CN111314347A - Illegal traffic processing method, device, system and storage medium - Google Patents

Info

Publication number
CN111314347A
Authority
CN
China
Prior art keywords
illegal
rule
processing
illegal traffic
packet detection
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202010102294.4A
Other languages
Chinese (zh)
Inventor
李金辉
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Lenovo Beijing Ltd
Original Assignee
Lenovo Beijing Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L 63/0227 Filtering policies
    • H04L 63/0263 Rule management
    • H04L 43/00 Arrangements for monitoring or testing data switching networks
    • H04L 43/02 Capturing of monitoring data
    • H04L 43/028 Capturing of monitoring data by filtering

Abstract

The invention discloses a method, a device, a system and a storage medium for processing illegal traffic. The method adds a feedback mechanism to network security equipment, such as a firewall, deployed at the user plane function outlet, so that after illegal access information is detected, the feedback mechanism sends it to the session management function. The session management function then finds the corresponding protocol data unit session according to the illegal access information, automatically generates a packet detection rule for the illegal traffic information, adds the packet detection rule to the protocol data unit session, and modifies the protocol data unit session so that the packet detection rule takes effect. When the protocol data unit session receives the illegal traffic again, the packet detection rule identifies it, and rate limiting, blocking and the stopping of charging can be applied to it. The user plane function will neither forward the illegal traffic nor charge for it.

Description

Illegal traffic processing method, device, system and storage medium
Technical Field
The present invention relates to the field of data communications, and in particular to a method, an apparatus, a system and a storage medium for processing illegal traffic.
Background
Network security equipment such as a firewall is deployed at the exit of the User Plane Function (UPF) of a 5G system to block illegal access, intrusions or virus attacks originating inside or outside the 5G system. The problem is that, before such traffic is blocked by the firewall, it has already been forwarded by the user plane function and charged as chargeable traffic, which wastes forwarding resources on the one hand and imposes unnecessary cost on the customer on the other.
Disclosure of Invention
In a 5G system, filtering, steering, charging and rate limiting of illegal traffic can be realised by configuring a Packet Detection Rule (PDR) in a Protocol Data Unit (PDU) session. If a packet detection rule could be generated automatically from the illegal access information provided by network security equipment such as a firewall deployed at the user plane function outlet, similar illegal access could be prevented from generating extra chargeable traffic and from occupying forwarding resources, thereby solving the above problems.
Based on the above inventive concept, the present inventors have creatively provided a method, an apparatus, a system and a storage medium for processing illegal traffic.
According to a first aspect of the embodiments of the present invention, there is provided a method for processing illegal traffic, applied to a session management function, which implements early filtering of the illegal traffic by interworking with a network security device. The method includes: receiving illegal traffic information fed back by the network security device; finding the corresponding protocol data unit session according to the illegal traffic information; automatically generating a packet detection rule for the illegal traffic information; adding the packet detection rule to the protocol data unit session; and modifying the protocol data unit session so that the packet detection rule takes effect.
According to an embodiment of the present invention, the method further includes: setting the priority of the packet detection rule to the highest priority.
According to an embodiment of the present invention, after adding the packet detection rule for the illegal traffic information, the method further includes: generating a processing rule for the illegal traffic information, where the processing rule includes at least one of a forwarding action rule, a usage reporting rule and a quality of service enforcement rule; adding the processing rule; and establishing an association between the packet detection rule and the processing rule.
According to an embodiment of the present invention, generating the processing rule for the illegal traffic information includes: receiving the network security device's suggested operation for the illegal traffic information; and generating the processing rule for the illegal traffic information according to the suggested operation.
According to a second aspect of the embodiments of the present invention, there is provided a method for processing illegal traffic, applied to a network security device, the method including: sending illegal traffic information to a session management function.
According to an embodiment of the present invention, the method further includes: sending the suggested operation for the illegal traffic information to the session management function.
According to a third aspect of the embodiments of the present invention, there is provided an apparatus for processing illegal traffic, applied to a session management function, the apparatus including: a receiving module for receiving illegal traffic information fed back by the network security device; a session determining module for finding the corresponding protocol data unit session according to the illegal traffic information; a packet detection rule generating module for automatically generating a packet detection rule for the illegal traffic information; a packet detection rule adding module for adding the packet detection rule for the illegal traffic information to the protocol data unit session; and a session modifying module for modifying the protocol data unit session so that the packet detection rule takes effect.
According to an embodiment of the present invention, the apparatus further includes a priority setting module, configured to set the priority of the packet detection rule to the highest priority.
According to an embodiment of the present invention, the apparatus further includes: a processing rule generating module for generating a processing rule for the illegal traffic information, where the processing rule includes at least one of a forwarding action rule, a usage reporting rule and a quality of service enforcement rule; a processing rule adding module for adding the processing rule; and an association establishing module for establishing an association between the packet detection rule and the processing rule.
According to an embodiment of the present invention, the processing rule generating module includes: a receiving unit for receiving the network security device's suggested operation for the illegal traffic information; and a processing rule adding unit for adding a processing rule for the illegal traffic information according to the suggested operation.
According to a fourth aspect of the embodiments of the present invention, there is provided an apparatus for processing illegal traffic, applied to a network security device, the apparatus including: a sending module for sending illegal traffic information to a session management function.
According to an embodiment of the present invention, the sending module is further configured to send the suggested operation for the illegal traffic information to the session management function.
According to a fifth aspect of the embodiments of the present invention, there is provided an illegal traffic processing system, including: a session management function for executing any of the above illegal traffic processing methods applied to a session management function; and a network security device for executing any of the above illegal traffic processing methods applied to a network security device.
According to a sixth aspect of the embodiments of the present invention, there is provided a computer storage medium comprising a set of computer executable instructions which, when executed, perform any of the above illegal traffic processing methods.
The invention discloses a method, a device, a system and a storage medium for processing illegal traffic. The method adds a feedback mechanism to network security equipment, such as a firewall, deployed at the user plane function outlet, so that after illegal access information is detected, the feedback mechanism sends it to the session management function. The session management function then finds the corresponding protocol data unit session according to the illegal access information, automatically generates a packet detection rule for the illegal traffic information, adds the packet detection rule to the protocol data unit session, and modifies the protocol data unit session so that the packet detection rule takes effect. When the protocol data unit session receives the illegal traffic again, the packet detection rule identifies it, and rate limiting, blocking and the stopping of charging can be applied to it. The user plane function will neither forward the illegal traffic nor charge for it. At the same time, the forwarding resources can be used to forward more legitimate traffic, and unnecessary cost is saved for the customer.
It is to be understood that the teachings of the present invention need not achieve all of the above-described benefits, but rather that specific embodiments may achieve specific technical results, and that other embodiments of the present invention may achieve benefits not mentioned above.
Drawings
The above and other objects, features and advantages of exemplary embodiments of the present invention will become readily apparent from the following detailed description read in conjunction with the accompanying drawings. Several embodiments of the invention are illustrated by way of example, and not by way of limitation, in the figures of the accompanying drawings and in which:
in the drawings, the same or corresponding reference numerals indicate the same or corresponding parts.
Fig. 1 is a schematic view of an application scenario of a method for processing illegal traffic according to an embodiment of the present invention;
fig. 2 is a schematic flow chart of an implementation of an illegal traffic processing method at the session management function side according to an embodiment of the present invention;
fig. 3 is a detailed flowchart of an illegal traffic processing method applied at the session management function side according to an embodiment of the present invention;
fig. 4 is a schematic structural diagram of an illegal traffic processing device at the session management function side according to an embodiment of the present invention.
Detailed Description
In order to make the objects, features and advantages of the present invention more obvious and understandable, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present invention, and it is apparent that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
In the description herein, references to the terms "one embodiment," "some embodiments," "an example," "a specific example," or "some examples," etc., mean that a particular feature, structure, material, or characteristic described in connection with the embodiment or example is included in at least one embodiment or example of the invention. Furthermore, the particular features, structures, materials, or characteristics described may be combined in any suitable manner in any one or more embodiments or examples. Furthermore, the various embodiments or examples, and the features of different embodiments or examples, described in this specification can be combined by one skilled in the art as long as they do not contradict each other.
Furthermore, the terms "first" and "second" are used for descriptive purposes only and are not to be construed as indicating or implying relative importance or implicitly indicating the number of technical features indicated. Thus, a feature defined as "first" or "second" may explicitly or implicitly include at least one such feature. In the description of the present invention, "a plurality" means two or more unless specifically defined otherwise.
First, an application scenario of the illegal traffic processing method according to an embodiment of the present invention is described with reference to fig. 1. As shown in fig. 1, after the session management function 10 establishes a PDU session with a User Equipment (UE), the user plane function 20 can receive and forward the user's data traffic. Suppose the user plane function 20 receives the illegal traffic 11 for the first time. At this point there is no packet detection rule for the illegal traffic 11 in the PDU session, so the initially received illegal traffic 11 is sent to the charging and forwarding module 202 for normal processing, and only then does the network security device 30, such as a firewall installed at the exit of the user plane function 20, inspect the illegal traffic 11, find that it is illegal, and intercept it, discard the request, or perform another corresponding operation. In the existing solution the processing ends there. In the embodiment of the present invention, however, the network security device 30 feeds the illegal traffic information 12 back to the session management function 10 according to the detection result; after receiving the illegal traffic information 12, the session management function 10 finds the corresponding PDU session according to the illegal traffic information 12, generates a packet detection rule for it, adds the packet detection rule to the PDU session, and sends an instruction 13 to update the PDU session to the user plane function 20 so that the packet detection rule takes effect. Thus, when the user plane function 20 receives the illegal traffic 21 again, the traffic is intercepted according to the packet detection rule and sent to the discarding or limiting module 201 for corresponding processing before charging and forwarding.
In this way the illegal traffic 21 received again never enters the charging and forwarding module 202, achieving early filtering and early prevention. In the prior art, because there is no feedback mechanism, no such packet detection rule can be added automatically in the user plane function, so when the illegal traffic 21 is received again the user plane function 20 still sends it to the charging and forwarding module 202, wasting resources and incurring unnecessary traffic cost.
According to a first aspect of the embodiments of the present invention, a method for processing illegal traffic is provided, applied to a session management function, in which early filtering of the illegal traffic is implemented by interworking with a network security device; fig. 2 shows the implementation flow of the method at the session management function end. Referring to fig. 2, the method includes: operation 210, receiving illegal traffic information fed back by the network security device; operation 220, finding the corresponding PDU session according to the illegal traffic information; operation 230, automatically generating a packet detection rule for the illegal traffic information; operation 240, adding the packet detection rule to the PDU session; and operation 250, modifying the PDU session so that the packet detection rule takes effect.
In operation 210, the session management function receives the illegal traffic information fed back by the network security device through an OAM interface that it exposes on a specific service port. The network security device may send the illegal traffic information through a command line tool or by sending an HTTP request to a REST API. The network security device here is generally a firewall deployed at the exit of the User Plane Function (UPF), but may also be any other network security device capable of detecting illegal traffic. The illegal traffic information generally includes flow characteristics of the illegal traffic, such as the source IP address, destination port and protocol type. Besides the illegal traffic information itself, the network security device may also return a suggested operation for the illegal traffic to the session management function.
In operation 220, the corresponding PDU session is found mainly by the source IP address: it is the PDU session whose IP address matches the source IP address in the illegal traffic information.
In operation 230, the packet detection rule for the illegal traffic information is generated automatically, mainly by combining the flow characteristics in the illegal traffic information with the syntax of a packet detection rule. The rule may be generated from a preset template, replacing the placeholders in the template with the specific flow characteristics, or it may be generated by string concatenation.
In operation 240, each PDU session typically maintains a packet detection rule list that orders all packet detection rules associated with the PDU session from high to low priority. Adding the packet detection rule here means inserting the rule generated in operation 230 into that list.
In operation 250, the session management function communicates with the user plane function over the N4 interface to issue a PDU session modification command, which specifies the PDU session id associated with the illegal traffic and carries the packet detection rule generated in operation 230. When the session modification command completes, the packet detection rule in the PDU session takes effect and is used in subsequent traffic forwarding and charging.
According to an embodiment of the present invention, the method further includes: setting the priority of the packet detection rule to the highest priority.
As mentioned above, each PDU session typically maintains a packet detection rule list ordered from high to low priority. Here the packet detection rule generated in operation 230 is inserted at the top of the list as the first rule, that is, its priority may be set to the highest. Therefore, when the user plane function receives the illegal traffic again, the traffic is identified first by this packet detection rule and the corresponding interception operation is performed. Moreover, since illegal traffic is normally sent continuously, this arrangement filters it faster and more efficiently.
According to an embodiment of the present invention, after adding the packet detection rule for the illegal traffic information, the method further includes: generating a processing rule for the illegal traffic information, where the processing rule includes at least one of a forwarding action rule, a usage reporting rule and a quality of service enforcement rule; adding the processing rule; and establishing an association between the packet detection rule and the processing rule.
Four kinds of rules can be managed on the N4 interface between the session management function and the user plane function: a packet detection rule and three kinds of processing rules, namely the Forwarding Action Rule (FAR), the Usage Reporting Rule (URR) and the Quality of Service (QoS) Enforcement Rule (QER). The forwarding action rule may include forwarding policy information indicating whether to forward, discard or buffer the packet. These processing rules may be associated with a packet detection rule so that, when certain traffic is filtered out by the packet detection rule, it is processed using the processing rules associated with that packet detection rule.
For example, when a packet reaches the user plane function through the N3 interface, the user plane function first matches the packet against the packet detection rules to identify its service type, and then selects the forwarding action rule, usage reporting rule and QoS enforcement rule corresponding to that service type to perform forwarding control. Correspondingly, when the session management function needs to modify the packet detection rule and processing rules in the user plane function, it sends a session modification request to the user plane function carrying the packet detection rule and processing rules to be modified; after receiving the service-level packet detection rule and processing rules to be modified, the user plane function forwards subsequently received packets according to the modified packet detection rule and processing rules.
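The N3 ingress behaviour described above, as an added example that is not code from the patent or from Lenovo: a small user plane model that classifies each packet against the session's priority-ordered PDR list, applies the bound FAR or QER, and only then charges. It shows the charged byte count before and after a feedback-generated PDR is installed at the head of the list. Packet and rule field names are assumptions; the URR is reduced to a byte counter and the QER to a byte budget.

```python
# Added example (not the patent's or any vendor's code): UPF-side packet
# classification against an ordered PDR list, with FAR/QER applied before
# charging. Field names, the byte-budget QER and the packet dicts are assumed.
from dataclasses import dataclass, field


@dataclass
class Session:
    pdrs: list = field(default_factory=list)   # highest priority first
    fars: dict = field(default_factory=dict)   # far_id -> {"action": ...}
    qers: dict = field(default_factory=dict)   # qer_id -> {"budget_bytes": ...}
    charged_bytes: int = 0                     # stands in for the URR
    log: list = field(default_factory=list)


def matches(pdr, pkt):
    """A PDR matches when every flow characteristic in its filter equals the packet's.
    An empty filter is the catch-all (default) rule."""
    return all(pkt.get(k) == v for k, v in pdr["filter"].items())


def classify(sess, pkt):
    """First match in priority order wins."""
    return next((p for p in sess.pdrs if matches(p, pkt)), None)


def handle_packet(sess, pkt):
    """N3 ingress: PDR lookup, then the bound FAR/QER, then charging for what is forwarded."""
    pdr = classify(sess, pkt)
    far = sess.fars[pdr["far_id"]]
    if far["action"] == "drop":
        sess.log.append(("drop", pkt["id"]))
        return "drop"                          # never charged, never forwarded
    qer = sess.qers.get(pdr.get("qer_id"))
    if qer is not None:
        if qer["budget_bytes"] < pkt["len"]:
            sess.log.append(("throttle", pkt["id"]))
            return "throttle"                  # over the rate budget: not charged
        qer["budget_bytes"] -= pkt["len"]
    sess.charged_bytes += pkt["len"]
    sess.log.append(("forward", pkt["id"]))
    return "forward"


def install_feedback_pdr(sess, flow, action):
    """What the SMF's session modification installs: a PDR at the head of the
    list bound to a drop FAR, or otherwise to a throttling QER plus the
    existing forwarding FAR."""
    pdr_id = max(p["pdr_id"] for p in sess.pdrs) + 1
    pdr = {"pdr_id": pdr_id, "filter": dict(flow)}
    if action == "drop":
        far_id = max(sess.fars) + 1
        sess.fars[far_id] = {"action": "drop"}
        pdr["far_id"] = far_id
    else:
        qer_id = max(sess.qers, default=0) + 1
        sess.qers[qer_id] = {"budget_bytes": 1000}   # assumed budget
        pdr["far_id"] = 1                            # FAR 1 = forward
        pdr["qer_id"] = qer_id
    sess.pdrs.insert(0, pdr)                         # highest priority


def scenario():
    """Constructed run: illegal packet, SMF feedback, the same flow again, a legitimate packet."""
    sess = Session(pdrs=[{"pdr_id": 1, "filter": {}, "far_id": 1}],
                   fars={1: {"action": "forward"}})
    bad = {"src_ip": "172.1.1.1", "dst_ip": "100.2.2.1", "dst_port": 80, "protocol": "http"}
    p1 = dict(bad, id=1, len=600)
    p2 = dict(bad, id=2, len=600)
    good = {"id": 3, "len": 300, "src_ip": "172.1.1.1", "dst_ip": "198.51.100.7",
            "dst_port": 443, "protocol": "https"}
    r1 = handle_packet(sess, p1)        # no PDR yet: charged and forwarded, firewall blocks later
    install_feedback_pdr(sess, bad, "drop")
    r2 = handle_packet(sess, p2)        # PDR hit: dropped before charging
    r3 = handle_packet(sess, good)      # legitimate traffic unaffected
    return sess, (r1, r2, r3)


if __name__ == "__main__":
    s, results = scenario()
    print(results, "charged:", s.charged_bytes, "log:", s.log)
```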
According to an embodiment of the present invention, generating the processing rule for the illegal traffic information includes: receiving the network security device's suggested operation for the illegal traffic information; and generating the processing rule for the illegal traffic information according to the suggested operation.
As mentioned earlier, in addition to the illegal traffic information, the network security device may also send a suggested operation for that traffic to the session management function. Therefore, when the processing rule for the illegal traffic information is generated, it can be generated according to the suggested operation. For example, if the suggested operation is drop, a forwarding action rule that discards the traffic without any further processing may be generated.
The following describes the specific flow of the illegal traffic processing method at the session management function end according to an embodiment of the present invention with reference to fig. 3.
In step 310, the illegal traffic information sent by the network security device is received and parsed to obtain the flow characteristics of the illegal traffic, such as the source IP, and the suggested operation for the traffic;
in step 320, the matching PDU session is searched for according to the source IP, giving a search result;
in step 330, a decision is made according to the search result: if the search succeeded, continue with step 340; if it failed, the process ends;
in step 340, a packet detection rule is generated according to the flow characteristics of the illegal traffic;
in step 350, a processing rule is generated based on the received suggested operation: if the suggested operation is drop, continue with step 360; otherwise, continue with step 370;
in step 360, a new forwarding action rule is generated to discard the traffic request;
in step 370, a new QoS enforcement rule is generated to apply measures such as rate limiting to the traffic request;
in step 380, the packet detection rule and the processing rule are bound, that is, an association is established between them, and a PDU session modification instruction is sent to the user plane.
According to a second aspect of the embodiments of the present invention, there is provided a method for processing illegal traffic, applied to a network security device, the method including: sending illegal traffic information to a session management function.
According to an embodiment of the present invention, the method further includes: sending the suggested operation for the illegal traffic information to the session management function.
When illegal traffic information is sent to the session management function, the OAM interface provided by the session management function is usually used. The transmission may use a command line, for example by executing the following command:
(smf)#firewall add rule 172.1.1.1 100.2.2.1 80 http drop
It may also be sent as a REST API request, for example:
10.1.1.3/smf/firewall/add?sip=172.1.1.1&dip=100.2.2.1&dport=80&protocol=http&action=drop
where the parameter sip specifies the source IP, dip the destination IP, dport the destination port, protocol the protocol type, and action the suggested operation for the illegal traffic.
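The session management function side of this feedback loop (steps 310 to 380 above, fed by the REST-style request just shown), as an added example that is not code from the patent or from Lenovo. It parses and validates the request, looks the PDU session up by source IP, fills a PDR template with the flow characteristics, chooses a drop FAR or a throttling QER from the suggested action, binds them to the PDR at the highest priority, and returns the session modification to send over N4. The session table, rule field names, the "precedence" ordering (0 = evaluated first), the "limit" action name and the message layout are assumptions; the real N4 encoding (PFCP) is not modelled.

```python
# Added example (not the patent's or Lenovo's code): SMF-side handling of
# firewall feedback. Only the URL format comes from the page; the session
# table, rule fields, precedence ordering and message layout are assumptions.
import ipaddress
from urllib.parse import parse_qs, urlsplit

REQUIRED = ("sip", "dip", "dport", "protocol", "action")
ALLOWED_ACTIONS = {"drop", "limit"}                 # assumed action vocabulary
PDR_TEMPLATE = {"src_ip": "{sip}", "dst_ip": "{dip}",
                "dst_port": "{dport}", "protocol": "{protocol}"}


def make_sessions():
    """Constructed SMF-side PDU session table. Each session starts with a
    catch-all PDR (empty filter) bound to a forwarding FAR, i.e. the state
    before any feedback has arrived."""
    def session(ue_ip):
        return {"ue_ip": ue_ip,
                "pdrs": [{"pdr_id": 1, "precedence": 255, "filter": {}, "far_id": 1}],
                "fars": {1: {"far_id": 1, "action": "forward"}},
                "qers": {}}
    return {"pdu-1001": session("172.1.1.1"), "pdu-1002": session("172.1.1.2")}


def parse_feedback(url):
    """Step 310. The OAM port is a control-plane input that ends up changing
    forwarding rules, so every field is validated before use: malformed
    addresses, ports or unknown actions are rejected."""
    query = parse_qs(urlsplit(url).query)
    missing = [k for k in REQUIRED if k not in query]
    if missing:
        raise ValueError(f"missing parameters: {missing}")
    info = {k: query[k][0] for k in REQUIRED}
    ipaddress.ip_address(info["sip"])               # raises ValueError on garbage
    ipaddress.ip_address(info["dip"])
    info["dport"] = int(info["dport"])
    if not 0 < info["dport"] < 65536:
        raise ValueError("destination port out of range")
    if info["action"] not in ALLOWED_ACTIONS:
        raise ValueError(f"unknown action {info['action']!r}")
    return info


def find_session(sessions, info):
    """Step 320: the PDU session whose IP matches the reported source IP."""
    for sid, sess in sessions.items():
        if sess["ue_ip"] == info["sip"]:
            return sid
    return None


def generate_pdr(sess, info):
    """Step 340: fill the PDR template with the reported flow characteristics.
    Precedence 0 puts the rule ahead of everything else in the session."""
    flt = {k: v.format(**info) for k, v in PDR_TEMPLATE.items()}
    flt["dst_port"] = int(flt["dst_port"])
    new_id = max(p["pdr_id"] for p in sess["pdrs"]) + 1
    return {"pdr_id": new_id, "precedence": 0, "filter": flt}


def generate_processing_rule(sess, info):
    """Steps 350 to 370: a drop FAR for action=drop; otherwise keep the
    forwarding FAR and add a throttling QER. Returns the ids to bind."""
    if info["action"] == "drop":
        fid = max(sess["fars"]) + 1
        sess["fars"][fid] = {"far_id": fid, "action": "drop"}
        return {"far_id": fid}
    qid = max(sess["qers"], default=0) + 1
    sess["qers"][qid] = {"qer_id": qid, "mbr_kbps": 64}   # assumed rate cap
    return {"far_id": 1, "qer_id": qid}                   # FAR 1 = forward


def handle_feedback(sessions, url):
    """Steps 310 to 380 end to end. Returns the session modification to send
    over N4, or None when no session matches (step 330 ends the flow)."""
    info = parse_feedback(url)
    sid = find_session(sessions, info)
    if sid is None:
        return None
    sess = sessions[sid]
    pdr = generate_pdr(sess, info)
    bindings = generate_processing_rule(sess, info)
    pdr.update(bindings)                                  # step 380: bind PDR to rule(s)
    sess["pdrs"].append(pdr)
    sess["pdrs"].sort(key=lambda p: p["precedence"])      # highest priority first
    new_far = sess["fars"][bindings["far_id"]] if info["action"] == "drop" else None
    new_qer = sess["qers"].get(bindings.get("qer_id"))
    return {"message": "session modification request", "session_id": sid,
            "create_pdr": pdr, "create_far": new_far, "create_qer": new_qer}


if __name__ == "__main__":
    table = make_sessions()
    print(handle_feedback(table, "http://10.1.1.3/smf/firewall/add?sip=172.1.1.1"
                                 "&dip=100.2.2.1&dport=80&protocol=http&action=drop"))
```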
According to a third aspect of the embodiments of the present invention, there is provided an apparatus for processing illegal traffic, applied to a session management function; as shown in fig. 4, the apparatus 40 includes: a receiving module 401, configured to receive illegal traffic information fed back by a network security device; a session determining module 402, configured to find the protocol data unit session corresponding to the illegal traffic information; a packet detection rule generating module 403, configured to automatically generate a packet detection rule for the illegal traffic information; a packet detection rule adding module 404, configured to add the packet detection rule for the illegal traffic information to the protocol data unit session; and a session modification module 405, configured to modify the PDU session so that the packet detection rule takes effect.
According to an embodiment of the present invention, the apparatus 40 further includes a priority setting module, configured to set the priority of the packet detection rule to the highest priority.
According to an embodiment of the present invention, the apparatus 40 further includes: a processing rule generating module for generating a processing rule for the illegal traffic information, where the processing rule includes at least one of a forwarding action rule, a usage reporting rule and a quality of service enforcement rule; a processing rule adding module for adding the processing rule; and an association establishing module for establishing an association between the packet detection rule and the processing rule.
According to an embodiment of the present invention, the processing rule generating module includes: a receiving unit for receiving the network security device's suggested operation for the illegal traffic information; and a processing rule adding unit for adding a processing rule for the illegal traffic information according to the suggested operation.
According to a fourth aspect of the embodiments of the present invention, there is provided an apparatus for processing illegal traffic, applied to a network security device, the apparatus including: a sending module for sending illegal traffic information to a session management function.
According to an embodiment of the present invention, the sending module is further configured to send the suggested operation for the illegal traffic information to the session management function.
According to a fifth aspect of the embodiments of the present invention, there is provided an illegal traffic processing system, including: a session management function for executing any of the above illegal traffic processing methods applied to a session management function; and a network security device for executing any of the above illegal traffic processing methods applied to a network security device.
According to a sixth aspect of the embodiments of the present invention, there is provided a computer storage medium comprising a set of computer executable instructions which, when executed, perform any of the above illegal traffic processing methods.
Here, it should be noted that the above descriptions of the embodiments of the illegal traffic processing apparatus, the illegal traffic processing system and the computer storage medium are similar to the descriptions of the foregoing method embodiments and have similar beneficial effects, and are therefore not repeated. For technical details not yet disclosed in the descriptions of the embodiments of the illegal traffic processing apparatus, the illegal traffic processing system and the computer storage medium of the present invention, please refer to the description of the foregoing method embodiments of the present invention; for brevity, they are not described again.
It should be noted that, in this document, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.
In the several embodiments provided in the present application, it should be understood that the disclosed apparatus and method may be implemented in other ways. The above-described device embodiments are merely illustrative, for example, the division of a unit is only one logical function division, and there may be other division ways in actual implementation, such as: multiple units or components may be combined, or may be integrated into another device, or some features may be omitted, or not implemented. In addition, the coupling, direct coupling or communication connection between the components shown or discussed may be through some interfaces, and the indirect coupling or communication connection between the devices or units may be electrical, mechanical or other forms.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units; can be located in one place or distributed on a plurality of network units; some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, all the functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may be separately regarded as one unit, or two or more units may be integrated into one unit; the integrated unit can be realized in a form of hardware, or in a form of hardware plus a software functional unit.
Those of ordinary skill in the art will understand that: all or part of the steps for realizing the method embodiments can be completed by hardware related to program instructions, the program can be stored in a computer readable storage medium, and the program executes the steps comprising the method embodiments when executed; and the aforementioned storage medium includes: various media capable of storing program codes, such as a removable storage medium, a Read Only Memory (ROM), a magnetic disk, and an optical disk.
Alternatively, the integrated unit of the present invention may be stored in a computer-readable storage medium if it is implemented in the form of a software functional module and sold or used as a separate product. Based on such understanding, the technical solutions of the embodiments of the present invention may be essentially implemented or a part contributing to the prior art may be embodied in the form of a software product, which is stored in a storage medium and includes several instructions for enabling a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the methods of the embodiments of the present invention. And the aforementioned storage medium includes: a removable storage medium, a ROM, a magnetic disk, an optical disk, or the like, which can store the program code.
The above description is only for the specific embodiments of the present invention, but the scope of the present invention is not limited thereto, and any person skilled in the art can easily conceive of the changes or substitutions within the technical scope of the present invention, and the changes or substitutions should be covered within the scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.

Claims (10)

1. A processing method of illegal traffic, applied to a session management function, the method realizing early filtering of illegal traffic by linking with network security equipment, and comprising the following steps:
receiving illegal traffic information fed back by the network security equipment;
finding the protocol data unit (PDU) session corresponding to the illegal traffic information according to the illegal traffic information;
automatically generating a packet detection rule for the illegal traffic information;
adding the packet detection rule in the PDU session;
modifying the PDU session so that the packet detection rule takes effect.
2. The method of claim 1, further comprising:
setting the priority of the packet detection rule to the highest priority.
3. The method of claim 1 or 2, further comprising, after said adding a packet detection rule for said illegal traffic information:
generating a processing rule aiming at the illegal traffic information, wherein the processing rule comprises at least one rule of a forwarding behavior rule, a usage reporting rule and a service quality execution rule;
adding the processing rule;
and establishing the association relationship between the packet detection rule and the processing rule.
4. The method of claim 3, the generating a processing rule for the illegal traffic information comprising:
receiving the suggested operation of the network security equipment on the illegal traffic information;
and generating a processing rule aiming at the illegal traffic information according to the suggested operation.
5. A processing method of illegal traffic, applied to network security equipment, the method comprising the following step: sending illegal traffic information to the session management function.
6. The method of claim 5, further comprising:
sending a suggested operation for the illegal traffic information to the session management function.
7. An illegal traffic processing device applied to a session management function, the device comprising:
a receiving module for receiving illegal traffic information fed back by the network security equipment;
a session determining module for finding the corresponding protocol data unit (PDU) session according to the illegal traffic information;
a packet detection rule generating module for automatically generating a packet detection rule for the illegal traffic information;
a packet detection rule adding module for adding the packet detection rule for the illegal traffic information in the PDU session;
a session modification module for modifying the PDU session so that the packet detection rule takes effect.
8. An illegal traffic processing device applied to network security equipment, the device comprising:
a sending module for sending illegal traffic information to the session management function.
9. A system for processing illegal traffic, said system comprising:
a session management function for executing the illegal traffic processing method applied to the session management function according to any one of claims 1 to 4;
a network security device for performing the method of processing illegal traffic applied to the network security device according to any one of claims 5 to 6.
10. A storage medium having stored thereon program instructions for performing, when executed, the method of processing illegal traffic according to any of claims 1 to 6.
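The SMF-side procedure of claims 1 to 4, as an added illustration that is not code from the patent: a report from the security device is mapped to the UE's PDU session, a packet detection rule (PDR) with the highest precedence is added, a forwarding action rule (FAR) is built from the device's suggested operation and associated with the PDR, and the session version is bumped to represent the session modification. The `IllegalTrafficReport` and `PduSession` schemas are hypothetical; the rule field names only loosely follow PFCP (3GPP TS 29.244) terminology, where a lower precedence value is matched first.

```python
from dataclasses import dataclass, field

HIGHEST_PRECEDENCE = 0       # PFCP convention: lower precedence value is matched first
DEFAULT_PRECEDENCE = 255     # catch-all rule installed at session establishment

@dataclass
class IllegalTrafficReport:  # hypothetical schema of the security device's feedback
    ue_ip: str
    remote_ip: str
    remote_port: int
    protocol: str
    suggested_action: str = "DROP"   # the device's suggested operation (claim 4)

@dataclass
class PduSession:            # hypothetical SMF-side view of one PDU session
    seid: int
    ue_ip: str
    pdrs: list = field(default_factory=list)   # packet detection rules
    fars: dict = field(default_factory=dict)   # forwarding action rules by far_id
    version: int = 0                           # bumped by each session modification

def new_session(seid, ue_ip):
    """Constructed session with one catch-all PDR that forwards everything."""
    s = PduSession(seid, ue_ip)
    s.pdrs.append({"pdr_id": 1, "precedence": DEFAULT_PRECEDENCE, "pdi": {}, "far_id": 1})
    s.fars[1] = {"far_id": 1, "apply_action": "FORWARD"}
    return s

def handle_illegal_traffic(sessions, report):
    """Claims 1-4: find the session, add a top-priority PDR, bind it to a FAR built
    from the suggested operation, then modify the session. Returns the new rule id."""
    session = sessions.get(report.ue_ip)          # PDU session lookup by UE address
    if session is None:
        return None                               # unknown UE: nothing to modify
    rule_id = max(p["pdr_id"] for p in session.pdrs) + 1
    pdi = {"ue_ip": report.ue_ip, "remote_ip": report.remote_ip,
           "remote_port": report.remote_port, "protocol": report.protocol}
    session.pdrs.append({"pdr_id": rule_id, "precedence": HIGHEST_PRECEDENCE,
                         "pdi": pdi, "far_id": rule_id})               # claims 1-2
    session.fars[rule_id] = {"far_id": rule_id,
                             "apply_action": report.suggested_action}  # claims 3-4
    session.version += 1                          # session modification takes effect
    return rule_id

def classify(session, packet):
    """User-plane view: the first PDR by precedence whose PDI matches decides the action."""
    for pdr in sorted(session.pdrs, key=lambda p: p["precedence"]):
        if all(packet.get(k) == v for k, v in pdr["pdi"].items()):
            return session.fars[pdr["far_id"]]["apply_action"]
    return "DROP"                                 # no matching PDR: discard
```

Because the new PDR carries the highest precedence, it wins over the catch-all rule for the reported 5-tuple only, while the UE's other traffic keeps its previous treatment.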

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010102294.4A CN111314347A (en) 2020-02-19 2020-02-19 Illegal traffic processing method, device, system and storage medium

Publications (1)

Publication Number Publication Date
CN111314347A true CN111314347A (en) 2020-06-19

Family

ID=71161848

Country Status (1)

Country Link
CN (1) CN111314347A (en)

Patent Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2018137232A1 (en) * 2017-01-26 2018-08-02 华为技术有限公司 Data processing method, control plane node, and user plane node
CN109600339A (en) * 2017-09-30 2019-04-09 华为技术有限公司 Communication means, device and system
CN109698760A (en) * 2017-10-23 2019-04-30 华为技术有限公司 A kind of flow processing method and user face device and terminal device
CN109842906A (en) * 2017-11-28 2019-06-04 华为技术有限公司 A kind of method, apparatus and system of communication
CN110048873A (en) * 2018-01-16 2019-07-23 华为技术有限公司 The method and communication device of the policy control of more anchor point protocol Data Unit sessions
CN110351229A (en) * 2018-04-04 2019-10-18 电信科学技术研究院有限公司 A kind of terminal UE management-control method and device
WO2020001795A1 (en) * 2018-06-25 2020-01-02 Telefonaktiebolaget Lm Ericsson (Publ) A method of reporting traffic metrics by a user plane function, upf, to a session management function, smf, in a telecommunication network, as well as a corresponding upf
CN110247779A (en) * 2019-06-17 2019-09-17 腾讯科技(深圳)有限公司 Method of multicasting, device, equipment and the system of the multicast group of virtual network group

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
3GPP 3RD GENERATION PARTNERSHIP PROJECT: "System architecture for the 5G System (5GS)", 3GPP TS 23.501 V16.3.0 *
SHUNLIANG ZHANG; YONGMING WANG; WEIHUA ZHOU: "Towards secure 5G networks: A Survey", Computer Networks *
方琰崴; 周俊超: "5G voice solution and key technologies", Proceedings of the 5G Network Innovation Symposium (2019) *

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20200619