CN110753349A - Method and device for identifying pseudo base station - Google Patents

Method and device for identifying pseudo base station Download PDF

Info

Publication number
CN110753349A
CN110753349A CN201911040187.7A CN201911040187A CN110753349A CN 110753349 A CN110753349 A CN 110753349A CN 201911040187 A CN201911040187 A CN 201911040187A CN 110753349 A CN110753349 A CN 110753349A
Authority
CN
China
Prior art keywords
user
base station
cell
accessed
threshold
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201911040187.7A
Other languages
Chinese (zh)
Other versions
CN110753349B (en
Inventor
王慧明
冯月华
鲁知朋
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Xian Jiaotong University
Original Assignee
Xian Jiaotong University
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Xian Jiaotong University filed Critical Xian Jiaotong University
Priority to CN201911040187.7A priority Critical patent/CN110753349B/en
Publication of CN110753349A publication Critical patent/CN110753349A/en
Application granted granted Critical
Publication of CN110753349B publication Critical patent/CN110753349B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/12Detection or prevention of fraud
    • H04W12/121Wireless intrusion detection systems [WIDS]; Wireless intrusion prevention systems [WIPS]
    • H04W12/122Counter-measures against attacks; Protection against rogue devices
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/12Detection or prevention of fraud
    • H04W12/128Anti-malware arrangements, e.g. protection against SMS fraud or mobile malware

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

本发明公开了一种识别伪基站的方法及设备,由于伪基站主要用于获取用户IMSI或发送垃圾短信,并且无法为用户提供完整服务,因此伪基站的控制平面与用户平面的流量比例与合法基站相比存在明显差异,本发明首次提出通过控制平面与用户平面流量分析识别基站类型的基本思想,有效地提高识别伪基站的准确性,并且能够在用户终端接入伪基站前完成识别,增强用户终端预防被伪基站吸附的能力,保护用户身份信息安全,防止用户收到垃圾短信或诈骗信息。对打击伪基站违法犯罪行为,维护社会信息安全有重要意义。

Figure 201911040187

The invention discloses a method and device for identifying a pseudo base station. Since the pseudo base station is mainly used to obtain user IMSI or send spam short messages, and cannot provide complete services for users, the traffic ratio between the control plane and the user plane of the pseudo base station is legal and legal. Compared with base stations, there are obvious differences. The present invention proposes for the first time the basic idea of identifying base station types through traffic analysis on the control plane and the user plane, which effectively improves the accuracy of identifying pseudo base stations, and can complete the identification before the user terminal accesses the pseudo base stations. The ability of user terminals to prevent being adsorbed by fake base stations, protect the security of user identity information, and prevent users from receiving spam text messages or fraudulent information. It is of great significance to crack down on illegal and criminal acts of pseudo base stations and maintain social information security.

Figure 201911040187

Description

一种识别伪基站的方法及设备Method and device for identifying pseudo base station

技术领域technical field

本发明属于通信技术领域,具体涉及一种识别伪基站的方法及设备。The invention belongs to the technical field of communication, and in particular relates to a method and device for identifying a pseudo base station.

背景技术Background technique

伪基站是一种非法的无线电通信设备,冒充运营商合法基站欺骗用户终端接入,进行用户信息窃取与盗用、发送诈骗短信等违法行为,对公共安全造成极大隐患。因此,如何识别伪基站是无线通信的重要安全问题之一。伪基站如何实施,能力如何很大程度上取决于对应的网络,如GSM,4G等。由于GSM网络存在单向鉴权这一安全漏洞,造成终端无法验证基站身份,伪基站很容易吸附终端,窃取盗用用户身份信息、发送垃圾短信、甚至是进行中间人攻击,即伪基站充当终端与合法基站之间的中间人进行信息的窃听、篡改等。A fake base station is an illegal radio communication device that pretends to be a legitimate base station of an operator to deceive user terminals to access, steal and embezzle user information, send fraudulent short messages and other illegal activities, which pose great hidden dangers to public security. Therefore, how to identify the pseudo base station is one of the important security issues in wireless communication. How the pseudo base station is implemented and its capabilities largely depend on the corresponding network, such as GSM, 4G, etc. Due to the security vulnerability of one-way authentication in the GSM network, the terminal cannot verify the identity of the base station. The fake base station can easily attract the terminal, steal and steal user identity information, send spam text messages, and even conduct man-in-the-middle attacks, that is, the fake base station acts as a terminal and legitimate The middleman between the base stations conducts eavesdropping and tampering of information.

随着无线通信技术的发展,4G网络已经大规模商用。4G采用双向鉴权弥补了GSM暴露出的安全问题。然而,伪基站问题并未完全解决,针对4G网络的伪基站随之出现。4G伪基站的原理主要包括:为获取用户IMSI,伪基站触发终端进行TAU(Tracking Area Update)请求,并回复携带EMM原因#9,即“UE identity cannot be derived by the network”的拒绝信令迫使终端上报自身IMSI;或通过Attach流程中的Identity Request令终端回复自身身份信息;伪基站可以在拒绝终端Attach请求后,通过Connection Release将终端重定向于GSM网络,利用GSM网络的单向鉴权漏洞进行进一步攻击。With the development of wireless communication technology, 4G network has been commercialized on a large scale. 4G uses two-way authentication to make up for the security problems exposed by GSM. However, the problem of pseudo base stations has not been completely solved, and pseudo base stations for 4G networks have emerged. The principle of the 4G pseudo base station mainly includes: in order to obtain the user IMSI, the pseudo base station triggers the terminal to make a TAU (Tracking Area Update) request, and replies with the EMM reason #9, that is, "UE identity cannot be derived by the network" The rejection signaling forces the The terminal reports its own IMSI; or makes the terminal reply its own identity information through the Identity Request in the Attach process; the pseudo base station can redirect the terminal to the GSM network through Connection Release after rejecting the terminal's Attach request, using the one-way authentication vulnerability of the GSM network conduct further attacks.

针对伪基站问题,业界主要关注伪基站的识别,定位与追踪,取证方法三个方面。本发明主要关注伪基站的识别问题。目前,识别伪基站的技术可以分为以下三类:For the problem of fake base stations, the industry mainly focuses on three aspects: identification, positioning and tracking of fake base stations, and forensics methods. The present invention mainly focuses on the identification problem of pseudo base stations. At present, the technologies for identifying pseudo base stations can be divided into the following three categories:

1)根据接入参数特征识别伪基站:1) Identify the pseudo base station according to the access parameter characteristics:

伪基站为吸附大量终端,需要将关于小区选择、重选的相关参数设置较为极端,以频繁触发终端进行小区重选、TAU更新等过程。比如在GSM网络中,相关参数包括小区最小接入电平,小区重选偏置等。终端通过判断待接入小区的接入参数是否符合伪基站特征,选择是否进行接入,以降低接入伪基站风险。In order to attract a large number of terminals, the pseudo base station needs to set relatively extreme parameters related to cell selection and reselection, so as to frequently trigger the terminals to perform cell reselection, TAU update and other processes. For example, in a GSM network, relevant parameters include the minimum access level of a cell, a cell reselection bias, and the like. The terminal selects whether to perform access by judging whether the access parameters of the cell to be accessed conform to the characteristics of the pseudo base station, so as to reduce the risk of accessing the pseudo base station.

2)运营商根据信令异常识别伪基站:2) The operator identifies the pseudo base station according to the abnormal signaling:

伪基站在完成获取用户IMSI或发送垃圾短信等行为后需要将接入终端踢出,因此伪基站周边的合法小区会出现大量未知终端请求接入。运营商可以通过信令分析,找出信令异常区域,判断该区域是否出现伪基站。由于伪基站的存在,在伪基站覆盖区域的终端将接收到大量垃圾短信,并出现掉话、甚至拒绝服务的情况,降低用户体验,集中出现投诉案例。运营商可以通过汇总投诉案例分析投诉区域是否出现伪基站。The pseudo base station needs to kick out the access terminal after obtaining the user's IMSI or sending spam short messages. Therefore, there will be a large number of unknown terminals requesting access in the legal cells around the pseudo base station. The operator can find out the abnormal area of signaling through signaling analysis, and judge whether there is a pseudo base station in the area. Due to the existence of the pseudo base station, the terminals in the coverage area of the pseudo base station will receive a large number of spam text messages, and the call drop or even the denial of service will occur, which will reduce the user experience and cause complaints. Operators can analyze whether there are fake base stations in the complaint area by summarizing complaint cases.

