CN111182551A - Network security protection method and system - Google Patents


Info

Publication number
CN111182551A
Authority
CN
China
Legal status
Granted
Application number
CN202010015228.3A
Other languages
Chinese (zh)
Other versions
CN111182551B (en
Inventor
谢泽铖
马铮
张曼君
陆勰
王姗姗
Current Assignee
China United Network Communications Group Co Ltd
Original Assignee
China United Network Communications Group Co Ltd
Events
Application filed by China United Network Communications Group Co Ltd
Priority to CN202010015228.3A
Publication of CN111182551A
Application granted
Publication of CN111182551B
Legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/12 Detection or prevention of fraud
    • H04W12/121 Wireless intrusion detection systems [WIDS]; Wireless intrusion prevention systems [WIPS]
    • H04W12/122 Counter-measures against attacks; Protection against rogue devices

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The application provides a network security protection method and a network security protection system, relates to the field of network security, and can effectively prevent external attacks on a core network. The method comprises the following steps: the MEPM sends a target RAND value, which is an integer greater than zero, to the first MEC platform and to the checking device, and sends the corresponding relation between the RAND value and the first MEC platform to the checking device, so that the checking device and the first MEC platform determine the check value corresponding to the first MEC platform in the same way; the first MEC platform then inserts the check value, according to a first preset rule, into a target data packet that is sent to the checking device and needs to be processed by the core network, and on receiving the target data packet the checking device extracts the check value according to a third preset rule corresponding to the first preset rule; if the extracted check value differs from the check value it determined for the corresponding first MEC platform, the checking device discards the target data packet. The application is applied to MEC networks.

Description

Network security protection method and system
Technical Field
The present invention relates to the field of network security, and in particular, to a network security protection method and system.
Background
In modern society, with the evolution of the 5G architecture, control plane (C-plane) and user plane (U-plane) separation techniques are introduced in 5G. The 5G architecture employs a service-based architecture (SBA). Multi-access edge computing (MEC), also called multi-access edge cloud, sinks the user plane function (UPF) to the network edge, closer to the user, and fuses it with an open platform of core network, computing, storage and application capabilities, so that edge intelligent services are provided nearby and the key requirements of industry digitalization in agile connection, real-time services, data optimization, application intelligence and the like are met. It can realize local traffic processing and reduce latency, and has the characteristics of local service charging, management, control and operation, open pipeline capability, third-party application integration and the like. However, the MEC network makes the core network element UPF sink into an untrusted area, and there are situations in which an attacker simulates an MEC platform to send abnormal messages to the core network to generate false tickets, or uses the MEC platform as a springboard to perform a DOS (denial of service) attack on the core network, so that the security problems faced by the core network are greatly increased.
In the prior art, security protection is mostly provided by deployed physical protection systems, and a security protection method aimed specifically at the MEC system is lacking. There are few means of detecting and protecting against situations in which an attacker sends abnormal messages to the MEC platform or uses the MEC platform as a springboard to carry out a DOS attack on the core network. Moreover, when a security problem occurs, the MEC platform on which it occurred cannot be located in time.
Disclosure of Invention
Embodiments of the present invention provide a network security protection method and system, which can effectively prevent external attacks on a core network.
In order to achieve the above purpose, the embodiment of the invention adopts the following technical scheme:
In a first aspect, a network security protection method is provided, which is applied to a checking device disposed on the core network side, and includes: before processing a target data packet sent by an MEC platform, the checking device receives a target RAND value sent by an MEPM and the corresponding relation between the target RAND value and a first MEC platform; the first MEC platform is any one of the MEC platforms managed by the MEPM; the target RAND value is an integer greater than zero; then the checking device determines a first check value corresponding to the first MEC platform according to the RAND value; it receives a target data packet which is sent by the first MEC platform and needs to be processed by the core network; then the checking device extracts a second check value inserted into the target data packet according to a third preset rule corresponding to the first preset rule, wherein the first preset rule is the rule used by the first MEC platform to insert the second check value into the target data packet; and then the checking device determines whether the target data packet is abnormal by judging whether the second check value is the same as the first check value, and discards the target data packet when the second check value is determined to be different from the first check value, that is, when the target data packet is determined to be abnormal.
In the technical solution provided in the foregoing application, the checking device generates a first check value corresponding to the first MEC platform after receiving the target RAND value and the corresponding relationship between the target RAND value and the first MEC platform sent by the MEPM; then, when receiving a target data packet sent by the first MEC platform and needing core network processing, it extracts the second check value from the target data packet according to a third preset rule corresponding to the first preset rule by which the first MEC platform inserted that value, compares whether the first check value and the second check value are the same, and discards the target data packet when it determines that they differ. In the technical scheme provided by the application, the checking device is arranged between the MEC platform and the core network; when the MEC platform needs to exchange information with the core network, the checking device can check the information the MEC platform needs to exchange with the core network, namely the second check value inserted in the target data packet, against the first check value determined in advance. Once the first check value differs from the second check value, the target data packet can be considered abnormal and its data may have been modified, so the target data packet is discarded directly, the core network is prevented from receiving the abnormal data packet, and illegal personnel cannot attack the core network by using the MEC platform as a springboard.
In a second aspect, a network security protection method is provided, which is applied to the MEPM, and includes: the MEPM firstly acquires a first preset number of different RAND values; the first preset number is the number of MEC platforms managed by the MEPM; the RAND values correspond to the MEC platforms one to one; all RAND values are integers greater than zero; then the MEPM sends a target random RAND value to the first multi-access edge computing MEC platform and a checking device arranged on the core network side, and simultaneously sends a corresponding relation between the target RAND value and the first MEC platform to the checking device; wherein the first MEC platform is any one of the MEC platforms managed by the MEPM; the target RAND value is a RAND value corresponding to the first MEC platform among a first preset number of RAND values.
In a third aspect, a network security protection method is provided, which is applied to an MEC platform, and includes: before information interaction is carried out between the MEC platform and a core network, the MEC platform receives a target random RAND value sent by an MEPM for managing the MEC platform; the target RAND value is an integer greater than zero; then the MEC platform determines a check value according to the received target RAND value; then, inserting the determined check value into a target data packet to be processed by the core network according to a first preset rule in the subsequent interaction process with the core network; and finally, sending the target data packet inserted with the check value to the check equipment arranged on the core network side.
In a fourth aspect, a verification device is provided, including: a receiving module, configured to receive a target RAND value sent by the MEPM and a corresponding relationship between the target RAND value and the first MEC platform; the first MEC platform is any one of the MEC platforms managed by the MEPM; the target RAND value is an integer greater than zero; the processing module is used for determining a first check value corresponding to the first MEC platform according to the target RAND value received by the receiving module; the receiving module is further used for receiving a target data packet which is sent by the first MEC platform and needs to be processed by the core network; the processing module is further used for extracting a second check value inserted into the target data packet from the target data packet received by the receiving module according to a third preset rule; the third preset rule corresponds to a first preset rule, and the first preset rule is a rule used when the first MEC platform inserts the second check value into the target data packet; the judging module is used for judging whether the second check value extracted by the processing module is the same as the first check value determined by the processing module; and when the judging module determines that the second check value is different from the first check value, the processing module is used for discarding the target data packet received by the receiving module.
In a fifth aspect, an MEPM is provided, which includes an obtaining module and a sending module; the acquisition module is used for acquiring a first preset number of different random RAND values; the first preset number is the number of MEC platforms managed by the MEPM; the RAND values correspond to the MEC platforms one to one; all RAND values are integers greater than zero; a sending module, configured to send a target random RAND value to the first MEC platform and a verification device arranged on a core network side, and send a corresponding relationship between the target random RAND value and the first MEC platform to the verification device; the first MEC platform is any one of the MEC platforms managed by the MEPM; the target RAND value is a RAND value corresponding to the first MEC platform in the first preset number of RAND values acquired by the acquisition module.
In a sixth aspect, there is provided an MEC platform comprising a receiving module, a processing module and a sending module; the receiving module is used for receiving a target random RAND value sent by an MEPM for managing the MEC platform; the target RAND value is an integer greater than zero; the processing module is used for determining a check value according to the target RAND value received by the receiving module; the processing module is also used for inserting the check value into a target data packet needing to be processed by the core network according to a first preset rule; and the sending module is used for sending the target data packet into which the processing module inserted the check value to the checking device arranged on the core network side.
In a seventh aspect, a network security protection device is provided, which includes a memory, a processor, a bus, and a communication interface; the memory is used for storing computer execution instructions, and the processor is connected with the memory through a bus; when the network security protection device is running, the processor executes the computer-executable instructions stored in the memory to cause the network security protection device to perform the network security protection method as provided by the first aspect, or the network security protection method as provided by the second aspect, or the network security protection method as provided by the third aspect.
In an eighth aspect, a computer-readable storage medium is provided, which stores instructions comprising computer-executable instructions, which, when executed on a computer, cause the computer to perform the network security protection method as provided in the first aspect, or the network security protection method as provided in the second aspect, or the network security protection method as provided in the third aspect.
In a ninth aspect, a network security protection system is provided, which includes the verification apparatus as provided in the fourth aspect, the MEPM as provided in the fifth aspect, and the MEC platform as provided in the sixth aspect.
The network security protection method and system provided by the application comprise the following steps: before processing a target data packet sent by an MEC platform, a checking device receives a target RAND value sent by an MEPM and a corresponding relation between the target RAND value and a first MEC platform; the first MEC platform is any one of the MEC platforms managed by the MEPM; the target RAND value is an integer greater than zero; then, the checking equipment determines a first checking value corresponding to the first MEC platform according to the RAND value; receiving a target data packet which is sent by the first MEC platform and needs to be processed by the core network; then, the check equipment extracts a second check value inserted into the target data packet from the target data packet according to a third preset rule corresponding to the first preset rule, wherein the first preset rule is a rule used by the first MEC platform to insert the second check value into the target data packet; and then the checking equipment determines whether the target data packet is abnormal or not by judging whether the second checking value is the same as the first checking value or not, and discards the target data packet when the target data packet is determined to be abnormal when the second checking value is determined to be different from the first checking value. 
In the technical scheme provided by the application, because the checking device is arranged between the MEC platform and the core network, when the MEC platform needs to exchange information with the core network, the checking device can check the information the MEC platform needs to exchange with the core network, namely the second check value inserted in the target data packet, against the first check value determined in advance. Once the first check value differs from the second check value, this clearly indicates that the MEC platform may have a problem, so the checking device discards the target data packet at that moment and does not forward it to the core network. This avoids an illegal user performing a DOS (denial of service) attack or other illegal operations against the core network through the MEC platform, and an attacker using the MEC platform to send forged data, falsified data and other abnormal messages to the core network that cause false call tickets and the like, and it ensures the authenticity of the data the MEC platform sends to the core network; therefore, the technical scheme provided by the application can effectively prevent external DOS attacks on the core network.
Drawings
In order to more clearly illustrate the technical solutions in the present application or the prior art, the drawings needed for the description of the embodiments or the prior art will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and it is obvious for those skilled in the art that other drawings can be obtained based on these drawings without creative efforts.
FIG. 1 is a diagram of a network security protection system architecture provided in the present application;
FIG. 2 is a diagram of another network security protection system architecture provided herein;
FIG. 3 is a schematic flow chart of a network security protection method provided in the present application;
FIG. 4 is a schematic flow chart of another network security protection method provided in the present application;
FIG. 5 is a flowchart illustrating a method for inserting a check value into a target data packet according to the present application;
FIG. 6 is a flowchart illustrating a method for inserting sub-check values into a target data packet according to the present application;
FIG. 7 is a schematic illustration of the embodiment corresponding to FIG. 6 provided herein;
FIG. 8 is a schematic flowchart of a method for determining whether the second check value is the same as the first check value according to the present application;
FIG. 9 is a flowchart illustrating a method for an MEPM to perform exception handling operations according to an exception instruction according to the present application;
FIG. 10 is a schematic structural diagram of an MEPM provided herein;
FIG. 11 is a schematic structural diagram of an MEC platform provided in the present application;
FIG. 12 is a schematic structural diagram of a checking device provided in the present application;
FIG. 13 is a networking architecture diagram of the present application;
FIG. 14 is a schematic structural diagram of a network security protection device provided in the present application.
Detailed Description
The technical solutions in the present application will be described clearly and completely with reference to the accompanying drawings in the present application, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
It is noted that, in the present application, words such as "exemplary" or "for example" are used to mean exemplary, illustrative, or descriptive. Any embodiment or design described herein as "exemplary" or "e.g.," is not necessarily to be construed as preferred or advantageous over other embodiments or designs. Rather, use of the word "exemplary" or "such as" is intended to present concepts related in a concrete fashion.
It should be noted that, in the present application, "of", "corresponding" and "corresponding" may be sometimes used in combination, and it should be noted that the intended meaning is consistent when the difference is not emphasized.
For the convenience of clearly describing the technical solutions of the present application, in the embodiments of the present invention, the words "first", "second", and the like are used for distinguishing the same items or similar items with basically the same functions and actions, and those skilled in the art will understand that the words "first", "second", and the like are not limited in number or execution order.
Currently, because of the evolution of the 5G architecture, the emergence and use of MEC platforms is one of the key points of 5G technology. However, the MEC includes not only a capability open platform but also a self-service and third-party service platform, and the like, and is lack of effective supervision, so that the situations that an attacker simulates the MEC platform to perform DOS attack on the core network exist, and the security problem of the core network is greatly increased. Therefore, a security protection method for the core network is needed to prevent an illegal attacker from attacking the core network by using the MEC platform as a springboard.
Therefore, the application provides a network security protection method for protecting the core network and effectively preventing illegal external attacks on it. The network security protection method provided by the present application is applied to a system architecture as shown in fig. 1, where the system architecture includes: an MEC platform manager (MEPM) 01, an MEP02 (MEP02-1 and MEP02-2) and a verification device 03 arranged on the core network side.
The MEP02 is connected with the MEPM01 and the verification device 03, and the MEPM01 is connected with the verification device 03.
The MEPM01 is used for managing the MEP02, including bringing the MEP02 online and offline, the traffic of the MEP02 and the like; the MEPM01 is further configured to send the RAND value to the MEP02 and the verification device 03, and to send the corresponding relationship between the RAND value and the MEP02 to the verification device 03, so that the verification device 03 can verify a packet which is sent by the MEP02 and needs to be processed by the core network.
Optionally, as shown in fig. 2, the RAND value that the MEPM01 needs to send out may be generated by the MEPM01 itself or requested from a RAND generator 05; of course the RAND generator could be provided directly in the MEPM01, in which case all RAND values would be equivalent to being generated by the MEPM01 itself. The verification device 03 is configured to verify a target data packet that the MEP02 needs to send to the core network for processing, so as to ensure that the target data packet received by the core network is legal and has no exception. For example, referring to fig. 1, the verification device 03 may be disposed directly on a certain network element in the core network 04, for example an SMF (session management function) network element that exchanges control plane signaling messages with an MEP, or a UPF (user plane function) network element that exchanges user plane data messages with an MEP. In this case, because the existing MEPMs and MEPs already interact directly with the corresponding network elements of the core network, the MEPM01 and the MEP02 do not need to change the destination address in a data packet when a message needs to be sent to the verification device 03, and transmit the message directly to the corresponding network element of the core network 04; in addition, if the verification device 03 determines that the target data packet sent by the MEP02 has no abnormality, it may directly process the content of the target data packet using the capability of the network element where the verification device is located.
Of course, as shown in fig. 2, the verification device 03 may also be a single device and be disposed on the core network 04 side, at this time, when the MEPM01 and the MEP02 need to send a message to the verification device 03, the destination address, which is specifically the network element address of the core network, in the original data packet needs to be changed to the address of the verification device; in addition, at this time, if the verification device 03 determines that the target data packet sent by the MEP02 does not have an exception, the target data packet needs to be forwarded to the network element corresponding to the core network 04 for processing.
Referring to fig. 2, in the prior art, an MEP directly exchanges information with a core network (shown by a dotted line), so that the core network is vulnerable to external attacks.
Based on the system architecture, the application provides a network security protection method for preventing external attacks on a core network. Referring to fig. 3, the method specifically includes steps 101 to 108 (101 includes 1011, 1012 and 1013, and 102 includes 1021 and 1022):
1011. The MEPM obtains a first preset number of different random RAND values.
Wherein the first preset number is the number of MEC platforms managed by the MEPM; the RAND values correspond to the MEC platforms one to one; for ease of calculation, all RAND values are herein integers greater than zero, e.g., 1, 2, 3, etc.
1012. The MEPM sends the target RAND value to the first MEC platform.
Wherein the MEPM may be the MEPM01 in fig. 1 and 2, the first MEC platform is any one of the MEC platforms managed by the MEPM, such as MEP02-1 in fig. 1; the target RAND value is the RAND value corresponding to the first MEC platform among the first preset number of RAND values.
Optionally, when an independent RAND generator shown in fig. 2 exists in a system architecture to which the network security protection method provided by the present application is applied, referring to fig. 4, the step 1011 specifically includes 1001 and 1002:
1001. The MEPM sends a target request to the RAND generator.
Wherein the target request is at least for requesting a first preset number of different RAND values from the RAND generator; the first preset number is the number of MEC platforms managed by the MEPM.
1002. The RAND generator sends the target response to the MEPM.
The target response carries the first preset number of RAND values. Illustratively, the RAND generator may generate the RAND values using a RAND() function.
1013. The MEPM sends the target RAND value and the corresponding relation between the target RAND value and the first MEC platform to the checking equipment.
1021. The first MEC platform determines a check value based on the target RAND value received from the MEPM.
Specifically, after the first MEC platform determines the check value, the check value is stored in its own storage unit.
Alternatively, the first MEC platform may use the target RAND value directly as a check value.
Further optionally, because a RAND value used directly as the check value would make the check value insecure once intercepted, the first MEC platform may encrypt the target RAND value using a preset encryption algorithm and determine the encrypted target RAND value as the check value. For example, the preset encryption algorithm may be a message digest algorithm (MD1, MD2, MD3, MD4 or MD5), a secure hash algorithm (SHA-1 (secure hash algorithm 1) or SHA-2 (secure hash algorithm 2)), or another feasible encryption algorithm; the preset encryption algorithm is not particularly limited herein.
In one implementation, to facilitate the subsequent division and insertion, the target RAND value is a decimal number, such as 5, and the check value should be a binary number with a fixed number of bits, such as the eight-bit number 00100101. Illustratively, taking the target RAND value 5 as an example, if the target RAND value is directly determined as the check value and the number of bits of the check value is specified as 8, the check value is 00000101. Of course, the check value may be another binary number as long as the subsequent division is possible.
1022. The checking equipment determines a checking value corresponding to the first MEC platform according to the target RAND value received from the MEPM and the corresponding relation between the target RAND value and the first MEC platform.
Specifically, after the verification device determines the verification value corresponding to the first MEC platform, the verification value and the correspondence (for example, represented in a table) between the verification value and the first MEC platform are stored in the verification device.
The method for determining the check value corresponding to the first MEC platform by the check equipment is the same as the method for determining the check value by the first MEC platform; for example, the first MEC platform directly uses the target RAND value as the check value, and then the checking device determines the target RAND value corresponding to the first MEC platform as the check value corresponding to the first MEC platform.
103. The first MEC platform inserts the check value into all target data packets needing to be processed by the core network according to a first preset rule.
Optionally, in order to make the subsequent verification by the verification module faster and improve the difficulty of tampering with the target data packet inserted with the verification value, referring to fig. 5, step 103 specifically includes 1031 and 1032:
1031. The first MEC platform divides the check value into a second preset number of sub-check values according to a preset division manner.
In one implementation, the preset division manner may be as follows: a second preset number is determined, the bit width of the check value is divided by the second preset number (rounding up or rounding down) to obtain the bit width of each of the first sub-check values, of which there are a third preset number, and the bit width of the last sub-check value is the bit width of the check value minus the total bit width of those third-preset-number sub-check values; wherein the third preset number is the second preset number minus 1. For example, taking the check value as the eight-bit binary number 10101001, the second preset number as 3 and the rounding manner as rounding down, the above preset division manner yields three sub-check values: 10, 10 and 1001.
In another implementation, the preset division manner may be to determine a second preset number and then divide randomly. For example, with the check value being the eight-bit binary number 10101001 and the second preset number being 3, the random division may yield three sub-check values such as 1, 01010 and 01.
Of course, the preset division manner may also be any other feasible manner, and is not limited herein.
The second preset number may be preset, or may be determined according to the data length of the check value. For example, the second preset number is a positive integer less than or equal to 4.
1032. The first MEC platform inserts the second preset number of sub-check values at different positions of the target data packet according to a second preset rule.
In one implementation, referring to fig. 6, step 1032 specifically includes steps 10321 and 10322:
10321. The first MEC platform determines the insertion position of each sub-check value in the target data packet according to the RAND value and the data length of the target data packet.
The insertion position of the target sub-check value in the target data packet satisfies a preset formula; the target sub-check value is any one of the second preset number of sub-check values. Illustratively, the preset formula is:
[Formula image BDA0002358628260000101; the formula itself is not reproduced in the text]
where Pn is the distance between the insertion position of the nth sub-check value in the target data packet and the head of the target data packet, Dleng is the data length of the target data packet, R is the target RAND value, M is a preset offset, and N is the second preset number; n is an integer greater than 0 and not greater than N. For example, the nth sub-check value may be the nth sub-check value counted from the head of the check value towards its tail; for instance, if the check value 10101001 is split into 101, 010 and 01, then the second sub-check value is 010. Of course, the nth sub-check value need not be the nth one counted from head to tail, as long as the subsequent steps can still be carried out; this is not specifically limited here.
Of course, in practice, the insertion manner of the sub-check values may be determined by any other feasible formula, for example according to an identifying characteristic of the first MEC platform such as its IP address, or the insertion positions of the sub-check values may be selected randomly, as long as no two sub-check values are consecutive.
10322. The first MEC platform inserts each target sub-check value at the insertion position determined for that target sub-check value in the target data packet.
Illustratively, take the target RAND value as 169, the check value as the eight-bit binary number 10101001 divided into 101, 010 and 01, the data length of the target packet as 10 bits, and M as 3. Selecting the insertion positions according to the above preset formula then gives: 101 is inserted at the head of the packet, 01 is inserted at the tail of the packet, and 010 is inserted between the first bit and the second bit of the target packet, as shown in fig. 7.
104. And the first MEC platform sends the target data packet inserted with the check value to the check equipment.
It should be noted that, to distinguish below between the check value inserted into the target data packet and the check value that the check device determines itself for the first MEC platform, the check value inserted into the target data packet is called the second check value, and the check value determined by the check device itself is called the first check value; likewise, a sub-check value obtained by dividing the second check value according to the preset division mode is a second sub-check value, and a sub-check value obtained by dividing the first check value according to the preset division mode is a first sub-check value.
105. The checking device extracts, according to a third preset rule, the second check value inserted into the target data packet from the target data packet sent by the first MEC platform.
Here the third preset rule corresponds to the first preset rule of step 103; it mainly tells the checking device how to extract from the target data packet the second check value that the first MEC platform inserted according to the first preset rule. For example, the third preset rule may include the insertion position of the second check value in the target packet and the data length of the check value; of course, other contents are also possible, as long as the checking device can correctly extract the second check value.
Optionally, as shown in fig. 4, corresponding to the contents of steps 1031 and 1032, step 105 specifically includes:
105A. The checking device extracts, according to the preset division mode and a fourth preset rule, the second preset number of second sub-check values inserted into the target data packet.
The preset division mode is the mode the first MEC platform used to divide the second check value into the second preset number of second sub-check values; the fourth preset rule corresponds to the second preset rule, which is the rule the first MEC platform used to insert the second preset number of second sub-check values into the target data packet. For example, the fourth preset rule may be the second preset rule itself, or may be the length and insertion position of each second sub-check value; it suffices that the checking device can determine from the preset division mode how each second sub-check value is formed and can then, according to the fourth preset rule, extract each second sub-check value from the target data packet.
106. The checking device judges whether the second check value is the same as the first check value that it determined itself for the first MEC platform.
When it determines that the second check value and the first check value are the same, step 107 (1071 or 1072) is executed; when it determines that they are different, step 108 is executed.
In one implementation, referring to fig. 8, 106 specifically includes 1061 and 1062:
1061. The checking device divides the first check value into a second preset number of first sub-check values according to the preset division mode.
1062. The checking device judges whether the target second sub-check value is the same as the target first sub-check value.
When the checking device determines that the target second sub-check value is the same as the target first sub-check value, it determines that the second check value is the same as the first check value, and then executes 107; when it determines that the target second sub-check value is different from the target first sub-check value, it determines that the second check value is different from the first check value, and then executes 108.
The target second sub-verification value is any one of the second sub-verification values, and the target first sub-verification value is any one of the first sub-verification values; the position of the target second sub-verification value in the second verification value is the same as the position of the target first sub-verification value in the first verification value. For example, taking the first parity value being 101001000 and being divided into three first sub-parity values 101, 001, and 000, and the second parity value being 101001000 and being divided into three second sub-parity values 101, 001, and 000 as an example, the first sub-parity value 001 occupies three positions of 3, 4, and 5 in the first parity value, and the second sub-parity value 001 occupies three positions of 3, 4, and 5 in the second parity value, and then the position of the first sub-parity value in the first parity value and the position of the second sub-parity value in the second parity value can be considered to be the same.
It should be noted that, when step 103 includes 1031 to 1032, step 105 is 105A, and step 106 includes 1061 to 1062, then on the one hand, because each sub-check value is shorter than the complete check value, the check module can detect quickly: as soon as it finds that some sub-check value does not match the corresponding sub-check value it determined beforehand, it treats the data as abnormal and does not process the remaining sub-check values, which improves detection efficiency for abnormal data. On the other hand, the sub-check values are inserted at different positions in the target data packet, so an attacker would need to know the content and the position of every sub-check value to forge or tamper with the data, which increases the difficulty of forging or tampering with the target data packet. Meanwhile, the length of the whole check value is unchanged, so checking accuracy is not affected.
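The following is an added example, not code from the patent, that carries steps 102, 1031, 10322, 105A and 1061/1062 through on a bit-string packet using the page's own worked values (RAND 169, check value 10101001 split into 101, 010 and 01, a 10-bit packet). The page gives the insertion-position formula only as an image, so positions are passed in explicitly; the position list [0, 1, 10] is taken from the page's example and the 8-bit output width of the hashed mode is an assumption.

```python
import hashlib

# Added example (not code from the patent). Packets and check values are
# handled as strings of "0"/"1" so that the page's worked example stays readable.
# ASSUMPTION: the insertion-position formula is not on the page in text form, so
# the caller supplies the positions (P1..PN) that both sides have computed.


def derive_check_value(rand: int, mode: str = "raw", width: int = 8) -> str:
    """Step 102: turn the target RAND value into a check value.
    'raw' uses the RAND value itself; 'sha256' hashes it (the page only says
    'secure hash algorithm'; taking the top `width` bits is an assumption)."""
    if mode == "raw":
        return format(rand, f"0{width}b")
    if mode == "sha256":
        digest = hashlib.sha256(rand.to_bytes(4, "big")).digest()
        return format(int.from_bytes(digest, "big") >> (256 - width), f"0{width}b")
    raise ValueError(f"unknown check-value mode {mode!r}")


def split_check_value(bits: str, count: int, round_up: bool = False) -> list:
    """Step 1031, first division mode: the leading count-1 sub-check values get
    len(bits)/count bits (rounded down, or up if round_up); the last takes the rest."""
    if count < 1 or count > len(bits):
        raise ValueError("second preset number must be between 1 and the check-value length")
    each = -(-len(bits) // count) if round_up else len(bits) // count
    subs = [bits[i * each:(i + 1) * each] for i in range(count - 1)]
    subs.append(bits[(count - 1) * each:])
    if any(len(s) == 0 for s in subs):
        raise ValueError("division leaves an empty sub-check value")
    return subs


def insert_sub_values(packet: str, subs: list, positions: list) -> str:
    """Step 10322: positions[n] is Pn, the offset in the ORIGINAL packet before
    which the nth sub-check value is placed; Pn == len(packet) means after the tail.
    Strictly increasing positions guarantee at least one data bit between any two
    sub-check values, i.e. that no two of them are consecutive."""
    if len(subs) != len(positions) or positions != sorted(set(positions)):
        raise ValueError("positions must be strictly increasing, one per sub-check value")
    if positions and (positions[0] < 0 or positions[-1] > len(packet)):
        raise ValueError("position outside the packet")
    out, cursor = [], 0
    for sub, pos in zip(subs, positions):
        out.append(packet[cursor:pos])
        out.append(sub)
        cursor = pos
    out.append(packet[cursor:])
    return "".join(out)


def extract_sub_values(marked: str, lengths: list, positions: list) -> tuple:
    """Step 105A on the checking device: undo the insertion using the same
    positions (fourth preset rule) and the sub-check-value lengths (division mode).
    Returns (sub-check values, original packet payload)."""
    subs, data, cursor, shift = [], [], 0, 0
    for length, pos in zip(lengths, positions):
        start = pos + shift           # earlier insertions shift later positions
        data.append(marked[cursor:start])
        subs.append(marked[start:start + length])
        cursor, shift = start + length, shift + length
    data.append(marked[cursor:])
    return subs, "".join(data)


def compare_sub_values(received: list, expected: list) -> tuple:
    """Steps 1061/1062: compare sub-check value by sub-check value and stop at the
    first mismatch. Returns (all match, index of first mismatch or values compared)."""
    if len(received) != len(expected):
        return False, 0
    for i, (got, exp) in enumerate(zip(received, expected)):
        if got != exp:
            return False, i           # remaining sub-check values are not processed
    return True, len(expected)


def check_packet(marked: str, rand: int, count: int, positions: list,
                 round_up: bool = False) -> tuple:
    """The checking device's work for one packet: rebuild the first check value
    from RAND, extract the second one, compare. Returns (accepted, payload)."""
    expected = split_check_value(derive_check_value(rand), count, round_up)
    received, payload = extract_sub_values(marked, [len(s) for s in expected], positions)
    ok, _ = compare_sub_values(received, expected)
    return ok, (payload if ok else None)   # step 108: a mismatch drops the packet


if __name__ == "__main__":
    # Constructed sample: RAND 169 -> 10101001 -> 101, 010, 01; a 10-bit payload.
    payload, positions = "0110011001", [0, 1, 10]
    subs = split_check_value(derive_check_value(169), 3, round_up=True)
    marked = insert_sub_values(payload, subs, positions)
    print(marked, check_packet(marked, 169, 3, positions, round_up=True))
    tampered = marked[:4] + ("1" if marked[4] == "0" else "0") + marked[5:]
    print(check_packet(tampered, 169, 3, positions, round_up=True))
```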
When the checking device is disposed in the core network as shown in fig. 1, then as shown in fig. 3, step 107 is:
1071. The checking device performs the corresponding processing according to the content of the target data packet.
When the checking device is a device independent of the core network as shown in fig. 2, then as shown in fig. 4, step 107 is:
1072. The checking device sends the target data packet to the core network so that the core network processes it.
108. The checking device discards the target data packet.
Optionally, in order to deal in time with an MEC platform that may be faulty or illegally used, referring to fig. 4, after step 108 the method further includes steps 109 and 110:
109. The checking device sends an exception instruction to the MEPM; the exception instruction is at least used to indicate that the target data packet sent by the first MEC platform to the checking device is abnormal.
Since there may be several first MEC platforms, the first MEC platform to which the exception instruction refers is called the second MEC platform, to single out the first MEC platform that the MEPM has to deal with.
110. After receiving the exception instruction sent by the checking device, the MEPM executes the exception handling operation corresponding to the second MEC platform according to the exception instruction.
In an optional implementation, referring to fig. 9, in order to avoid acting on an exception instruction that is merely an isolated event while the MEC platform it refers to is actually in a normal state, step 110 specifically includes:
1101. The MEPM judges whether the number of exception instructions sent by the checking device within a preset time period is larger than a first threshold.
When the MEPM determines that the number of received exception instructions sent by the checking device is larger than the first threshold, the MEPM executes 1102; when it determines that the number is not larger than the first threshold, the MEPM does nothing.
For example, the preset time period may be one hour, and the first threshold may be 50.
1102. The MEPM judges whether the number of exception instructions sent by the checking device within the preset time period is larger than a second threshold.
When the MEPM determines that the number of received exception instructions sent by the checking device is larger than the second threshold, 1104 is executed; when it determines that the number is not greater than the second threshold, 1103 is executed. Illustratively, the second threshold may be 500.
It should be noted that, when the number of exceptional instructions is equal to the first threshold, this situation may be placed in a category where the number of exceptional instructions is greater than the first threshold, that is, when the number of exceptional instructions is equal to the first threshold, the step 1102 may be executed, or this situation may be placed in a category where the number of exceptional instructions is less than the first threshold, that is, the example in the above embodiment; the same applies when the number of exceptional instructions equals the second threshold.
1103. The MEPM performs a first operation corresponding to a second MEC platform.
Wherein the first operation includes at least: and sending alarm information for indicating that the second MEC platform is abnormal to an operation and maintenance terminal corresponding to the second MEC platform.
1104. The MEPM performs a second operation corresponding to a second MEC platform.
Here the second operation includes at least one or more of: sending the second MEC platform an offline instruction instructing it to go offline, and sending the second MEC platform a rate-limiting instruction instructing it to limit its data transmission rate to below a preset rate.
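The MEPM side of steps 1101 to 1104, as an added example that is not the patent's own code: it counts the exception instructions received about each second MEC platform within the preset time period and picks the operation to run, using the page's example values (one hour, 50, 500). Whether the period is a sliding or a fixed window is not stated on the page; a sliding window over the instruction timestamps is assumed here, and the treatment of a count exactly equal to a threshold is configurable as the note after 1102 allows.

```python
from collections import defaultdict, deque

# Added example (not code from the patent). Page example values:
WINDOW_SECONDS = 3600     # preset time period: one hour
FIRST_THRESHOLD = 50      # above this: first operation (alarm to the O&M terminal)
SECOND_THRESHOLD = 500    # above this: second operation (offline / rate-limit instruction)
# ASSUMPTION: sliding window over received timestamps; timestamps arrive in order.


class ExceptionTracker:
    """Counts exception instructions per second MEC platform and decides which
    exception handling operation the MEPM should execute (steps 1101-1104)."""

    def __init__(self, window=WINDOW_SECONDS, first=FIRST_THRESHOLD,
                 second=SECOND_THRESHOLD, equal_counts_as_greater=False):
        if not 0 < first < second:
            raise ValueError("thresholds must satisfy 0 < first < second")
        self.window, self.first, self.second = window, first, second
        # Note after 1102: a count equal to a threshold may be placed in either class.
        self.equal_counts_as_greater = equal_counts_as_greater
        self._events = defaultdict(deque)   # platform id -> timestamps inside the window

    def _exceeds(self, count, threshold):
        return count >= threshold if self.equal_counts_as_greater else count > threshold

    def decide(self, count):
        """Steps 1101/1102 applied to a count: 'none', 'first_operation' or
        'second_operation'."""
        if not self._exceeds(count, self.first):
            return "none"                   # 1101: not above the first threshold
        if self._exceeds(count, self.second):
            return "second_operation"       # 1104
        return "first_operation"            # 1103

    def record(self, platform_id, timestamp):
        """Register one exception instruction from the checking device about
        platform_id at `timestamp` (seconds) and return the operation to run now."""
        events = self._events[platform_id]
        events.append(timestamp)
        while events and timestamp - events[0] >= self.window:
            events.popleft()                # instructions older than the period age out
        return self.decide(len(events))

    def count(self, platform_id):
        return len(self._events[platform_id])
```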
To summarise the foregoing embodiment, the network security protection method provided in the present application includes the following. The MEPM acquires a first preset number of different RAND values corresponding to a first preset number of MEC platforms, where every RAND value is an integer greater than zero. For any MEC platform it manages (the first MEC platform), the MEPM sends the target RAND value corresponding to that platform to the first MEC platform and to the check device arranged on the core network side; because the MEPM may manage several MEC platforms, it also sends the check device the correspondence between the target RAND value and the first MEC platform. After receiving the target RAND value, the first MEC platform and the check device determine a check value in the same way. When the first MEC platform sends a target data packet that needs to be processed by the core network to the check device, it inserts the determined check value into the packet according to a first preset rule; on receiving the packet, the check device extracts the inserted check value according to a third preset rule corresponding to the first preset rule and judges whether the extracted check value (the second check value) is the same as the check value it determined itself for the first MEC platform (the first check value). If the two differ, the check device discards the target data packet.
In the technical solution provided in the present application, the MEPM sends a different RAND value to each MEC platform it manages, so that each MEC platform determines a different check value, and sends every RAND value together with its correspondence to an MEC platform to the check device arranged on the core network side, so that the check device can determine the check value corresponding to each MEC platform. Every target data packet that an MEC platform sends for processing by the core network therefore reaches the check device carrying the check value that the MEC platform determined, and the check device can compare the check value extracted from the packet with the one it determined itself. If the two check values differ, the MEC platform evidently has a problem, and the check device discards the target data packet instead of forwarding it to the core network. This addresses the problems of an illegal user launching DoS attacks and other illegal operations against the core network through an MEC platform, and of an attacker forging or tampering with data via an MEC platform so as to send abnormal messages to the core network and cause, for example, false call tickets; it thereby ensures the authenticity of the data that the MEC platform sends to the core network, so the technical solution provided by the application can effectively prevent external DoS attacks on the core network.
In order to better implement the network security protection method provided by the above embodiment, the present application further provides a network security protection system, which includes an MEPM01, an MEC platform 02, and a verification device 03; when the verification device 03 is a certain network element on the core network, the system architecture thereof is shown in fig. 1, and when the verification device 03 is an independent device, the system architecture formed by the verification device and the core network is shown in fig. 2.
Referring to fig. 10, the present application further provides a schematic diagram of a possible structure of the MEPM01 in the system architecture shown in fig. 1 and 2, where the MEPM01 includes an acquiring module 011 and a transmitting module 012.
An obtaining module 011 configured to obtain a first preset number of different random RAND values; the first preset number is the number of MEC platforms managed by the MEPM; the RAND values correspond to the MEC platforms one to one; all RAND values are integers greater than zero.
A sending module 012, configured to send a target random RAND value to the first multi-access edge computing MEC platform 06 and the checking device 03 disposed on the core network side, and send a corresponding relationship between the target random RAND value and the first MEC platform 06 to the checking device 03; the first MEC platform 06 is any one of the MEC platforms managed by the MEPM 01; the target RAND value is a RAND value corresponding to the first MEC platform 06 of the first preset number of RAND values acquired by the acquisition module 011.
Optionally, referring to fig. 10, the obtaining module 011 is specifically configured to: send a target request to the RAND generator 05, the target request being at least for requesting a first preset number of different RAND values from the RAND generator 05, where the first preset number is the number of MEC platforms managed by the MEPM 01; and receive the RAND values sent by the RAND generator 05.
Of course, in practice, the sending function in the obtaining module 011 can be executed by the sending module 012, which is only an example of one implementation.
Optionally, as shown with reference to fig. 10, the MEPM01 further includes a processing module 013;
the obtaining module 011 is further configured to receive an abnormal instruction sent by the verification device 03; the abnormal instruction is at least used for indicating that a target data packet which is sent by the second MEC platform 07 to the verification device 03 and needs to be processed by the core network has an abnormality; the second MEC platform 07 is any one of the first MEC platforms 06;
the processing module 013 is further configured to execute an exception handling operation corresponding to the second MEC platform 07 according to the exception instruction received by the obtaining module 011.
Optionally, the processing module 013 is specifically configured to:
when the number of exception instructions received by the obtaining module 011 within a preset time period is greater than a first threshold and smaller than a second threshold, executing a first operation corresponding to the second MEC platform 07; the first operation includes at least: controlling the sending module 012 to send alarm information, indicating that the second MEC platform 07 is abnormal, to the operation and maintenance terminal 08 corresponding to the second MEC platform 07;
when the number of exception instructions received by the obtaining module 011 within the preset time period is greater than the second threshold, executing a second operation corresponding to the second MEC platform 07; the second operation includes at least one or more of: controlling the sending module 012 to send the second MEC platform 07 an offline instruction instructing it to go offline, and controlling the sending module 012 to send the second MEC platform 07 a rate-limiting instruction instructing it to limit its data transmission rate to below the preset rate.
Optionally, referring to fig. 10, the MEPM01 further includes a storing module 014 for storing the RAND value received by the acquiring module 011.
Referring to fig. 11, the present application further provides a schematic diagram of a possible structure of an MEC platform 02 in the system architecture shown in fig. 1 and 2, where the MEC platform 02 includes: a receiving module 021, a processing module 022, and a transmitting module 023.
Wherein, the receiving module 021 is configured to receive the target random RAND value sent by the MEPM01 that manages the MEC platform 02; the target RAND value is an integer greater than zero; a processing module 022, configured to determine a check value according to the target RAND value received by the receiving module 021; the processing module 022 is further configured to insert the check value into a target data packet that needs to be processed by the core network according to a first preset rule; a sending module 023, configured to send the target data packet into which the check value is inserted by the processing module 022 to the checking device 03 disposed on the core network side.
Optionally, the MEC platform 02 may further include a storage module 024 configured to store the target RAND value received by the receiving module 021 and the check value determined by the processing module 022.
Optionally, the processing module 022 is specifically configured to determine the target RAND value received by the receiving module 021 as a check value.
Optionally, the processing module 022 is specifically configured to: encrypting the target RAND value received by the receiving module 021 by using a preset encryption algorithm; the preset encryption algorithm is at least one of the following algorithms: a message digest algorithm, a secure hash algorithm; and determining the encrypted target RAND value as a check value.
Optionally, the processing module 022 is specifically configured to: dividing the check value into a second preset number of sub-check values according to a preset dividing mode; and inserting the second preset number of sub-check values into different positions of the target data packet according to a second preset rule.
Further optionally, the processing module 022 is specifically configured to: determining the insertion position of each sub-check value in the target data packet according to the data length of the target data packet and the RAND value received by the receiving module 021; the insertion position of the target sub-verification value in the target data packet meets a preset formula; the target sub-check value is any one of a second preset number of sub-check values; the preset formula is as follows:
[Formula image BDA0002358628260000171; the formula itself is not reproduced in the text]
where Pn is the distance between the insertion position of the nth sub-check value in the target data packet and the head of the target data packet, Dleng is the data length of the target data packet, R is the RAND value, M is a preset offset, and N is the second preset number; n is an integer greater than 0 and not greater than N;
and inserting the target sub-verification value into the insertion position of the corresponding target sub-verification value in the target data packet.
Optionally, the receiving module 021 is further configured to receive a control instruction sent by the MEPM01, and the processing module 022 is further configured to execute a corresponding operation according to the control instruction received by the receiving module 021; the control instruction is at least any one or more of the following: the device comprises an offline instruction used for indicating the MEC platform 02 to be offline, and a current limiting instruction used for indicating the MEC platform 02 to limit the self data transmission rate below a preset rate.
Referring to fig. 12, the present application further provides a schematic diagram of a possible structure of a verification device 03 in the system architecture shown in fig. 1 and fig. 2, where the verification device 03 includes: a receiving module 031, a processing module 032, and a determining module 033.
Here the receiving module 031 is configured to receive the target RAND value sent by the MEPM 01 and the correspondence between the target RAND value and the first MEC platform 06; the first MEC platform 06 is an MEC platform managed by the MEPM 01; the target RAND value is an integer greater than zero. A processing module 032 is configured to determine a first check value corresponding to the first MEC platform 06 according to the target RAND value received by the receiving module 031. The receiving module 031 is further configured to receive a target data packet that needs to be processed by the core network and is sent by the first MEC platform 06; the processing module 032 is further configured to extract, from the target data packet received by the receiving module 031 and according to a first preset rule, the second check value inserted into the target data packet, the first preset rule being the rule used by the first MEC platform 06 to insert the second check value into the target data packet. A judging module 033 is configured to judge whether the second check value extracted by the processing module 032 is the same as the first check value determined by the processing module 032; when the judging module 033 determines that the second check value is different from the first check value, the processing module 032 is configured to discard the target data packet received by the receiving module 031.
Optionally, the verifying device 03 may further include a storing module 034, configured to store the target RAND value received by the receiving module 031, and the first verification value corresponding to the first MEC platform 06 and determined by the processing module 032.
Optionally, the processing module 032 is specifically configured to determine the target RAND value received by the receiving module 031 as a first check value corresponding to the first MEC platform 06.
Optionally, the processing module 032 is specifically configured to: encrypting the target RAND value received by the receiving module 031 by using a preset encryption algorithm; the preset encryption algorithm is at least one of the following algorithms: a message digest algorithm, a secure hash algorithm; and determining the encrypted target RAND value as a first check value corresponding to the first MEC platform 06.
Optionally, the processing module 032 is specifically configured to: extracting a second preset plurality of second sub-verification values inserted into the target data packet from the target data packet received by the receiving module 031 according to a preset partition manner and a fourth preset rule; the preset segmentation mode is a segmentation mode adopted when the first MEC platform 06 segments the second check value into a second preset plurality of second sub-check values; the fourth preset rule corresponds to a second preset rule, and the second preset rule is a rule adopted when the first MEC platform 06 inserts a second preset plurality of second sub-verification values into the target data packet.
Optionally, the determining module 033 is specifically configured to: dividing the first check value determined by the processing module 032 into a second preset plurality of first sub-check values according to a preset dividing manner;
when it is determined that the target second sub-parity value is different from the target first sub-parity value, determining that the second parity value extracted by processing module 032 is different from the first parity value determined by processing module 032; the target second sub-verification value is any one of the second sub-verification values, and the target first sub-verification value is any one of the first sub-verification values; the position of the target second sub-verification value in the second verification value is the same as the position of the target first sub-verification value in the first verification value.
Optionally, the verification device 03 further includes a sending module 035;
when the judging module 033 determines that the second check value extracted by the processing module 032 is different from the first check value determined by the processing module 032, the sending module 035 is configured to send an exception instruction to the MEPM 01; the exception instruction is at least used to indicate that the target data packet sent by the first MEC platform 06 to the verification device 03 is abnormal.
The network security protection system provided by the application includes the MEPM, the MEC platform (first MEC platform) and the check device of the above embodiments, and operates as follows. The MEPM acquires a first preset number of different RAND values corresponding to a first preset number of MEC platforms, where every RAND value is an integer greater than zero. For any MEC platform it manages (the first MEC platform), the MEPM sends the target RAND value corresponding to that platform to the first MEC platform and to the check device arranged on the core network side; because the MEPM may manage several MEC platforms, it also sends the check device the correspondence between the target RAND value and the first MEC platform. After receiving the target RAND value, the first MEC platform and the check device determine a check value in the same way. When the first MEC platform sends a target data packet that needs to be processed by the core network to the check device, it inserts the determined check value into the packet according to a first preset rule; on receiving the packet, the check device extracts the inserted check value according to a third preset rule corresponding to the first preset rule and judges whether the extracted check value (the second check value) is the same as the check value it determined itself for the first MEC platform (the first check value). If the two differ, the check device discards the target data packet.
Illustratively, when the network security protection system of the foregoing embodiment is deployed in an operator's 5G networking architecture, taking the case where the check device and the RAND generator are separate devices as an example, the specific networking architecture is as shown in fig. 13. The architecture comprises the operator's management domain and service domain. The management domain consists mainly of the operator's unified portal (Portal) and the various systems that support the operator's service operations; the service domain consists mainly of the 5G core (5GC) and the edge network, where the edge network hosts the corresponding MEC platform (MEP) and a User Plane Function (UPF) of the 5G core network deployed down to the edge. The RAND generator of the network security protection system is located in the 5G core network, and the check device is likewise located on the 5G core network side as an independent functional module; in addition, both the check device and the MEP contain a check value generation module that determines/generates a check value from the RAND value sent by the MEPM, and this check value generation module may be the processing module of the foregoing embodiments.
The terms appearing in FIG. 13 are briefly explained as follows:
OSS: operation support system; provides operators with operation support and readiness, service fulfilment, service assurance, service metering and similar functions.
BSS: business support system; provides operators with charging, settlement, accounting, customer service, business and similar functions.
MEAO: multi-access edge application orchestrator; manages the on-boarding of mobile edge application packages, orchestrates resources across edge data centres (DCs), selects appropriate mobile edge hosts for application instantiation, and triggers application instantiation, termination and relocation over the corresponding reference points.
NFVO: network functions virtualisation orchestrator; manages the life cycle of network services (NS), coordinates NS life cycle management, coordinates life cycle management of virtual network function (VNF) network elements, and coordinates management of the various resources of the network functions virtualisation infrastructure (NFVI), so as to ensure optimal configuration of the required resources and connections.
EMS: element management system; manages one or more telecommunication network elements (NEs) of a specific type in an operator's network.
VNFM: virtualised network function manager; manages virtualised network function network elements.
VIM: virtualised infrastructure manager; manages the NFVI, mainly the allocation and management of NFVI resources, resource monitoring and fault reporting.
IaaS: infrastructure as a service; a service model in which IT infrastructure is provided as a service over the network and charged according to the amount of resources a user actually uses or occupies.
Local APP: local application, generally an application of the MEC platform itself.
3rd APP: third-party application, generally provided by a third party other than the operator and the user, such as a live video application.
NEF: network exposure function; mainly collects, analyses and recombines 5G network capabilities and exposes them externally.
UDM: unified data management entity; its main functions are: 1) generating 3GPP authentication credentials/authentication parameters; 2) storing and managing the 5G system's permanent subscriber identifier (SUPI); 3) subscription management; 4) MT-SMS delivery; 5) SMS management; 6) registration management of the network elements serving the user (such as the AMF (access and mobility management function) and SMF currently serving the terminal).
PCF: policy control function entity; supports a unified policy framework to govern network behaviour, provides policy rules to network entities for enforcement, and accesses subscription information in the unified data repository (UDR); a PCF can only access a UDR in the same PLMN (public land mobile network) as itself.
SMF: session management function entity; handles control plane signalling interaction with the MEP.
UPF: user plane function; handles user plane data interaction with the MEP.
Referring to fig. 14, the application further provides a network security protection device comprising a memory 41, a processor 42, a bus 43 and a communication interface 44. The memory 41 stores computer-executable instructions, and the processor 42 is connected to the memory 41 through the bus 43; when the network security protection device is running, the processor 42 executes the computer-executable instructions stored in the memory 41 so that the device performs the network security protection method of the above embodiments. The network security protection device may, for example, be the MEPM, the MEC platform or the check device of the above embodiments: the memory 41 may implement the function of a storage module in the MEPM, MEC platform or check device; the processor 42 may implement the function of the processing module in the MEPM, MEC platform or check device and of the judging module in the check device; and the communication interface 44 together with the bus 43 may implement the functions of the receiving module and sending module in the MEPM, MEC platform or check device.
In a specific implementation, as one embodiment, the processor 42 (42-1 and 42-2) may include one or more CPUs, such as CPU0 and CPU1 shown in fig. 14. Also as an example, the network security protection device may include a plurality of processors 42, such as processor 42-1 and processor 42-2 shown in fig. 14. Each processor 42 may be a single-core processor (single-CPU) or a multi-core processor (multi-CPU). Processor 42 here may refer to one or more devices, circuits and/or processing cores for processing data (for example, computer program instructions).
The memory 41 may be, but is not limited to, a read-only memory (ROM) or other static storage device that can store static information and instructions, a random access memory (RAM) or other dynamic storage device that can store information and instructions, an electrically erasable programmable read-only memory (EEPROM), a compact disc read-only memory (CD-ROM) or other optical disc storage (including compact disc, laser disc, optical disc, digital versatile disc, Blu-ray disc, etc.), a magnetic disk storage medium or other magnetic storage device, or any other medium that can carry or store the desired program code in the form of instructions or data structures and can be accessed by a computer. The memory 41 may be self-contained and coupled to the processor 42 via the bus 43, or it may be integrated with the processor 42.
In a specific implementation, the memory 41 stores the data of the application and the computer-executable instructions corresponding to the software programs that carry out the application. The processor 42 performs the various functions of the network security protection device by running or executing the software programs stored in the memory 41 and invoking the data stored in the memory 41.
The communication interface 44 is any device, such as a transceiver, for communicating with other devices or communication networks, such as a control system, a radio access network (RAN) or a wireless local area network (WLAN). The communication interface 44 may include a receiving unit that implements the receiving function and a sending unit that implements the sending function.
The bus 43 may be an industry standard architecture (ISA) bus, a peripheral component interconnect (PCI) bus, an extended ISA (EISA) bus, or the like. The bus 43 may be divided into an address bus, a data bus, a control bus, etc. For ease of illustration only one thick line is shown in fig. 14, but this does not mean that there is only one bus or one type of bus.
The present application also provides a computer-readable storage medium comprising computer-executable instructions which, when executed on a computer, cause the computer to perform the network security protection method of the above embodiments.
The present application also provides a computer program that can be loaded directly into a memory and contains software code; once loaded and executed by a computer, it implements the network security protection method of the above embodiments.
Those skilled in the art will recognize that, in one or more of the examples described above, the functions described in this invention may be implemented in hardware, software, firmware, or any combination thereof. When implemented in software, the functions may be stored on or transmitted over as one or more instructions or code on a computer-readable medium. Computer-readable media includes both computer-readable storage media and communication media including any medium that facilitates transfer of a computer program from one place to another. A storage media may be any available media that can be accessed by a general purpose or special purpose computer.
Through the above description of the embodiments, it is clear to those skilled in the art that, for convenience and simplicity of description, the foregoing division of the functional modules is merely used as an example, and in practical applications, the above function distribution may be completed by different functional modules according to needs, that is, the internal structure of the device may be divided into different functional modules to complete all or part of the above described functions.
In the several embodiments provided in the present application, it should be understood that the disclosed apparatus and method may be implemented in other ways. For example, the apparatus embodiments described above are merely illustrative: the division into modules or units is only a division by logical function, and other divisions may be used in practice; several units or components may be combined or integrated into another apparatus, and some features may be omitted or not implemented. In addition, the mutual coupling, direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection through some interfaces, apparatuses or units, and may be electrical, mechanical or of another form. Units described as separate parts may or may not be physically separate, and parts shown as units may be one physical unit or several physical units, located in one place or distributed over several different places. Some or all of the units may be selected according to actual needs to achieve the purpose of the embodiment.
In addition, the functional units in the embodiments of the present application may be integrated into one processing unit, each unit may exist physically alone, or two or more units may be integrated into one unit. The integrated unit may be implemented in hardware or as a software functional unit. If implemented as a software functional unit and sold or used as a stand-alone product, the integrated unit may be stored in a readable storage medium. On this understanding, the technical solutions of the embodiments of the present application, or the part of them that contributes over the prior art, or all or part of the technical solutions, may be embodied in the form of a software product stored in a storage medium and comprising several instructions for causing a device (which may be a single-chip microcomputer, a chip, or the like) or a processor to execute all or part of the steps of the methods of the embodiments of the present application. The aforementioned storage medium includes various media capable of storing program code, such as a USB flash drive, a removable hard disk, a ROM, a RAM, a magnetic disk or an optical disc.
The above description is only for the specific embodiments of the present invention, but the scope of the present invention is not limited thereto, and any changes or substitutions that can be easily conceived by those skilled in the art within the technical scope of the present invention are included in the scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.

Claims (20)

1. A network security protection method is applied to a check device arranged at a core network side, and is characterized by comprising the following steps:
receiving a target random RAND value sent by a multi-access edge computing platform manager (MEPM) and a corresponding relation between the target RAND value and a first MEC platform; the first MEC platform is any one of the MEC platforms managed by the MEPM; the target RAND value is an integer greater than zero;
determining a first check value corresponding to the first MEC platform according to the target RAND value;
receiving a target data packet which is sent by the first MEC platform and needs to be processed by a core network;
extracting a second check value inserted into the target data packet from the target data packet according to a third preset rule; the third preset rule corresponds to a first preset rule, and the first preset rule is a rule used when the first MEC platform inserts the second check value into the target data packet;
judging whether the second check value is the same as the first check value or not;
discarding the target data packet when it is determined that the second check value is different from the first check value.
2. The method of claim 1, wherein determining the first check value corresponding to the first MEC platform according to the target RAND value comprises:
determining the target RAND value as the first check value corresponding to the first MEC platform;
or,
encrypting the target RAND value with a preset encryption algorithm and determining the encrypted target RAND value as the first check value corresponding to the first MEC platform; the preset encryption algorithm is at least any one of the following: a message digest algorithm, a secure hash algorithm.
3. The network security protection method according to claim 2, wherein extracting the second check value inserted into the target data packet according to the third preset rule comprises:
extracting a second preset plurality of second sub-check values inserted into the target data packet from the target data packet according to a preset segmentation mode and a fourth preset rule; the preset segmentation mode is a segmentation mode adopted when the first MEC platform segments the second check value into a second preset plurality of second sub-check values; the fourth preset rule corresponds to a second preset rule, and the second preset rule is a rule adopted when the first MEC platform inserts the second preset plurality of second sub-check values into the target data packet.
4. The network security protection method of claim 3, wherein the determining whether the second check value is the same as the first check value comprises:
dividing the first check value into a second preset plurality of first sub-check values according to the preset dividing mode;
when the target second sub-verification value is different from the target first sub-verification value, determining that the second verification value is different from the first verification value; the target second sub-verification value is any one of the second sub-verification values, and the target first sub-verification value is any one of the first sub-verification values; the position of the target second sub-verification value in the second verification value is the same as the position of the target first sub-verification value in the first verification value.
5. The network security protection method according to claim 1, further comprising:
sending an exception instruction to the MEPM when it is determined that the second check value is different from the first check value; the exception instruction is at least used for indicating that the target data packet sent by the first MEC platform to the checking equipment has an exception.
6. A network security protection method is applied to a multi-access edge computing platform manager (MEPM), and is characterized by comprising the following steps:
acquiring a first preset number of different random RAND values; the first preset number is the number of MEC platforms managed by the MEPM; the RAND values correspond to the MEC platforms one to one; all of the RAND values are integers greater than zero;
sending a target RAND value to a first multi-access edge computing MEC platform and a checking device arranged on a core network side, and sending a corresponding relation between the target RAND value and the first MEC platform to the checking device; the first MEC platform is any one of the MEC platforms managed by the MEPM; the target RAND value is a RAND value corresponding to the first MEC platform among the first preset number of RAND values.
7. The method of claim 6, wherein obtaining the first predetermined number of different RAND values comprises:
sending a target request to the RAND generator; the target request is at least for requesting a first preset number of different RAND values from the RAND generator;
receiving a first preset number of RAND values sent by the RAND generator.
8. The network security protection method of claim 6, further comprising: receiving an exception instruction sent by the check device; the exception instruction is at least used for indicating that a target data packet that needs to be processed by the core network and is sent by a second MEC platform to the check device is abnormal; the second MEC platform is any one of the first MEC platforms;
and executing an exception handling operation corresponding to the second MEC platform according to the exception instruction.
9. The network security protection method of claim 8, wherein executing the exception handling operation corresponding to the second MEC platform according to the exception instruction comprises:
when the number of exception instructions received within a preset time period is greater than a first threshold and smaller than a second threshold, executing a first operation corresponding to the second MEC platform; the first operation at least includes: sending alarm information indicating that the second MEC platform is abnormal to the operation and maintenance terminal corresponding to the second MEC platform;
when the number of exception instructions received within the preset time period is greater than the second threshold, executing a second operation corresponding to the second MEC platform; the second operation at least includes any one or more of the following: sending an offline instruction instructing the second MEC platform to go offline to the second MEC platform, and sending a rate-limiting instruction instructing the second MEC platform to limit its data transmission rate to below a preset rate.
10. A network security protection method is applied to a multi-access edge computing MEC platform and is characterized by comprising the following steps:
receiving a target random RAND value sent by a multi-access edge computing platform manager (MEPM) for managing the MEC platform; the target RAND value is an integer greater than zero;
determining a check value according to the target RAND value;
inserting the check value into a target data packet needing to be processed by a core network according to a first preset rule;
and sending the target data packet inserted with the check value to check equipment arranged at a core network side.
11. The network security protection method of claim 10, wherein the determining a check value according to the target RAND value comprises:
determining the target RAND value as a check value;
or,
encrypting the target RAND value by using a preset encryption algorithm, and determining the encrypted RAND value as a check value; the preset encryption algorithm is at least any one of the following algorithms: message digest algorithm, secure hash algorithm.
12. The network security protection method according to claim 11, wherein the inserting the check value into the target data packet that needs to be processed by the core network according to the first preset rule comprises:
dividing the check value into a second preset number of sub-check values according to a preset dividing mode;
and inserting the second preset number of sub-check values into different positions of the target data packet according to a second preset rule.
13. The network security protection method according to claim 12, wherein inserting the second preset number of sub-check values into different positions of the target data packet according to the second preset rule comprises:
determining the insertion position of each sub-check value in the target data packet according to the target RAND value and the data length of the target data packet; the insertion position of a target sub-check value in the target data packet satisfies a preset formula; the target sub-check value is any one of the second preset number of sub-check values; the preset formula is as follows:
[formula image FDA0002358628250000041, not reproduced in the text of this page]
wherein P_n is the distance between the insertion position of the n-th sub-check value in the target data packet and the data head of the target data packet, D_leng is the data length of the target data packet, R is the target RAND value, M is a preset offset and N is the second preset number; n is an integer greater than 0 and not greater than N;
and inserting the target sub-check value at the insertion position corresponding to it in the target data packet.
14. The network security protection method of claim 10, further comprising:
receiving a control instruction sent by the MEPM and executing the corresponding operation according to the control instruction; the control instruction is at least any one or more of the following: an offline instruction instructing the MEC platform to go offline, and a rate-limiting instruction instructing the MEC platform to limit its own data transmission rate to below a preset rate.
15. A check-up device, the check-up device sets up in the core network side, its characterized in that includes: the device comprises a receiving module, a processing module and a judging module;
the receiving module is used for receiving a target random RAND value sent by a multi-access edge computing platform manager MEPM and a corresponding relation between the target RAND value and a first MEC platform; the first MEC platform is any one of the MEC platforms managed by the MEPM; the target RAND value is an integer greater than zero;
the processing module is configured to determine a first check value corresponding to the first MEC platform according to the target RAND value received by the receiving module;
the receiving module is further configured to receive a target data packet that needs to be processed by the core network and is sent by the first MEC platform;
the processing module is further configured to extract a second check value inserted into the target data packet from the target data packet received by the receiving module according to a third preset rule; the third preset rule corresponds to a first preset rule, and the first preset rule is a rule used when the first MEC platform inserts the second check value into the target data packet;
the judging module is configured to judge whether the second check value extracted by the processing module is the same as the first check value determined by the processing module;
when the judging module determines that the second check value is different from the first check value, the processing module is configured to discard the target data packet received by the receiving module.
16. An MEPM, comprising: the device comprises an acquisition module and a sending module;
the acquisition module is used for acquiring a first preset number of different random RAND values; the first preset number is the number of MEC platforms managed by the MEPM; the RAND values correspond to the MEC platforms one to one; all of the RAND values are integers greater than zero;
the sending module is configured to send a target random RAND value to a first multi-access edge computing MEC platform and a checking device arranged on a core network side, and send a correspondence between the target RAND value and the first MEC platform to the checking device; the first MEC platform is any one of the MEC platforms managed by the MEPM; the target RAND value is a RAND value corresponding to the first MEC platform in the first preset number of RAND values acquired by the acquisition module.
17. An MEC platform, comprising: the device comprises a receiving module, a processing module and a sending module;
the receiving module is configured to receive a target random RAND value sent by the MEPM that manages the MEC platform; the target RAND value is an integer greater than zero;
the processing module is configured to determine a check value according to the target RAND value received by the receiving module;
the processing module is further configured to insert the check value into a target data packet that needs to be processed by the core network according to a first preset rule;
and the sending module is used for sending the target data packet with the check value inserted into the processing module to the check equipment arranged at the core network side.
18. A network safety protection device is characterized by comprising a memory, a processor, a bus and a communication interface; the memory is used for storing computer execution instructions, and the processor is connected with the memory through the bus; when the network security appliance is running, the processor executes the computer-executable instructions stored in the memory to cause the network security appliance to perform the network security method of any one of claims 1-5, or the network security method of any one of claims 6-9, or the network security method of any one of claims 10-14.
19. A computer-readable storage medium, comprising computer-executable instructions, which, when executed on a computer, cause the computer to perform the network security protection method of any one of claims 1 to 5, or the network security protection method of any one of claims 6 to 9, or the network security protection method of any one of claims 10 to 14.
20. A network security protection system comprising a verification device as claimed in claim 15, an MEPM as claimed in claim 16 and an MEC platform as claimed in claim 17.
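The threshold-based exception handling of claims 8, 9 and 14, as an added example in Python that is not part of the patent or its applicant's code: the MEPM counts the exception instructions reported by the check device for each MEC platform inside a sliding time window and escalates from no action, to an alarm to the platform's operation and maintenance terminal, to offline and rate-limiting instructions. The threshold values, the window length and the preset rate are assumptions, as is the reporting of timestamps by the caller; the claim text leaves the case where the count equals the second threshold unspecified, and this example keeps it in the alarm band. The event sequence in replay() is constructed.

```python
from __future__ import annotations

from collections import defaultdict, deque

FIRST_THRESHOLD = 3       # first threshold (assumption)
SECOND_THRESHOLD = 6      # second threshold (assumption)
WINDOW_SECONDS = 60.0     # preset time period (assumption)
PRESET_RATE_MBPS = 50     # preset rate for the rate-limiting instruction (assumption)


class ExceptionHandler:
    """MEPM-side counter of exception instructions per MEC platform over a sliding
    window; returns the control instructions of claims 9 and 14 that should be issued."""

    def __init__(self, first: int = FIRST_THRESHOLD, second: int = SECOND_THRESHOLD,
                 window: float = WINDOW_SECONDS) -> None:
        if not 0 < first < second:
            raise ValueError("thresholds must satisfy 0 < first < second")
        self.first, self.second, self.window = first, second, window
        self._events: dict[str, deque[float]] = defaultdict(deque)

    def on_exception(self, platform_id: str, now: float) -> list[dict]:
        """Record one exception instruction for platform_id received at time `now`
        (seconds) and return the operations triggered by the count inside the window."""
        q = self._events[platform_id]
        q.append(now)
        while q and now - q[0] > self.window:     # forget instructions outside the preset period
            q.popleft()
        n = len(q)
        if n > self.second:                        # second operation: offline and rate-limit
            return [{"type": "offline", "target": platform_id},
                    {"type": "rate_limit", "target": platform_id,
                     "max_rate_mbps": PRESET_RATE_MBPS}]
        if n > self.first:                         # first operation: alarm to the O&M terminal
            # claim 9 reads 'smaller than the second threshold'; n == second is not covered
            # there and is treated as still belonging to the alarm band here (assumption)
            return [{"type": "alarm", "to": f"oam-terminal:{platform_id}",
                     "message": f"{platform_id}: {n} exceptions within {self.window:.0f}s"}]
        return []


def replay(events: list[tuple[str, float]]) -> list[list[str]]:
    """Feed a constructed sequence of (platform_id, timestamp) exception instructions
    through one handler and return the instruction types issued after each one."""
    handler = ExceptionHandler()
    return [[op["type"] for op in handler.on_exception(pid, t)] for pid, t in events]
```

Timestamps are passed in rather than read from the wall clock so the behaviour is reproducible; a real MEPM would stamp each exception instruction with its own monotonic clock on receipt. A practitioner would also persist the decision once an offline or rate-limiting instruction has been sent, so that a platform is not silently restored simply because the window has emptied.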
CN202010015228.3A 2020-01-07 2020-01-07 Network security protection method and system Active CN111182551B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010015228.3A CN111182551B (en) 2020-01-07 2020-01-07 Network security protection method and system


Publications (2)

Publication Number Publication Date
CN111182551A true CN111182551A (en) 2020-05-19
CN111182551B CN111182551B (en) 2022-09-02

Family

ID=70623702


Country Status (1)

Country Link
CN (1) CN111182551B (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2023061366A1 (en) * 2021-10-14 2023-04-20 华为技术有限公司 Resource access method and apparatus

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104980488A (en) * 2015-03-20 2015-10-14 深圳市腾讯计算机系统有限公司 Message transfer method, related devices and communication system
CN108173882A (en) * 2018-03-01 2018-06-15 北京科技大学 Edge calculations node identities authentication method based on aes algorithm
US20190109848A1 (en) * 2017-10-06 2019-04-11 Stealthpath, Inc. Methods for Internet Communication Security

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant