CN109845215A - A kind of network safety protection method and equipment - Google Patents

Publication number
CN109845215A
Authority
CN
China
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201680090081.6A
Other languages
Chinese (zh)
Inventor
洪泓
王爱成
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Huawei Technologies Co Ltd
Original Assignee
Huawei Technologies Co Ltd

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/40: Network security protocols

Abstract

A network security protection method and equipment, intended to prevent the harm caused by illegal operations of a pseudo-terminal after a SIM card is copied. The method includes: when core network equipment determines that it has not saved a correspondence between the identification module of a terminal and the radio frequency fingerprint (RFF) of the terminal, it sends an RFF initial acquisition instruction to a base station, the RFF initial acquisition instruction carrying identification information of the terminal; the core network equipment receives the RFF of the terminal fed back by the base station in response to the RFF initial acquisition instruction, and saves the correspondence between the identification module of the terminal and the RFF of the terminal; when the core network equipment initiates authentication of the terminal, it sends an RFF acquisition instruction to the base station, the RFF acquisition instruction carrying the identification information of the terminal; the core network equipment receives the RFF acquisition information fed back by the base station in response to the RFF acquisition instruction, and judges from the RFF acquisition information whether RFF authentication of the terminal succeeds.

Description

A kind of network safety protection method and equipment
Technical field
The embodiments of the present invention relate to the field of communication technology, and in particular to a network security protection method and equipment.
Background
With the development of mobile payment and network technology, terminal identification faces higher security requirements. Existing terminal identification techniques rely on digital identifiers such as the subscriber identity module (Subscriber Identity Module, SIM) card and the device serial number, and as physical attacks and side-channel attacks become more capable, these techniques are becoming less reliable. An attacker may operate a pseudo-terminal to commit financial theft or to carry out operations that endanger public security. As shown in Fig. 1, a current Long Term Evolution (LTE) network cannot distinguish a terminal from a pseudo-terminal that has an identical SIM card.
Specifically, referring to Fig. 2, the existing network authenticates a terminal as follows: the core network equipment (Evolved Packet Core, EPC) sends an authentication request to the user equipment (User Equipment, UE); the terminal calculates a response (RES) value from the parameters in the authentication request and the parameters stored in its own SIM card, and returns it to the EPC. The EPC checks whether the expected response (XRES) value, calculated from the locally stored SIM card parameters and the parameters in the authentication request, is consistent with the RES value reported by the terminal; if they are consistent, authentication succeeds.
It follows that the network authenticates a terminal based on the SIM card. Suppose a SIM card is copied and the copy is inserted into another terminal; call the terminal holding the original SIM card the target terminal and the terminal holding the copied SIM card the pseudo-terminal. Because its SIM card information is identical to that of the target terminal, the pseudo-terminal can pass authentication and obtain a legitimate identity fully consistent with that of the target terminal, and after accessing the network it can carry out financial operations such as transfers.
Therefore, the existing network's authentication of terminals cannot withstand the harm caused by illegal operations of a pseudo-terminal after a SIM card is copied.
Summary of the invention
The embodiments of the present invention provide a network security protection method and equipment, to prevent the harm caused by illegal operations of a pseudo-terminal after a SIM card is copied.
In a first aspect, a network security protection method is provided, including: core network equipment sends a radio frequency fingerprint (RFF) initial acquisition instruction to a base station, the RFF initial acquisition instruction carrying identification information of a terminal; the core network equipment then receives the RFF of the terminal fed back by the base station in response to the RFF initial acquisition instruction, and saves the correspondence between the identification module of the terminal and the RFF of the terminal. In this way the RFF of a terminal accessing the network for the first time is obtained. Later, when the core network equipment initiates authentication of the terminal, it sends an RFF acquisition instruction to the base station, the RFF acquisition instruction carrying the identification information of the terminal; it then receives the RFF acquisition information fed back by the base station in response to the RFF acquisition instruction, and judges from the RFF acquisition information whether RFF authentication of the terminal succeeds. The saved RFF is compared with the newly acquired RFF to judge whether RFF authentication of the terminal succeeds, which prevents a pseudo-terminal from successfully accessing the network after a SIM card is copied and harming the user through illegal operations. In the prior art, the network only checks whether the SIM is legitimate and does not perceive the physical-layer attributes of the terminal; the method provided in the embodiments of the present invention adds extraction and analysis of the terminal's radio frequency fingerprint to the terminal authentication procedure. Because authentication of the terminal's physical-layer features is added, a genuine terminal and a pseudo-terminal can be distinguished, so the deficiency of the current scheme is resolved and the network side's ability to protect terminals is significantly improved.
In a possible implementation, the identification module is a subscriber identity module (SIM) or a universal subscriber identity module (USIM). The method provided in the embodiments of the present invention is therefore not limited to a particular type of identification module, and may also be applied to possible future identification modules.
In a possible implementation, the RFF acquisition instruction also carries the RFF of the terminal corresponding to the identification module. In this case, the core network equipment receiving the RFF acquisition information fed back by the base station and judging from it whether RFF authentication of the terminal succeeds includes: the core network equipment receives the RFF acquisition information fed back by the base station in response to the RFF acquisition instruction, the RFF acquisition information carrying RFF comparison information, where the RFF comparison information is generated by the base station from the RFF it acquired and the RFF carried in the RFF acquisition instruction; that is, the base station compares the saved RFF with the newly acquired RFF and feeds the comparison result back to the core network equipment. If the RFF comparison information indicates that the RFF acquired by the base station is consistent with the RFF carried in the RFF acquisition instruction, the core network equipment judges that RFF authentication of the terminal succeeds; otherwise, it judges that RFF authentication of the terminal fails.
In a possible implementation, the core network equipment receiving the RFF acquisition information fed back by the base station in response to the RFF acquisition instruction and judging from it whether RFF authentication of the terminal succeeds includes: the core network equipment receives the RFF acquisition information fed back by the base station, the RFF acquisition information carrying the RFF acquired by the base station, where the RFF acquired by the base station is the RFF of the terminal corresponding to the terminal identification information carried in the RFF acquisition instruction; the core network equipment judges whether the RFF acquired by the base station is consistent with the stored RFF of the terminal corresponding to the identification module; if they are consistent, it judges that RFF authentication of the terminal succeeds; otherwise, it judges that RFF authentication of the terminal fails. The method provided in the embodiments of the present invention therefore offers several ways of comparing the saved RFF with the newly acquired RFF.
In a possible implementation, the method further includes: when the core network equipment judges that RFF authentication of the terminal fails, it starts user identity verification for the terminal; when the core network equipment determines that the user identity verification result for the terminal is a pass, it sends an RFF initial acquisition instruction to the base station, the RFF initial acquisition instruction carrying the identification information of the terminal; the core network equipment receives the RFF of the terminal fed back by the base station in response to the RFF initial acquisition instruction, and updates the correspondence between the identification module of the terminal and the RFF of the terminal. Thus, when RFF authentication fails, the method takes into account that the user may have changed phones: it performs user identity verification and, if verification passes, re-acquires the RFF of the terminal that now holds the identification module.
It should be understood that when the core network equipment judges that RFF authentication of the terminal fails, the terminal is not accessing the network for the first time. The user may have installed the original identification module, or a newly reissued identification module, in another terminal, or an illegally copied identification module may have been installed in another terminal; a scenario in which a pseudo-terminal carries out illegal operations may therefore arise.
If the user identity verification result for the terminal is a pass, this shows that the original identification module or a newly reissued identification module has been installed in another terminal, and not that an illegally copied identification module has been installed in another terminal. Because the identification module is no longer in the original terminal but in a new terminal, the binding between the original terminal and the identification module needs to be released. RFF authentication cannot pass, and the correspondence between the identification module of the terminal and the RFF of the terminal needs to be updated to establish the binding between the identification module and the new terminal.
If the user identity verification result for the terminal is a failure, this shows that an illegally copied identification module has been installed in another terminal. RFF authentication cannot pass, and the core network equipment refuses to provide subsequent service to the terminal. This avoids the harm caused by illegal operations of a terminal using an illegally copied identification module and improves the network side's ability to protect terminals.
In a second aspect, a network security protection method is provided, including: a base station receives an RFF initial acquisition instruction sent by core network equipment, the RFF initial acquisition instruction carrying identification information of a terminal; the base station acquires, according to the identification information of the terminal, the RFF of the terminal corresponding to the identification information, and feeds the acquired RFF back to the core network equipment, so that the core network equipment saves the correspondence between the identification module of the terminal and the RFF of the terminal; the base station receives an RFF acquisition instruction sent by the core network equipment, the RFF acquisition instruction carrying the identification information of the terminal; the base station acquires, according to the identification information of the terminal, the RFF of the terminal corresponding to the identification information; the base station generates RFF acquisition information from the acquired RFF and feeds it back to the core network equipment, so that the core network equipment judges from the RFF acquisition information whether RFF authentication of the terminal succeeds. Thus, the base station executes the RFF initial acquisition instruction sent by the core network equipment so that the core network equipment saves the correspondence between the identification module of the terminal and the RFF of the terminal, and the base station subsequently executes the RFF acquisition instruction so that the core network equipment can judge whether the newly acquired RFF is consistent with the stored RFF and thereby perform RFF authentication of the terminal.
In a possible implementation, the RFF acquisition instruction also carries the RFF of the terminal corresponding to the identification module; the base station generating RFF acquisition information from the acquired RFF includes: the base station generates RFF comparison information from the acquired RFF and the RFF carried in the RFF acquisition instruction, and uses the RFF comparison information as the RFF acquisition information.
In a possible implementation, the identification module is a subscriber identity module (SIM) or a universal subscriber identity module (USIM).
In a possible implementation, the base station generating RFF acquisition information from the acquired RFF includes: the base station uses the acquired RFF as the RFF acquisition information. The base station can therefore feed RFF acquisition information back to the core network equipment in several ways.
In a third aspect, network security protection equipment is provided, including: a transceiver and a processor coupled to the transceiver. The processor is configured to: send, through the transceiver, a radio frequency fingerprint (RFF) initial acquisition instruction to a base station, the RFF initial acquisition instruction carrying identification information of a terminal; receive, through the transceiver, the RFF of the terminal fed back by the base station in response to the RFF initial acquisition instruction, and save the correspondence between the identification module of the terminal and the RFF of the terminal; when initiating authentication of the terminal, send, through the transceiver, an RFF acquisition instruction to the base station, the RFF acquisition instruction carrying the identification information of the terminal; and receive the RFF acquisition information fed back by the base station in response to the RFF acquisition instruction, and judge from the RFF acquisition information whether RFF authentication of the terminal succeeds.
In a possible implementation, the identification module is a subscriber identity module (SIM) or a universal subscriber identity module (USIM).
In a possible implementation, the RFF acquisition instruction also carries the RFF of the terminal corresponding to the identification module. The processor is specifically configured to: when receiving, through the transceiver, the RFF acquisition information fed back by the base station and judging from it whether RFF authentication of the terminal succeeds, receive, through the transceiver, the RFF acquisition information fed back by the base station in response to the RFF acquisition instruction, the RFF acquisition information carrying RFF comparison information, where the RFF comparison information is generated by the base station from the RFF it acquired and the RFF carried in the RFF acquisition instruction; if the RFF comparison information indicates that the RFF acquired by the base station is consistent with the RFF carried in the RFF acquisition instruction, judge that RFF authentication of the terminal succeeds; otherwise, judge that RFF authentication of the terminal fails.
In a possible implementation, the processor is specifically configured to: when receiving, through the transceiver, the RFF acquisition information fed back by the base station in response to the RFF acquisition instruction and judging from it whether RFF authentication of the terminal succeeds, receive, through the transceiver, the RFF acquisition information fed back by the base station, the RFF acquisition information carrying the RFF acquired by the base station, where the RFF acquired by the base station is the RFF of the terminal corresponding to the terminal identification information carried in the RFF acquisition instruction; judge whether the RFF acquired by the base station is consistent with the stored RFF of the terminal corresponding to the identification module; if they are consistent, judge that RFF authentication of the terminal succeeds; otherwise, judge that RFF authentication of the terminal fails.
In a possible implementation, the processor is further configured to: when judging that RFF authentication of the terminal fails, start user identity verification for the terminal; when determining that the user identity verification result for the terminal is a pass, send an RFF initial acquisition instruction to the base station, the RFF initial acquisition instruction carrying the identification information of the terminal; and receive, through the transceiver, the RFF of the terminal fed back by the base station in response to the RFF initial acquisition instruction, and update the correspondence between the identification module of the terminal and the RFF of the terminal.
In a fourth aspect, network security protection equipment is provided, including: a transceiver and a processor coupled to the transceiver. The processor is configured to: receive, through the transceiver, an RFF initial acquisition instruction sent by core network equipment, the RFF initial acquisition instruction carrying identification information of a terminal; acquire, according to the identification information of the terminal, the RFF of the terminal corresponding to the identification information, and feed the acquired RFF back to the core network equipment, so that the core network equipment saves the correspondence between the identification module of the terminal and the RFF of the terminal; receive, through the transceiver, an RFF acquisition instruction sent by the core network equipment, the RFF acquisition instruction carrying the identification information of the terminal; acquire, according to the identification information of the terminal, the RFF of the terminal corresponding to the identification information; and generate RFF acquisition information from the acquired RFF and feed it back to the core network equipment, so that the core network equipment judges from the RFF acquisition information whether RFF authentication of the terminal succeeds.
In a possible implementation, the RFF acquisition instruction also carries the RFF of the terminal corresponding to the identification module. The processor is specifically configured to: when generating RFF acquisition information from the acquired RFF, generate RFF comparison information from the acquired RFF and the RFF carried in the RFF acquisition instruction, and use the RFF comparison information as the RFF acquisition information.
In a possible implementation, the identification module is a subscriber identity module (SIM) or a universal subscriber identity module (USIM).
In a possible implementation, the processor is specifically configured to: when generating RFF acquisition information from the acquired RFF, use the acquired RFF as the RFF acquisition information.
Brief description of the drawings
Fig. 1 is a schematic diagram of an attacker carrying out illegal operations using a pseudo-terminal, as described in the background;
Fig. 2 is a schematic diagram of the network's authentication procedure for a terminal, as described in the background;
Fig. 3 is an overview flowchart of the network security protection method in an embodiment of the present invention;
Fig. 4 is a schematic diagram of the core network acquiring the terminal RFF through the base station and storing the correspondence between the identification module and the RFF, in an embodiment of the present invention;
Fig. 5(a) is the first schematic diagram of the core network's RFF authentication procedure for a terminal in an embodiment of the present invention;
Fig. 5(b) is the second schematic diagram of the core network's RFF authentication procedure for a terminal in an embodiment of the present invention;
Fig. 6 is the detailed flow of the RFF authentication procedure in an embodiment of the present invention;
Fig. 7 is the first structural schematic diagram of the network security protection equipment in an embodiment of the present invention;
Fig. 8 is the second structural schematic diagram of the network security protection equipment in an embodiment of the present invention.
Detailed description of the embodiments
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the accompanying drawings. The described embodiments are evidently some, rather than all, of the embodiments of the present invention.
The radio frequency fingerprint (Radio Frequency Fingerprint, RFF) referred to in the embodiments of the present invention is a unique radio-frequency feature that a receiver extracts from the electromagnetic waves emitted by wireless terminals, whether of different models or different units of the same model; it arises from the inherent tolerances of analog components in the terminal's radio circuit, such as circuit traces, the RF power amplifier and the antenna.
Many radio frequency fingerprint extraction algorithms exist. They can be roughly divided into algorithms that extract transient-response (frequency hopping) features, algorithms that extract steady-state-response features, algorithms based on distortion of the constellation trajectory diagram, and so on.
Referring to Fig. 3, an embodiment of the present invention provides a network security protection method, which includes:
Step 300: When the core network equipment determines that it has not saved a correspondence between the identification module of a terminal and the radio frequency fingerprint (RFF) of the terminal, it sends an RFF initial acquisition instruction to the base station; the RFF initial acquisition instruction carries the identification information of the terminal.
Step 310: The base station acquires, according to the identification information of the terminal, the RFF of the terminal corresponding to the identification information.
Step 320: The base station feeds the RFF of the terminal back to the core network equipment in response to the RFF initial acquisition instruction.
Step 330: The core network equipment saves the correspondence between the identification module of the terminal and the RFF of the terminal.
Specifically, for steps 300 to 330 above: when the core network equipment determines that it has not stored an RFF corresponding to the terminal's identification module, the terminal is accessing the network for the first time, that is, the terminal's identification module has not been used before. In this case, referring to Fig. 4, the core network equipment needs to send an RFF initial acquisition instruction to the base station, the RFF initial acquisition instruction carrying the identification information of the terminal. The base station acquires, according to the identification information of the terminal, the RFF of the terminal corresponding to the identification information, and feeds the acquired RFF back to the core network equipment. The core network equipment receives the RFF of the terminal fed back by the base station in response to the RFF initial acquisition instruction, and saves the correspondence between the identification module of the terminal and the RFF of the terminal. That is, when a terminal accesses the network for the first time, the RFF of the terminal holding the identification module needs to be acquired through the base station, to establish the binding between the identification module and the terminal in which it is installed.
Optionally, the identification module is a SIM or a universal subscriber identity module (Universal Subscriber Identity Module, USIM).
Optionally, the cell identifier combined with the terminal identifier may be used as the identification information of the terminal; other information that uniquely identifies the terminal may also be chosen as the identification information of the terminal, which is not specifically limited here.
Step 340: The core network equipment initiates authentication of the terminal.
It should be understood that the core network equipment's RFF authentication procedure for the terminal may run at the same time as the core network equipment's authentication procedure for the terminal, or may start after the core network equipment has successfully authenticated the terminal.
The core network equipment's authentication procedure for the terminal is the same as in the prior art and is not described again here.
Step 350: The core network equipment sends an RFF acquisition instruction to the base station; the RFF acquisition instruction carries the identification information of the terminal.
Specifically, the core network equipment has already stored the correspondence between the identification module of the terminal and the RFF of the terminal, which shows that the terminal is not accessing the network for the first time; that is, the terminal's identification module has been used before, the RFF of the terminal corresponding to the identification module was acquired via the base station, and the correspondence between the identification module and the RFF was stored in the core network equipment. Because the RFF of each terminal is unique, the identification module and the terminal in which it is installed have a binding relationship. The core network equipment uses this binding relationship: it acquires the terminal's RFF again through the base station to determine whether the original binding relationship still holds, and thereby analyzes whether the current terminal is a pseudo-terminal.
Step 360: The base station acquires, according to the identification information of the terminal, the RFF of the terminal corresponding to the identification information.
Specifically, while communicating with the base station, the terminal sends uplink signals to the base station, and the base station can obtain the RFF from an uplink signal by means of a radio frequency fingerprint extraction algorithm.
Step 370: The base station generates RFF acquisition information from the acquired RFF and feeds it back to the core network equipment.
Referring to Fig. 5(a) and Fig. 5(b), when executing step 370 the base station may generate the RFF acquisition information in, but is not limited to, the following two ways:
First way: when the RFF acquisition instruction also carries the RFF of the terminal corresponding to the identification module, the base station generates RFF comparison information from the acquired RFF and the RFF carried in the RFF acquisition instruction, and uses the RFF comparison information as the RFF acquisition information.
Second way: the base station uses the acquired RFF directly as the RFF acquisition information.
Step 380: The core network equipment receives the RFF acquisition information fed back by the base station in response to the RFF acquisition instruction, and judges from the RFF acquisition information whether RFF authentication of the terminal succeeds.
Referring to Fig. 5(a) and Fig. 5(b), corresponding to step 370, the core network equipment may execute step 380 in, but is not limited to, the following two ways:
First way: when the RFF acquisition instruction also carries the RFF of the terminal corresponding to the identification module, the core network equipment receives the RFF acquisition information fed back by the base station in response to the RFF acquisition instruction; the RFF acquisition information carries RFF comparison information, which the base station generates from the RFF it acquired and the RFF carried in the RFF acquisition instruction.
If the RFF comparison information indicates that the RFF acquired by the base station is consistent with the RFF carried in the RFF acquisition instruction, the core network equipment judges that RFF authentication of the terminal succeeds; otherwise, it judges that RFF authentication of the terminal fails.
Second way: the core network equipment receives the RFF acquisition information fed back by the base station; the RFF acquisition information carries the RFF acquired by the base station, where the RFF acquired by the base station is the RFF of the terminal corresponding to the identification information carried in the RFF acquisition instruction.
The core network equipment judges whether the RFF acquired by the base station is consistent with the stored RFF corresponding to the identification module; if they are consistent, it judges that RFF authentication of the terminal succeeds; otherwise, it judges that RFF authentication of the terminal fails.
In addition, after step 340 is executed, when the core network equipment judges that RFF authentication of the terminal fails, it starts user identity verification for the terminal.
It should be understood that the user identity verification procedure for the terminal may be an existing procedure. For example, the current user of the terminal is verified against information that the terminal's user reserved beforehand, where the reserved information may be answers to preset questions, such as the name of the user's primary school or the user's favorite fruit. This application does not specifically limit the user identity verification procedure.
When the core network equipment determines that the user identity verification result for the terminal is a pass, it sends an RFF initial acquisition instruction to the base station, the RFF initial acquisition instruction carrying the identification information of the terminal. The base station acquires, according to the identification information of the terminal, the RFF of the terminal corresponding to the identification information, and feeds the acquired RFF back to the core network equipment. The core network equipment receives the RFF of the terminal fed back by the base station in response to the RFF initial acquisition instruction, and updates the correspondence between the identification module of the terminal and the RFF of the terminal. This is the same as the procedure shown in Fig. 4.
It should be understood that when the core network equipment judges that RFF authentication of the terminal fails, the terminal is not accessing the network for the first time. The user may have installed the original identification module, or a newly reissued identification module, in another terminal, or an illegally copied identification module may have been installed in another terminal; a scenario in which a pseudo-terminal carries out illegal operations may therefore arise.
If the user identity verification result for the terminal is a pass, this shows that the original identification module or a newly reissued identification module has been installed in another terminal, and not that an illegally copied identification module has been installed in another terminal. Because the identification module is no longer in the original terminal but in a new terminal, the binding between the original terminal and the identification module needs to be released. RFF authentication cannot pass, and the correspondence between the identification module of the terminal and the RFF of the terminal needs to be updated to establish the binding between the identification module and the new terminal.
If the user identity verification result for the terminal is a failure, this shows that an illegally copied identification module has been installed in another terminal. RFF authentication cannot pass, and the core network equipment refuses to provide subsequent service to the terminal. This avoids the harm caused by illegal operations of a terminal using an illegally copied identification module and improves the network side's ability to protect terminals.
As shown in Fig. 6, the detailed process of RFF authentication is as follows:
S601: The EPC starts the authentication process for the UE.
S602: The EPC judges whether the UE is accessing the network for the first time.
The EPC judges whether the UE is accessing the network for the first time by checking whether an RFF of the UE corresponding to the SIM of the UE is stored. If it is not the first access, S603 is executed; otherwise, S608 is executed.
S603: The EPC sends an RFF acquisition instruction to the eNB.
The RFF acquisition instruction carries the identification information of the UE, and the identification information includes the identifier of the UE and the identifier of the cell where the UE is located.
S604: The eNB collects the RFF according to the RFF acquisition instruction sent by the EPC, generates RFF acquisition information, and feeds it back to the EPC.
Specifically, the eNB collects, according to the RFF acquisition instruction sent by the EPC, the RFF of the UE corresponding to the identification information, and feeds the collected RFF back to the EPC as the RFF acquisition information.
S605: The EPC judges, according to the RFF acquisition information, whether the RFF authentication of the UE succeeds.
If so, S606 is executed; otherwise, S607 is executed.
S606: The EPC continues the authentication process for the UE and provides service for the UE after authentication succeeds, and the process ends.
S607: The EPC starts the user identity identification process for the UE and judges whether the user identity identification result is a pass. If so, S608 is executed; otherwise, S611 is executed.
For example, the EPC sends a reserved question to the UE and receives the answer to the reserved question that the UE replies with. When the stored answer to the reserved question is consistent with the answer replied by the UE, the EPC determines that the user identity identification result is a pass; when the stored answer is inconsistent with the answer replied by the UE, the EPC determines that the user identity identification result is a failure.
S608: The EPC sends an RFF initial acquisition instruction to the eNB.
The RFF initial acquisition instruction carries the identification information of the UE.
S609: The eNB collects the RFF according to the RFF initial acquisition instruction and reports it to the EPC.
S610: The EPC receives the RFF fed back by the eNB and stores the correspondence between the SIM and the RFF collected by the eNB, and the process ends.
S611: The EPC determines that the RFF authentication of the UE fails and refuses to provide subsequent service for the UE, and the process ends.
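The S601 to S611 decision flow above, using the second way of comparison (the core network compares the collected RFF with the stored one), as an added Python example that is not part of the patent text. Assumptions: an RFF is modelled as a short feature vector, "consistent" is taken to mean Euclidean distance within a threshold (the patent does not define it), and all class names, identifiers and sample values are constructed for illustration.

```python
import hmac
import math
from dataclasses import dataclass, field
from enum import Enum


class Outcome(Enum):
    ENROLLED = "first access: RFF bound to SIM (S608-S610)"
    ACCEPTED = "RFF authentication succeeded (S606)"
    REBOUND = "RFF mismatch, user identified, binding updated (S607-S610)"
    REJECTED = "RFF mismatch, user not identified, service refused (S611)"


@dataclass
class BaseStation:
    """Stand-in for the eNB. `air` maps a UE identifier to the RFF feature
    vector the eNB would measure for that UE (constructed values)."""
    air: dict

    def collect_rff(self, ue_id):
        return tuple(self.air[ue_id])


@dataclass
class CoreNetwork:
    """Stand-in for the EPC side of the flow (hypothetical class)."""
    enb: BaseStation
    reserved_answers: dict        # sim_id -> answer the user reserved earlier
    threshold: float = 0.05       # assumption: tolerance for "consistent"
    bindings: dict = field(default_factory=dict)  # sim_id -> stored RFF
    audit: list = field(default_factory=list)     # (sim_id, ue_id, outcome)

    def _consistent(self, stored, measured):
        return (len(stored) == len(measured)
                and math.dist(stored, measured) <= self.threshold)

    def _user_identified(self, sim_id, answer):
        expected = self.reserved_answers.get(sim_id)
        if expected is None or answer is None:
            return False
        # Constant-time comparison so the check does not leak how much matched.
        return hmac.compare_digest(expected.encode(), answer.encode())

    def _initial_acquisition(self, sim_id, ue_id):
        # S608-S610: collect the RFF and store (or overwrite) the binding.
        self.bindings[sim_id] = self.enb.collect_rff(ue_id)

    def authenticate(self, sim_id, ue_id, answer=None):
        if sim_id not in self.bindings:                  # S602: first access
            self._initial_acquisition(sim_id, ue_id)
            outcome = Outcome.ENROLLED
        else:
            measured = self.enb.collect_rff(ue_id)       # S603-S604
            if self._consistent(self.bindings[sim_id], measured):   # S605
                outcome = Outcome.ACCEPTED               # S606
            elif self._user_identified(sim_id, answer):  # S607
                self._initial_acquisition(sim_id, ue_id)
                outcome = Outcome.REBOUND
            else:
                outcome = Outcome.REJECTED               # S611, binding kept
        self.audit.append((sim_id, ue_id, outcome.name))
        return outcome


def run_scenario():
    """One SIM seen on three radios: the original phone, a device holding a
    copied SIM, and a new phone the legitimate user moved the SIM into."""
    enb = BaseStation(air={
        "ue-original": (0.120, -0.034, 0.871),
        "ue-clone": (0.310, 0.052, 0.640),
        "ue-new-phone": (0.095, -0.210, 0.905),
    })
    epc = CoreNetwork(enb=enb,
                      reserved_answers={"sim-001": "elm street primary"})
    results = [epc.authenticate("sim-001", "ue-original")]
    enb.air["ue-original"] = (0.125, -0.030, 0.868)   # small measurement drift
    results.append(epc.authenticate("sim-001", "ue-original"))
    results.append(epc.authenticate("sim-001", "ue-clone", answer="wrong guess"))
    results.append(epc.authenticate("sim-001", "ue-new-phone",
                                    answer="elm street primary"))
    results.append(epc.authenticate("sim-001", "ue-new-phone"))
    # The original phone is no longer bound once the SIM has been rebound.
    results.append(epc.authenticate("sim-001", "ue-original"))
    return results, epc


if __name__ == "__main__":
    for sim_id, ue_id, name in run_scenario()[1].audit:
        print(f"{sim_id} on {ue_id}: {Outcome[name].value}")
```

Every fingerprint mismatch is decided by the reserved-answer check, so the strength of that check bounds the protection the RFF binding gives against a copied SIM.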
As shown in Fig. 7, an embodiment of the present invention provides a network security protection device, for example a core network device, comprising: a transceiver 701 and a processor 702 coupled to the transceiver;
The processor 702 is configured to: send an RFF initial acquisition instruction to a base station through the transceiver, where the RFF initial acquisition instruction carries identification information of a terminal; receive, through the transceiver, the RFF of the terminal fed back by the base station according to the RFF initial acquisition instruction, and save the correspondence between the mark module of the terminal and the RFF of the terminal; when initiating authentication of the terminal, send an RFF acquisition instruction to the base station through the transceiver, where the RFF acquisition instruction carries the identification information of the terminal; and receive the RFF acquisition information fed back by the base station according to the RFF acquisition instruction, and judge according to the RFF acquisition information whether the RFF authentication of the terminal succeeds.
In one possible implementation, the mark module is a subscriber identity module (SIM) or a universal subscriber identity module (USIM).
In one possible implementation, the RFF acquisition instruction also carries the RFF of the terminal corresponding to the mark module;
The processor 702 is specifically configured to: when receiving, through the transceiver, the RFF acquisition information fed back by the base station and judging according to the RFF acquisition information whether the RFF authentication of the terminal succeeds, receive, through the transceiver, the RFF acquisition information fed back by the base station according to the RFF acquisition instruction, where the RFF acquisition information carries RFF comparison information, and the RFF comparison information is generated by the base station according to the RFF collected by the base station and the RFF carried in the RFF acquisition instruction; and if the RFF comparison information indicates that the RFF collected by the base station is consistent with the RFF carried in the RFF acquisition instruction, judge that the RFF authentication of the terminal succeeds; otherwise, judge that the RFF authentication of the terminal fails.
In one possible implementation, the processor 702 is specifically configured to: when receiving, through the transceiver, the RFF acquisition information fed back by the base station according to the RFF acquisition instruction and judging according to the RFF acquisition information whether the RFF authentication of the terminal succeeds, receive, through the transceiver, the RFF acquisition information fed back by the base station, where the RFF acquisition information carries the RFF collected by the base station, and the RFF collected by the base station is the RFF of the terminal corresponding to the identification information of the terminal carried in the RFF acquisition instruction; and judge whether the RFF collected by the base station is consistent with the stored RFF of the terminal corresponding to the mark module, and if they are consistent, judge that the RFF authentication of the terminal succeeds; otherwise, judge that the RFF authentication of the terminal fails.
In one possible implementation, the processor 702 is further configured to: when judging that the RFF authentication of the terminal fails, start user identity identification for the terminal; when determining that the user identity identification result of the terminal is a pass, send an RFF initial acquisition instruction to the base station, where the RFF initial acquisition instruction carries the identification information of the terminal; and receive, through the transceiver, the RFF of the terminal fed back by the base station according to the RFF initial acquisition instruction, and update the correspondence between the mark module of the terminal and the RFF of the terminal.
As shown in Fig. 8, an embodiment of the present invention provides a network security protection device, for example a base station, comprising: a transceiver 801 and a processor 802 coupled to the transceiver;
The processor 802 is configured to: receive, through the transceiver, the RFF initial acquisition instruction sent by the core network device, where the RFF initial acquisition instruction carries identification information of a terminal; collect, according to the identification information of the terminal, the RFF of the terminal corresponding to the identification information, and feed the collected RFF back to the core network device, so that the core network device saves the correspondence between the mark module of the terminal and the RFF of the terminal; receive, through the transceiver, the RFF acquisition instruction sent by the core network device, where the RFF acquisition instruction carries the identification information of the terminal; collect, according to the identification information of the terminal, the RFF of the terminal corresponding to the identification information; and generate RFF acquisition information according to the collected RFF and feed it back to the core network device, so that the core network device judges according to the RFF acquisition information whether the RFF authentication of the terminal succeeds.
In one possible implementation, the RFF acquisition instruction also carries the RFF of the terminal corresponding to the mark module;
The processor 802 is specifically configured to: when generating the RFF acquisition information according to the collected RFF, generate RFF comparison information according to the collected RFF and the RFF carried in the RFF acquisition instruction, and use the RFF comparison information as the RFF acquisition information.
In one possible implementation, the mark module is a subscriber identity module (SIM) or a universal subscriber identity module (USIM).
In one possible implementation, the processor 802 is specifically configured to: when generating the RFF acquisition information according to the collected RFF, use the collected RFF as the RFF acquisition information.
In summary, compared with the prior art, in which the network only identifies whether the SIM is legitimate and does not perceive the physical-layer attributes of the terminal, the method provided in the embodiments of the present invention adds extraction, analysis and authentication of the terminal's radio frequency fingerprint to the terminal authentication procedure. Because authentication of the terminal's physical-layer characteristics is added, a genuine terminal can be distinguished from a pseudo-terminal, so the deficiency of the current scheme can be overcome and the network side's security protection capability for terminals is significantly improved.
Those of ordinary skill in the art will appreciate that the methods of the above embodiments may be implemented by a program instructing a processor. The program may be stored in a computer-readable storage medium, and the storage medium is a non-transitory medium, such as random access memory, read-only memory, flash memory, a hard disk, a solid state drive, magnetic tape, a floppy disk, an optical disc, or any combination thereof.
The present invention is described with reference to flowcharts and block diagrams of the methods and devices of the embodiments of the present invention. It should be understood that each process and box in the flowcharts and block diagrams, and combinations of processes and boxes in the flowcharts and block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to the processor of a general-purpose computer, a special-purpose computer, an embedded processor or another programmable data processing device to produce a machine, so that the instructions executed by the processor of the computer or other programmable data processing device produce an apparatus for implementing the functions specified in one or more processes of the flowcharts and one or more boxes of the block diagrams.
The above is merely a preferred embodiment of the present invention, but the protection scope of the present invention is not limited thereto. Any change or substitution that a person skilled in the art could readily conceive within the technical scope disclosed by the present invention shall fall within the protection scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.

Claims (18)

  1. A network security protection method, characterized by comprising:
    when a core network device determines that no correspondence between the mark module of a terminal and the radio frequency fingerprint (RFF) of the terminal is stored, sending an RFF initial acquisition instruction to a base station, wherein the RFF initial acquisition instruction carries identification information of the terminal;
    the core network device receiving the RFF of the terminal fed back by the base station according to the RFF initial acquisition instruction, and saving the correspondence between the mark module of the terminal and the RFF of the terminal;
    when the core network device initiates authentication of the terminal, the core network device sending an RFF acquisition instruction to the base station, wherein the RFF acquisition instruction carries the identification information of the terminal;
    the core network device receiving the RFF acquisition information fed back by the base station according to the RFF acquisition instruction, and judging according to the RFF acquisition information whether the RFF authentication of the terminal succeeds.
  2. The method according to claim 1, characterized in that the mark module is a subscriber identity module (SIM) or a universal subscriber identity module (USIM).
  3. The method according to claim 1 or 2, characterized in that the RFF acquisition instruction also carries the RFF of the terminal corresponding to the mark module;
    the core network device receiving the RFF acquisition information fed back by the base station, and judging according to the RFF acquisition information whether the RFF authentication of the terminal succeeds, comprises:
    the core network device receiving the RFF acquisition information fed back by the base station according to the RFF acquisition instruction, wherein the RFF acquisition information carries RFF comparison information, and the RFF comparison information is generated by the base station according to the RFF collected by the base station and the RFF carried in the RFF acquisition instruction;
    if the RFF comparison information indicates that the RFF collected by the base station is consistent with the RFF carried in the RFF acquisition instruction, the core network device judging that the RFF authentication of the terminal succeeds; otherwise, judging that the RFF authentication of the terminal fails.
  4. The method according to claim 1 or 2, characterized in that the core network device receiving the RFF acquisition information fed back by the base station according to the RFF acquisition instruction, and judging according to the RFF acquisition information whether the RFF authentication of the terminal succeeds, comprises:
    the core network device receiving the RFF acquisition information fed back by the base station, wherein the RFF acquisition information carries the RFF collected by the base station, and the RFF collected by the base station is the RFF of the terminal corresponding to the identification information of the terminal carried in the RFF acquisition instruction;
    the core network device judging whether the RFF collected by the base station is consistent with the stored RFF of the terminal corresponding to the mark module, and if they are consistent, judging that the RFF authentication of the terminal succeeds; otherwise, judging that the RFF authentication of the terminal fails.
  5. The method according to claim 3 or 4, characterized by further comprising:
    when the core network device judges that the RFF authentication of the terminal fails, starting user identity identification for the terminal;
    when the core network device determines that the user identity identification result of the terminal is a pass, sending an RFF initial acquisition instruction to the base station, wherein the RFF initial acquisition instruction carries the identification information of the terminal;
    the core network device receiving the RFF of the terminal fed back by the base station according to the RFF initial acquisition instruction, and updating the correspondence between the mark module of the terminal and the RFF of the terminal.
  6. A network security protection method, characterized by comprising:
    a base station receiving an RFF initial acquisition instruction sent by a core network device, wherein the RFF initial acquisition instruction carries identification information of a terminal;
    the base station collecting, according to the identification information of the terminal, the RFF of the terminal corresponding to the identification information, and feeding the collected RFF back to the core network device, so that the core network device saves the correspondence between the mark module of the terminal and the RFF of the terminal;
    the base station receiving an RFF acquisition instruction sent by the core network device, wherein the RFF acquisition instruction carries the identification information of the terminal;
    the base station collecting, according to the identification information of the terminal, the RFF of the terminal corresponding to the identification information;
    the base station generating RFF acquisition information according to the collected RFF and feeding it back to the core network device, so that the core network device judges according to the RFF acquisition information whether the RFF authentication of the terminal succeeds.
  7. The method according to claim 6, characterized in that the RFF acquisition instruction also carries the RFF of the terminal corresponding to the mark module;
    the base station generating the RFF acquisition information according to the collected RFF comprises:
    the base station generating RFF comparison information according to the collected RFF and the RFF carried in the RFF acquisition instruction, and using the RFF comparison information as the RFF acquisition information.
  8. The method according to claim 7, characterized in that the mark module is a subscriber identity module (SIM) or a universal subscriber identity module (USIM).
  9. The method according to claim 6, characterized in that the base station generating the RFF acquisition information according to the collected RFF comprises:
    the base station using the collected RFF as the RFF acquisition information.
  10. A network security protection device, characterized by comprising: a transceiver and a processor coupled to the transceiver;
    the processor is configured to:
    send an RFF initial acquisition instruction to a base station through the transceiver, wherein the RFF initial acquisition instruction carries identification information of a terminal;
    receive, through the transceiver, the RFF of the terminal fed back by the base station according to the RFF initial acquisition instruction, and save the correspondence between the mark module of the terminal and the RFF of the terminal;
    when initiating authentication of the terminal, send an RFF acquisition instruction to the base station through the transceiver, wherein the RFF acquisition instruction carries the identification information of the terminal;
    receive the RFF acquisition information fed back by the base station according to the RFF acquisition instruction, and judge according to the RFF acquisition information whether the RFF authentication of the terminal succeeds.
  11. The device according to claim 10, characterized in that the mark module is a subscriber identity module (SIM) or a universal subscriber identity module (USIM).
  12. The device according to claim 10 or 11, characterized in that the RFF acquisition instruction also carries the RFF of the terminal corresponding to the mark module;
    the processor is specifically configured to:
    when receiving, through the transceiver, the RFF acquisition information fed back by the base station and judging according to the RFF acquisition information whether the RFF authentication of the terminal succeeds, receive, through the transceiver, the RFF acquisition information fed back by the base station according to the RFF acquisition instruction, wherein the RFF acquisition information carries RFF comparison information, and the RFF comparison information is generated by the base station according to the RFF collected by the base station and the RFF carried in the RFF acquisition instruction;
    if the RFF comparison information indicates that the RFF collected by the base station is consistent with the RFF carried in the RFF acquisition instruction, judge that the RFF authentication of the terminal succeeds; otherwise, judge that the RFF authentication of the terminal fails.
  13. The device according to claim 10 or 11, characterized in that the processor is specifically configured to:
    when receiving, through the transceiver, the RFF acquisition information fed back by the base station according to the RFF acquisition instruction and judging according to the RFF acquisition information whether the RFF authentication of the terminal succeeds, receive, through the transceiver, the RFF acquisition information fed back by the base station, wherein the RFF acquisition information carries the RFF collected by the base station, and the RFF collected by the base station is the RFF of the terminal corresponding to the identification information of the terminal carried in the RFF acquisition instruction;
    judge whether the RFF collected by the base station is consistent with the stored RFF of the terminal corresponding to the mark module, and if they are consistent, judge that the RFF authentication of the terminal succeeds; otherwise, judge that the RFF authentication of the terminal fails.
  14. The device according to claim 12 or 13, characterized in that the processor is further configured to:
    when judging that the RFF authentication of the terminal fails, start user identity identification for the terminal;
    when determining that the user identity identification result of the terminal is a pass, send an RFF initial acquisition instruction to the base station, wherein the RFF initial acquisition instruction carries the identification information of the terminal;
    receive, through the transceiver, the RFF of the terminal fed back by the base station according to the RFF initial acquisition instruction, and update the correspondence between the mark module of the terminal and the RFF of the terminal.
  15. A network security protection device, characterized by comprising: a transceiver and a processor coupled to the transceiver;
    the processor is configured to:
    receive, through the transceiver, an RFF initial acquisition instruction sent by a core network device, wherein the RFF initial acquisition instruction carries identification information of a terminal;
    collect, according to the identification information of the terminal, the RFF of the terminal corresponding to the identification information, and feed the collected RFF back to the core network device, so that the core network device saves the correspondence between the mark module of the terminal and the RFF of the terminal;
    receive, through the transceiver, an RFF acquisition instruction sent by the core network device, wherein the RFF acquisition instruction carries the identification information of the terminal;
    collect, according to the identification information of the terminal, the RFF of the terminal corresponding to the identification information;
    generate RFF acquisition information according to the collected RFF and feed it back to the core network device, so that the core network device judges according to the RFF acquisition information whether the RFF authentication of the terminal succeeds.
  16. The device according to claim 15, characterized in that the RFF acquisition instruction also carries the RFF of the terminal corresponding to the mark module;
    the processor is specifically configured to:
    when generating the RFF acquisition information according to the collected RFF, generate RFF comparison information according to the collected RFF and the RFF carried in the RFF acquisition instruction, and use the RFF comparison information as the RFF acquisition information.
  17. The device according to claim 16, characterized in that the mark module is a subscriber identity module (SIM) or a universal subscriber identity module (USIM).
  18. The device according to claim 15, characterized in that the processor is specifically configured to:
    when generating the RFF acquisition information according to the collected RFF, use the collected RFF as the RFF acquisition information.
CN201680090081.6A 2016-11-29 2016-11-29 A kind of network safety protection method and equipment Pending CN109845215A (en)

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/CN2016/107756 WO2018098641A1 (en) 2016-11-29 2016-11-29 Network security protection method and device

Publications (1)

Publication Number Publication Date
CN109845215A true CN109845215A (en) 2019-06-04

Family

ID=62241028

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201680090081.6A Pending CN109845215A (en) 2016-11-29 2016-11-29 A kind of network safety protection method and equipment

Country Status (2)

Country Link
CN (1) CN109845215A (en)
WO (1) WO2018098641A1 (en)


Also Published As

Publication number Publication date
WO2018098641A1 (en) 2018-06-07


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20190604