3)根据接入后行为异常识别伪基站:3) Identify the pseudo base station according to the abnormal behavior after access:

如果终端完成接入过程后,收到大量垃圾短信或者部分网络功能无法实现,终端可以自行判断是否接入伪基站。If the terminal receives a large number of spam short messages after completing the access process or some network functions cannot be implemented, the terminal can determine whether to access the pseudo base station by itself.

综上所述,现有技术存在以下缺陷和不足:To sum up, the prior art has the following defects and deficiencies:

1)局限性:目前绝大多数识别伪基站技术仅能识别GSM伪基站。1) Limitations: At present, the vast majority of technologies for identifying pseudo base stations can only identify GSM pseudo base stations.

2)准确性:随着网络结构的异构化,网络参数的设置情况愈发复杂多样,根据接入参数特征识别伪基站的准确性难以保障。2) Accuracy: With the isomerization of the network structure, the setting of network parameters becomes more complex and diverse, and it is difficult to guarantee the accuracy of identifying the pseudo base station according to the characteristics of the access parameters.

3)预防能力:通过分析网络出现的信令异常识别伪基站与根据接入后行为异常识别伪基站这两种方法对终端而言,无法避免被伪基站吸附。终端只能在被伪基站踢出接入公网后才可以反馈信令异常情况,等待运营商进行判断与处理。3) Prevention capability: The two methods of identifying the pseudo base station by analyzing the signaling abnormalities in the network and identifying the pseudo base station according to the abnormal behavior after access are unavoidable for the terminal to be adsorbed by the pseudo base station. Only after being kicked out of access to the public network by the pseudo base station, the terminal can report abnormal signaling and wait for the operator to judge and deal with it.

发明内容SUMMARY OF THE INVENTION

针对现有技术中的技术问题,本发明提供了一种识别伪基站的方法及设备,其目的为提高伪基站识别的准确性,增强终端预防被伪基站吸附的能力。Aiming at the technical problems in the prior art, the present invention provides a method and device for identifying pseudo base stations, the purpose of which is to improve the accuracy of pseudo base station identification and enhance the ability of terminals to prevent being adsorbed by pseudo base stations.

为解决上述技术问题,本发明通过以下技术方案予以解决:In order to solve the above-mentioned technical problems, the present invention is solved by the following technical solutions:

一种识别伪基站的方法,包括以下步骤:A method for identifying a pseudo base station, comprising the following steps:

步骤1:检测待接入小区的PRACH,监听请求接入用户的随机接入过程,在N个成功接入的用户中,抽取每个用户对应的C-RNTI;Step 1: Detect the PRACH of the cell to be accessed, monitor the random access process of the user requesting access, and extract the C-RNTI corresponding to each user among the N successfully accessed users;

步骤2:在时间T内,分别根据所述每个用户对应的C-RNTI盲检PDCCH,获取每个用户的PDSCH的资源分配信息;Step 2: within the time T, blindly detect the PDCCH according to the C-RNTI corresponding to each user, and obtain the resource allocation information of the PDSCH of each user;

步骤3:根据步骤2获取的每个用户的PDSCH的资源分配信息,统计时间T内所述每个用户的PDSCH中控制平面与用户平面的流量比例;Step 3: According to the resource allocation information of the PDSCH of each user obtained in step 2, the traffic ratio of the control plane and the user plane in the PDSCH of each user in the statistical time T;

步骤4:根据N个用户中每个用户在时间T内的PDSCH中控制平面与用户平面的流量比例判断待接入小区是否为伪基站。Step 4: Determine whether the cell to be accessed is a pseudo base station according to the traffic ratio between the control plane and the user plane in the PDSCH for each of the N users.

进一步地,所述步骤1具体包括以下步骤:Further, the step 1 specifically includes the following steps:

步骤1.1:检测待接入小区的PRACH,获取请求接入用户相应的RA-RNTI;Step 1.1: Detect the PRACH of the cell to be accessed, and obtain the corresponding RA-RNTI of the user requesting access;

步骤1.2:使用所述RA-RNTI检测PDCCH,获取PDSCH上的MSG2;通过MSG2中包含的ULGrant获取TC-RNTI以及MSG3的PUSCH资源分配信息;Step 1.2: use the RA-RNTI to detect the PDCCH, and obtain the MSG2 on the PDSCH; obtain the TC-RNTI and the PUSCH resource allocation information of the MSG3 through the ULGrant included in the MSG2;

步骤1.3:根据MSG3的PUSCH资源分配信息,监听MSG3;从MSG3中获取用户的用于冲突解决的身份标识;Step 1.3: monitor MSG3 according to the PUSCH resource allocation information of MSG3; obtain the user's identity for conflict resolution from MSG3;

步骤1.4:监听到MSG3后,用TC-RNTI检测PDCCH,获取PDSCH上的MSG4;Step 1.4: After monitoring MSG3, use TC-RNTI to detect PDCCH, and obtain MSG4 on PDSCH;

步骤1.5:如果获取的MSG4中包含用户用于冲突解决的身份标识,则用户的随机接入过程成功,C-RNTI=TC-RNTI。Step 1.5: If the acquired MSG4 contains the user's identity for conflict resolution, the user's random access procedure is successful, and C-RNTI=TC-RNTI.

进一步地,所述步骤3具体为:根据MAC子报头的LCID区分控制平面与用户平面流量,并通过PDCP层报头获取PDCP包长度,统计所述每个用户T时间内PDSCH中控制平面与用户平面的流量大小,并计算每个用户T时间内PDSCH中控制平面与用户平面的流量比例。Further, the step 3 is specifically: distinguishing the control plane and user plane traffic according to the LCID of the MAC subheader, and obtaining the PDCP packet length through the PDCP layer header, and counting the control plane and the user plane in the PDSCH within the T time of each user. and calculate the traffic ratio between the control plane and the user plane in the PDSCH within each user T time.

进一步地,所述步骤4具体包括以下步骤:Further, the step 4 specifically includes the following steps:

步骤4.1:判断每个用户在时间T内PDSCH中控制平面与用户平面的流量比例是否高于预设的第一阈值;Step 4.1: determine whether the traffic ratio of the control plane and the user plane in the PDSCH of each user is higher than the preset first threshold value within the time T;

步骤4.2:根据步骤4.1的判断结果,统计N个用户中在时间T内PDSCH中控制平面与用户平面的流量比例高于所述第一阈值的用户数,记为M;Step 4.2: According to the judgment result of Step 4.1, count the number of users whose traffic ratio between the control plane and the user plane in the PDSCH in the time T is higher than the first threshold among the N users, denoted as M;

步骤4.3:若M/N的值大于预设的第二阈值,则判断待接入小区为伪基站;反之,则判断待接入小区为合法基站;Step 4.3: if the value of M/N is greater than the preset second threshold, determine that the cell to be accessed is a pseudo base station; otherwise, determine that the cell to be accessed is a legal base station;

其中,所述第一阈值为时间T所对应的控制平面与用户平面的流量比例阈值;所述第二阈值为控制平面与用户平面的流量比例高于第一阈值的用户数M占总检测用户数N的比例阈值。Wherein, the first threshold is the threshold of the traffic ratio between the control plane and the user plane corresponding to time T; the second threshold is the number M of users whose traffic ratio between the control plane and the user plane is higher than the first threshold, accounting for the total detected users Scale threshold for number N.

进一步地,所述第一阈值和所述第二阈值预先通过神经网络训练获得。Further, the first threshold and the second threshold are obtained through neural network training in advance.

进一步地,所述第一阈值和所述第二阈值预先通过支持向量机训练获得。Further, the first threshold and the second threshold are obtained through support vector machine training in advance.

