terminal device with the attack behavior carried in the notification message may also be stored locally as the identity of the currently valid terminal device with the attack behavior. Similarly, validity time may also be set on the SCEF entity, HSS, MME and/or GW, and only in the validity time, the terminal devices identified by the identifiers are considered to have an attack behavior, and after the validity time is over, the terminal devices may be used as normal devices to initiate a service flow with the service server. Based on this, the SCEF entity, HSS, MME and/or GW need to time validity of the currently valid identifier of the terminal device with the attack behavior in addition to storing the identifier of the terminal device with the attack behavior carried in the notification message; and when the validity timing is ended, carrying out invalidation processing on the currently valid identifier of the terminal equipment with the attack behavior.
Further, in some exemplary embodiments, based on the identifier of the currently valid terminal device with an attack behavior stored by the SCEF entity, the HSS, the MME and/or the GW, in the process of accessing the core network 301 by the first terminal device (i.e., the process described in step 30), it may be determined whether the first terminal device has an attack behavior according to the identifier of the first terminal device and the identifier of the currently valid terminal device with an attack behavior. When it is determined that the first terminal device does not have the attack behavior, the first terminal device is allowed to access the core network 301. When it is determined that the first terminal device has an attack behavior, the first terminal device is denied access to the core network 301.
The process of accessing the core network 301 by the first terminal device may be a process of accessing the core network 301 by the first terminal device for the first time, or a process of accessing the core network 301 by the first terminal device for the second time. For example, in the case where the GW disconnects from the first terminal device in step 41, the first terminal device may generally re-request access to the core network 301. Therefore, whether the first terminal device is accessed to the core network 301 for the first time or the first terminal device is accessed to the core network 301 again, the security and the reliability of the service server are ensured by judging whether the first terminal device has the attack behavior or not and directly refusing the first terminal device to access to the core network 301 when the first terminal device is judged to have the attack behavior.
Fig. 4a is a schematic structural diagram of another exemplary mobile network-based service system according to an exemplary embodiment of the present application. As shown in fig. 4a, the service system includes: a core network 401 and an internet of things 402.
The core network 401 mainly includes an eNB, a GW, an MME and an SCEF entity. The eNB is connected to the MME through the S1-MME interface and to the GW through the S1-U interface. The MME is connected to the GW through the S11 interface and to the SCEF entity through the T6 interface. The SCEF entity is connected to the service server and is the node through which the service server accesses the signaling plane of the core network 401.
The internet of things 402 mainly includes the service server. Optionally, the internet of things 402 may include some other auxiliary devices, such as a database, a storage device, a router, etc., in addition to the service server.
In the exemplary traffic system shown in fig. 4a, the traffic server may handle network attacks in cooperation with the GW, MME and SCEF entities. The GW may serve as a user plane entity involved in the network attack processing procedure, and the MME and the SCEF entity may serve as a signaling plane entity involved in the network attack processing procedure.
With reference to the interaction flow shown in fig. 4b, a detailed description will be given of a process of handling a network attack by interworking among the GW, the MME, the SCEF entity, and the service server in the exemplary service system shown in fig. 4 a. For the convenience of distinction and description, the first terminal device is exemplified in the following flow. The first terminal device may be one or a plurality of.
Referring to step 50, the first terminal device accesses the core network 401 through the eNB, the MME, the GW and the SCEF entity.
Step 50 mainly comprises the following operations: the first terminal equipment establishes RRC connection with the eNB; the eNB establishes S1 connection with the MME; MME requests GW to establish user plane connection, and GW replies a connection establishment success message to MME; the MME returns a connection establishment success message to the first terminal device, and establishes a management association with the SCEF entity for the connection, so that the establishment of the user plane connection between the first terminal device and the GW is completed, which also means that the first terminal device successfully accesses the core network 401.
Continuing with steps 51 and 52, after the first terminal device successfully accesses the core network 401, the first terminal device sends the data packet addressed to the service server to the GW; and the GW forwards the data packet sent to the service server by the first terminal equipment to the service server.
Referring to step 53, the service server detects, on the basis of the data packets sent by the first terminal device, whether the first terminal device has attack behavior. When the first terminal device is determined to have attack behavior, the flow proceeds to step 54.
For the detailed description of steps 51-53, refer to steps 21-23 in the embodiment shown in FIG. 2b, and are not described herein again. It should be noted that, in step 51-52, during the process that the service server authenticates the first terminal device, or after the first terminal device passes the authentication, the service server may determine the SCEF entity in the core network 401 according to the identifier of the first terminal device, and establish a signaling plane connection with the SCEF entity according to the protocol between the provider corresponding to the service server and the operator, so that the service server manages the user plane connection between the first terminal device and the GW.
Referring to step 54, when it is determined that the first terminal device has the attack behavior, the service server sends the notification message to the SCEF entity through the signaling plane connection with the SCEF entity, so that the SCEF entity forwards the notification message to the MME. The notification message carries an identifier of the first terminal device, and is mainly used for notifying the GW that the first terminal device has an attack behavior and needs to filter a data packet from the first terminal device.
Continuing to refer to steps 55-57, the SCEF entity receives the notification message sent by the service server and forwards the notification message to the MME; MME receives the notification message forwarded by SCEF entity and forwards the notification message to GW; and the GW receives the notification message forwarded by the MME, and learns that the first terminal equipment has an attack behavior according to the notification message and needs to filter the data packet from the first terminal equipment.
Continuing with steps 58 and 59, the GW receives a data packet sent by the first terminal device to the service server, the data packet carrying the identifier of the first terminal device, and the GW determines whether the first terminal device has attack behavior by comparing that identifier with the currently valid identifiers of terminal devices with attack behavior. If the currently valid identifiers include the identifier of the first terminal device, the first terminal device is determined to have attack behavior; otherwise it may be determined not to have attack behavior.
Continuing with step 60, when the first terminal device is determined to have attack behavior, the GW filters the data packets from the first terminal device. For example, the data packets from the first terminal device may be discarded, the connection with the first terminal device may be released, or only a selected subset of the data packets from the first terminal device may be forwarded to the service server.
In some exemplary embodiments, when the service server detects terminal devices with attack behavior in step 53, it may record their identifiers so that those devices can be recognized later. The service server may also run a validity timer for each currently valid identifier of a terminal device with attack behavior and invalidate the identifier when the timer expires. A detailed description of this exemplary embodiment is given with step 23.
In some exemplary embodiments, in step 55, step 56, and/or step 57, when receiving the notification message, the SCEF entity, MME, and/or GW may also store the identifier of the terminal device with the attack behavior carried in the notification message as the identifier of the currently valid terminal device with the attack behavior locally. Similarly, validity time may also be set on the SCEF entity, the MME, and/or the GW, and only in the validity time, the terminal devices identified by the identifiers are considered to have an attack behavior, and after the validity time is over, the terminal devices may be used as normal devices to initiate a service flow with the service server again. Based on this, the SCEF entity, MME and/or GW need to perform validity timing on the currently valid identifier of the terminal device with the attack behavior in addition to storing the identifier of the terminal device with the attack behavior carried in the notification message; and when the validity timing is ended, carrying out invalidation processing on the currently valid identifier of the terminal equipment with the attack behavior.
Further, in some exemplary embodiments, based on the identifier of the currently valid terminal device with an attack behavior stored by the SCEF entity, the MME and/or the GW, in the process of accessing the first terminal device to the core network 401 (i.e., the process described in step 50), it may be determined whether the first terminal device has an attack behavior according to the identifier of the first terminal device and the identifier of the currently valid terminal device with an attack behavior. When it is determined that the first terminal device does not have the attack behavior, the first terminal device is allowed to access the core network 401. When the first terminal device is determined to have the attack behavior, the first terminal device is denied access to the core network 401.
The process of accessing the core network 401 by the first terminal device may be the first access of the first terminal device to the core network 401 or a renewed access. For example, when the GW releases the connection with the first terminal device in step 60, the first terminal device is likely to request access to the core network 401 again. Therefore, whether the first terminal device is accessing the core network 401 for the first time or again, the security and reliability of the service server are ensured by determining whether the first terminal device has attack behavior and directly refusing it access to the core network 401 when it is determined to have attack behavior.
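The notification chain, validity timing and access-time rejection described for the three embodiments (figs. 2b, 3b and 4b), as an added example that is not from the patent: the Python below models each signaling-plane entity as a node that records the identifier carried by the notification with an expiry and forwards the notification to its next hop, with the GW as the last hop performing the user plane filtering of steps 29/41/60 and every node answering the access-time check of steps 20/30/50. The chain is given as a list of names, so the same code covers the PCRF path, the SCEF-HSS-MME path and the SCEF-MME path. The node names, the 300-second validity time and the device identifiers are assumptions; the invalidation implemented is the first of the two options the text allows (deleting the expired identifier).

```python
from dataclasses import dataclass, field


@dataclass
class BlockList:
    """Currently valid identifiers of devices with attack behavior, each with
    an expiry: the page's 'validity timing' and 'invalidation processing'."""
    ttl: float
    entries: dict = field(default_factory=dict)  # device_id -> expiry time

    def mark(self, device_id, now):
        self.entries[device_id] = now + self.ttl

    def is_blocked(self, device_id, now):
        expiry = self.entries.get(device_id)
        if expiry is None:
            return False
        if now >= expiry:
            del self.entries[device_id]  # validity ended: delete the identifier
            return False
        return True


class Node:
    """A signaling-plane entity (PCRF, SCEF, HSS or MME): stores the identifier
    carried by a notification and forwards the notification to the next hop."""

    def __init__(self, name, ttl, next_hop, trace):
        self.name = name
        self.blocklist = BlockList(ttl)
        self.next_hop = next_hop
        self.trace = trace  # shared list recording the hops in order

    def receive_notification(self, device_id, now):
        self.blocklist.mark(device_id, now)
        self.trace.append(self.name)
        if self.next_hop is not None:
            self.next_hop.receive_notification(device_id, now)


class Gateway(Node):
    """User-plane entity: the last hop, which also filters data packets."""

    def forward(self, device_id, payload, now):
        if self.blocklist.is_blocked(device_id, now):
            return None                  # packet discarded (step 29 / 41 / 60)
        return (device_id, payload)      # passed on to the service server


def build_chain(signaling_names, ttl, trace):
    """Chain such as ["PCRF"] (fig. 2a), ["SCEF", "HSS", "MME"] (fig. 3a) or
    ["SCEF", "MME"] (fig. 4a); the GW is always the final hop."""
    gw = Gateway("GW", ttl, None, trace)
    nodes = [gw]
    nxt = gw
    for name in reversed(signaling_names):
        nxt = Node(name, ttl, nxt, trace)
        nodes.insert(0, nxt)
    return nodes


def access_allowed(nodes, device_id, now):
    """Access-time check (step 20 / 30 / 50): any entity holding a currently
    valid identifier for the device rejects the access request."""
    return not any(n.blocklist.is_blocked(device_id, now) for n in nodes)


def scenario(signaling_names, ttl=300.0):
    """Run one notification through the chain and report what each stage sees."""
    trace = []
    nodes = build_chain(signaling_names, ttl, trace)
    gw = nodes[-1]
    # the service server has detected dev-A and notifies the first hop at t=0
    nodes[0].receive_notification("dev-A", now=0.0)
    return {
        "chain": list(trace),
        "dev_a_dropped": gw.forward("dev-A", b"req", 10.0) is None,
        "dev_b_passes": gw.forward("dev-B", b"req", 10.0) is not None,
        "dev_a_reattach_denied": not access_allowed(nodes, "dev-A", 100.0),
        "dev_a_reattach_after_expiry": access_allowed(nodes, "dev-A", ttl + 1.0),
        "dev_a_forwarded_after_expiry": gw.forward("dev-A", b"req", ttl + 1.0) is not None,
    }


if __name__ == "__main__":
    for names in (["PCRF"], ["SCEF", "HSS", "MME"], ["SCEF", "MME"]):
        print(names, scenario(names))
```

Each node keeps its own copy of the identifier, which is what lets the MME or HSS reject a re-attach (steps 20/30/50) without consulting the GW; the cost is that the validity timers run independently per node, so in a deployment the validity time carried or agreed for the notification should be the same at every hop, otherwise a device may be refused at attach by one entity after the GW has already started forwarding its packets again.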
The foregoing embodiments of the present application mainly combine with a service system to provide the technical solutions of the embodiments of the present application in detail. In the following embodiments, the technical solutions provided in the embodiments of the present application will be described in detail from different network element perspectives.
Fig. 5 is a flowchart illustrating a network attack processing method described from the perspective of a service server according to an exemplary embodiment of the present application. As shown in fig. 5, the method includes:
501. Receiving a data packet from the first terminal device, sent by a user plane entity in the core network.
502. Determining, based on the data packet from the first terminal device, that the first terminal device has an attack behavior.
503. Notifying the user plane entity to filter the data packets from the first terminal device.
In an alternative embodiment, the notification message may be sent to a signaling plane entity in the core network, so that the signaling plane entity forwards the notification message to the user plane entity. The notification message is used to instruct the user plane entity to filter the data packets from the first terminal device.
The user plane entity and the signaling plane entity may be different according to different core network implementation architectures.
For example, taking the LTE core network architecture shown in fig. 2a as an example, the user plane entity may be a GW, and the signaling plane entity may be a PCRF entity. Based on this, the notification message may be sent to a PCRF entity in the core network, so that the PCRF entity forwards the notification message to the GW.
For another example, taking the LTE core network architecture shown in fig. 3a as an example, the user plane entity may be a GW, and the signaling plane entity may include an MME, an HSS and an SCEF entity. Based on this, the notification message may be sent to the SCEF entity in the core network, so that the SCEF entity forwards the notification message to the GW via the MME in the core network.
For another example, taking the LTE core network architecture shown in fig. 4a as an example, the user plane entity may be a GW, and the signaling plane entity may include an MME and an SCEF entity. Based on this, the notification message may be sent to the SCEF entity in the core network, so that the SCEF entity forwards the notification message to the GW sequentially via the HSS and the MME in the core network.
In some exemplary embodiments, the service server needs to determine a signaling plane entity in advance according to the identifier of the first terminal device, and establish a signaling plane connection with the signaling plane entity, so that the service server sends the notification message to the user plane entity through the signaling plane connection.
Generally, the service server may determine the signaling plane entity during the authentication of the first terminal device or after the first terminal device passes the authentication.
In some exemplary embodiments, in step 502, it may be determined that the first terminal device has an attack behavior according to the identifier of the first terminal device carried in the data packet from the first terminal device and the identifier of the currently valid terminal device having an attack behavior; alternatively, it may be determined that the first terminal device has the attack behavior according to the type and transmission behavior of the packet from the first terminal device.
In some exemplary embodiments, the service server may store the identifier of the terminal device with the attack behavior, and may also perform validity timing on the currently valid identifier of the terminal device with the attack behavior; and when the validity timing is ended, carrying out invalidation processing on the currently valid identifier of the terminal equipment with the attack behavior.
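The service-server side of steps 502 and 503, as an added example that is not code from the patent or from the applicant: a server that decides attack behavior either from the identifier carried in the packet (against the currently valid identifiers it stores) or from the type and transmission behavior of the packets, and then builds the notification for the signaling plane. The packet fields, the rate threshold used as the behavioral rule and the message layout are assumptions; the patent leaves the concrete behavioral criterion open.

```python
"""Service-server side of the scheme: decide whether a terminal device shows
attack behaviour (step 502) and build the notification for the signalling plane
(step 503).  Added example, not code from the patent; the packet format, the
rate threshold and the message layout are assumptions."""
from collections import deque
from dataclasses import dataclass, field


@dataclass
class Packet:
    device_id: str      # identifier of the terminal device, carried in the packet
    kind: str           # packet type, e.g. "heartbeat", "telemetry", "auth"
    t: float            # arrival time in seconds


@dataclass
class ServiceServer:
    # identifiers of currently valid terminal devices with attack behaviour
    valid_attackers: set = field(default_factory=set)
    # assumed behavioural rule: more than `max_per_window` packets of the same
    # kind from one device inside `window` seconds counts as attack behaviour
    max_per_window: int = 5
    window: float = 1.0
    _history: dict = field(default_factory=dict)

    def has_attack_behavior(self, pkt: Packet) -> bool:
        # (a) identifier already listed as a currently valid attacker
        if pkt.device_id in self.valid_attackers:
            return True
        # (b) type and transmission behaviour: sliding window per (device, kind)
        key = (pkt.device_id, pkt.kind)
        hist = self._history.setdefault(key, deque())
        hist.append(pkt.t)
        while hist and pkt.t - hist[0] > self.window:
            hist.popleft()
        if len(hist) > self.max_per_window:
            # store the identifier as a currently valid attacker (validity
            # timing of this set is handled elsewhere in the scheme)
            self.valid_attackers.add(pkt.device_id)
            return True
        return False

    def build_notification(self, pkt: Packet) -> dict:
        # assumed message layout; sent to the signalling plane entity, which
        # forwards it to the user plane entity
        return {"type": "filter", "device_id": pkt.device_id}

    def handle(self, pkt: Packet):
        """Returns the notification to send, or None if the packet is normal."""
        if self.has_attack_behavior(pkt):
            return self.build_notification(pkt)
        return None


if __name__ == "__main__":
    server = ServiceServer(max_per_window=3, window=1.0)
    # constructed burst: four heartbeats within 0.3 s from one device
    for i in range(4):
        print(server.handle(Packet("dev-1", "heartbeat", 0.1 * i)))
```

Once an identifier is in `valid_attackers`, every later packet from that device is treated as attack behavior regardless of type, which is the identifier-based branch of step 502; the behavioral branch only ever adds identifiers, so removal is left to the validity timing described above.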
In the embodiment of the application, in the process that the terminal device performs data interaction with the service server through the user plane entity in the core network, the service server judges whether the terminal device has an attack behavior, and when the terminal device is determined to have the attack behavior, the user plane entity is informed to filter the data packet from the terminal device with the attack behavior, so that interception of the attack behavior is realized, the influence of network attack on the service server is reduced, and the reliability and the safety of the service server are improved.
Fig. 6 is a flowchart illustrating a network attack processing method described from the perspective of a user plane entity according to an exemplary embodiment of the present application. As shown in fig. 6, the method includes:
601. Receiving a data packet sent by the first terminal device to the service server, where the data packet carries the identifier of the first terminal device.
602. Determining that the first terminal device has an attack behavior according to the identifier of the first terminal device and the identifiers of the currently valid terminal devices with attack behavior.
603. Filtering the data packets from the first terminal device.
In this embodiment, the user plane entity is matched with the service server, and when a data packet sent by the first terminal device to the service server is received in a process of data interaction between the terminal device and the service server, whether the first terminal device has an attack behavior is determined based on a currently effective identifier of the terminal device having the attack behavior; and when the first terminal equipment is judged to have the attack behavior, filtering the data packet from the first terminal equipment, intercepting the attack behavior, reducing the influence of network attack on the service server, and improving the reliability and the safety of the service server.
In some exemplary embodiments, in step 603, the user plane entity may drop the data packets from the first terminal device, so that they are no longer sent to the service server and the impact of the attack behavior on the service server is mitigated. Alternatively, in step 603, the user plane entity may disconnect the user plane connection with the first terminal device, so that data packets from the first terminal device are no longer sent to the service server, again mitigating the influence of the attack behavior on the service server. Alternatively, in step 603, the user plane entity may selectively send data packets from the first terminal device to the service server, so as to reduce the number of data packets reaching the service server and mitigate the influence of the attack on it.
For example, a part of the data packets from the first terminal device may be selected to be transmitted to the service server according to the maximum packet transmission amount within a certain time.
For another example, the data packets with the size within the set range may be selected from the data packets from the first terminal device according to the size of the data packets, and sent to the service server, that is, the data packets with too large or too small size are filtered out.
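The three filtering options of step 603, as an added example that is not the patent's or any vendor's code: a user plane entity that, for a device already listed as having attack behavior, either drops its packets, tears down its user plane connection, or forwards them selectively using the two criteria named above (a maximum number of packets per time window, and a permitted size range). The packet fields and the policy parameters are assumptions.

```python
"""User-plane entity (e.g. the GW) applying the filtering options of step 603
to packets from a terminal device already identified as having attack
behaviour.  Added example, not the patent's or any vendor's code; the packet
fields and the policy parameters are assumptions."""
from collections import deque
from dataclasses import dataclass, field


@dataclass
class Packet:
    device_id: str
    size: int        # payload size in bytes
    t: float         # arrival time in seconds


@dataclass
class UserPlaneFilter:
    attackers: set                       # currently valid identifiers with attack behaviour
    mode: str = "drop"                   # "drop" | "disconnect" | "selective"
    max_packets: int = 3                 # selective: max packets forwarded per window
    window: float = 10.0                 # selective: window length in seconds
    size_range: tuple = (20, 1500)       # selective: only sizes inside this range pass
    disconnected: set = field(default_factory=set)
    _sent: dict = field(default_factory=dict)

    def handle(self, pkt: Packet) -> str:
        """Returns 'forward', 'drop' or 'disconnect' for this packet."""
        if pkt.device_id in self.disconnected:
            return "drop"                # user-plane connection already torn down
        if pkt.device_id not in self.attackers:
            return "forward"             # normal device: send to the service server
        if self.mode == "drop":
            return "drop"
        if self.mode == "disconnect":
            self.disconnected.add(pkt.device_id)
            return "disconnect"
        return self._selective(pkt)

    def _selective(self, pkt: Packet) -> str:
        lo, hi = self.size_range
        if not lo <= pkt.size <= hi:     # too large or too small: filtered out
            return "drop"
        sent = self._sent.setdefault(pkt.device_id, deque())
        while sent and pkt.t - sent[0] >= self.window:
            sent.popleft()               # slide the window
        if len(sent) >= self.max_packets:
            return "drop"                # quota for this window exhausted
        sent.append(pkt.t)
        return "forward"


if __name__ == "__main__":
    f = UserPlaneFilter(attackers={"dev-1"}, mode="selective", max_packets=2)
    # constructed sample: three 100-byte packets in quick succession
    for t in (0.0, 1.0, 2.0):
        print(t, f.handle(Packet("dev-1", 100, t)))
```

The selective mode combines both criteria: a packet must first be inside the size range and only then consumes one slot of the per-window quota, so oversized packets do not eat into the budget of well-formed ones.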
In some exemplary embodiments, the user plane entity may send the data packet from the first terminal device to the service server when determining that the first terminal device does not have the attack behavior.
In some exemplary embodiments, the service server may detect whether the first terminal device has an attack behavior according to a data packet from the first terminal device, and send a notification message to the user plane entity through the signaling plane entity when detecting that the first terminal device has the attack behavior, and carry an identifier of the first terminal device in the notification message. Based on this, the user plane entity may receive a notification message from the service server forwarded by a signaling plane entity in the core network, where the notification message includes an identifier of the first terminal device having the attack behavior. Based on this, if the user plane entity receives the data packet from the first terminal device after receiving the notification message, it may be determined whether the identifier of the first terminal device is included in the currently valid identifier of the terminal device having the attack behavior; if so, the first terminal device can be determined to have the attack behavior, and the data packet from the first terminal device is forbidden to be sent to the service server.
The user plane entity and the signaling plane entity may be different according to different core network implementation architectures.
For example, taking the LTE core network architecture shown in fig. 2a as an example, the user plane entity may be a GW, and the signaling plane entity may be a PCRF entity. Based on this, in the process of receiving the notification message from the service server forwarded by the signaling plane entity, the GW may receive the notification message forwarded by the PCRF entity.
For another example, taking the LTE core network architecture shown in fig. 3a as an example, the user plane entity may be a GW, and the signaling plane entity may include an MME, an HSS and an SCEF entity. Based on this, in the process of receiving the notification message from the service server forwarded by the signaling plane entity, the GW may receive the notification message forwarded by the MME, where the MME receives the notification message forwarded by the HSS, and the HSS receives the notification message forwarded by the SCEF entity.
For another example, taking the LTE core network architecture shown in fig. 4a as an example, the user plane entity may be a GW, and the signaling plane entity may include an MME and an SCEF entity. Based on this, in the process of receiving the notification message from the service server forwarded by the signaling plane entity, the GW may receive the notification message forwarded by the MME, where the MME receives the notification message forwarded by the SCEF entity.
In some exemplary embodiments, the first terminal device needs to access the core network before step 601. Based on the current effective identifier of the terminal device with the attack behavior stored in the user plane entity, whether the first terminal device has the attack behavior or not can be judged according to the identifier of the first terminal device and the current effective identifier of the terminal device with the attack behavior in the process that the first terminal device is accessed into the core network; and if the currently effective identifier of the terminal equipment with the attack behavior does not contain the identifier of the first terminal equipment, determining that the first terminal equipment does not have the attack behavior, and allowing the first terminal equipment to access the core network. In addition, if the identifier of the currently effective terminal device with the attack behavior contains the identifier of the first terminal device, the first terminal device is determined to have the attack behavior, and the first terminal device is refused to access the core network.
Further, the user plane entity can perform validity timing on the currently valid identifiers of terminal devices with attack behavior, and, when the validity timing ends, perform invalidation processing on those identifiers. The invalidation processing comprises: deleting the identifier of the terminal device whose validity timing has ended, or adding a legal mark to that identifier, meaning that the terminal device is no longer considered to have an attack behavior. Therefore, a first terminal device that was once illegally controlled can still access the service server normally afterwards.
Fig. 7 is a flowchart illustrating a network attack processing method described from the perspective of a signaling plane entity according to an exemplary embodiment of the present application. As shown in fig. 7, the method includes:
701. Receiving a notification message from the service server, where the notification message comprises the identifier of the first terminal device having an attack behavior towards the service server.
702. Forwarding the notification message to a user plane entity in the core network, to instruct the user plane entity to filter the data packets from the first terminal device.
In this embodiment, the signaling plane entity is matched with the service server, and forwards the notification message from the service server to the user plane entity, so that the user plane entity learns that the first terminal device has an attack behavior and filters the data packet from the first terminal device, thereby intercepting the attack behavior, reducing the influence of network attack on the service server, and improving the reliability and the security of the service server.
In some exemplary embodiments, prior to step 701, the first terminal device needs to access the core network. Optionally, in the process that the first terminal device accesses the core network, the signaling plane entity may determine that the first terminal device does not have the attack behavior according to the identifier of the first terminal device and the identifier of the currently valid terminal device having the attack behavior, and allow the first terminal device to access the core network. In addition, if the first terminal device is determined to have the attack behavior in the process of accessing the core network by the first terminal device, the first terminal device can be refused to access the core network.
In some exemplary embodiments, the signaling plane entity may store the identifier of the first terminal device carried in the notification message as the identifier of the currently valid terminal device with the attack behavior locally. Based on this, in the process that the first terminal device accesses the core network again, whether the first terminal device has the attack behavior or not can be judged according to the identifier of the first terminal device and the identifier of the currently effective terminal device with the attack behavior; and if the currently effective identifier of the terminal equipment with the attack behavior contains the identifier of the first terminal equipment, determining that the first terminal equipment has the attack behavior, and refusing the first terminal equipment to access the core network. In addition, if the identifier of the first terminal device is not included in the currently valid identifier of the terminal device with the attack behavior, it is determined that the first terminal device does not have the attack behavior, and the first terminal device is allowed to access the core network.
Furthermore, the signaling plane entity can also perform validity timing on the currently valid identifiers of terminal devices with attack behavior, and, when the validity timing ends, perform invalidation processing on those identifiers. The invalidation processing comprises: deleting the identifier of the terminal device whose validity timing has ended, or adding a legal mark to that identifier, meaning that the terminal device is no longer considered to have an attack behavior. Therefore, a first terminal device that was once illegally controlled can still access the service server normally afterwards.
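The identifier store with validity timing, the two invalidation modes (delete, or add a legal mark), and the access check on first or repeated core network access are described identically for the service server, the signaling plane entities and the user plane entity above, and the signaling plane forwards the notification hop by hop to the user plane entity (steps 701 and 702). The following is an added example covering all of those passages, not code from the patent: each entity in a forwarding chain stores the identifier locally with its own validity timer and passes the notification on. Entity names, the validity period and the message layout are assumptions.

```python
"""Identifier store with validity timing and the two invalidation modes
(delete, or add a legal mark), the access check performed when a terminal
device attaches to the core network for the first time or again, and the
forwarding of the notification along the signalling plane to the user plane
entity.  Added example, not the patent's code; entity names, validity period
and message layout are assumptions."""
from dataclasses import dataclass, field


@dataclass
class AttackerIdStore:
    validity: float = 3600.0                  # seconds an identifier stays valid
    mode: str = "delete"                      # "delete" or "legal_mark" on expiry
    _expires: dict = field(default_factory=dict)   # device id -> expiry time
    legal: set = field(default_factory=set)   # ids carrying a legal mark

    def mark(self, device_id: str, now: float) -> None:
        """Store an identifier as a currently valid terminal device with attack behaviour."""
        self._expires[device_id] = now + self.validity
        self.legal.discard(device_id)         # re-detected: any legal mark is withdrawn

    def expire(self, now: float) -> None:
        """Validity timing ended: delete the identifier or add a legal mark."""
        for dev, until in list(self._expires.items()):
            if now >= until:
                del self._expires[dev]
                if self.mode == "legal_mark":
                    self.legal.add(dev)

    def is_attacker(self, device_id: str, now: float) -> bool:
        self.expire(now)
        return device_id in self._expires

    def admit(self, device_id: str, now: float) -> bool:
        """Access check during core-network attach (first or repeated access)."""
        return not self.is_attacker(device_id, now)


@dataclass
class Entity:
    name: str
    store: AttackerIdStore
    next_hop: "Entity | None" = None          # None for the user plane entity (last hop)

    def receive_notification(self, msg: dict, now: float) -> list:
        """Store the identifier locally, then forward; returns the names of all hops."""
        self.store.mark(msg["device_id"], now)
        path = [self.name]
        if self.next_hop is not None:
            path += self.next_hop.receive_notification(msg, now)
        return path


def build_chain(names: list, validity: float, mode: str) -> Entity:
    """Chain entities in order, e.g. ["SCEF", "HSS", "MME", "GW"]; returns the first hop."""
    head = None
    for name in reversed(names):
        head = Entity(name, AttackerIdStore(validity, mode), head)
    return head


if __name__ == "__main__":
    scef = build_chain(["SCEF", "HSS", "MME", "GW"], validity=100.0, mode="delete")
    # constructed notification from the service server
    print(scef.receive_notification({"device_id": "dev-1"}, now=0.0))
    gw = scef.next_hop.next_hop.next_hop
    print(gw.store.admit("dev-1", 50.0), gw.store.admit("dev-1", 100.0))
```

Because every hop keeps its own copy, the access check can be made at whichever entity handles the attach (MME, SCEF or GW in the text above) without a round trip, and the timers at the different hops expire independently; a re-detection re-arms the timer and removes any legal mark that had been added.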
It should be noted that the execution subjects of the steps of the methods provided in the above embodiments may be the same device, or different devices may be used as the execution subjects of the methods. For example, the execution subjects of steps 501 to 503 may be device a; for another example, the execution subjects of steps 501 and 502 may be device a, and the execution subject of step 503 may be device B; and so on.
In addition, in some of the flows described in the above embodiments and the drawings, a plurality of operations are included in a specific order, but it should be clearly understood that the operations may be executed out of the order presented herein or in parallel, and the sequence numbers of the operations, such as 501, 502, etc., are merely used for distinguishing different operations, and the sequence numbers themselves do not represent any execution order. Additionally, the flows may include more or fewer operations, and the operations may be performed sequentially or in parallel. It should be noted that, the descriptions of "first", "second", etc. in this document are used for distinguishing different messages, devices, modules, etc., and do not represent a sequential order, nor limit the types of "first" and "second" to be different.
Fig. 8a is a schematic structural diagram of a network attack processing apparatus according to an exemplary embodiment of the present application. As shown in fig. 8a, the apparatus comprises: a receiving module 81, a determining module 82 and a notification module 83.
A receiving module 81, configured to receive a data packet from a first terminal device sent by a user plane entity in a core network.
A determining module 82, configured to determine that the first terminal device has an attack behavior based on the data packet.
A notification module 83, configured to notify a user plane entity to filter the data packet from the first terminal device.
In some exemplary embodiments, the notification module 83 is specifically configured to: and sending a notification message to a signaling plane entity in the core network so that the signaling plane entity forwards the notification message to a user plane entity. The notification message is used to instruct the user plane entity to filter the data packets from the first terminal device.
In some exemplary embodiments, the notification module 83 is specifically configured to:
sending a notification message to a PCRF entity in the core network, so that the PCRF entity forwards the notification message to the user plane entity; or
sending a notification message to an SCEF entity in the core network, so that the SCEF entity forwards the notification message to the user plane entity through an MME in the core network; or
sending a notification message to the SCEF entity in the core network, so that the SCEF entity forwards the notification message to the user plane entity sequentially through the HSS and the MME in the core network.
In some exemplary embodiments, the determining module 82 is further configured to determine, before the notifying module 83 sends the notification message to the signaling plane entity in the core network, the signaling plane entity according to the identifier of the first terminal device, and establish a signaling plane connection with the signaling plane entity, so that the network attack processing apparatus at the local end sends the notification message to the user plane entity through the signaling plane connection.
In some exemplary embodiments, when determining that the first terminal device has the attack behavior, the determining module 82 is specifically configured to: determining that the first terminal equipment has the attack behavior according to the identification of the first terminal equipment carried in the data packet and the identification of the currently effective terminal equipment with the attack behavior; or determining that the first terminal equipment has the attack behavior according to the type and the sending behavior of the data packet.
In some exemplary embodiments, the determination module 82 is further configured to: carrying out validity timing on the currently valid identifier of the terminal equipment with the attack behavior; and when the validity timing is ended, carrying out invalidation processing on the currently valid identifier of the terminal equipment with the attack behavior.
Having described the internal functions and structure of the network attack processing apparatus, as shown in fig. 8b, in practice, the network attack processing apparatus may be implemented as a service server, including: a communication component 84, a memory 85, and a processor 86.
A communication component 84, configured to receive a data packet from the first terminal device sent by the user plane entity in the core network.
The memory 85 may be configured to store various other data to support operations on the service server. Examples of such data include instructions for any application or method operating on the service server, contact data, phonebook data, messages, pictures, videos, and the like.
The memory 85 may be implemented by any type or combination of volatile or non-volatile memory devices such as Static Random Access Memory (SRAM), electrically erasable programmable read-only memory (EEPROM), erasable programmable read-only memory (EPROM), programmable read-only memory (PROM), read-only memory (ROM), magnetic memory, flash memory, magnetic or optical disks.
The processor 86 is coupled to the memory 85 for executing programs in the memory 85 for:
determining that the first terminal device has an attack behavior based on the data packet received by the communication component 84;
notifying the user plane entity, via the communication component 84, to filter the data packets from the first terminal device.
Optionally, the processor 86 is specifically configured to send the notification message to a signaling plane entity in the core network through the communication component 84, so that the signaling plane entity forwards the notification message to the user plane entity. The notification message is used to instruct the user plane entity to filter the data packets from the first terminal device. Accordingly, the communication component 84 is further configured to send a notification message to the signaling plane entity.
Further, when sending the notification message to the signaling plane entity, the communication component 84 is specifically configured to:
sending the notification message to a PCRF entity in the core network, so that the PCRF entity forwards the notification message to the user plane entity; or
sending the notification message to an SCEF entity in the core network, so that the SCEF entity forwards the notification message to the user plane entity through an MME in the core network; or
sending the notification message to the SCEF entity in the core network, so that the SCEF entity forwards the notification message to the user plane entity sequentially through the HSS and the MME in the core network.
Further, the processor 86 is also configured to: according to the identifier of the first terminal device, a signaling plane entity is determined, and the communication component 84 is controlled to establish a signaling plane connection with the signaling plane entity, so that the service server sends a notification message to the user plane entity through the signaling plane connection.
Further, when determining that the first terminal device has an attack behavior based on the data packet received by the communication component 84, the processor 86 is specifically configured to:
determining that the first terminal device has the attack behavior according to the identifier of the first terminal device carried in the data packet received by the communication component 84 and the identifiers of the currently valid terminal devices with attack behavior; or
determining that the first terminal device has the attack behavior based on the type and transmission behavior of the data packets received by the communication component 84.
Further, in the event that the processor 86 determines that the first terminal device has an attack behavior based on the type and transmission behavior of the data packets received by the communication component 84, the processor 86 may also store the identifier of the first terminal device in the memory 85 as the identifier of a currently valid terminal device with attack behavior.
Further, the processor 86 is also configured to: carrying out validity timing on the currently valid identifier of the terminal equipment with the attack behavior; and when the validity timing is ended, carrying out invalidation processing on the currently valid identifier of the terminal equipment with the attack behavior.
Further, as shown in fig. 8b, the electronic device further includes: a display 87, a power supply component 88, an audio component 89, and the like. Only some of the components are schematically shown in fig. 8b and it is not meant that the electronic device comprises only the components shown in fig. 8 b.
Accordingly, the present application further provides a computer readable storage medium storing a computer program, which when executed, can implement:
receiving a data packet from a first terminal device, sent by a user plane entity in a core network;
determining that the first terminal device has an attack behavior based on the received data packet;
notifying the user plane entity to filter the data packets from the first terminal device.
In addition to the above-described functions, the computer program may also implement other functions related to the service server in the above-described method embodiments when executed.
Fig. 9a is a schematic structural diagram of another network attack processing apparatus according to an exemplary embodiment of the present application. As shown in fig. 9a, the apparatus comprises: a receiving module 91, a determining module 92 and a filtering module 93.
The receiving module 91 is configured to receive a data packet sent by the first terminal device to the service server, where the data packet carries an identifier of the first terminal device.
A determining module 92, configured to determine that the first terminal device has an attack behavior according to the identifier of the first terminal device and the identifiers of the currently valid terminal devices with attack behavior.
And a filtering module 93, configured to filter the data packet from the first terminal device.
In some exemplary embodiments, the receiving module 91 is specifically configured to:
receiving a notification message forwarded by a PCRF entity in the core network; or
receiving the notification message forwarded by the MME in the core network.
In some exemplary embodiments, the determining module 92, before receiving the data packet sent by the first terminal device to the service server, is further configured to:
in the process of the first terminal device accessing the core network, determining that the first terminal device does not have an attack behavior according to the identifier of the first terminal device and the identifiers of the currently valid terminal devices with attack behavior, and allowing the first terminal device to access the core network.
In some exemplary embodiments, the receiving module 91, before the determining module 92 determines that the first terminal device has the attack behavior, is further configured to:
receiving a notification message from the service server forwarded by a signaling plane entity in the core network, where the notification message comprises the identifier of the first terminal device and is mainly used to notify the user plane entity to filter the data packets from the first terminal device.
In some exemplary embodiments, the filtering module 93, when filtering the data packet from the first terminal device, is specifically configured to:
discarding the data packets from the first terminal device; or
disconnecting the user plane connection with the first terminal device; or
selectively sending the data packets from the first terminal device to the service server.
Having described the internal functions and structure of the network attack processing apparatus, as shown in fig. 9b, in practice, the network attack processing apparatus can be implemented as a user plane entity, including: a communication component 94, a memory 95, and a processor 96.
A communication component 94, configured to receive a data packet sent by a first terminal device to a service server, where the data packet carries an identifier of the first terminal device.
The memory 95 may be configured to store various other data to support operations on the service server. Examples of such data include instructions for any application or method operating on the service server, contact data, phonebook data, messages, pictures, videos, and the like.
The memory 95 may be implemented by any type or combination of volatile or non-volatile memory devices such as Static Random Access Memory (SRAM), electrically erasable programmable read-only memory (EEPROM), erasable programmable read-only memory (EPROM), programmable read-only memory (PROM), read-only memory (ROM), magnetic memory, flash memory, magnetic or optical disks.
The processor 96 is coupled to the memory 95 for executing programs in the memory 95 for:
determining that the first terminal device has an attack behavior according to the identifier of the first terminal device and the identifiers of the currently valid terminal devices with attack behavior;
filtering the data packets from the first terminal device.
Further, when filtering the data packet from the first terminal device, the processor 96 is specifically configured to:
discarding the data packets received from the first terminal device by the communication component 94; or
disconnecting the user plane connection with the first terminal device; or
selectively sending the data packets from the first terminal device to the service server.
In some exemplary embodiments, the communication component 94 is specifically configured to:
receiving a notification message forwarded by a PCRF entity in the core network; or
receiving the notification message forwarded by the MME in the core network.
In some exemplary embodiments, the communication component 94 is further configured to, before the processor 96 determines that the first terminal device has the attack behavior:
receiving a notification message from the service server forwarded by a signaling plane entity in the core network, where the notification message comprises the identifier of the first terminal device with the attack behavior.
In some exemplary embodiments, the processor 96 is further configured to, before the communication component 94 receives the data packet sent by the first terminal device to the service server:
in the process of the first terminal device accessing the core network, determine that the first terminal device does not have an attack behavior according to the identifier of the first terminal device and the identifiers of the currently valid terminal devices with attack behavior, and allow the first terminal device to access the core network.
In some exemplary embodiments, the processor 96 is further configured to:
perform validity timing on the currently valid identifiers of terminal devices with attack behavior;
when the validity timing ends, perform invalidation processing on the currently valid identifiers of terminal devices with attack behavior.
Further, as shown in fig. 9b, the electronic device further includes: a display 97, a power supply component 98, an audio component 99, and the like. Only some of the components are schematically shown in fig. 9b, and this does not mean that the electronic device comprises only the components shown in fig. 9b.
Accordingly, the present application further provides a computer readable storage medium storing a computer program, which when executed, can implement:
receiving a data packet sent by a first terminal device to a service server, where the data packet carries an identifier of the first terminal device;
determining, according to the identifier of the first terminal device and the identifiers of the currently valid terminal devices having the attack behavior, that the first terminal device has the attack behavior; and
filtering the data packets from the first terminal device.
When executed, the computer program may also implement the other functions associated with the user plane entity in the method embodiments described above.
Fig. 10a is a schematic structural diagram of another network attack processing apparatus according to an exemplary embodiment of the present application. As shown in fig. 10a, the apparatus comprises: a receiving module 1001 and a forwarding module 1002.
A receiving module 1001, configured to receive a notification message from a service server, where the notification message includes an identifier of a first terminal device having an attack behavior on the service server.
A forwarding module 1002, configured to forward the received notification message to a user plane entity in a core network, so as to instruct the user plane entity to filter a data packet from the first terminal device.
In some exemplary embodiments, the apparatus further comprises a storage module configured to: after the receiving module 1001 receives the notification message from the service server, store the identifier of the first terminal device locally as the identifier of a currently valid terminal device having the attack behavior.
In some exemplary embodiments, the apparatus further includes an access control module configured to: while the first terminal device is accessing the core network, determine, according to the identifier of the first terminal device and the identifiers of the currently valid terminal devices having the attack behavior, that the first terminal device does not have the attack behavior, and allow the first terminal device to access the core network.
Further, in some exemplary embodiments, the access control module is further configured to: while the first terminal device is accessing the core network again, determine, according to the identifier of the first terminal device and the identifiers of the currently valid terminal devices having the attack behavior, that the first terminal device has the attack behavior, and refuse the first terminal device access to the core network.
In some exemplary embodiments, the network attack processing apparatus may be implemented as a signaling plane entity in the core network; specifically, the network attack processing apparatus is a PCRF entity, an SCEF entity, an MME or an HSS in the core network.
In some exemplary embodiments, the apparatus further includes a timing module configured to run a validity timer for each currently valid identifier of a terminal device having the attack behavior and, when the validity timer expires, to invalidate that identifier.
Having described the internal functions and structure of the network attack processing apparatus, in practice, as shown in fig. 10b, the network attack processing apparatus can be implemented as a signaling plane entity comprising: a communication component 1004, a memory 1005 and a processor 1006;
the communication component 1004 is configured to receive a notification message from a service server, the notification message comprising an identifier of a first terminal device having an attack behavior on the service server;
the memory 1005 is configured to store a program;
the processor 1006, coupled to the memory 1005, is configured to execute the program to:
control the communication component 1004 to forward the notification message to the user plane entity in the core network, so as to instruct the user plane entity to filter the data packets from the first terminal device;
and the communication component 1004 is further configured to forward the notification message to the user plane entity under the control of the processor 1006.
In some exemplary embodiments, before the communication component 1004 receives the notification message from the service server, the processor 1006 is further configured to:
while the first terminal device is accessing the core network, determine, according to the identifier of the first terminal device and the identifiers of the currently valid terminal devices having the attack behavior, that the first terminal device does not have the attack behavior, and allow the first terminal device to access the core network.
In other exemplary embodiments, after the communication component 1004 receives the notification message from the service server, the processor 1006 is further configured to: store the identifier of the first terminal device in the memory 1005 as the identifier of a currently valid terminal device having the attack behavior.
In still other exemplary embodiments, after locally storing the identifier of the first terminal device as the identifier of a currently valid terminal device having the attack behavior, the processor 1006 is further configured to:
while the first terminal device is accessing the core network again, determine, according to the identifier of the first terminal device and the identifiers of the currently valid terminal devices having the attack behavior, that the first terminal device has the attack behavior, and refuse the first terminal device access to the core network.
In further exemplary embodiments, the processor 1006 is further configured to: run a validity timer for each currently valid identifier of a terminal device having the attack behavior; and when the validity timer expires, invalidate that identifier.
Further, as shown in fig. 10b, the electronic device also includes a display 1007, a power component 1008, an audio component 1009 and other components. Only some of the components are shown schematically in fig. 10b; this does not mean that the electronic device comprises only the components shown in fig. 10b.
Accordingly, the present application further provides a computer readable storage medium storing a computer program, which when executed, can implement: receiving a notification message from a service server, wherein the notification message comprises an identifier of a first terminal device having an attack behavior on the service server;
and forwarding the notification message to a user plane entity in the core network, so as to prohibit the user plane entity from sending data packets from the first terminal device to the service server.
In addition to the above-described functions, the computer program may also perform other functions related to the signaling plane entity in the above-described method embodiments when executed.
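To make the flow described in the user plane and signaling plane passages above concrete, here is an added example written for this page (it is not code from the patent or from Alibaba): a small Python model in which a notification travels one of the three relay routes of claim 3, each signaling entity stores the flagged identifier before relaying, the user plane entity applies one of the three filtering options of claim 5, refuses a re-attach while the identifier is valid (claims 7 and 8), and invalidates the identifier when its validity timer ends. Every name in it (ValidBlocklist, UserPlaneEntity, SignalingPlaneEntity, build_path, demo), the dict-shaped notification message, the imsi-style terminal identifier, the fixed clock values and the 1-in-N sampling used for "selective" forwarding are this example's own assumptions; the patent fixes none of them, nor does it say how the service server detects the attack in the first place.

```python
# Added example, not from the patent: a toy model of the notification relay
# (claim 3's PCRF, SCEF->MME and SCEF->HSS->MME routes), the user-plane filter
# with its three options, the access check on attach and the validity timer.
# Names, message layout, the imsi-... id and the 1-in-N sampling are assumptions.
import time
from typing import Callable, Dict


class ValidBlocklist:
    """Terminal ids currently flagged as attacking; each valid for ttl seconds."""

    def __init__(self, ttl: float, clock: Callable[[], float] = time.monotonic):
        self.ttl, self.clock = ttl, clock    # clock is injectable for testing
        self._expires_at: Dict[str, float] = {}

    def store(self, terminal_id: str) -> None:
        self._expires_at[terminal_id] = self.clock() + self.ttl

    def is_valid(self, terminal_id: str) -> bool:
        expires = self._expires_at.get(terminal_id)
        if expires is not None and self.clock() < expires:
            return True
        self._expires_at.pop(terminal_id, None)  # timer ended (or never set): invalidate
        return False


class UserPlaneEntity:
    """Forwards packets to the service server unless the sender is a currently
    valid attacker; policy is 'drop', 'disconnect' or 'selective'."""

    def __init__(self, blocklist: ValidBlocklist, policy: str = "drop", sample_every: int = 10):
        self.blocklist, self.policy, self.sample_every = blocklist, policy, sample_every
        self.attached: set = set()
        self.last_notification: dict = {}
        self._seen: Dict[str, int] = {}

    def attach(self, terminal_id: str) -> bool:  # access control on (re)attach
        if self.blocklist.is_valid(terminal_id):
            return False
        self.attached.add(terminal_id)
        return True

    def receive_notification(self, msg: dict) -> None:
        self.last_notification = msg
        self.blocklist.store(msg["terminal_id"])

    def handle_packet(self, packet: dict) -> str:
        tid = packet["terminal_id"]
        if tid not in self.attached:
            return "not_attached"
        if not self.blocklist.is_valid(tid):
            return "forwarded"
        if self.policy == "disconnect":
            self.attached.discard(tid)
            return "disconnected"
        if self.policy == "selective":       # assumed: let 1 in N packets through
            self._seen[tid] = self._seen.get(tid, 0) + 1
            if self._seen[tid] % self.sample_every == 0:
                return "forwarded_sample"
        return "dropped"


class SignalingPlaneEntity:
    """PCRF, SCEF, HSS or MME: store the flagged id, relay one hop onward."""

    def __init__(self, name: str, next_hop, ttl: float, clock=time.monotonic):
        self.name, self.next_hop = name, next_hop
        self.blocklist = ValidBlocklist(ttl, clock)

    def receive_notification(self, msg: dict) -> None:
        self.blocklist.store(msg["terminal_id"])
        self.next_hop.receive_notification({**msg, "via": msg.get("via", []) + [self.name]})


def build_path(route: str, upe: UserPlaneEntity, ttl: float, clock=time.monotonic):
    """Chain the signaling entities of one claim-3 route back to front; return the entry hop."""
    routes = {"pcrf": ["PCRF"], "scef-mme": ["SCEF", "MME"], "scef-hss-mme": ["SCEF", "HSS", "MME"]}
    entry = upe
    for name in reversed(routes[route]):
        entry = SignalingPlaneEntity(name, entry, ttl, clock)
    return entry


def demo(route: str = "scef-mme", policy: str = "drop", ttl: float = 60.0) -> dict:
    """One terminal: attach, flagging, filtering, timer expiry, re-attach."""
    now = [1000.0]                           # fake clock, advanced by hand
    clock = lambda: now[0]
    upe = UserPlaneEntity(ValidBlocklist(ttl, clock), policy)
    entry = build_path(route, upe, ttl, clock)
    pkt = {"terminal_id": "imsi-460001234567890", "payload": b"telemetry"}  # constructed
    out = {"attach": upe.attach(pkt["terminal_id"]), "before": upe.handle_packet(pkt)}
    # The service server's own detection (not specified in the patent) flags the device:
    entry.receive_notification({"terminal_id": pkt["terminal_id"]})
    out["via"] = upe.last_notification["via"]
    out["after"] = upe.handle_packet(pkt)
    out["reattach_while_valid"] = upe.attach(pkt["terminal_id"])
    now[0] += ttl + 1                        # validity timing ends
    out["reattach_after_expiry"] = upe.attach(pkt["terminal_id"])
    out["after_expiry"] = upe.handle_packet(pkt)
    return out
```

demo("scef-hss-mme", "drop") returns the decisions in order: "forwarded" before the notification, via ["SCEF", "HSS", "MME"], "dropped" after it, False for the re-attach attempt while the identifier is still valid, then True and "forwarded" once the timer has run out. One caveat a practitioner would add: the filter keys only on the identifier the packet itself carries, so it is only as trustworthy as the core network's binding of that identifier to the attached subscriber; if a terminal could present another terminal's identifier, the wrong device would be filtered or refused access.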
The communication components in fig. 8b, 9b and 10b may be configured to facilitate communication between the device to which the communication component belongs and other devices in a wired or wireless manner. The device to which the communication component belongs may access a wireless network based on a communication standard, such as WiFi, 2G or 3G, or a combination thereof. In an exemplary embodiment, the communication component receives a broadcast signal or broadcast related information from an external broadcast management system via a broadcast channel. In one exemplary embodiment, the communication component further includes a Near Field Communication (NFC) module to facilitate short-range communications. For example, the NFC module may be implemented based on Radio Frequency Identification (RFID) technology, infrared data association (IrDA) technology, Ultra Wideband (UWB) technology, Bluetooth (BT) technology, and other technologies.
The displays in fig. 8b, 9b and 10b may include a screen, which may include a Liquid Crystal Display (LCD) and a Touch Panel (TP). If the screen includes a touch panel, the screen may be implemented as a touch screen to receive an input signal from a user. The touch panel includes one or more touch sensors to sense touch, slide, and gestures on the touch panel. The touch sensor may not only sense the boundary of a touch or slide action, but also detect the duration and pressure associated with the touch or slide operation.
The power supply components in fig. 8b, 9b and 10b provide power to the various components of the device to which the power supply component belongs. The power components may include a power management system, one or more power supplies, and other components associated with generating, managing, and distributing power for the devices to which the power components belong.
The audio component in fig. 8b, 9b and 10b is configured to output and/or input an audio signal. For example, the audio component includes a Microphone (MIC) configured to receive an external audio signal when the device to which the audio component belongs is in an operating mode, such as a call mode, a recording mode, and a voice recognition mode. The received audio signal may further be stored in a memory or transmitted via a communication component. In some embodiments, the audio assembly further comprises a speaker for outputting audio signals.
As will be appreciated by one skilled in the art, embodiments of the present invention may be provided as a method, system, or computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present invention is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
In a typical configuration, a computing device includes one or more processors (CPUs), input/output interfaces, network interfaces, and memory.
The memory may include forms of volatile memory in a computer readable medium, Random Access Memory (RAM) and/or non-volatile memory, such as Read Only Memory (ROM) or flash memory (flash RAM). Memory is an example of a computer-readable medium.
Computer-readable media, including both permanent and non-permanent, removable and non-removable media, may implement information storage by any method or technology. The information may be computer readable instructions, data structures, modules of a program, or other data. Examples of computer storage media include, but are not limited to, phase change memory (PRAM), Static Random Access Memory (SRAM), Dynamic Random Access Memory (DRAM), other types of Random Access Memory (RAM), Read Only Memory (ROM), Electrically Erasable Programmable Read Only Memory (EEPROM), flash memory or other memory technology, compact disc read only memory (CD-ROM), Digital Versatile Discs (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information that can be accessed by a computing device. As defined herein, a computer readable medium does not include a transitory computer readable medium such as a modulated data signal and a carrier wave.
It should also be noted that the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.
The above description is only an example of the present application and is not intended to limit the present application. Various modifications and changes may occur to those skilled in the art. Any modification, equivalent replacement, improvement, etc. made within the spirit and principle of the present application should be included in the scope of the claims of the present application.

Claims (11)

1. A network attack processing method based on the Internet of things, applicable to a service server in the Internet of things, wherein the service server is connected with a user plane entity and a signaling plane entity in a core network and the Internet of things is integrated with the core network, the method comprising:
receiving, from a user plane entity in the core network, a data packet from a first terminal device;
determining, based on the data packet, that the first terminal device has an attack behavior, including: parsing the identifier of the first terminal device from the data packet, and determining, according to the identifier of the first terminal device and the identifiers of the currently valid terminal devices having the attack behavior, that the first terminal device has the attack behavior; and
notifying the user plane entity to filter the data packets from the first terminal device, wherein, after receiving the notification, the user plane entity determines, according to the identifier of the first terminal device and the identifiers of the currently valid terminal devices having the attack behavior, that the first terminal device has the attack behavior, and filters the data packets from the first terminal device.
2. The method of claim 1, wherein notifying the user plane entity to filter the data packets from the first terminal device comprises:
sending a notification message to a signaling plane entity in the core network so that the signaling plane entity forwards the notification message to the user plane entity, wherein the notification message is used to instruct the user plane entity to filter the data packets from the first terminal device.
3. The method of claim 2, wherein sending the notification message to the signaling plane entity in the core network so that the signaling plane entity forwards the notification message to the user plane entity comprises:
sending the notification message to a Policy and Charging Rules Function (PCRF) entity in the core network, so that the PCRF entity forwards the notification message to the user plane entity; or
sending the notification message to a Service Capability Exposure Function (SCEF) entity in the core network, so that the SCEF entity forwards the notification message to the user plane entity through a Mobility Management Entity (MME) in the core network; or
sending the notification message to the SCEF entity in the core network, so that the SCEF entity forwards the notification message to the user plane entity through a Home Subscriber Server (HSS) and the MME in the core network in sequence.
4. A network attack processing method based on the Internet of things, applicable to a user plane entity in a core network, wherein the user plane entity is connected with a service server in the Internet of things and the Internet of things is integrated with the core network, the method comprising:
receiving a data packet sent by a first terminal device to the service server, wherein the data packet carries an identifier of the first terminal device;
receiving a notification message from the service server forwarded by a signaling plane entity in the core network, wherein the notification message is used to indicate that the data packets from the first terminal device are to be filtered, and the notification message is sent after the service server determines, according to the identifier of the first terminal device and the identifiers of the currently valid terminal devices having an attack behavior, that the first terminal device has the attack behavior;
determining, according to the identifier of the first terminal device and the identifiers of the currently valid terminal devices having the attack behavior, that the first terminal device has the attack behavior; and
filtering the data packets from the first terminal device.
5. The method of claim 4, wherein filtering the data packets from the first terminal device comprises:
discarding the data packets from the first terminal device; or
disconnecting the user plane connection with the first terminal device; or
selectively sending the data packets from the first terminal device to the service server.
6. The method of claim 4, wherein receiving the notification message from the service server forwarded by the signaling plane entity in the core network comprises:
receiving the notification message forwarded by a Policy and Charging Rules Function (PCRF) entity in the core network; or
receiving the notification message forwarded by a Mobility Management Entity (MME) in the core network.
7. The method according to any one of claims 4 to 6, wherein, before receiving the data packet sent by the first terminal device to the service server, the method further comprises:
while the first terminal device is accessing the core network, determining, according to the identifier of the first terminal device and the identifiers of the currently valid terminal devices having the attack behavior, that the first terminal device does not have the attack behavior, and allowing the first terminal device to access the core network.
8. The method according to any one of claims 4 to 6, further comprising:
running a validity timer for each currently valid identifier of a terminal device having the attack behavior; and
when the validity timer expires, invalidating that identifier.
9. A service server, located in the internet of things, the internet of things being integrated with a core network, and the service server being interconnected with a user plane entity and a signaling plane entity in the core network, the service server comprising: a communication component, a memory, and a processor;
the communication component is used for receiving a data packet from the first terminal device, which is sent by a user plane entity in a core network;
the memory is used for storing programs;
the processor, coupled to the memory, to execute the program to:
determining, based on the data packet, that the first terminal device has an attack behavior, including: parsing the identifier of the first terminal device from the data packet, and determining, according to the identifier of the first terminal device and the identifiers of the currently valid terminal devices having the attack behavior, that the first terminal device has the attack behavior; and
notifying the user plane entity, through the communication component, to filter the data packets from the first terminal device, wherein, after receiving the notification, the user plane entity determines, according to the identifier of the first terminal device and the identifiers of the currently valid terminal devices having the attack behavior, that the first terminal device has the attack behavior, and filters the data packets from the first terminal device.
10. A user plane entity, located in a core network, the core network is integrated with the Internet of things, and the user plane entity is interconnected with a service server in the Internet of things, the user plane entity comprises: a communication component, a memory, and a processor;
the communication component is used for receiving a data packet sent by a first terminal device to a service server, wherein the data packet carries an identifier of the first terminal device; receiving a notification message from the service server forwarded by a signaling plane entity in the core network, where the notification message is used to indicate to filter a data packet from the first terminal device, and the notification message is sent after the service server determines that the first terminal device has an attack behavior according to the identifier of the first terminal device and the identifier of the currently effective terminal device having the attack behavior;
the memory is used for storing programs;
the processor, coupled to the memory, to execute the program to:
determining, according to the identifier of the first terminal device and the identifiers of the currently valid terminal devices having the attack behavior, that the first terminal device has the attack behavior; and
filtering the data packets from the first terminal device.
11. A service system based on the Internet of things, comprising: the service server of claim 9, the user plane entity of claim 10 and a signaling plane entity; wherein the service server is located in the Internet of things, and the user plane entity and the signaling plane entity are located in a core network.
CN201710769846.5A 2017-08-31 2017-08-31 Network attack processing method, device and system based on Internet of things Active CN109428870B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710769846.5A CN109428870B (en) 2017-08-31 2017-08-31 Network attack processing method, device and system based on Internet of things

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201710769846.5A CN109428870B (en) 2017-08-31 2017-08-31 Network attack processing method, device and system based on Internet of things

Publications (2)

Publication Number Publication Date
CN109428870A CN109428870A (en) 2019-03-05
CN109428870B true CN109428870B (en) 2021-10-12

Family

ID=65504643

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201710769846.5A Active CN109428870B (en) 2017-08-31 2017-08-31 Network attack processing method, device and system based on Internet of things

Country Status (1)

Country Link
CN (1) CN109428870B (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110933069A (en) * 2019-11-27 2020-03-27 上海明耿网络科技有限公司 Network protection method, device and storage medium
CN114338166A (en) * 2021-12-29 2022-04-12 支付宝(杭州)信息技术有限公司 Edge device risk processing method, device, equipment and cloud server
CN115529156B (en) * 2022-08-08 2023-08-01 北京雪诺科技有限公司 Access authentication method and device, storage medium and computer equipment

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105357180A (en) * 2015-09-30 2016-02-24 华为技术有限公司 Network system, attack message intercepting method, attack message intercepting apparatus, and device
CN105577608A (en) * 2014-10-08 2016-05-11 腾讯科技(深圳)有限公司 Network attack behavior detection method and network attack behavior detection device
CN106713301A (en) * 2016-12-16 2017-05-24 四川长虹电器股份有限公司 Internet of Things security defense system for intelligent terminal
CN107071781A (en) * 2017-05-04 2017-08-18 国网江苏省电力公司电力科学研究院 A kind of security protection performance assessment method suitable for electric power wireless private network core net

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101399853B (en) * 2007-09-24 2010-12-08 中国移动通信集团公司 Customer identification server, data service processing system and method
CN102625490B (en) * 2011-01-31 2015-12-02 电信科学技术研究院 Long Term Evolution local area network (LAN) LTE-LAN system and gateway device GW
CN103051633B (en) * 2012-12-25 2016-09-07 华为技术有限公司 A kind of method and apparatus of defensive attack
US9680845B2 (en) * 2015-03-31 2017-06-13 Juniper Networks, Inc. Detecting a malicious file infection via sandboxing

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105577608A (en) * 2014-10-08 2016-05-11 腾讯科技(深圳)有限公司 Network attack behavior detection method and network attack behavior detection device
CN105357180A (en) * 2015-09-30 2016-02-24 华为技术有限公司 Network system, attack message intercepting method, attack message intercepting apparatus, and device
CN106713301A (en) * 2016-12-16 2017-05-24 四川长虹电器股份有限公司 Internet of Things security defense system for intelligent terminal
CN107071781A (en) * 2017-05-04 2017-08-18 国网江苏省电力公司电力科学研究院 A kind of security protection performance assessment method suitable for electric power wireless private network core net

Also Published As

Publication number Publication date
CN109428870A (en) 2019-03-05

Similar Documents

Publication Publication Date Title
US11496496B2 (en) Method and system for user plane traffic characteristics and network security
EP3585107A1 (en) Multi-access management implementation method and device, and computer storage medium
US11463915B2 (en) Systems and methods for exposing custom per flow descriptor attributes
EP3104639B1 (en) Use of traffic load reduction indicator for facilitating mobility management entity overload control function
EP2907331B1 (en) Inter-device communication authorization and data sniffing in wireless communication systems
US9948646B1 (en) Machine type communication interworking function proxy
CN110831243B (en) Method, device and system for realizing user plane security policy
KR101678757B1 (en) Network controlled extended access barring for multi-service user devices
WO2017071327A1 (en) Data transmission processing method and device
US11356416B2 (en) Service flow control method and apparatus
US11122092B2 (en) System and method for prioritizing SIP registrations
CN109428870B (en) Network attack processing method, device and system based on Internet of things
CN113206814A (en) Network event processing method and device and readable storage medium
US20170181215A1 (en) Methods and devices for managing messages delayed following a loss of network connectivity
US11171927B2 (en) Method for enabling establishment of a direct connection
US20220182872A1 (en) Temporary priority elevation for non-high priority access users
US20140324952A1 (en) Method and apparatus for network communication
WO2020010637A1 (en) Wireless communication method and apparatus
WO2016101285A1 (en) Network access method and device
US10149149B2 (en) Method, system and device for accessing data storage in a telecommunications network
WO2013110224A1 (en) Method, device, and system for triggering mtc device
KR101809239B1 (en) Apn changing apparatus and method, wireless terminal for apn change and record medium
US11864026B2 (en) Systems and methods for access barring based on slice information
US20210160677A1 (en) Orchestrator equipment in a cellular telecommunication system
JP2024515704A (en) Information processing method, device, terminal and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant