CN110621019A - Method and device for preventing flow fraud - Google Patents
Method and device for preventing flow fraud
- Publication number: CN110621019A (application CN201810638701.6A)
- Authority: CN (China)
- Prior art keywords: network, user equipment, usage, session, authentication code
- Legal status: Pending
Classifications
- H04M15/47—Fraud detection or prevention means
- H04W12/041—Key generation or derivation
- H04W12/06—Authentication
- H04W12/106—Packet or message integrity
- H04W12/12—Detection or prevention of fraud
- H04W24/08—Testing, supervising or monitoring using real traffic
- H04W12/04—Key management, e.g. using generic bootstrapping architecture [GBA]
- H04W4/24—Accounting or billing
Abstract
The present application provides a method and apparatus for preventing traffic fraud. In the method, while the visited network reports network usage, the user equipment also reports network usage; the home network compares the two reports to determine whether traffic fraud may be present and, if it is, handles it according to a preset policy. With the technical solution provided by the invention, measures can be taken against traffic fraud, reducing billing disputes between users and operators as far as possible.
Description
Technical Field
The present application relates to the field of communications and, more specifically, to a method and apparatus for preventing traffic fraud in the field of communications.
Background
With the continuing development of communication systems, the service-based architecture (SBA) has come into wide use. In a service-based network architecture, a network entity that provides a specific network function is called a network function (NF) module, and network functions can be provided as services.
As shown in Figure 1, in a service-based network architecture any two network function modules can interact through service-based interfaces by invoking network function services. When a user is roaming, in the home-routed scenario, the user's traffic is sent through the visited network's user plane function (vUPF) to the home network's hUPF; the hUPF then reports it to the hSMF, and the hSMF sends the traffic to the charging-related network elements. (In the rest of this document the prefix v denotes the visited network and h denotes the home network.)
In a roaming scenario, if the visited network is paid under a usage-based revenue-sharing model, the visited network may commit traffic fraud (for example, over-reporting traffic to the home network), which leads to billing disputes.
Summary of the Invention
The present application provides a method and device for preventing traffic fraud. While the visited network reports network usage, the UE also reports the network usage it has consumed; the home network compares the two reports to determine whether traffic fraud may be present and, if it is, handles it according to a preset policy. With the technical solution provided by the invention, measures can be taken against traffic fraud, reducing billing disputes between users and operators as far as possible.
In a first aspect, the present application provides a method for preventing traffic fraud. The method includes: a first network element receives a first network usage sent by a user equipment, where the first network element is a network element in the home network; the first network element obtains a second network usage sent by a second network element, where the second network element is a network element in the visited network that serves the user equipment; and if the first network usage does not match the second network usage, processing is performed according to a preset policy.
For example, the first network element may be, in the home network, an access and mobility management function (AMF), a session management function (SMF), a security edge protection proxy (SEPP), an authentication server function (AUSF), or a unified data management (UDM) network element. The first network element may be the AMF in the visited network.
It should also be noted that the first network usage is, as counted on the UE side, the traffic used by the UE within a preset time period, or the number of data packets sent and received within a preset time period, or the service usage information of a particular slice, or the service usage information of a particular session. Correspondingly, the second network usage is, as counted on the network side, the traffic used by the UE within a preset time period, or the number of data packets sent and received within a preset time period, or the service usage information of a particular slice (such as the traffic used by that slice or the number of data packets it sent and received), or the service usage information of a particular session (such as the traffic used by that session or the number of data packets it sent and received). For example, the first network usage is the network usage of the user equipment, of a first slice, or of a first session as counted by the user equipment; the second network usage is the network usage of the user equipment, of the first slice, or of the first session as counted by the second network element. Here the network usage is traffic information, the duration of network use, or the number of data packets sent and received; the first slice is any slice initiated by the user equipment; and the first session is any session initiated by the user equipment.
With reference to the first aspect, it should be noted that, to protect the integrity of the information it reports while in transit, the UE sends a first message authentication code to the first network element, where the message authentication code is generated from a shared key and the first network usage. Correspondingly, the first network element receives the first message authentication code sent by the user equipment; the first network element obtains a second message authentication code, where the second message authentication code is likewise generated from the shared key and the second network usage; and if the first message authentication code and the second message authentication code are the same, it determines whether the first network usage matches the second network usage.
It can be understood that if the first message authentication code and the second message authentication code are the same, the message reported by the UE was not tampered with in transit. Determining whether the first network usage matches the second network usage includes: determining whether the first network usage and the second network usage are the same; or, if the first network usage and the second network usage are both numerical values, determining whether the two values are less than a preset threshold.
Further, if the first network usage does not match the second network usage, processing is performed according to a preset policy. There may be one or more preset policies, for example releasing the session or reporting to a server. For example, processing according to the preset policy includes: terminating the session, or reporting to a server, or recording a detailed log of the user's network usage.
With reference to the first aspect, it should further be noted that there are many mechanisms for prompting the UE and the visited network each to report network usage: reporting may be triggered by a network element in the home network, by the vAMF, by the vUPF, or by the hUPF, and no limitation is imposed here. For example, before the first network element receives the first network usage sent by the user equipment, the method further includes: the first network element sends a service usage query request to the second network element, where the service usage query request instructs the second network element to report the network usage consumed by the user equipment.
A second aspect of the present invention discloses a method for preventing traffic fraud. The method includes: a second network element receives a first network usage sent by a user equipment, where the second network element is a network element in the visited network; the second network element obtains a second network usage counted by the visited network; and if the first network usage does not match the second network usage, processing is performed according to a preset policy.
It should be noted that the second network element may be a vAMF. The first network usage is, as counted on the UE side, the traffic used by the UE within a preset time period, or the number of data packets sent and received within a preset time period, or the service usage information of a particular slice, or the service usage information of a particular session. Correspondingly, the second network usage is, as counted on the network side, the traffic used by the UE within a preset time period, or the number of data packets sent and received within a preset time period, or the service usage information of a particular slice, or the service usage information of a particular session. For example, the first network usage is the network usage of the user equipment, of a first slice, or of a first session as counted by the user equipment; the second network usage is the network usage of the user equipment, of the first slice, or of the first session as counted by the second network element. Here the network usage is traffic information, the duration of network use, or the number of data packets sent and received; the first slice is any slice initiated by the user equipment; and the first session is any session initiated by the user equipment.
Determining whether the first network usage matches the second network usage includes: determining whether the first network usage and the second network usage are the same; or, if the first network usage and the second network usage are both numerical values, determining whether the two values are less than a preset threshold. Further, if the first network usage does not match the second network usage, processing is performed according to a preset policy. There may be one or more preset policies. For example, the session may be released, with the session release message carrying a cause value for the termination. As another example, the vAMF continues to provide service and records the UE's specific service usage so that evidence is available if a dispute arises later. As another example, the vAMF reports the traffic inconsistency to the operation and maintenance system. As yet another example, the vAMF reports the traffic inconsistency to the home network. It should be noted that the vAMF may carry out one or more of these preset policies. For example, processing according to the preset policy includes: terminating the session, or reporting to a server, or recording a detailed log of the user's network usage.
It can be understood that the visited network compares the network usage reported by the UE with the UE's network usage as counted on the network side in order to determine whether the UE has tampered with its network usage data. The visited network can then keep a record for later verification. The comparison result can of course also be sent to the home network so that the home network keeps a record as well.
It can be understood that, so that the home network knows whether the UE's network usage is normal, the first network usage and the second network usage are also sent to the first network element, where the first network element is a network element in the home network. The home network then determines from the first network usage and the second network usage whether the traffic statistics are abnormal.
It should further be noted that if the home network has subscribed to messages querying the UE's network usage, the second network element periodically sends a traffic query request to the user equipment according to the first network element's subscription information, so that the UE reports, in response to the traffic query request, the network usage it has counted for itself.
A third aspect of the present invention discloses a method for preventing traffic fraud. The method includes: a user equipment generates a first message authentication code from the network usage and a shared key; and the user equipment sends the network usage and the first message authentication code to the visited network.
It can be understood that, to prevent the visited network from arbitrarily tampering with the UE's network usage, the UE sends its own network usage together with the message authentication code to the visited network, which forwards them to the home network; the home network then determines whether the network usage reported by the UE is consistent with the UE's network usage as reported by the visited network.
It can be understood that the UE needs the shared key to generate the first message authentication code; that is, the shared key must be generated before the first message authentication code is generated. The shared key is shared between the UE and the home network, so both the UE and the home network know how to generate or obtain it. For example, the user equipment generates the shared key from the identifier of the visited network and an intermediate key, where the intermediate key is a key generated during access authentication of the user equipment and the identifier of the visited network includes the name of the visited network. There may be one or more first message authentication codes. The network usage includes at least one of the following parameters: the network usage of the user equipment, the network usage of a first slice, and the network usage corresponding to a first session; correspondingly, the first message authentication codes correspond one-to-one to the parameters in the network usage. Here the network usage is traffic information, the duration of network use, or the number of data packets sent and received; the first slice is any slice initiated by the user equipment; and the first session is any session initiated by the user equipment.
It should further be noted that after the home network has compared the network usage reported by the UE with the UE's network usage as reported by the visited network, it feeds the comparison result back to the UE and, to protect the integrity of that message in transit, also returns a message authentication code, so that the UE can act on the comparison result. Specifically, the user equipment receives the comparison result and a second message authentication code fed back by the visited network; the user equipment verifies the second message authentication code; and if the second message authentication code is verified successfully, processing is performed according to the comparison result and a preset policy. The user equipment may verify the message authentication code using the shared key.
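The report, comparison and feedback exchange described in the first and third aspects can be sketched as follows. This is an added example, not code from the patent. It assumes HMAC-SHA256 for both the key derivation and the message authentication code, assumes the home network checks the code by recomputing it over the UE report as received, and applies the threshold to the difference between the two counts. All function names, field names, policy labels and sample values are constructed.

```python
import hashlib
import hmac
import json

# Preset policy per comparison result. The action names are illustrative labels
# for the options the text lists (report to server, detailed usage log).
PRESET_POLICY = {
    "match": [],
    "mismatch": ["report_to_server", "log_detailed_usage"],
    "ue_report_rejected": ["report_to_server"],
    "not_comparable": ["log_detailed_usage"],
}


def derive_shared_key(intermediate_key: bytes, visited_network_id: str) -> bytes:
    """Derive the UE/home-network shared key from the intermediate key (from
    access authentication) and the visited network identifier.
    Assumption: HMAC-SHA256 as the derivation function."""
    label = b"usage-report-key|" + visited_network_id.encode("utf-8")
    return hmac.new(intermediate_key, label, hashlib.sha256).digest()


def encode(message: dict) -> bytes:
    """Canonical encoding so both ends authenticate identical bytes."""
    return json.dumps(message, sort_keys=True, separators=(",", ":")).encode("utf-8")


def make_mac(key: bytes, message: dict) -> bytes:
    return hmac.new(key, encode(message), hashlib.sha256).digest()


def verify_mac(key: bytes, message: dict, tag: bytes) -> bool:
    # Constant-time comparison avoids leaking how many tag bytes matched.
    return hmac.compare_digest(make_mac(key, message), tag)


def ue_report(key: bytes, scope: str, period: str, byte_count: int):
    """UE side: usage for one scope (UE, slice or session) plus its code."""
    report = {"scope": scope, "period": period, "bytes": byte_count}
    return report, make_mac(key, report)


def home_compare(key, report, tag, visited_report, threshold):
    """Home network: check integrity of the UE report, then compare it with
    the visited network's figure. Returns an authenticated feedback message."""
    if not verify_mac(key, report, tag):
        result = "ue_report_rejected"  # altered between UE and home network
    elif (report["scope"], report["period"]) != (
        visited_report["scope"], visited_report["period"]
    ):
        result = "not_comparable"
    elif abs(report["bytes"] - visited_report["bytes"]) <= threshold:
        result = "match"
    else:
        result = "mismatch"
    feedback = {"period": visited_report["period"], "result": result}
    return feedback, make_mac(key, feedback)


def ue_handle_feedback(key, feedback, tag):
    """UE side: accept the comparison result only if its code verifies."""
    return feedback["result"] if verify_mac(key, feedback, tag) else None


def apply_policy(result: str):
    return PRESET_POLICY.get(result, ["report_to_server"])


def demo():
    # Constructed sample values: key material, network name, period, counts.
    key = derive_shared_key(bytes(range(32)), "visited.example")
    period = "2018-06-20T10:00/11:00"
    report, tag = ue_report(key, "session-1", period, 1_000_000)
    cases = {
        "honest": (report, 1_000_400),
        "inflated": (report, 5_000_000),
        # UE report rewritten in transit to agree with the inflated figure.
        "ue_report_altered": (dict(report, bytes=5_000_000), 5_000_000),
    }
    results = {}
    for name, (received_report, visited_bytes) in cases.items():
        visited = {"scope": "session-1", "period": period, "bytes": visited_bytes}
        feedback, fb_tag = home_compare(key, received_report, tag, visited, 1024)
        results[name] = ue_handle_feedback(key, feedback, fb_tag)
    return results


if __name__ == "__main__":
    for case, result in demo().items():
        print(case, result, apply_policy(result))
```

Because the shared key is known only to the UE and the home network, a report rewritten on the visited-network leg fails the integrity check instead of producing a false match.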
A fourth aspect of the present invention discloses an apparatus (the apparatus is a network element in the home network) that can be used to perform the method of the first aspect. Specifically, the apparatus includes:
a receiving unit, configured to receive a first network usage sent by a user equipment, where the apparatus is a network element in the home network; an obtaining unit, configured to obtain a second network usage sent by a second network element, where the second network element is a network element in the visited network that serves the user equipment;
a processing unit, configured to perform processing according to a preset policy if the first network usage does not match the second network usage.
Optionally, the apparatus further includes a determining unit;
the receiving unit is further configured to receive a first message authentication code sent by the user equipment, where the message authentication code is generated from a shared key and the first network usage; the obtaining unit is further configured to obtain a second message authentication code, where the second message authentication code is generated from the shared key and the second network usage; the determining unit is configured to determine, if the first message authentication code and the second message authentication code are the same, whether the first network usage matches the second network usage.
Optionally, the apparatus further includes a sending unit;
the sending unit is configured to send a service usage query request to the second network element;
the receiving unit is configured to receive the second network usage sent by the second network element.
A fifth aspect of the present invention discloses an apparatus (the apparatus is a network element in the visited network, for example an AMF) that can be used to perform the method of the second aspect. Specifically, the apparatus includes a receiving unit, an obtaining unit and a processing unit;
the receiving unit is configured to receive a first network usage sent by a user equipment, where the apparatus is a network element in the visited network; the obtaining unit is configured to obtain a second network usage counted by the visited network; the processing unit is configured to perform processing according to a preset policy if the first network usage does not match the second network usage.
Optionally, the apparatus further includes a sending unit;
the sending unit is configured to send the first network usage and the second network usage to a first network element, where the first network element is a network element in the home network.
Further, the sending unit is also configured to periodically send a traffic query request to the user equipment according to the first network element's subscription information; the receiving unit is configured to receive the first network usage sent by the user equipment, where the apparatus is a network element in the visited network.
A sixth aspect of the present invention discloses a user equipment configured to perform the method of the third aspect. Specifically, the user equipment includes a generating unit and a sending unit;
the generating unit is configured to generate a first message authentication code from the network usage and a shared key;
the sending unit is configured to send the network usage and the first message authentication code to the visited network.
Optionally, the generating unit is further configured to generate the shared key from the identifier of the visited network and an intermediate key, where the intermediate key is a key generated during access authentication of the user equipment and the identifier of the visited network includes the name of the visited network.
Optionally, the user equipment further includes a receiving unit, a verification unit and a processing unit;
the receiving unit is configured to receive the comparison result and a second message authentication code fed back by the visited network; the verification unit is configured to verify the second message authentication code; the processing unit is configured to perform processing according to the comparison result and a preset policy if the second message authentication code is verified successfully.
第七方面,本申请提供了一种网元,该网元包括存储器、处理器、收发器及存储在该存储器上并可在该处理器上运行的计算机程序,当存储器中的计算机程序被执行时,该收发器和处理器执行上述第一方面或第一方面的任意可能的实现方式中的方法。In a seventh aspect, the present application provides a network element, which includes a memory, a processor, a transceiver, and a computer program stored in the memory and operable on the processor. When the computer program in the memory is executed , the transceiver and the processor execute the method in the foregoing first aspect or any possible implementation manner of the first aspect.
第八方面,本申请提供了一种网元,该网元包括存储器、处理器、收发器及存储在该存储器上并可在该处理器上运行的计算机程序,当存储器中的计算机程序被执行时,该收发器和处理器执行上述第二方面或第二方面的任意可能的实现方式中的方法。In an eighth aspect, the present application provides a network element, which includes a memory, a processor, a transceiver, and a computer program stored in the memory and operable on the processor. When the computer program in the memory is executed , the transceiver and the processor execute the method in the foregoing second aspect or any possible implementation manner of the second aspect.
第九方面,本申请提供了一种用户设备(比如手机,平板电脑、穿戴设备等具有收发信息的电子设备),该网元包括存储器、处理器、收发器及存储在该存储器上并可在该处理器上运行的计算机程序,当存储器中的计算机程序被执行时,该收发器和处理器执行上述第三方面或第三方面的任意可能的实现方式中的方法。In the ninth aspect, the present application provides a user equipment (such as a mobile phone, a tablet computer, a wearable device, and other electronic equipment capable of sending and receiving information), the network element includes a memory, a processor, a transceiver, and is stored in the memory and can be used in The computer program running on the processor, when the computer program in the memory is executed, the transceiver and the processor execute the method in the above third aspect or any possible implementation manner of the third aspect.
In a tenth aspect, the present application provides a computer-readable medium for storing a computer program, where the computer program includes instructions for executing the method in the first aspect or any possible implementation of the first aspect.
In an eleventh aspect, the present application provides a computer-readable medium for storing a computer program, where the computer program includes instructions for executing the method in the second aspect or any possible implementation of the second aspect.
In a twelfth aspect, the present application provides a computer-readable medium for storing a computer program, where the computer program includes instructions for executing the method in the third aspect or any possible implementation of the third aspect.
In a thirteenth aspect, the present application provides a computer program product containing instructions which, when run on a computer, cause the computer to execute the method in the first aspect or any possible implementation of the first aspect.
In a fourteenth aspect, the present application provides a computer program product containing instructions which, when run on a computer, cause the computer to execute the method in the second aspect or any possible implementation of the second aspect.
In a fifteenth aspect, the present application provides a computer program product containing instructions which, when run on a computer, cause the computer to execute the method in the third aspect or any possible implementation of the third aspect.
In a sixteenth aspect, the present application provides a chip, including an input interface, an output interface, at least one processor, and a memory, where the input interface, the output interface, the processor, and the memory are connected through a bus. The processor is configured to execute code in the memory, and when the code is executed, the processor performs the method in the first aspect or any possible implementation of the first aspect.
In a seventeenth aspect, the present application provides a chip, including an input interface, an output interface, at least one processor, and a memory, where the input interface, the output interface, the processor, and the memory are connected through a bus. The processor is configured to execute code in the memory, and when the code is executed, the processor performs the method in the second aspect or any possible implementation of the second aspect.
In an eighteenth aspect, the present application provides a chip, including an input interface, an output interface, at least one processor, and a memory, where the input interface, the output interface, the processor, and the memory are connected through a bus. The processor is configured to execute code in the memory, and when the code is executed, the processor performs the method in the third aspect or any possible implementation of the third aspect.
Description of the drawings
FIG. 1 is a diagram of a 5G roaming architecture provided by an embodiment of the present application;
FIG. 2 is a schematic flowchart of a method for preventing traffic fraud provided by an embodiment of the present application;
FIG. 3 is a schematic flowchart of another method for preventing traffic fraud provided by an embodiment of the present application;
FIG. 4 is a logical structure diagram of a network element of a home network provided by an embodiment of the present application;
FIG. 5 is a logical structure diagram of a network element of a visited network provided by an embodiment of the present application;
FIG. 6 is a logical structure diagram of a user equipment provided by an embodiment of the present application;
FIG. 7 is a physical structure diagram of an apparatus according to an embodiment of the present application.
Detailed description
The technical solutions in this application are described below with reference to the accompanying drawings.
FIG. 1 shows a schematic block diagram of the 5G roaming architecture provided by an embodiment of the present application. The network architecture is service-based and comprises several different types of network function modules, which interact with each other through service-based interfaces by invoking network function services.
It should be understood that the network function modules in the embodiments of the present application have specific functions and network interfaces. A module may be a network element on dedicated hardware, a software instance running on dedicated hardware, or a virtualized function instance on a related platform (for example, on cloud infrastructure); this is not limited in the embodiments of the present application.
The modules in this service-based network architecture are introduced below with reference to FIG. 1:
Radio access network (RAN): responsible for the access of user equipment (UE). In practice, RAN may also be abbreviated as AN.
Optionally, the UE in the embodiments of the present application may be mobile or fixed. The UE may refer to an access terminal, a terminal device, a mobile terminal, a subscriber unit, a subscriber station, a mobile station, a remote station, a remote terminal, a mobile device, a user terminal, a terminal, a wireless communication device, a user agent, or a user apparatus. The access terminal may be a cellular phone, a cordless phone, a session initiation protocol (SIP) phone, a wireless local loop (WLL) station, a personal digital assistant (PDA), a handheld device with wireless communication capability, a computing device or other processing device connected to a wireless modem, an in-vehicle device, a wearable device, or user equipment in a future fifth generation (5G) system or new radio (NR) system.
Access and mobility management function (AMF) module: responsible for functions similar to the mobility management in the existing mobile management entity (MME); it controls the UE's access to network resources and manages the mobility of the UE. The AMF module and the RAN module communicate with each other to handle the access network control plane, where N2 is not a service-based interface.
Authentication server function (AUSF) module: responsible for key generation and for mutual authentication with the UE.
Session management function (SMF) module: responsible for managing the UE's sessions, including session establishment, modification, and release.
Network exposure function (NEF) module: responsible for securely exposing network function services in the core network to external network entities, and for converting information between the internal and external networks.
Network function (NF) module: a network element capable of providing network services, such as the AUSF, AMF, or UDM.
Network repository function (NRF) module: responsible for functions such as service discovery. The full English name of this module may also be NF repository function.
Policy control function (PCF) module: responsible for the unified policy framework that governs network behavior, and for providing policy rules for the control plane to enforce.
Unified data management (UDM) module: includes a front end (FE) and a user data repository (UDR). The FE is responsible for functions such as credit rating processing, location management, and subscription management, and can access the user subscription data stored in the UDR. The UDR is a user subscription data storage server that provides user subscription data to the front end.
Application function (AF) module: provides application services.
User plane function (UPF) module: provides functions such as packet inspection, forwarding, and traffic usage reporting.
Each of the above modules may also be described as a network element or a functional network element. For example, the UDM may be understood as a UDM network element or a UDM functional network element, and the NRF may be understood as an NRF network element or an NRF functional network element.
As shown in FIG. 1, the AMF module has the service-based interface NAMF, the SMF module has the service-based interface NSMF, the AUSF module has the service-based interface NAUSF, the NEF module has the service-based interface NNEF, the NRF module has the service-based interface NNRF, the PCF module has the service-based interface NPCF, the UDM module has the service-based interface NUDM, and the AF module has the service-based interface NAF.
It should be understood that the service-based interfaces of the network function modules in the embodiments of the present application may also have other names; this is not limited in the embodiments of the present application.
It should be pointed out that, in a roaming scenario, if the visited network uses a revenue-sharing model (for example, the visited network settles charges with the home network according to the traffic used by the user), the visited network may commit traffic fraud. For example, when the vUPF forwards traffic to the hUPF (network elements with the prefix v belong to the visited network, and network elements with the prefix h belong to the home network), it may add junk traffic. The traffic actually used by the user then differs from the traffic reported by the visited network, which leads to billing disputes.
To address this problem, the present invention provides a solution: while the visited network reports network usage (such as traffic data, duration data, and number of messages) to the home network, the UE also reports the network usage it has consumed, and the home network compares the two reports to determine whether traffic fraud may be taking place. Optionally, the home network may feed the result of this determination back to the visited network. Further, to protect the network usage reported by the UE from being tampered with by the visited network, the UE applies integrity protection to the network usage it reports; only if the home network verifies that the integrity protection of the data sent by the UE is intact does it compare the network usage reported by the UE with that reported by the visited network. In addition, it should be pointed out that the home network may actively query, or subscribe to, the network usage data of the UE while it is roaming.
In addition, the visited network can also check traffic consistency: the vAMF in the home network actively queries the network usage counted by the UE and the network usage of the UE counted by the vSMF. If the two sets of data are inconsistent, or the difference between them is greater than a preset threshold, the visited network considers that the UE may be reporting traffic information maliciously, and the vAMF can act according to a preset policy, for example releasing the session, refusing to provide service to the UE, or continuing to provide service while recording the UE's specific service usage so that evidence is available if a dispute arises later, and/or reporting the traffic inconsistency to the operation and maintenance system. In addition, the vAMF may report the traffic inconsistency to the home network.
FIG. 2 shows a schematic flowchart of the method for preventing traffic fraud provided by an embodiment of the present application. The method can be applied to the network architecture shown in FIG. 1. The method includes:
S101. The UE sends its network usage to the vAMF;
It should be pointed out that the UE may send its network usage to the vAMF at a preset time interval; the preset time interval may be delivered by the vAMF or by a network element in the home network.
Optionally, the UE may send its network usage to the vAMF as instructed by the vAMF. For example, the UE receives a query request sent by the AMF and, in response to the query request, sends the network usage to the vAMF.
In addition, it should be noted that the network usage may be the traffic used by the UE within the preset time interval. For example, if the UE needs to send its network usage to the vAMF every 10 minutes, the network usage it sends is the traffic the UE used within those 10 minutes. The 10 minutes is only an example; the interval may also be half an hour, an hour, and so on, and the preset time interval is not limited here.
Optionally, the network usage may be the service usage information of a certain slice (for example, the traffic usage of a certain slice).
Optionally, the network usage may be the service usage information of a certain type of slice (for example, the traffic usage of a certain type of handover within a preset time period). Common types include eMBB (Enhanced Mobile Broadband), URLLC (Ultra-Reliable and Low-Latency Communication), and mMTC (massive machine type communication).
Optionally, the network usage may also be the traffic usage of a certain session.
In addition, it should be pointed out that, in a possible implementation of the present invention, a network element in the home network (such as the AMF, AUSF, or hSEPP) may have subscribed to the service usage information of a certain user, of a certain slice of that user, or of a certain APN (access point name). That home network element then invokes the service interface of the vAMF to query the network usage of the UE. Specifically, if the home network element has subscribed to the service usage information of a certain user, of a certain slice of that user, or of a certain APN, the vAMF stores the subscription information and subsequently sends a network usage acquisition request to the UE according to it. Correspondingly, when the UE receives the network usage acquisition request, it returns its network usage to the vAMF.
In a possible implementation of the present invention, the UE sends a first message to the vAMF, and the first message includes the network usage. For example, the network usage may be the total traffic used by the UE within a preset time period, or the number of data packets sent and received by the UE within a preset time period; it may also be the count value of a certain slice or session. If the network usage is the count value of a certain slice or the traffic used by a certain slice, the first message should include the identifier of that slice. Correspondingly, if the network usage is the count value of a certain session or the traffic used by a certain session, the first message should include the identifier of that session. In addition, integrity protection is needed to ensure that the data sent by the UE is not tampered with. Specifically, the UE may include a message verification code in the first message, so that the home network element compares the network usage sent by the UE with the network usage of the UE counted by the visited network only after it has successfully verified the message verification code.
In connection with the above possible implementation, it should be pointed out that there are many ways to generate the message verification code. For example, the UE may generate the message verification code according to the serving network identity (SNID); the UE may generate it according to Kausf and the SNID; the UE may generate it according to a session identifier; or the UE may generate it according to a slice identifier. The options are not listed exhaustively here.
Here, Kausf is a key generated while the UE is authenticated by the home network. Kausf is generated as follows: while accessing the network, the UE sends its identifier to the AMF; the AMF then sends the UE's identifier and the serving network identifier (which may be the name of the serving network) to the AUSF; the AUSF sends the UE's identifier and the serving network identifier to the UDM; and the UDM generates Kausf based on the serving network identifier and sends Kausf to the AUSF. For details of how Kausf is generated, see section A.2 of TS 33.501.
In addition, the N1Message needs to carry an identifier of the UE, such as a Subscription Permanent Identifier (SUPI) or a Subscription Concealed Identifier (SUCI).
S102. The vAMF obtains the network usage of the UE as counted by the network side;
Specifically, the vAMF may invoke the service interface of the vSMF, or use interface messages, to query the network usage of the UE as counted by the network side. If several vSMFs serve the UE, the vAMF invokes the service interface of each SMF to query the network usage of the UE as counted by the network side. Specifically, after the vSMF receives the first query message sent by the vAMF, the vSMF queries the vUPF for the user's service usage information; if one vSMF corresponds to several vUPFs, the vSMF sends a second query message to each of the vUPFs. In response to the second query message, the vUPF returns the network-side user service usage information to the vSMF; in response to the first query message, the vSMF returns the network-side user service usage information to the vAMF.
Optionally, when the vAMF invokes the service of the vSMF, it may also carry slice information and/or session information.
Optionally, the vAMF compares the network usage reported by the UE with the network usage counted by the network side. If the network usage sent by the UE does not match the network usage of the UE counted by the network side, the vAMF acts according to the configured policy. Specifically, if the two do not match, the vAMF has several optional actions: it may release the session, optionally carrying the session termination in the session release message; it may continue to provide service and record the UE's specific service usage so that evidence is available if a dispute arises later; it may report the traffic inconsistency to the operation and maintenance system; or it may report the traffic inconsistency to the home network. It should be pointed out that the vAMF may choose one of these actions or several of them, for example continuing to provide service to the UE, recording the UE's network usage information, and sending an alert about the traffic inconsistency to a network element of the home network.
S103. The vAMF sends the network usage reported by the UE and the network usage of the UE counted by the visited network to the home network;
It can be understood that the vAMF sends a second message to a network element of the home network (such as the hAUSF, hAMF, or hSEPP). The second message includes the network usage reported by the UE, the network usage of the UE counted by the visited network, and the message verification code; in addition, the second message also includes the identifier of the UE and the identifier of the visited network.
In addition, it can be understood that the above parameters, namely the network usage reported by the UE, the network usage of the UE counted by the visited network, the message verification code, the identifier of the UE, and the identifier of the visited network, may be sent in one message or sent separately.
In addition, it can be understood that the data reported by the UE and the network-side statistics obtained by the vAMF may be sent to the home network separately. For example, the vAMF sends a UE report message to the home network, which includes the UE's network usage, the message verification code, the identifier of the UE, and the identifier of the visited network; the vAMF may also send a visited network report message to the home network, which includes the network usage of the UE counted by the visited network, the identifier of the UE, and the identifier of the visited network.
S104. The home network determines what action to take according to the network usage reported by the UE and the network usage of the UE counted by the visited network.
It should be pointed out that, before determining whether the data reported by the UE matches the data reported by the visited network, it is also necessary to verify whether the data reported by the UE has been modified; therefore, the message verification code must be checked first.
Specifically, after receiving the second message, the home network element (such as the hAUSF, hAMF, or hSEPP) first generates a message verification code using the method agreed with the UE (that is, the home network element generates the message verification code in the same way as the UE does), and then compares the generated message verification code with the one in the second message. If the two message verification codes do not match, the message reported by the UE has been modified, and the home network may terminate the session or report to a server according to a preset policy;
If the two message verification codes match, the home network compares the network usage reported by the UE with the network usage counted by the visited network. If the two do not match, the home network may, depending on configuration, release the session or report to a server.
Optionally, the home network returns the comparison result to the vAMF of the visited network, so that the vAMF acts according to the comparison result and a preset policy. For example, if the comparison result indicates that the network usage reported by the UE does not match the network usage of the UE counted by the visited network, the vAMF chooses to release the session; alternatively, the vAMF may continue to provide service but record the abnormal matching result.
Optionally, the home network may use an integrity encryption key to generate a message authentication code, MAC-result, for the comparison result, and send the comparison result together with MAC-result to the UE. Correspondingly, after receiving the comparison result and MAC-result, the UE verifies whether the message authentication code has been modified and performs subsequent processing according to the verification result.
It can thus be seen that, with the technical solution provided by the embodiments of the present invention, a network element in the visited network can obtain the network usage reported by the UE and the network usage of the UE counted by the visited network, match the two, and then act according to the matching result and a preset policy. Further, because the UE also returns a message authentication code for its network usage, the home network can use that message authentication code to verify whether the data returned by the UE has been tampered with, and thereby establish the authenticity of the UE's data. Moreover, the network usage returned by the UE can be used to check whether the data returned by the visited network is true, which reduces the likelihood of billing disputes.
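The check order in S104 (verify the UE's message verification code first, compare usage figures second) can be shown end to end. The following is an added example, not code from the patent: HMAC-SHA-256 stands in for the unspecified derivation function, the key is derived from Kausf and the SNID as one of the options described above, and the field layout, threshold value and all sample values are assumptions constructed for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass, replace


def kdf(key: bytes, *fields: bytes) -> bytes:
    # Assumption: HMAC-SHA-256 over length-prefixed fields stands in for the
    # page's unspecified derivation function. The length prefixes keep field
    # boundaries unambiguous, so ("ab", "c") and ("a", "bc") never collide.
    msg = b"".join(len(f).to_bytes(2, "big") + f for f in fields)
    return hmac.new(key, msg, hashlib.sha256).digest()


@dataclass(frozen=True)
class UsageReport:
    """UE part of the first/second message (hypothetical field layout)."""
    ue_id: str        # SUPI or SUCI
    snid: str         # serving (visited) network identity
    session_id: str   # session the counter refers to
    ue_bytes: int     # traffic counted by the UE in the reporting interval
    mac: bytes        # message verification code generated by the UE


def derive_report_key(kausf: bytes, snid: str) -> bytes:
    # Key bound to the serving network: derived from Kausf and the SNID.
    return kdf(kausf, snid.encode())


def compute_mac(key: bytes, ue_id: str, snid: str, session_id: str, ue_bytes: int) -> bytes:
    # The identifiers are covered as well as the counter, so a valid report
    # cannot be re-attributed to another UE, network or session (added choice).
    return kdf(key, ue_id.encode(), snid.encode(), session_id.encode(),
               ue_bytes.to_bytes(8, "big"))


def ue_build_report(kausf: bytes, ue_id: str, snid: str, session_id: str, ue_bytes: int) -> UsageReport:
    key = derive_report_key(kausf, snid)
    mac = compute_mac(key, ue_id, snid, session_id, ue_bytes)
    return UsageReport(ue_id, snid, session_id, ue_bytes, mac)


def home_network_check(kausf: bytes, report: UsageReport, visited_bytes: int,
                       threshold_bytes: int) -> str:
    """Home network side of S104. Returns 'mac_invalid', 'usage_mismatch' or 'consistent'."""
    key = derive_report_key(kausf, report.snid)
    expected = compute_mac(key, report.ue_id, report.snid, report.session_id, report.ue_bytes)
    # Constant-time comparison; a failed check means the UE data was modified
    # in transit, so the usage figures are not compared at all.
    if not hmac.compare_digest(expected, report.mac):
        return "mac_invalid"
    if abs(visited_bytes - report.ue_bytes) > threshold_bytes:
        return "usage_mismatch"
    return "consistent"


# Constructed sample values, not taken from the page.
KAUSF = bytes(range(32))
UE_ID = "imsi-001010000000001"
SNID = "5G:mnc001.mcc001.3gppnetwork.org"
SESSION = "pdu-session-5"
THRESHOLD = 1_000_000  # assumed tolerance for counting differences, in bytes


def run_scenarios() -> dict:
    report = ue_build_report(KAUSF, UE_ID, SNID, SESSION, 50_000_000)
    # The visited network rewrites the UE's counter to agree with its own figure.
    rewritten = replace(report, ue_bytes=80_000_000)
    return {
        "honest": home_network_check(KAUSF, report, 50_400_000, THRESHOLD),
        "inflated_visited_count": home_network_check(KAUSF, report, 80_000_000, THRESHOLD),
        "rewritten_ue_count": home_network_check(KAUSF, rewritten, 80_000_000, THRESHOLD),
    }


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name}: {verdict}")
```

The third scenario is the one the integrity protection exists for: without the verification code, a rewritten UE counter would agree with the inflated visited-network figure and the comparison would pass.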
基于图2所描述的防止流量欺诈的思想,图3示出了一种具体的防止流量欺诈的方法,该方法可以应用于如图1中所示的网络架构。所述方法包括:Based on the idea of preventing traffic fraud described in FIG. 2 , FIG. 3 shows a specific method for preventing traffic fraud, which can be applied to the network architecture shown in FIG. 1 . The methods include:
1.当满足预设策略时,UE发送N1接口消息(N1Message)给vAMF;1. When the preset policy is met, the UE sends an N1 interface message (N1Message) to the vAMF;
Note that the preset policy may be that the traffic used by the UE reaches a preset threshold, or that the time the UE has used the network reaches a preset usage duration. The preset policy may also be that the current time meets the requirement of a preset period (for example, reporting once every hour or once every 5 minutes; the preset period is not limited here).
Optionally, before step 1, the method further includes: the vAMF sends a traffic query request to the UE. Step 1 may then be implemented as follows: in response to the traffic query request sent by the vAMF, the UE sends an N1 interface message (N1Message) to the vAMF. Note that if a network element of the home network (such as the AUSF, hSEPP or UDM) invokes the service interface of the vAMF, the vAMF sends a traffic query request to the UE. In addition, if a network element of the home network subscribes to a user's service usage information, the vAMF stores the subscription information and initiates traffic query requests to the UE according to it; the traffic query request may be periodic or immediate, which is not limited here. In another scenario, if a network element of the home network queries the service usage information of a user, of one of that user's slices, or of an APN, this also triggers the vAMF to send a service usage query request to the UE; correspondingly, the UE reports its network traffic usage or the service usage information under that slice or APN. The service usage information may be the network traffic usage of a UE, the number of data packets a UE sent and received within a preset time period, the network traffic usage of a slice, or the network traffic usage of an APN; the service usage information is not limited here.
Note further that the N1Message carries the UE-counter and a message authentication code (MAC). The message authentication code is generated by the UE and can therefore be denoted MAC-UE. The UE-counter may be the total traffic used by the UE or the number of packets it sent and received, or the traffic or packet count of one or more slices, or the traffic or packet count of one or more sessions. If the counter is for a slice or a session, the message the UE sends to the vAMF also carries the slice information or session information (such as a session identifier).
In a possible implementation of the present invention, the UE may generate the UE-MAC from a preset key and the UE-counter. The preset key Key is derived from Kausf (see the embodiment corresponding to FIG. 2 for an explanation) and the serving network name SNID, for example Key = KDF(Kausf, SNID). Correspondingly, the UE-MAC may be obtained from the preset key Key and the UE-counter, for example MAC-UE = KDF(Key, UE-counter), where KDF is a derivation function.
2. After receiving the N1message reported by the UE, the vAMF sends a traffic query request to the vSMF.
Specifically, the vAMF may invoke the service interface of the vSMF, or use an interface message, to query the service usage counted by the network side. If multiple vSMFs serve the UE, the vAMF invokes the service interface of each SMF separately to obtain the service usage counted by the network side.
Optionally, when the vAMF invokes the service of the vSMF, it may also carry slice information and/or session information related to that SMF.
3. After receiving the traffic query request, the vSMF sends a traffic query request to the vUPF.
Specifically, the vSMF sends the traffic query request to the vUPF over the N4 interface (N4Message). If one vSMF corresponds to multiple vUPFs, the vSMF sends a query request to each of the vUPFs.
4. The vUPF returns the network-side traffic query result to the vSMF.
5. The vSMF returns the network-side traffic query result to the vAMF.
Specifically, the vSMF may respond with an Nsmf message response message.
Note that if the vSMF sends query requests to multiple vUPFs, it receives data fed back by each of them and aggregates the received data; for example, the value counted by the vUPFs, vUPF-counter, equals the sum of the values fed back by the multiple vUPFs. Optionally, the vSMF may forward the received data directly to the vAMF, and the vAMF aggregates the received data to obtain the value vUPF-counter.
6. The vAMF compares the UE-counter reported by the UE with the vUPF-counter counted by the network side. If the difference between the two is greater than a preset threshold, the visited network considers that the UE may have maliciously reported its traffic information, and the vAMF may handle this according to configuration information.
Optionally, the vAMF may choose to release the session, with the reason for session termination carried in the session release message.
Optionally, the vAMF may continue to provide service and record the UE's specific service usage, so that evidence is available if a dispute arises later.
Optionally, the vAMF may report the traffic information inconsistency to the operation and maintenance system.
Optionally, the vAMF may report the traffic information inconsistency to the home network.
Note that the vAMF may select one or more of the above handling options.
In addition, step 6 is optional, because the home network subsequently also compares the two values and feeds the comparison result back to the vAMF, which can then perform subsequent processing according to the comparison result fed back by the home network.
7. The vAMF sends the UE-counter reported by the UE and the vUPF-counter counted by the network side to the home network.
The vAMF sends these two values to the home network so that the home network can verify whether they match.
Optionally, the vAMF may send the message through an N32Nausf message.
Optionally, the message also contains the user identifier, the visited network ID and the UE-MAC.
8. After receiving the message, the network element of the home network verifies the UE-MAC.
Specifically, the network element of the home network (such as the hAUSF, hSEPP, hAMF or hUDM) generates a NET-MAC from the preset key Key (the same as the preset key on the UE side) and the UE-counter, and compares the NET-MAC with the UE-MAC. If the NET-MAC and the UE-MAC are inconsistent, or the difference between the two is greater than a preset threshold, the message reported by the UE has been modified; the home network may then terminate the session or report to a server according to a preset policy.
If the NET-MAC and the UE-MAC are consistent, or the difference between the two is less than or equal to the preset threshold, the home network compares the UE-counter reported by the UE with the vUPF-counter counted by the network side. If the two do not match (they are not equal, or the difference between them is greater than a preset value), the home network may, according to its configuration, choose to release the session, with the reason for session termination carried in the session release message.
9. The home network returns the comparison result to the vAMF of the visited network.
Note that the comparison result may be returned through an N32Nausf Message.
The comparison result may be a character string (for example, true for a match and false for a mismatch) or a numeric value (for example, 1 for a match and 0 for a mismatch). There are many ways to represent the comparison result, which is not limited here.
Optionally, the comparison result may also be the vUPF-counter counted by the network side, and the message may also include a message authentication code for the comparison result, MAC-result (generated from the preset key and the comparison result).
Note that in step 6 the vAMF compared the two values and may act on that comparison result; alternatively, the vAMF may defer handling and wait for the result fed back by the home network. If the comparison result shows an inconsistency (the threshold is exceeded), the vAMF may choose to release the session according to its local policy.
10. The vAMF sends the comparison result to the UE.
Note that the vAMF may feed the comparison result back to the UE through an N1message response.
Optionally, the feedback message may also include the MAC-result.
In addition, if in step 6 the vAMF did not act according to the configuration information or preset policy, it may act on the comparison result at this point. If the comparison result indicates that the two values do not match, the vAMF may handle this according to the configuration information.
Optionally, the vAMF may choose to release the session, with the reason for session termination carried in the session release message.
Optionally, the vAMF may continue to provide service and record the UE's specific service usage, so that evidence is available if a dispute arises later.
Optionally, the vAMF may report the traffic information inconsistency to the operation and maintenance system.
Optionally, the vAMF may report the traffic information inconsistency to the home network.
Note that the vAMF may select one or more of the above handling options.
11. Subsequent processing is performed according to the result.
Optionally, if the feedback message includes the MAC-result, the UE uses the preset key Key to verify the integrity of the MAC-result; if verification passes, the UE continues with subsequent processing according to the result. If the result indicates a match failure, the UE terminates the session, or lowers the access priority of the PLMN (Public Land Mobile Network), or prohibits access to it.
In addition, if the result is the vUPF-counter counted by the network side, the UE needs to compare the UE-counter with the vUPF-counter counted by the network side. Note further that comparing the UE-counter with the vUPF-counter counted by the network side requires verifying the integrity of the MAC-result. MAC-UE and MAC-result are compared for consistency; if they are consistent, verification passes.
From the above embodiment it can be seen that, with the technical solution it provides, the visited network can compare the data reported by the UE with the data obtained on the network side to determine whether the UE has tampered with its network traffic usage. If it determines that the UE has done so, it can take countermeasures promptly, reducing the loss to the serving network. Further, the home network can verify the message authentication code of the UE-counter to determine whether the information reported by the UE has been tampered with; if it has not, the home network can further compare the UE-counter reported by the UE with the vUPF-counter counted by the network side, and if the two values are inconsistent, effective measures can be taken immediately to reduce or avoid subsequent billing disputes.
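The report-and-verify exchange of steps 1 to 11, as an added example that is not part of the patent text. HMAC-SHA256 stands in for the unspecified KDF, and the 8-byte counter encoding, the result strings, the tolerance and all sample values are assumptions constructed for the illustration.

```python
from __future__ import annotations

import hashlib
import hmac


def kdf(key: bytes, data: bytes) -> bytes:
    # Assumption: HMAC-SHA256 stands in for the page's unspecified "KDF".
    return hmac.new(key, data, hashlib.sha256).digest()


def derive_key(kausf: bytes, snid: str) -> bytes:
    """Key = KDF(Kausf, SNID): the key is bound to one serving network."""
    return kdf(kausf, snid.encode("utf-8"))


def encode_counter(counter: int) -> bytes:
    # Assumption: fixed-width big-endian, so both sides MAC identical bytes.
    return counter.to_bytes(8, "big")


def ue_report(key: bytes, ue_counter: int) -> tuple[int, bytes]:
    """Step 1: the UE sends UE-counter with MAC-UE = KDF(Key, UE-counter)."""
    return ue_counter, kdf(key, encode_counter(ue_counter))


def aggregate_vupf(per_vupf: list[int]) -> int:
    """Steps 3-5: vUPF-counter is the sum of the values from every vUPF."""
    return sum(per_vupf)


def home_verify(key: bytes, ue_counter: int, ue_mac: bytes,
                vupf_counter: int, tolerance: int) -> tuple[str, bytes]:
    """Steps 8-9: check the MAC first, then compare the two counters.

    Returns the comparison result and MAC-result = KDF(Key, result).
    """
    net_mac = kdf(key, encode_counter(ue_counter))
    if not hmac.compare_digest(net_mac, ue_mac):
        result = "mac_invalid"      # report was modified after the UE built it
    elif abs(ue_counter - vupf_counter) > tolerance:
        result = "mismatch"         # UE and network disagree on usage
    else:
        result = "match"
    return result, kdf(key, result.encode("utf-8"))


def ue_accepts(key: bytes, result: str, mac_result: bytes) -> bool:
    """Step 11: the UE checks MAC-result before acting on the result."""
    return hmac.compare_digest(kdf(key, result.encode("utf-8")), mac_result)


def run_scenarios() -> dict:
    kausf = bytes.fromhex("11" * 32)             # constructed sample Kausf
    snid = "5G:mnc001.mcc001.3gppnetwork.org"    # constructed sample SNID
    key = derive_key(kausf, snid)
    tolerance = 5_000                            # assumed threshold, in bytes
    counter, mac_ue = ue_report(key, 1_000_000)
    out = {}

    # Both sides agree within tolerance (two vUPFs served the UE).
    out["honest"] = home_verify(
        key, counter, mac_ue, aggregate_vupf([400_000, 601_500]), tolerance)[0]

    # The counter was changed after the UE computed MAC-UE.
    out["altered_report"] = home_verify(
        key, 2_000_000, mac_ue, 2_000_000, tolerance)[0]

    # The network-side total is far above what the UE measured.
    result, mac_result = home_verify(
        key, counter, mac_ue, aggregate_vupf([400_000, 900_000]), tolerance)
    out["inflated_network_count"] = result
    out["ue_accepts_genuine_result"] = ue_accepts(key, result, mac_result)
    # A result rewritten on the way back no longer matches MAC-result.
    out["ue_accepts_rewritten_result"] = ue_accepts(key, "match", mac_result)

    # A key derived for another serving network does not verify MAC-UE.
    other = derive_key(kausf, "5G:mnc002.mcc001.3gppnetwork.org")
    out["other_network_key"] = home_verify(
        other, counter, mac_ue, 1_000_000, tolerance)[0]
    return out


if __name__ == "__main__":
    for name, value in run_scenarios().items():
        print(f"{name}: {value}")
```

The sketch checks each MAC by exact, constant-time equality and applies the tolerance only to the counters; it does not model freshness or replay handling, which the text above does not describe.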
With reference to the embodiment shown in FIG. 3, the present invention provides another possible implementation. Compared with the embodiment of FIG. 3, in this embodiment the traffic query is triggered by the UPF. Specifically, the method includes:
1. The vUPF sends a traffic query request to the vAMF.
Optionally, the traffic query request may carry the identifier of the UE.
Optionally, the traffic query request may carry the identifier of the UE and a session identifier.
Optionally, the traffic query request may carry the identifier of the UE and an APN.
Optionally, the traffic query request may also carry the vUPF-counter.
2. The vAMF sends a traffic query request to the UE.
Correspondingly, if the traffic query request contains the identifier of the UE, the UE feeds back its network usage, such as the traffic or the number of data packets sent and received within a preset time period. If the traffic query request contains the identifier of the UE and a session identifier, the UE feeds back the network traffic usage of that session, such as the traffic used or the data packets sent and received within a preset time period.
3. The UE feeds back the network usage information counted by the UE to the vAMF.
Note that if the traffic query request sent by the vUPF to the vAMF does not contain the vUPF-counter, this embodiment also performs steps 2 to 5 shown in FIG. 3 to obtain the vUPF-counter through the vSMF. If the traffic query request sent by the vUPF to the vAMF contains the vUPF-counter, this embodiment skips steps 2 to 5 shown in FIG. 3.
For the subsequent steps, see steps 6 to 11 of the embodiment of FIG. 3.
The method for preventing traffic fraud provided by the embodiments of this application has been described in detail above with reference to FIG. 2 and FIG. 3. The apparatus for preventing traffic fraud provided by the embodiments of this application is described below with reference to FIG. 4 to FIG. 6; the apparatuses shown in FIG. 4 to FIG. 6 can perform the methods described in the above method embodiments. FIG. 4 shows a network element in the home network (examples were given in the above embodiments), FIG. 5 shows a network element in the visited network (such as the AMF), and FIG. 6 shows a user terminal.
Specifically, as shown in FIG. 4, the apparatus 400 includes:
a receiving unit 401, configured to receive a first network usage sent by the user equipment, where the apparatus is a network element in the home network;
an obtaining unit 402, configured to obtain a second network usage sent by a second network element, where the second network element is a network element in the visited network that provides service to the user equipment; and
a processing unit 403, configured to perform processing according to a preset policy if the first network usage does not match the second network usage.
Optionally, the apparatus 400 further includes a judging unit 404.
The receiving unit 401 is further configured to receive a first message authentication code sent by the user equipment, where the message authentication code is generated from a shared key and the first network usage.
The obtaining unit 402 is further configured to obtain a second message authentication code, where the second message authentication code is generated from the shared key and the second network usage.
The judging unit 404 is configured to judge whether the first network usage matches the second network usage if the first message authentication code and the second message authentication code are the same.
Optionally, the apparatus 400 further includes a sending unit 405.
The sending unit 405 is configured to send a service usage query request to the second network element.
The receiving unit 401 is configured to receive the second network usage sent by the second network element.
Specifically, as shown in FIG. 5, the apparatus 500 includes a receiving unit 501, an obtaining unit 502 and a processing unit 503.
The receiving unit 501 is configured to receive a first network usage sent by the user equipment, where the apparatus is a network element in the visited network.
The obtaining unit 502 is configured to obtain a second network usage counted by the visited network.
The processing unit 503 is configured to perform processing according to a preset policy if the first network usage does not match the second network usage.
Optionally, the apparatus 500 further includes a sending unit 504.
The sending unit 504 is configured to send the first network usage and the second network usage to a first network element, where the first network element is a network element in the home network.
Optionally, the sending unit 504 is further configured to periodically send a traffic query request to the user equipment according to subscription information of the first network element; the receiving unit 501 is configured to receive the first network usage sent by the user equipment, where the apparatus is a network element in the visited network.
As shown in FIG. 6, the user equipment 600 includes a generating unit 601 and a sending unit 602.
The generating unit 601 is configured to generate a first message authentication code from the network usage and a shared key.
The sending unit 602 is configured to send the network usage and the first message authentication code to the visited network.
Optionally, the generating unit 601 is further configured to generate the shared key from the identifier of the visited network and an intermediate key; the intermediate key is a key generated during access authentication of the user equipment, and the identifier of the visited network includes the name of the visited network.
Optionally, the user equipment 600 further includes a receiving unit 603, a verification unit 604 and a processing unit 605.
The receiving unit 603 is configured to receive the comparison result and a second message authentication code fed back by the visited network.
The verification unit 604 is configured to verify the second message authentication code.
The processing unit 605 is configured to perform processing according to the comparison result and a preset policy if the second message authentication code is verified successfully.
It should be understood that the apparatuses 400, 500 and 600 here are embodied in the form of functional units. The term "unit" here may refer to an application specific integrated circuit (ASIC), an electronic circuit, a processor (such as a shared processor, a dedicated processor or a group processor) and memory for executing one or more software or firmware programs, a combinational logic circuit, and/or other suitable components that support the described functions. In an optional example, those skilled in the art will understand that the apparatus 400 may specifically be the network element in the home network shown in FIG. 3 above, and may be used to perform the processes and/or steps performed by the home network element in FIG. 3; to avoid repetition, details are not repeated here. In an optional example, those skilled in the art will understand that the apparatus 500 may specifically be the AMF in the visited network shown in FIG. 3 above, and may be used to perform the processes and/or steps performed by the AMF in FIG. 3; to avoid repetition, details are not repeated here. In an optional example, those skilled in the art will understand that the user equipment 600 may specifically be the UE shown in FIG. 3 above, and may be used to perform the processes and/or steps performed by the UE in FIG. 3; to avoid repetition, details are not repeated here.
In addition, the logical units shown in FIG. 4 to FIG. 6 can all be implemented on the hardware architecture shown in FIG. 7. The hardware apparatus shown in FIG. 7 may include a processor 710, a transceiver 720 and a memory 730, which communicate with each other through an internal connection path.
Specifically, the functions implemented by the processing unit, obtaining unit and judging unit in FIG. 4 may be implemented by the processor 710, and the functions implemented by the receiving unit and sending unit may be implemented by the processor 710 controlling the transceiver 720.
Specifically, the functions implemented by the processing unit and obtaining unit in FIG. 5 may be implemented by the processor 710, and the functions implemented by the receiving unit and sending unit may be implemented by the processor 710 controlling the transceiver 720.
Specifically, the functions implemented by the processing unit, generating unit and verification unit in FIG. 6 may be implemented by the processor 710, and the functions implemented by the receiving unit and sending unit may be implemented by the processor 710 controlling the transceiver 720.
The processor 710 may include one or more processors, for example one or more central processing units (CPUs). Where the processor is a single CPU, that CPU may be a single-core CPU or a multi-core CPU.
The transceiver 720 is used to send data and/or signals and to receive data and/or signals. The transceiver may include a transmitter, used to send data and/or signals, and a receiver, used to receive data and/or signals.
The memory 730 includes, but is not limited to, random access memory (RAM), read-only memory (ROM), erasable programmable read-only memory (EPROM) and compact disc read-only memory (CD-ROM). The memory 730 is used to store related instructions and data.
The memory 730 is used to store the program code and data of the authorization module, and may be a separate device or integrated in the processor 710.
It can be understood that FIG. 7 shows only a simplified design of the authorization module. In practice, the authorization module may also contain other necessary components, including but not limited to any number of transceivers, processors, controllers and memories, and all authorization modules that can implement this application fall within the protection scope of this application.
In a possible design, the apparatus 700 may be a chip, for example a communication chip usable in the authorization module, used to implement the functions of the processor 710 in the authorization module. The chip may be a field programmable gate array, an application-specific integrated chip, a system-on-chip, a central processing unit, a network processor, a digital signal processing circuit or a microcontroller that implements the relevant functions, or a programmable controller or other integrated chip. The chip may optionally include one or more memories for storing program code which, when executed, causes the processor to implement the corresponding functions.
In addition, the network elements involved in FIG. 4 to FIG. 6 may all be constructed as shown in FIG. 7, including a processor, a transceiver, a memory and other components. The memory stores program code, and when the program code is executed, each network element performs the functions shown in FIG. 2 or FIG. 3.
It should be understood that the network elements in the home network and in the visited network in the embodiments of this application all have specific functions and network interfaces. They may be different network elements on the same dedicated hardware, different software instances running on the same dedicated hardware, or different virtual function instances on the same platform (such as a cloud infrastructure); this is not limited in the embodiments of this application.
The above embodiments may be implemented in whole or in part by software, hardware, firmware or any combination thereof. When implemented in software, they may be implemented in whole or in part in the form of a computer program product. The computer program product includes one or more computer instructions. When the computer program instructions are loaded and executed on a computer, the processes or functions according to the embodiments of the present invention are produced in whole or in part. The computer may be a general-purpose computer, a special-purpose computer, a computer network or another programmable apparatus. The computer instructions may be stored in a computer-readable storage medium or transmitted through the computer-readable storage medium. The computer instructions may be transmitted from one website, computer, server or data center to another website, computer, server or data center by wired means (such as coaxial cable, optical fiber or digital subscriber line (DSL)) or wireless means (such as infrared, radio or microwave). The computer-readable storage medium may be any available medium that a computer can access, or a data storage device such as a server or data center that integrates one or more available media. The available medium may be a magnetic medium (for example, a floppy disk, hard disk or magnetic tape), an optical medium (for example, a digital versatile disc (DVD)) or a semiconductor medium (for example, an SSD).
Those of ordinary skill in the art will understand that all or part of the processes of the above method embodiments may be completed by a computer program instructing the relevant hardware. The program may be stored in a computer-readable storage medium and, when executed, may include the processes of the above method embodiments. The storage medium includes various media that can store program code, such as ROM, RAM, magnetic disks or optical discs.
Those of ordinary skill in the art will appreciate that the units and algorithm steps of the examples described in connection with the embodiments disclosed herein can be implemented in electronic hardware, or in a combination of computer software and electronic hardware. Whether these functions are performed in hardware or software depends on the specific application and design constraints of the technical solution. Skilled practitioners may use different methods to implement the described functions for each specific application, but such implementations should not be considered beyond the scope of this application.
Those skilled in the art will clearly understand that, for convenience and brevity of description, the specific working processes of the systems, apparatuses and units described above can be found in the corresponding processes of the foregoing method embodiments and are not repeated here.
In the several embodiments provided in this application, it should be understood that the disclosed systems, apparatuses and methods may be implemented in other ways. For example, the apparatus embodiments described above are only illustrative: the division into units is only a division by logical function, and other divisions are possible in an actual implementation. For example, multiple units or components may be combined or integrated into another system, or some features may be omitted or not performed. In addition, the mutual coupling, direct coupling or communication connections shown or discussed may be indirect coupling or communication connections through some interfaces, apparatuses or units, and may be electrical, mechanical or in other forms.
The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; that is, they may be located in one place or distributed across multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, the functional units in the embodiments of this application may be integrated into one processing unit, each unit may exist physically on its own, or two or more units may be integrated into one unit.
If the functions are implemented in the form of software functional units and sold or used as independent products, they may be stored in a computer-readable storage medium. Based on this understanding, the technical solution of this application in essence, or the part that contributes to the prior art, or a part of the technical solution, may be embodied in the form of a software product. The computer software product is stored in a storage medium and includes several instructions that cause a computer device (which may be a personal computer, a server, a network device or the like) to perform all or part of the steps of the methods described in the embodiments of this application. The storage medium includes various media that can store program code, such as a USB flash drive, a removable hard disk, ROM, RAM, a magnetic disk or an optical disc.
以上所述,仅为本申请的具体实施方式,但本申请的保护范围并不局限于此,任何熟悉本技术领域的技术人员在本申请揭露的技术范围内,可轻易想到变化或替换,都应涵盖在本申请的保护范围之内。因此,本申请的保护范围应以所述权利要求的保护范围为准。The above is only a specific implementation of the application, but the scope of protection of the application is not limited thereto. Anyone familiar with the technical field can easily think of changes or substitutions within the technical scope disclosed in the application. Should be covered within the protection scope of this application. Therefore, the protection scope of the present application should be determined by the protection scope of the claims.
Claims (28)
Priority Applications (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201810638701.6A CN110621019A (en) | 2018-06-20 | 2018-06-20 | Method and device for preventing flow fraud |
PCT/CN2019/088881 WO2019242467A1 (en) | 2018-06-20 | 2019-05-28 | Method and apparatus for preventing traffic fraud |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201810638701.6A CN110621019A (en) | 2018-06-20 | 2018-06-20 | Method and device for preventing flow fraud |
Publications (1)
Publication Number | Publication Date |
---|---|
CN110621019A (en) | 2019-12-27 |
Family
ID=68919860
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201810638701.6A Pending CN110621019A (en) | 2018-06-20 | 2018-06-20 | Method and device for preventing flow fraud |
Country Status (2)
Country | Link |
---|---|
CN (1) | CN110621019A (en) |
WO (1) | WO2019242467A1 (en) |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
TWI738205B (en) * | 2020-02-06 | 2021-09-01 | 鑽贏雲股份有限公司 | System and execution method of cloud agent execution program |
WO2023041056A1 (en) * | 2021-09-18 | 2023-03-23 | 华为技术有限公司 | Network verification method and apparatus |
Families Citing this family (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2022203553A1 (en) * | 2021-03-26 | 2022-09-29 | Telefonaktiebolaget Lm Ericsson (Publ) | Using user equipment to gather local break out network resource usage information for communication sessions |
Citations (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1859135A (en) * | 2006-03-13 | 2006-11-08 | 华为技术有限公司 | WAP service charging method |
CN101102596A (en) * | 2007-07-09 | 2008-01-09 | 向杰 | A method for generating detailed call records at user side |
CN102098648A (en) * | 2009-12-14 | 2011-06-15 | 中兴通讯股份有限公司 | Roaming charging method and system |
CN104507065A (en) * | 2015-01-14 | 2015-04-08 | 南京理工大学 | Non-repudiation charging method for heterogeneous wireless network |
CN104620617A (en) * | 2012-07-12 | 2015-05-13 | 诺基亚公司 | Methods and apparatus for authentication |
CN106817228A (en) * | 2015-11-27 | 2017-06-09 | 中兴通讯股份有限公司 | Data charging method and device |
CN107809411A (en) * | 2016-09-09 | 2018-03-16 | 华为技术有限公司 | Authentication method, terminal device, server and the network authentication entity of mobile network |
Family Cites Families (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN108810298B (en) * | 2014-09-05 | 2021-01-15 | 华为技术有限公司 | Online charging method and equipment for cross-PLMN roaming data service |
CN107547212A (en) * | 2016-06-24 | 2018-01-05 | 中兴通讯股份有限公司 | A kind of charging method based on separation architecture, device and system |
2018
- 2018-06-20 CN CN201810638701.6A patent/CN110621019A/en active Pending
2019
- 2019-05-28 WO PCT/CN2019/088881 patent/WO2019242467A1/en active Application Filing
Non-Patent Citations (1)
Title |
---|
3GPP: "Study on the security aspects of the next generation system", 《3GPP TR 33.899》 * |
Also Published As
Publication number | Publication date |
---|---|
WO2019242467A1 (en) | 2019-12-26 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN110798833B (en) | Method and device for verifying user equipment identification in authentication process | |
US11956361B2 (en) | Network function service invocation method, apparatus, and system | |
CN115065476B (en) | Communication method and communication device | |
US11601555B2 (en) | Methods and apparatuses for service layer charging correlation with underlying networks | |
CN111211912B (en) | Charging method and device | |
WO2021037175A1 (en) | Network slice management method and related device | |
CN114424600B (en) | A communication method, device, system and storage medium | |
CN109688586A (en) | A kind of method, apparatus and computer readable storage medium of network function certification | |
US12192879B2 (en) | Network access method and communication apparatus | |
WO2021197185A1 (en) | Communication method and communication device | |
CN110366159A (en) | A method and device for obtaining a security policy | |
CN103392353A (en) | Wireless network capacity open system, gateway, agent and method | |
WO2021057128A1 (en) | Nf-based communication method and device, and storage medium | |
US20230144435A1 (en) | Method, device and apparatus for controlling network slice authentication, and relevant storage medium | |
WO2019242467A1 (en) | Method and apparatus for preventing traffic fraud | |
CN113873455A (en) | Flow statistical method and system, computer readable storage medium | |
US10666812B2 (en) | Charging control apparatus, method, and system | |
CN113038467B (en) | A method for reporting event information and a communication device | |
JP2020529754A (en) | UE adapted to send service validation messages | |
CN115175118B (en) | Communication service complementary system and method based on cooperative WiFi | |
WO2016056020A1 (en) | A system and method for providing differential service scheme | |
WO2021253859A1 (en) | Slice authentication method and system | |
CN107027112B (en) | Authentication system and authentication method for integrating heterogeneous networks | |
CN116744284A (en) | Method, PCF, system and storage medium for providing QoS service | |
CN117319999A (en) | Communication equipment identification method, communication system and electronic equipment |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
RJ01 | Rejection of invention patent application after publication | Application publication date: 20191227 |