进一步地,所述步骤4具体为:Further, the step 4 is specifically:

预先通过神经网络或支持向量机训练获得检测模型;将接入网络类型、用户数N、时间T以及相应用户的控制平面与用户平面的流量比例输入所述检测模型;若待接入小区为伪基站时,所述检测模型输出待接入小区为伪基站;若待接入小区为合法基站时,所述检测模型输出待接入小区为合法基站。The detection model is obtained through neural network or support vector machine training in advance; the access network type, the number of users N, the time T and the traffic ratio of the control plane and the user plane of the corresponding users are input into the detection model; if the cell to be accessed is pseudo When the cell is a base station, the detection model outputs the cell to be accessed as a pseudo base station; if the cell to be accessed is a legal base station, the detection model outputs the cell to be accessed as a legal base station.

进一步地,还包括以下步骤:Further, the following steps are also included:

步骤5:当判断待接入小区为伪基站后,用户终端将所述待接入小区列为黑名单,重新进行小区选择,并执行步骤1~步骤4,直到判断待接入小区为合法基站;Step 5: After judging that the cell to be accessed is a pseudo base station, the user terminal blacklists the cell to be accessed, performs cell selection again, and executes steps 1 to 4 until it is determined that the cell to be accessed is a legitimate base station ;

步骤6:当接入合法小区后,用户终端将异常信息上报至合法基站。Step 6: After accessing the legal cell, the user terminal reports the abnormal information to the legal base station.

一种识别伪基站的设备,包括:A device for identifying a pseudo base station, comprising:

监听模块,用于检测待接入小区的PRACH,监听请求接入用户的随机接入过程,在N个成功接入的用户中,抽取每个用户对应的C-RNTI;并用于在时间T内,分别根据所述每个用户对应的C-RNTI盲检PDCCH,获取每个用户的PDSCH的资源分配信息;The monitoring module is used to detect the PRACH of the cell to be accessed, monitor the random access process of the user requesting access, and extract the C-RNTI corresponding to each user among the N users who have successfully accessed; , respectively blindly detect the PDCCH according to the C-RNTI corresponding to each user, and obtain the resource allocation information of the PDSCH of each user;

统计模块,用于统计时间T内所述每个用户的PDSCH中控制平面与用户平面的流量比例;A statistics module, used for statistics of the traffic ratio between the control plane and the user plane in the PDSCH of each user described in the time T;

判决模块,用于根据N个用户中每个用户在时间T内的PDSCH中控制平面与用户平面的流量比例判断待接入小区是否为伪基站;具体的,判断每个用户在时间T内PDSCH中控制平面与用户平面的流量比例是否高于预设的第一阈值;根据判断结果,统计N个用户中在时间T内PDSCH中控制平面与用户平面的流量比例高于所述第一阈值的用户数,记为M;若M/N的值大于预设的第二阈值,则判断待接入小区为伪基站;反之,则判断待接入小区为合法基站;The judgment module is used for judging whether the cell to be accessed is a pseudo base station according to the traffic ratio of the control plane and the user plane in the PDSCH of each user in the time T; Whether the traffic ratio between the control plane and the user plane is higher than the preset first threshold; according to the judgment result, count the ratios of the traffic between the control plane and the user plane in the PDSCH within the time T of the N users that are higher than the first threshold. The number of users, denoted as M; if the value of M/N is greater than the preset second threshold, it is determined that the cell to be accessed is a pseudo base station; otherwise, the cell to be accessed is determined to be a legal base station;

其中,所述第一阈值为时间T所对应的控制平面与用户平面的流量比例阈值;所述第二阈值为控制平面与用户平面的流量比例高于第一阈值的用户数M占总检测用户数N的比例阈值。Wherein, the first threshold is the threshold of the traffic ratio between the control plane and the user plane corresponding to time T; the second threshold is the number M of users whose traffic ratio between the control plane and the user plane is higher than the first threshold, accounting for the total detected users Scale threshold for number N.

进一步地,还包括:上报模块,用于当待接入小区为伪基站时,将所述待接入小区列为黑名单,并将异常信息上报至合法基站。Further, it also includes: a reporting module, configured to blacklist the cell to be accessed when the cell to be accessed is a pseudo base station, and report abnormal information to the legal base station.

与现有技术相比,本发明至少具有以下有益效果:本发明一种识别伪基站的方法,通过检测待接入小区的PRACH,监听请求接入用户的随机接入过程,在N个成功接入的用户中,抽取每个用户对应的C-RNTI;在时间T内,分别根据每个用户对应的C-RNTI盲检PDCCH,获取每个用户的PDSCH的资源分配信息;统计时间T内每个用户的PDSCH中控制平面与用户平面的流量比例;根据N个用户中每个用户T时间内的PDSCH中控制平面与用户平面的流量比例判断待接入小区是否为伪基站;判断每个用户T时间内PDSCH中控制平面与用户平面的流量比例是否高于预设的第一阈值;根据判断结果,统计N个用户中T时间内PDSCH中控制平面与用户平面的流量比例高于所述第一阈值的用户数,记为M;若M/N的值大于预设的第二阈值,则判断待接入小区为伪基站;反之,则判断待接入小区为合法基站。由于伪基站主要用于获取用户IMSI或发送垃圾短信,并且无法为用户提供完整服务,因此伪基站的控制平面与用户平面的流量比例与合法基站相比存在明显差异,本发明首次提出通过控制平面与用户平面流量分析识别基站类型的基本思想,有效地提高识别伪基站的准确性,并且能够在用户终端接入伪基站前完成识别,增强用户终端预防被伪基站吸附的能力,保护用户身份信息安全,防止用户收到垃圾短信或诈骗信息。对打击伪基站违法犯罪行为,维护社会信息安全有重要意义。Compared with the prior art, the present invention has at least the following beneficial effects: a method for identifying a pseudo base station according to the present invention, by detecting the PRACH of the cell to be accessed, monitoring the random access process of the user requesting access, and after N successful accesses Among the entered users, the C-RNTI corresponding to each user is extracted; within the time T, the PDCCH is blindly detected according to the C-RNTI corresponding to each user, and the resource allocation information of each user's PDSCH is obtained; The traffic ratio of the control plane and the user plane in the PDSCH of each user; according to the traffic ratio of the control plane and the user plane in the PDSCH of each user among the N users, it is judged whether the cell to be accessed is a pseudo base station; Whether the traffic ratio between the control plane and the user plane in the PDSCH within the T period is higher than the preset first threshold; according to the judgment result, it is calculated that the traffic ratio of the control plane and the user plane in the PDSCH within the T period of the N users is higher than the first threshold. The number of users with a threshold is denoted as M; if the value of M/N is greater than the preset second threshold, the cell to be accessed is determined to be a pseudo base station; otherwise, the cell to be accessed is determined to be a legitimate base station. Since the pseudo base station is mainly used to obtain user IMSI or send spam short messages, and cannot provide complete services for users, the traffic ratio between the control plane and the user plane of the pseudo base station is obviously different from that of the legal base station. The basic idea of identifying base station types with user plane traffic analysis can effectively improve the accuracy of identifying pseudo base stations, and can complete the identification before user terminals access pseudo base stations, enhance the ability of user terminals to prevent being adsorbed by pseudo base stations, and protect user identity information Safe to prevent users from receiving spam or scam messages. It is of great significance to crack down on illegal and criminal acts of pseudo base stations and maintain social information security.

为使本发明的上述目的、特征和优点能更明显易懂,下文特举较佳实施例,并配合所附附图,作详细说明如下。In order to make the above-mentioned objects, features and advantages of the present invention more obvious and easy to understand, preferred embodiments are given below, and are described in detail as follows in conjunction with the accompanying drawings.

附图说明Description of drawings

为了更清楚地说明本发明具体实施方式中的技术方案,下面将对具体实施方式描述中所需要使用的附图作简单地介绍,显而易见地,下面描述中的附图是本发明的一些实施方式,对于本领域普通技术人员来讲,在不付出创造性劳动的前提下,还可以根据这些附图获得其他的附图。In order to illustrate the technical solutions in the specific embodiments of the present invention more clearly, the following briefly introduces the accompanying drawings used in the description of the specific embodiments. Obviously, the accompanying drawings in the following description are some embodiments of the present invention. , for those of ordinary skill in the art, other drawings can also be obtained based on these drawings without any creative effort.

图1为本发明实例一种应用场景示意图。FIG. 1 is a schematic diagram of an application scenario of an example of the present invention.

图2为本发明实例一种4G伪基站识别方法流程图。FIG. 2 is a flowchart of a method for identifying a 4G pseudo base station according to an example of the present invention.

具体实施方式Detailed ways

为使本发明实施例的目的、技术方案和优点更加清楚,下面将结合附图对本发明的技术方案进行清楚、完整地描述,显然,所描述的实施例是本发明一部分实施例,而不是全部的实施例。基于本发明中的实施例,本领域普通技术人员在没有做出创造性劳动前提下所获得的所有其他实施例,都属于本发明保护的范围。In order to make the purposes, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions of the present invention will be clearly and completely described below with reference to the accompanying drawings. Obviously, the described embodiments are part of the embodiments of the present invention, but not all of them. example. Based on the embodiments of the present invention, all other embodiments obtained by those of ordinary skill in the art without creative efforts shall fall within the protection scope of the present invention.

首先,为了便于理解,在此先对各个实施例中所涉及的随机接入过程的原理做简单介绍。First, for ease of understanding, the principle of the random access process involved in each embodiment is briefly introduced here.

用户终端通过随机接入过程接入待接入小区,基于竞争的随机接入过程分为以下四步:The user terminal accesses the cell to be accessed through the random access process. The contention-based random access process is divided into the following four steps:

第一步,用户终端在PRACH上发送随机接入前导;In the first step, the user terminal sends a random access preamble on PRACH;

第二步,基站在接收到用户终端发送的随机接入前导后,向用户终端回复随机接入响应,所述随机接入响应称为MSG2;In the second step, after receiving the random access preamble sent by the user terminal, the base station returns a random access response to the user terminal, and the random access response is called MSG2;

MSG2中包含基站为所述用户终端分配的临时标识TC-RNTI以及MSG3的PUSCH资源分配;MSG2 includes the temporary identifier TC-RNTI allocated by the base station for the user terminal and the PUSCH resource allocation of MSG3;

基于竞争的随机接入过程需要通过第三步和第四步完成接入冲突解决。在第三步中,由用户终端向基站发送的消息统称为MSG3;在第四步中,由基站回复用户终端的消息统称为MSG4;The contention-based random access procedure needs to complete the access conflict resolution through the third and fourth steps. In the third step, the messages sent by the user terminal to the base station are collectively referred to as MSG3; in the fourth step, the messages sent by the base station to the user terminal are collectively referred to as MSG4;

第三步,用户终端在接收MSG2后,在MSG3的PUSCH资源分配上向基站发送MSG3;In the third step, after receiving MSG2, the user terminal sends MSG3 to the base station on the PUSCH resource allocation of MSG3;

MSG3中包含用于冲突解决的身份标识,当用户终端处于连接态时,所述用于冲突解决的身份标识为C-RNTI;当用户终端处于非连接态时,所述用于冲突解决的身份标识为S-TMSI或者一个由用户终端产生的随机数;The MSG3 contains an identity for conflict resolution. When the user terminal is in a connected state, the identity for conflict resolution is C-RNTI; when the user terminal is in a disconnected state, the identity for conflict resolution is C-RNTI. It is identified as S-TMSI or a random number generated by the user terminal;

第四步,基站在接收MSG3后完成冲突解决,向用户终端发送MSG4;所述用户终端接收MSG4,若用户终端检测到MSG4中包含自身的用于冲突解决的身份标识,则认为随机接入过程成功,临时标识TC-RNTI变为C-RNTI。In the fourth step, the base station completes conflict resolution after receiving MSG3, and sends MSG4 to the user terminal; the user terminal receives MSG4, and if the user terminal detects that MSG4 contains its own identity for conflict resolution, it is considered a random access process. Success, the temporary identifier TC-RNTI becomes C-RNTI.

在进行随机接入过程时,基站与用户终端之间未建立安全上下文,基站与用户终端之间的消息均以明文发送。因此,可以通过监听用户终端的随机接入过程,获得成功接入用户终端的C-RNTI。During the random access process, no security context is established between the base station and the user terminal, and messages between the base station and the user terminal are all sent in plaintext. Therefore, the C-RNTI of successfully accessing the user terminal can be obtained by monitoring the random access process of the user terminal.

本发明的一个应用场景如图1所示,其中包含一个4G伪基站,多个被伪基站吸附的用户设备,以及一个待接入用户设备。其中,多个被伪基站吸附的用户不具备识别伪基站的能力,向4G伪基站发起接入请求。待接入用户在发起接入请求之前,通过本发明提供的一种识别伪基站的方法判断待接入小区是否为伪基站。An application scenario of the present invention is shown in FIG. 1 , which includes a 4G pseudo base station, a plurality of user equipments adsorbed by the pseudo base station, and a user equipment to be accessed. Among them, many users who are attracted by the pseudo base station do not have the ability to identify the pseudo base station and initiate access requests to the 4G pseudo base station. Before initiating an access request, the user to be accessed judges whether the cell to be accessed is a pseudo base station by using the method for identifying a pseudo base station provided by the present invention.

本发明的应用场景不应局限于附图1,可以用于用户终端初始接入过程,以及小区重选过程等。The application scenario of the present invention should not be limited to FIG. 1, and can be used in the initial access process of the user terminal, the cell reselection process, and the like.

如图2所示,作为本发明的某一具体实施方式,一种识别伪基站的方法,包括以下步骤:As shown in FIG. 2, as a specific embodiment of the present invention, a method for identifying a pseudo base station includes the following steps:

步骤1:检测待接入小区的PRACH,监听请求接入用户的随机接入过程,在N个成功接入的用户中,抽取每个用户对应的C-RNTI。Step 1: Detect the PRACH of the cell to be accessed, monitor the random access process of the user requesting access, and extract the C-RNTI corresponding to each user among the N users who have successfully accessed.

具体包括以下步骤:Specifically include the following steps:

步骤1.1:检测待接入小区的PRACH,获取请求接入用户相应的RA-RNTI;Step 1.1: Detect the PRACH of the cell to be accessed, and obtain the corresponding RA-RNTI of the user requesting access;

步骤1.2:使用所述RA-RNTI检测PDCCH,获取PDSCH上的MSG2;通过MSG2中包含的ULGrant获取TC-RNTI以及MSG3的PUSCH资源分配信息;Step 1.2: use the RA-RNTI to detect the PDCCH, and obtain the MSG2 on the PDSCH; obtain the TC-RNTI and the PUSCH resource allocation information of the MSG3 through the ULGrant included in the MSG2;

步骤1.3:根据MSG3的PUSCH资源分配信息,监听MSG3;从MSG3中获取用户的用于冲突解决的身份标识;Step 1.3: monitor MSG3 according to the PUSCH resource allocation information of MSG3; obtain the user's identity for conflict resolution from MSG3;

步骤1.4:监听到MSG3后,用TC-RNTI检测PDCCH,获取PDSCH上的MSG4;Step 1.4: After monitoring MSG3, use TC-RNTI to detect PDCCH, and obtain MSG4 on PDSCH;

步骤1.5:如果获取的MSG4中包含用户用于冲突解决的身份标识,则用户的随机接入过程成功,C-RNTI=TC-RNTI。Step 1.5: If the acquired MSG4 contains the user's identity for conflict resolution, the user's random access procedure is successful, and C-RNTI=TC-RNTI.

通过上述步骤获得N个成功接入用户,以及每个用户对应的C-RNTI。Through the above steps, N successful access users and the C-RNTI corresponding to each user are obtained.

步骤2:在时间T内,分别根据每个用户对应的C-RNTI盲检PDCCH,获取每个用户的PDSCH的资源分配信息。Step 2: During the time T, blindly detect the PDCCH according to the C-RNTI corresponding to each user, and obtain the resource allocation information of the PDSCH of each user.

步骤3:统计时间T内每个用户的PDSCH中控制平面与用户平面的流量比例,具体为:根据MAC子报头的LCID区分控制平面与用户平面流量,并通过PDCP层报头获取PDCP包长度,统计每个用户T时间内PDSCH中控制平面与用户平面的流量大小,并计算每个用户T时间内PDSCH中控制平面与用户平面的流量比例。Step 3: Counting the traffic ratio of the control plane and the user plane in the PDSCH of each user within the time T, specifically: distinguishing the traffic of the control plane and the user plane according to the LCID of the MAC subheader, and obtaining the length of the PDCP packet through the PDCP layer header. The traffic size of the control plane and the user plane in the PDSCH in each user T time, and calculate the traffic ratio of the control plane and the user plane in the PDSCH in each user T time.

用户数据的加密以及控制信令的加密与完整性保护均由PDCP层提供,因此无论PDSCH中的数据是否进行加密或完整性保护,均可以获得PDCP层报头与MAC层报头。Encryption of user data and encryption and integrity protection of control signaling are provided by the PDCP layer. Therefore, regardless of whether the data in the PDSCH is encrypted or integrity protected, the PDCP layer header and the MAC layer header can be obtained.

每个MAC子报头包含逻辑信道ID(LCID)。LCID指示相应的MAC子报头的有效载荷部分是否为MAC控制元素,如果不是,则指示MAC SDU属于哪个逻辑信道。Each MAC subheader contains a Logical Channel ID (LCID). The LCID indicates whether the payload part of the corresponding MAC subheader is a MAC control element, and if not, indicates which logical channel the MAC SDU belongs to.

步骤4:根据N个用户中每个用户T时间内的PDSCH中控制平面与用户平面的流量比例判断待接入小区是否为伪基站。Step 4: Determine whether the cell to be accessed is a pseudo base station according to the traffic ratio between the control plane and the user plane in the PDSCH within the time T of each user among the N users.

由于伪基站主要用于获取用户IMSI或发送垃圾短信,并且无法为用户提供完整服务,因此伪基站的控制平面与用户平面的流量比例与合法基站相比存在明显差异。Since the pseudo base station is mainly used to obtain user IMSI or send spam short messages, and cannot provide users with complete services, the traffic ratio between the control plane and the user plane of the pseudo base station is significantly different from that of the legitimate base station.

具体的,作为某一优选实施例,包括以下步骤:Specifically, as a certain preferred embodiment, the following steps are included:

步骤4.1:判断每个用户T时间内PDSCH中控制平面与用户平面的流量比例是否高于预设的第一阈值;Step 4.1: Determine whether the traffic ratio of the control plane and the user plane in the PDSCH within each user T time is higher than the preset first threshold;

步骤4.2:根据步骤4.1的判断结果,统计N个用户中T时间内PDSCH中控制平面与用户平面的流量比例高于第一阈值的用户数,记为M;Step 4.2: According to the judgment result of Step 4.1, count the number of users whose traffic ratio between the control plane and the user plane in the PDSCH in the PDSCH is higher than the first threshold within T time among the N users, which is denoted as M;

步骤4.3:若M/N的值大于预设的第二阈值,则判断待接入小区为伪基站;反之,则判断待接入小区为合法基站;Step 4.3: if the value of M/N is greater than the preset second threshold, determine that the cell to be accessed is a pseudo base station; otherwise, determine that the cell to be accessed is a legal base station;

其中,第一阈值为时间T所对应的控制平面与用户平面的流量比例阈值;第二阈值为控制平面与用户平面的流量比例高于第一阈值的用户数M占总检测用户数N的比例阈值。第一阈值和第二阈值预先通过神经网络训练获得或预先通过支持向量机训练获得。Wherein, the first threshold is the threshold of the traffic ratio between the control plane and the user plane corresponding to time T; the second threshold is the ratio of the number of users M whose traffic ratio between the control plane and the user plane is higher than the first threshold to the total number of detected users N threshold. The first threshold and the second threshold are obtained in advance through neural network training or through support vector machine training in advance.

作为另一优选实施例,使用预先通过神经网络或支持向量机等方法训练获得的检测模型进行判断。所述检测模型的输入信息包括:接入网络类型、用户数N、时间T以及相应用户的控制平面与用户平面的流量比例;所述检测模型的输出信息包括:待接入小区是伪基站或合法基站。也就是说,预先通过神经网络或支持向量机训练获得检测模型;将接入网络类型、用户数N、时间T以及相应用户的控制平面与用户平面的流量比例输入检测模型;若待接入小区为伪基站时,检测模型输出待接入小区为伪基站;若待接入小区为合法基站时,检测模型输出待接入小区为合法基站。As another preferred embodiment, the judgment is performed by using a detection model trained in advance by methods such as a neural network or a support vector machine. The input information of the detection model includes: the access network type, the number of users N, the time T, and the traffic ratio between the control plane and the user plane of the corresponding user; the output information of the detection model includes: whether the cell to be accessed is a pseudo base station or legitimate base station. That is to say, the detection model is obtained through neural network or support vector machine training in advance; the access network type, the number of users N, the time T, and the traffic ratio between the control plane and the user plane of the corresponding users are input into the detection model; if the cell to be accessed is When it is a pseudo base station, the detection model outputs the cell to be accessed as a pseudo base station; if the cell to be accessed is a legal base station, the detection model outputs the cell to be accessed as a legal base station.

步骤5:当判断待接入小区为伪基站后,用户终端将待接入小区列为黑名单,并执行步骤1~步骤4,重新进行小区选择,直到判断待接入小区为合法基站。Step 5: After judging that the cell to be accessed is a pseudo base station, the user terminal blacklists the cell to be accessed, and performs steps 1 to 4 to re-select the cell until it is determined that the cell to be accessed is a legitimate base station.

步骤6:当接入合法小区后,用户终端将异常信息上报至合法基站;其中,所述异常信息可以包括以下之一:被判断为伪基站的待接入小区物理ID,接入网络类型,检测到伪基站的时间以及用户终端所处位置,检测用户数N,时间T,以及检测的每个用户的控制平面与用户平面的流量比例等。Step 6: After accessing the legal cell, the user terminal reports the abnormal information to the legal base station; wherein, the abnormal information may include one of the following: the physical ID of the cell to be accessed that is judged to be the pseudo base station, the access network type, The time when the pseudo base station is detected and the location of the user terminal, the number of detected users N, the time T, and the detected traffic ratio between the control plane and the user plane of each user, etc.

例如,采用本发明方法的用户终端在接入待接入小区之前,通过步骤1,检测到8个成功接入所述小区的用户终端,并获取每个成功接入所述小区的用户终端的C-RNTI。如表1所示:For example, before the user terminal using the method of the present invention accesses the cell to be accessed, through step 1, it detects 8 user terminals that successfully access the cell, and obtains the information of each user terminal that successfully accesses the cell. C-RNTI. As shown in Table 1:

表1成功接入用户终端以及相应C-RNTITable 1 Successfully accessed user terminal and corresponding C-RNTI

用户终端(N=8)User terminals (N=8) 11 22 33 44 55 66 77 88 C-RNTI(十进制)C-RNTI (decimal) 1984119841 1968119681 1238112381 1084810848 1268412684 1295212952 1355813558 1047210472

通过步骤2,在1分钟内,分别根据所述每个用户终端对应的C-RNTI盲检PDCCH,获取每个用户终端的PDSCH资源分配。通过步骤3,在所述1分钟内,根据步骤2所得每个用户终端的PDSCH资源分配,统计所述每个用户终端的PDSCH中控制平面与用户平面的流量比例。如表2所示:Through step 2, within 1 minute, the PDCCH is blindly detected according to the C-RNTI corresponding to each user terminal, and the PDSCH resource allocation of each user terminal is obtained. Through step 3, within the 1 minute, according to the PDSCH resource allocation of each user terminal obtained in step 2, the traffic ratio between the control plane and the user plane in the PDSCH of each user terminal is counted. As shown in table 2:

表2成功接入用户终端以及相应控制平面与用户平面的流量比例Table 2 Successfully accessed user terminals and the corresponding traffic ratio between the control plane and the user plane

用户终端(N=8)User terminals (N=8) 11 22 33 44 55 66 77 88 CP/UPCP/UP 73%73% 95%95% 80%80% 78%78% 93%93% 87%87% 67%67% 85%85%

其中,CP表示Control Plane,即控制平面;UP表示User Plane,即用户平面;CP/UP表示控制平面与用户平面的流量比例。Among them, CP represents the Control Plane, that is, the control plane; UP represents the User Plane, that is, the user plane; CP/UP represents the traffic ratio between the control plane and the user plane.

通过步骤4,判断待接入小区是否为伪基站。Through step 4, it is determined whether the cell to be accessed is a pseudo base station.

在本例中,第一阈值设置为70%,第二阈值设置为80%。具体地,根据第一阈值以及表2中用户终端1-8的控制平面与用户平面的流量比例,可以获得控制平面与用户平面的流量比例高于第一阈值的用户终端数M=7;根据N=8,可以获得M/N=87.5%。由于M/N=87.5%大于第二阈值,判断待接入小区为伪基站。In this example, the first threshold is set to 70% and the second threshold is set to 80%. Specifically, according to the first threshold and the traffic ratio between the control plane and the user plane of the user terminals 1-8 in Table 2, the number of user terminals M=7 whose traffic ratio between the control plane and the user plane is higher than the first threshold can be obtained; according to With N=8, M/N=87.5% can be obtained. Since M/N=87.5% is greater than the second threshold, it is determined that the cell to be accessed is a pseudo base station.

用户终端可将所述判断为伪基站的待接入小区列为黑名单,重新进行小区选择,并执行步骤1-步骤4,直到判断待接入小区为合法基站。The user terminal may blacklist the cell to be accessed that is determined to be a pseudo base station, perform cell selection again, and perform steps 1 to 4 until it is determined that the cell to be accessed is a legitimate base station.

当接入合法小区后,用户终端将异常信息上报至合法基站。After accessing the legal cell, the user terminal reports abnormal information to the legal base station.

这里需要说明的是,参数N,M,第一阈值以及第二阈值的取值不局限于本实例中的取值。It should be noted here that the values of the parameters N, M, the first threshold and the second threshold are not limited to the values in this example.

本发明一种识别伪基站的设备,包括:The present invention is a device for identifying a pseudo base station, comprising:

监听模块,用于检测待接入小区的PRACH,监听请求接入用户的随机接入过程,在N个成功接入的用户中,抽取每个用户对应的C-RNTI;并用于在T时间内,分别根据每个用户对应的C-RNTI盲检PDCCH,获取每个用户的PDSCH的资源分配信息;具体实现手段为:检测待接入小区的PRACH,获取请求接入用户相应的RA-RNTI;使用所述RA-RNTI检测PDCCH,获取PDSCH上的MSG2;通过MSG2中包含的UL Grant获取TC-RNTI以及MSG3的PUSCH资源分配信息;根据MSG3的PUSCH资源分配信息,监听MSG3;从MSG3中获取用户的用于冲突解决的身份标识;监听到MSG3后,用TC-RNTI检测PDCCH,获取PDSCH上的MSG4;如果获取的MSG4中包含用户用于冲突解决的身份标识,则用户的随机接入过程成功,C-RNTI=TC-RNTI。The monitoring module is used to detect the PRACH of the cell to be accessed, monitor the random access process of the user requesting access, and extract the C-RNTI corresponding to each user among the N users who have successfully accessed; and use it within T time , blindly detect the PDCCH according to the C-RNTI corresponding to each user, and obtain the resource allocation information of each user's PDSCH; the specific implementation means are: detecting the PRACH of the cell to be accessed, and obtaining the corresponding RA-RNTI of the user requesting access; Use the RA-RNTI to detect the PDCCH, and obtain the MSG2 on the PDSCH; obtain the TC-RNTI and the PUSCH resource allocation information of the MSG3 through the UL Grant included in the MSG2; monitor the MSG3 according to the PUSCH resource allocation information of the MSG3; obtain the user from the MSG3 After monitoring MSG3, use TC-RNTI to detect PDCCH and obtain MSG4 on PDSCH; if the obtained MSG4 contains the user's identity for conflict resolution, the random access process of the user is successful , C-RNTI=TC-RNTI.

统计模块,用于统计T时间内每个用户的PDSCH中控制平面与用户平面的流量比例。The statistics module is used to count the traffic ratio between the control plane and the user plane in the PDSCH of each user within T time.

判决模块,用于根据N个用户中每个用户T时间内的PDSCH中控制平面与用户平面的流量比例判断待接入小区是否为伪基站;具体的,判断每个用户T时间内PDSCH中控制平面与用户平面的流量比例是否高于预设的第一阈值;根据判断结果,统计N个用户中T时间内PDSCH中控制平面与用户平面的流量比例高于第一阈值的用户数,记为M;若M/N的值大于预设的第二阈值,则判断待接入小区为伪基站;反之,则判断待接入小区为合法基站;其中,第一阈值为时间T所对应的控制平面与用户平面的流量比例阈值;第二阈值为控制平面与用户平面的流量比例高于第一阈值的用户数M占总检测用户数N的比例阈值。The judgment module is used for judging whether the cell to be accessed is a pseudo base station according to the traffic ratio of the control plane and the user plane in the PDSCH within the time T of each user among the N users; Whether the traffic ratio between the plane and the user plane is higher than the preset first threshold; according to the judgment result, count the number of users whose traffic ratio between the control plane and the user plane in the PDSCH in the T time period of the N users is higher than the first threshold, denoted as M; if the value of M/N is greater than the preset second threshold, it is determined that the cell to be accessed is a pseudo base station; otherwise, it is determined that the cell to be accessed is a legal base station; wherein, the first threshold is the control corresponding to time T The threshold of the traffic ratio between the plane and the user plane; the second threshold is the ratio threshold of the number of users M whose traffic ratio of the control plane and the user plane is higher than the first threshold to the total number of detected users N.

上报模块,用于当待接入小区为伪基站时,将所述待接入小区列为黑名单,并将异常信息上报至合法基站。The reporting module is used for blacklisting the cell to be accessed when the cell to be accessed is a pseudo base station, and reporting abnormal information to the legal base station.

最后应说明的是:以上所述实施例,仅为本发明的具体实施方式,用以说明本发明的技术方案,而非对其限制,本发明的保护范围并不局限于此,尽管参照前述实施例对本发明进行了详细的说明,本领域的普通技术人员应当理解:任何熟悉本技术领域的技术人员在本发明揭露的技术范围内,其依然可以对前述实施例所记载的技术方案进行修改或可轻易想到变化,或者对其中部分技术特征进行等同替换;而这些修改、变化或者替换,并不使相应技术方案的本质脱离本发明实施例技术方案的精神和范围,都应涵盖在本发明的保护范围之内。因此,本发明的保护范围应所述以权利要求的保护范围为准。Finally, it should be noted that the above-mentioned embodiments are only specific implementations of the present invention, and are used to illustrate the technical solutions of the present invention, but not to limit them. The protection scope of the present invention is not limited thereto, although referring to the foregoing The embodiment has been described in detail the present invention, those of ordinary skill in the art should understand: any person skilled in the art who is familiar with the technical field within the technical scope disclosed by the present invention can still modify the technical solutions described in the foregoing embodiments. Or can easily think of changes, or equivalently replace some of the technical features; and these modifications, changes or replacements do not make the essence of the corresponding technical solutions deviate from the spirit and scope of the technical solutions of the embodiments of the present invention, and should be covered in the present invention. within the scope of protection. Therefore, the protection scope of the present invention should be based on the protection scope of the claims.

Claims (10)

1.一种识别伪基站的方法,其特征在于,包括以下步骤:1. a method for identifying pseudo base station, is characterized in that, comprises the following steps: 步骤1:检测待接入小区的PRACH,监听请求接入用户的随机接入过程,在N个成功接入的用户中,抽取每个用户对应的C-RNTI;Step 1: Detect the PRACH of the cell to be accessed, monitor the random access process of the user requesting access, and extract the C-RNTI corresponding to each user among the N successfully accessed users; 步骤2:在时间T内,分别根据所述每个用户对应的C-RNTI盲检PDCCH,获取每个用户的PDSCH的资源分配信息;Step 2: within the time T, blindly detect the PDCCH according to the C-RNTI corresponding to each user, and obtain the resource allocation information of the PDSCH of each user; 步骤3:根据步骤2获取的每个用户的PDSCH的资源分配信息,统计时间T内所述每个用户的PDSCH中控制平面与用户平面的流量比例;Step 3: According to the resource allocation information of the PDSCH of each user obtained in step 2, the traffic ratio of the control plane and the user plane in the PDSCH of each user in the statistical time T; 步骤4:根据N个用户中每个用户在时间T内的PDSCH中控制平面与用户平面的流量比例判断待接入小区是否为伪基站。Step 4: Determine whether the cell to be accessed is a pseudo base station according to the traffic ratio between the control plane and the user plane in the PDSCH for each of the N users. 2.根据权利要求1所述的一种识别伪基站的方法,其特征在于,所述步骤1具体包括以下步骤:2. The method for identifying a pseudo base station according to claim 1, wherein the step 1 specifically comprises the following steps: 步骤1.1:检测待接入小区的PRACH,获取请求接入用户相应的RA-RNTI;Step 1.1: Detect the PRACH of the cell to be accessed, and obtain the corresponding RA-RNTI of the user requesting access; 步骤1.2:使用所述RA-RNTI检测PDCCH,获取PDSCH上的MSG2;通过MSG2中包含的ULGrant获取TC-RNTI以及MSG3的PUSCH资源分配信息;Step 1.2: use the RA-RNTI to detect the PDCCH, and obtain the MSG2 on the PDSCH; obtain the TC-RNTI and the PUSCH resource allocation information of the MSG3 through the ULGrant included in the MSG2; 步骤1.3:根据MSG3的PUSCH资源分配信息,监听MSG3;从MSG3中获取用户的用于冲突解决的身份标识;Step 1.3: monitor MSG3 according to the PUSCH resource allocation information of MSG3; obtain the user's identity for conflict resolution from MSG3; 步骤1.4:监听到MSG3后,用TC-RNTI检测PDCCH,获取PDSCH上的MSG4;Step 1.4: After monitoring MSG3, use TC-RNTI to detect PDCCH, and obtain MSG4 on PDSCH; 步骤1.5:如果获取的MSG4中包含用户用于冲突解决的身份标识,则用户的随机接入过程成功,C-RNTI=TC-RNTI。Step 1.5: If the acquired MSG4 contains the user's identity for conflict resolution, the user's random access procedure is successful, and C-RNTI=TC-RNTI. 3.根据权利要求1所述的一种识别伪基站的方法,其特征在于,所述步骤3具体为:根据MAC子报头的LCID区分控制平面与用户平面流量,并通过PDCP层报头获取PDCP包长度,统计所述每个用户T时间内PDSCH中控制平面与用户平面的流量大小,并计算每个用户T时间内PDSCH中控制平面与用户平面的流量比例。3. The method for identifying a pseudo base station according to claim 1, wherein the step 3 is specifically: distinguishing the control plane and user plane traffic according to the LCID of the MAC subheader, and obtaining the PDCP packet through the PDCP layer header Length, count the traffic size of the control plane and the user plane in the PDSCH for each user T time, and calculate the traffic ratio of the control plane and the user plane in the PDSCH for each user T time. 4.根据权利要求1所述的一种识别伪基站的方法,其特征在于,所述步骤4具体包括以下步骤:4. The method for identifying a pseudo base station according to claim 1, wherein the step 4 specifically comprises the following steps: 步骤4.1:判断每个用户在时间T内PDSCH中控制平面与用户平面的流量比例是否高于预设的第一阈值;Step 4.1: determine whether the traffic ratio of the control plane and the user plane in the PDSCH of each user is higher than the preset first threshold value within the time T; 步骤4.2:根据步骤4.1的判断结果,统计N个用户中在时间T内PDSCH中控制平面与用户平面的流量比例高于所述第一阈值的用户数,记为M;Step 4.2: According to the judgment result of Step 4.1, count the number of users whose traffic ratio between the control plane and the user plane in the PDSCH in the time T is higher than the first threshold among the N users, denoted as M; 步骤4.3:若M/N的值大于预设的第二阈值,则判断待接入小区为伪基站;反之,则判断待接入小区为合法基站;Step 4.3: if the value of M/N is greater than the preset second threshold, determine that the cell to be accessed is a pseudo base station; otherwise, determine that the cell to be accessed is a legal base station; 其中,所述第一阈值为时间T所对应的控制平面与用户平面的流量比例阈值;所述第二阈值为控制平面与用户平面的流量比例高于第一阈值的用户数M占总检测用户数N的比例阈值。Wherein, the first threshold is the threshold of the traffic ratio between the control plane and the user plane corresponding to time T; the second threshold is the number M of users whose traffic ratio between the control plane and the user plane is higher than the first threshold, accounting for the total detected users Scale threshold for number N. 5.根据权利要求4所述的一种识别伪基站的方法,其特征在于,所述第一阈值和所述第二阈值预先通过神经网络训练获得。5 . The method for identifying a pseudo base station according to claim 4 , wherein the first threshold and the second threshold are obtained through neural network training in advance. 6 . 6.根据权利要求4所述的一种识别伪基站的方法,其特征在于,所述第一阈值和所述第二阈值预先通过支持向量机训练获得。6 . The method for identifying a pseudo base station according to claim 4 , wherein the first threshold and the second threshold are obtained through support vector machine training in advance. 7 . 7.根据权利要求1所述的一种识别伪基站的方法,其特征在于,所述步骤4具体为:7. The method for identifying a pseudo base station according to claim 1, wherein the step 4 is specifically: 预先通过神经网络或支持向量机训练获得检测模型;将接入网络类型、用户数N、时间T以及相应用户的控制平面与用户平面的流量比例输入所述检测模型;若待接入小区为伪基站时,所述检测模型输出待接入小区为伪基站;若待接入小区为合法基站时,所述检测模型输出待接入小区为合法基站。The detection model is obtained through neural network or support vector machine training in advance; the access network type, the number of users N, the time T and the traffic ratio of the control plane and the user plane of the corresponding users are input into the detection model; if the cell to be accessed is pseudo When the cell is a base station, the detection model outputs the cell to be accessed as a pseudo base station; if the cell to be accessed is a legal base station, the detection model outputs the cell to be accessed as a legal base station. 8.根据权利要求1所述的一种识别伪基站的方法,其特征在于,还包括以下步骤:8. The method for identifying a pseudo base station according to claim 1, further comprising the steps of: 步骤5:当判断待接入小区为伪基站后,用户终端将所述待接入小区列为黑名单,重新进行小区选择,并执行步骤1~步骤4,直到判断待接入小区为合法基站;Step 5: After judging that the cell to be accessed is a pseudo base station, the user terminal blacklists the cell to be accessed, performs cell selection again, and executes steps 1 to 4 until it is determined that the cell to be accessed is a legitimate base station ; 步骤6:当接入合法小区后,用户终端将异常信息上报至合法基站。Step 6: After accessing the legal cell, the user terminal reports the abnormal information to the legal base station. 9.一种识别伪基站的设备,其特征在于,包括:9. A device for identifying a pseudo base station, comprising: 监听模块,用于检测待接入小区的PRACH,监听请求接入用户的随机接入过程,在N个成功接入的用户中,抽取每个用户对应的C-RNTI;并用于在时间T内,分别根据所述每个用户对应的C-RNTI盲检PDCCH,获取每个用户的PDSCH的资源分配信息;The monitoring module is used to detect the PRACH of the cell to be accessed, monitor the random access process of the user requesting access, and extract the C-RNTI corresponding to each user among the N users who have successfully accessed; , respectively blindly detect the PDCCH according to the C-RNTI corresponding to each user, and obtain the resource allocation information of the PDSCH of each user; 统计模块,用于统计时间T内所述每个用户的PDSCH中控制平面与用户平面的流量比例;A statistics module, used for statistics of the traffic ratio between the control plane and the user plane in the PDSCH of each user described in the time T; 判决模块,用于根据N个用户中每个用户在时间T内的PDSCH中控制平面与用户平面的流量比例判断待接入小区是否为伪基站;具体的,判断每个用户在时间T内PDSCH中控制平面与用户平面的流量比例是否高于预设的第一阈值;根据判断结果,统计N个用户中在时间T内PDSCH中控制平面与用户平面的流量比例高于所述第一阈值的用户数,记为M;若M/N的值大于预设的第二阈值,则判断待接入小区为伪基站;反之,则判断待接入小区为合法基站;The judgment module is used for judging whether the cell to be accessed is a pseudo base station according to the traffic ratio of the control plane and the user plane in the PDSCH of each user in the time T; Whether the traffic ratio between the control plane and the user plane is higher than the preset first threshold; according to the judgment result, count the ratios of the traffic between the control plane and the user plane in the PDSCH within the time T of the N users that are higher than the first threshold. The number of users, denoted as M; if the value of M/N is greater than the preset second threshold, it is determined that the cell to be accessed is a pseudo base station; otherwise, the cell to be accessed is determined to be a legal base station; 其中,所述第一阈值为时间T所对应的控制平面与用户平面的流量比例阈值;所述第二阈值为控制平面与用户平面的流量比例高于第一阈值的用户数M占总检测用户数N的比例阈值。Wherein, the first threshold is the threshold of the traffic ratio between the control plane and the user plane corresponding to time T; the second threshold is the number M of users whose traffic ratio between the control plane and the user plane is higher than the first threshold, accounting for the total detected users Scale threshold for number N. 10.根据权利要求9所述的一种识别伪基站的设备,其特征在于,还包括:上报模块,用于当待接入小区为伪基站时,将所述待接入小区列为黑名单,并将异常信息上报至合法基站。10 . The device for identifying a pseudo base station according to claim 9 , further comprising: a reporting module, configured to blacklist the cell to be accessed when the cell to be accessed is a pseudo base station. 11 . , and report the abnormal information to the legitimate base station.
CN201911040187.7A 2019-10-29 2019-10-29 Method and device for identifying pseudo base station Active CN110753349B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201911040187.7A CN110753349B (en) 2019-10-29 2019-10-29 Method and device for identifying pseudo base station

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201911040187.7A CN110753349B (en) 2019-10-29 2019-10-29 Method and device for identifying pseudo base station

Publications (2)

Publication Number Publication Date
CN110753349A true CN110753349A (en) 2020-02-04
CN110753349B CN110753349B (en) 2020-10-27

Family

ID=69280962

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201911040187.7A Active CN110753349B (en) 2019-10-29 2019-10-29 Method and device for identifying pseudo base station

Country Status (1)

Country Link
CN (1) CN110753349B (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111586592A (en) * 2020-05-27 2020-08-25 蚌埠珠领智能科技有限公司 Vehicle running state short information transmission method and system based on Internet of vehicles
CN113099456A (en) * 2021-05-13 2021-07-09 中国联合网络通信集团有限公司 Pseudo base station identification method, device, equipment and storage medium
RU2833368C1 (en) * 2023-09-08 2025-01-21 Общество С Ограниченной Ответственностью "Софтайм" Method of countering attacks made using virtual base stations with respect to subscriber devices located at secure facility

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102118766A (en) * 2009-12-31 2011-07-06 成都市华为赛门铁克科技有限公司 Method and device for identifying base station, and network system
US20170079059A1 (en) * 2015-09-11 2017-03-16 Intel IP Corporation Slicing architecture for wireless communication
CN106658512A (en) * 2016-12-23 2017-05-10 广西英伦信息技术股份有限公司 Method for rapidly locating malicious call number from bill statistics
CN108347789A (en) * 2017-01-24 2018-07-31 华为技术有限公司 A kind of accidental access method and device
CN109275145A (en) * 2018-09-21 2019-01-25 腾讯科技(深圳)有限公司 Device behavior detection and blocking processing method, medium and electronic device
WO2019028697A1 (en) * 2017-08-09 2019-02-14 Zte Corporation Quality of service implementations for separating user plane

Patent Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102118766A (en) * 2009-12-31 2011-07-06 成都市华为赛门铁克科技有限公司 Method and device for identifying base station, and network system
US20170079059A1 (en) * 2015-09-11 2017-03-16 Intel IP Corporation Slicing architecture for wireless communication
CN106658512A (en) * 2016-12-23 2017-05-10 广西英伦信息技术股份有限公司 Method for rapidly locating malicious call number from bill statistics
CN108347789A (en) * 2017-01-24 2018-07-31 华为技术有限公司 A kind of accidental access method and device
WO2019028697A1 (en) * 2017-08-09 2019-02-14 Zte Corporation Quality of service implementations for separating user plane
CN109275145A (en) * 2018-09-21 2019-01-25 腾讯科技(深圳)有限公司 Device behavior detection and blocking processing method, medium and electronic device

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
SILVÈRE MAVOUNGOU等: "Survey on Threats and Attacks on Mobile Networks", 《IEEE》 *
孙军: "TETRA数字集群伪基站关键技术的研究", 《中国优秀硕士学位论文全文数据库 信息科技辑(月刊 )》 *

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111586592A (en) * 2020-05-27 2020-08-25 蚌埠珠领智能科技有限公司 Vehicle running state short information transmission method and system based on Internet of vehicles
CN113099456A (en) * 2021-05-13 2021-07-09 中国联合网络通信集团有限公司 Pseudo base station identification method, device, equipment and storage medium
CN113099456B (en) * 2021-05-13 2022-05-03 中国联合网络通信集团有限公司 Pseudo base station identification method, device, device and storage medium
RU2833368C1 (en) * 2023-09-08 2025-01-21 Общество С Ограниченной Ответственностью "Софтайм" Method of countering attacks made using virtual base stations with respect to subscriber devices located at secure facility

Also Published As

Publication number Publication date
CN110753349B (en) 2020-10-27

Similar Documents

Publication Publication Date Title
US12200493B2 (en) Source base station, UE, method in wireless communication system
CN105451232B (en) Pseudo base station detection method, system, terminal and server
Jover LTE security, protocol exploits and location tracking experimentation with low-cost software radio
CN107683617B (en) System and method for pseudo base station detection
CN112448894B (en) Method, device, equipment and storage medium for blocking signaling storm
CN104683965B (en) The hold-up interception method and equipment of a kind of pair of pseudo-base station refuse messages
KR102157661B1 (en) Wireless intrusion prevention system, wireless network system, and operating method for wireless network system
CN104125571A (en) Method for detecting and suppressing pseudo-base station
CN110312259B (en) Pseudo base station identification method, pseudo base station identification device, terminal and storage medium
CN109698885B (en) A call request processing method, device, network side server and computer storage medium
Vanhoef et al. Protecting wi-fi beacons from outsider forgeries
US20130165077A1 (en) Method and apparatus for identifying fake networks
EP2874367A1 (en) Call authentication method, device, and system
CN113206814A (en) Network event processing method and device and readable storage medium
CN108353283B (en) Method and apparatus for preventing attacks from a pseudo base station
CN106572450A (en) Pseudo base station identification method and device
CN107197456A (en) A kind of client-based identification puppet AP detection method and detection means
CN104581731A (en) Method and system for judging process of mobile phone terminal being hijacked by fake base station
CN110753349B (en) Method and device for identifying pseudo base station
Yu et al. On effects of mobility management signalling based dos attacks against lte terminals
CN101895855A (en) Access method, base station and access system of mobile terminal
CN109275144A (en) Method, device and terminal for identifying pseudo base station
CN109474932A (en) A pseudo base station identification and defense method and terminal
Bitsikas et al. Freaky Leaky {SMS}: Extracting User Locations by Analyzing {SMS} Timings
Xenakis et al. An advanced persistent threat in 3G networks: Attacking the home network from roaming networks

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant