CN111698684A - Service security control method, device and storage medium - Google Patents


Publication number
CN111698684A
Authority
CN
China
Prior art keywords
access
service
signaling
terminal
network
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202010382922.9A
Other languages
Chinese (zh)
Other versions
CN111698684B (en)
Inventor
王保华
李斌
饶小毛
柯栋
莫建荣
胡清
汪龙
谢义东
陈弄玉
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Gree Electric Appliances Inc of Zhuhai
Zhuhai Lianyun Technology Co Ltd
Original Assignee
Gree Electric Appliances Inc of Zhuhai
Zhuhai Lianyun Technology Co Ltd
Application filed by Gree Electric Appliances Inc of Zhuhai, Zhuhai Lianyun Technology Co Ltd
Priority to CN202010382922.9A
Publication of CN111698684A
Application granted
Publication of CN111698684B
Legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/06 Authentication
    • H04W 12/08 Access security

Abstract

The application relates to a service security control method, apparatus and storage medium applied to a mobile edge computing (MEC) device. The method comprises: acquiring a service access signaling record of a terminal accessing a service; and controlling the terminal's access to the service according to that record. By inspecting terminal service access in an MEC-based network system, an illegitimate terminal that repeatedly attempts to access a service is prohibited, the data involved is protected and a normal network usage environment is maintained.

Description

Service security control method, device and storage medium
Technical Field
The present application relates to the field of communications technologies, and in particular, to a method, an apparatus, and a storage medium for controlling service security.
Background
With the development of 5G, mobile edge computing (MEC) has become a key technology for 5G service deployment. Core network devices built on MEC face mobile terminals directly as data processing devices and are also opened to third parties other than the operator, so they are easy to attack and can be used as a tool for attacking the network.
The security of a core network device involves many aspects: the device's own hardware, operating system and platform software, the networking architecture, defence against network attacks, and so on. Improving the security of core network equipment is an important current issue. The prior art addresses only the security of the core network device itself and of the APPs installed on it, not the threat that a mobile terminal poses to the core network device and the network.
Ordinary terminals run an operating system and carry various APPs. Once a terminal has successfully accessed the network, the APPs it carries may not have undergone strict industry security testing, so an attacker can exploit such a vulnerability to attack the network through the terminal APP; and because the software has not been strictly tested it may contain defects, and abnormal behaviour of an APP under specific conditions may seriously degrade network performance. This matters especially for MEC equipment, whose service objects are large customers such as enterprises and governments and which stores sensitive user data, so early detection of potential threats is necessary.
Disclosure of Invention
To address the problem that a terminal may access a service illegitimately, which may pose a potential threat to network data and may seriously affect network performance, embodiments of the present application provide a service security control method, apparatus and storage medium.
In a first aspect, an embodiment of the present application provides a service security control method, applied to a mobile edge computing device, the method comprising:
acquiring a service access signaling record of a terminal accessing a service;
and controlling the terminal's access to the service according to the service access signaling record.
Optionally, acquiring the service access signaling record of the terminal accessing the service comprises:
acquiring a plurality of target data messages through a base station, the target data messages being data messages generated by communication between the terminal and the base station and processed by the local mobile edge computing device;
and performing deep data analysis on the plurality of target data messages to obtain the service access signaling record.
Optionally, the service access signaling record comprises at least one piece of service access signaling information;
and controlling the terminal's access to the service according to the service access signaling record comprises:
judging whether each piece of service access signaling information is compliant;
and if the number of non-compliant pieces of service access signaling information within a preset time is greater than or equal to a count threshold, prohibiting the terminal from accessing the service.
Optionally, judging whether the service access signaling information is compliant comprises:
comparing a pre-stored service access signaling flow with the service access signaling information;
if the service access signaling information conforms to the service access signaling flow, judging it compliant;
and if the service access signaling information does not conform to the service access signaling flow, judging it non-compliant.
Optionally, the service access signaling information comprises base station information, terminal information, key-field information of the service signaling, and a timestamp;
and the service access signaling flow comprises the order of the signaling in the service access signaling procedure of the service of interest and the data specification of its key fields.
Optionally, before acquiring the service access signaling record of the terminal accessing the service, the method further comprises:
acquiring an access network signaling record of the terminal accessing the network;
comparing a pre-stored network admission signaling flow with the access network signaling information in the access network signaling record to judge whether the access network signaling information is compliant;
and controlling the terminal's access to the network according to the number of non-compliant pieces of access network signaling information.
In a second aspect, an embodiment of the present application provides a service security control apparatus, applied to a mobile edge computing device, the apparatus comprising: a memory for storing computer-executable program code; a transceiver; and a processor coupled to the memory and the transceiver;
the transceiver being configured to acquire a service access signaling record of a terminal accessing a service;
and the processor being configured to control the terminal's access to the service according to the service access signaling record.
Optionally, the transceiver is further configured to acquire an access network signaling record of the terminal accessing the network;
the processor is further configured to compare a pre-stored network admission signaling flow with the access network signaling information in the access network signaling record to judge whether the access network signaling information is compliant;
and the processor is further configured to control the terminal's access to the network according to the number of non-compliant pieces of access network signaling information.
In a third aspect, embodiments of the present application provide a computer-readable storage medium, on which a computer program is stored, which, when executed by a processor, causes the processor to perform the steps of the method according to any one of the preceding claims.
In a fourth aspect, embodiments of the present application provide a computer device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, the processor executing the program to perform the steps of the method according to any of the preceding claims.
Compared with the prior art, the technical solution provided by the embodiments of the present application has the following advantages:
A service access signaling record of a terminal accessing a service is acquired, and the terminal's access to the service is controlled according to that record. In an MEC-based network system this detects terminals' service access and prohibits illegitimate terminals that repeatedly attempt to access a service, protecting the data involved and maintaining a normal network usage environment. In addition, an access network signaling record of the terminal accessing the network is acquired, and the terminal's access to the network is controlled according to that record, so that illegitimate terminals that repeatedly attempt to access the network are likewise detected and prohibited, maintaining a normal network usage environment.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the invention and together with the description, serve to explain the principles of the invention.
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, and it is obvious for those skilled in the art that other drawings can be obtained according to the drawings without inventive exercise.
Fig. 1 is an application scenario diagram of a service security control method according to an embodiment;
Fig. 2 is a schematic flow chart of a service security control method according to an embodiment;
Fig. 3 is a schematic structural diagram of a service security control apparatus according to an embodiment.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present application clearer, the technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are some embodiments of the present application, but not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
Fig. 1 is an application scenario diagram of a service security control method according to an embodiment. Referring to Fig. 1, the service security control method is applied to a service security control system comprising a mobile edge computing device, a base station and a terminal. The terminal is a user terminal that communicates over the wireless network, such as a mobile terminal: a cell phone, a tablet and the like. Terminals can be divided into standard mobile terminals, used by the general public and holding a network access permit, and industry-application customised terminals. A standard mobile terminal normally undergoes terminal compliance testing by the relevant national authority, and its network access permit is issued only after that test. An industry-application customised terminal is a wireless terminal built from a module for a 5G industry application and produced in small batches. For example, a logistics company or other large enterprise may have a terminal customised for ease of management, and that terminal performs business operations such as accessing a database through the access network. Such customised terminals come from many manufacturers of differing software and hardware quality, and most of them have not gone through the state-mandated terminal network access test procedure and hold no network access permit. A non-compliant terminal may fail to access a service because of a software defect, and frequent service access failures can adversely affect the edge computing device and the whole network environment.
The mobile edge computing device (hereinafter the MEC device) is a core network device based on mobile edge computing (MEC). It obtains, from the base station, an access network signaling record of the terminal accessing the network. The access network signaling record may include access network signaling information for multiple accesses of the same terminal to the same network. The network security control method of the present application applies to the analysis of all terminals accessing the network; for clarity the principle is described for one terminal accessing the same network.
The base station is the interface device through which a mobile device accesses the Internet; it is a form of radio station, namely a radio transceiver station that relays information between mobile telephone terminals and the mobile switching centre within a given radio coverage area.
The terminal accesses the base station over the network, the base station sends the service access signaling record of the terminal accessing the service to the MEC device, and the MEC device controls the terminal's access to the service according to that record. The service access signaling record is a set and may include multiple pieces of service access signaling information for multiple accesses of the terminal to the service through the base station.
Fig. 2 is a schematic flow chart of a service security control method according to an embodiment; referring to fig. 2, the method includes the steps of:
s100: and acquiring a service access signaling record of the terminal access service.
The MEC device is a core network device based on mobile edge computing (MEC). It acquires, from the base station, a service access signaling record of the terminal accessing the service. The service access signaling record comprises service access signaling information for accesses to the same service in different time periods. The service security control method of the present application applies to the analysis of all terminals accessing services; for clarity the principle is described for one terminal accessing the same service.
In one embodiment, step S100 specifically comprises: the MEC device acquires a plurality of target data messages through the base station, the target data messages being data messages generated by communication between the terminal and the base station and processed by the local MEC device; the MEC device performs deep data analysis on each target data message to obtain the corresponding service access signaling information; and the pieces of service access signaling information corresponding to the plurality of target data messages form the service access signaling record.
The service comprises application data and IP data, including HTTP, ICMP, FTP and the like.
The deep data analysis may specifically use DPI (deep packet inspection).
The DPI function can be deployed in the MEC device. It performs deep analysis on the target data messages from the radio access side and stores them by dimensions such as user name, APP name, service/service type, service signaling and timestamp. Against the required series of service signaling in the service procedure, the service procedure signaling initiated by the terminal is checked, and abnormalities of non-compliant terminals are recorded for processing.
Acquiring the plurality of target data messages comprises: receiving a plurality of data messages generated by communication between the terminal and the base station and forwarded by the base station; and distributing each data message according to a distribution rule to obtain the plurality of target data messages.
S200: and controlling the terminal access service according to the service access signaling record.
Specifically, the service access signaling record reflects the number and frequency of accesses by the same terminal to the same service. Whether the terminal's service access is compliant can be judged from the record, and on that basis the terminal is either allowed to keep trying to access the service or prohibited from trying.
In one embodiment, the service access signaling record comprises at least one piece of service access signaling information, and step S200 specifically comprises: controlling the terminal's access to the service by judging whether the service access signaling information is compliant.
In one embodiment, judging whether the service access signaling information is compliant specifically comprises: comparing a pre-stored service access signaling flow with the service access signaling information; if the information conforms to the flow, judging it compliant; and if it does not conform to the flow, judging it non-compliant.
The pre-stored service access signaling flows comprise one flow for each service permitted to be accessed. If the service access signaling information matches at least one of the pre-stored flows of the permitted services, it is judged compliant; if it matches none of them, it is judged non-compliant.
In one embodiment, controlling the terminal's access to the service specifically comprises: when the number of non-compliant pieces of service access signaling information within the preset time is greater than or equal to the count threshold, judging that the terminal's access to the service is abnormal and therefore prohibiting the terminal from accessing the service.
Specifically, the number of non-compliant pieces of service access signaling information appearing consecutively within the preset time may be counted; if that number is greater than or equal to the count threshold, the terminal's access to the service is judged abnormal, and consecutive access abnormalities exceeding the count threshold within the preset time are judged to be illegitimate access. The terminal may then be prohibited from accessing the service. Prohibiting access means prohibiting the terminal even from attempting access: not only is the terminal not allowed to access the service successfully, its requests to access the service are also refused.
When a service access initiated by a mobile terminal under the MEC device does not follow the expected terminal service access rule, the terminal's access to the service can be regarded as abnormal. A terminal whose service access is abnormal and frequent can cause leakage of sensitive data and occupy network resources, making it hard for other legitimate users to use the network.
Because the procedure by which a terminal accesses a service is complex, the abnormal service accesses of the terminal are counted within the preset time and the terminal is prohibited only when the count threshold is reached, which avoids misjudgement.
In one embodiment, the MEC device itself prohibits the illegitimate terminal from accessing the service. Alternatively, the MEC device sends the result of whether the count is greater than or equal to the count threshold to a function control system, and the function control system prohibits the illegitimate terminal from accessing the corresponding service.
The function control system may be, but is not limited to, the operator's billing system.
When a terminal's abnormal service access is found to threaten sensitive data, the result of whether the count is greater than or equal to the count threshold can be sent to the operator's billing system over the northbound interface of the MEC device, and the billing system revokes the terminal's service access permission.
Threat detection and handling of service access from the terminal is thus completed, data security is protected and a normal network usage environment is maintained.
In one embodiment, the service access signaling information comprises base station information, terminal information, key-field information of the service signaling, and a timestamp;
and the service access signaling flow comprises the order of the signaling in the service access signaling procedure of the service of interest and the data specification of its key fields.
Specifically, when the terminal accesses a service, signaling is generated during the information exchange, and the signaling exchange has a strict order, for example: send a signaling message, wait for the peer's response, and perform the next operation according to the response. Clearly, an operation that does not follow the prescribed flow violates the rule and is non-compliant.
The service access signaling information carries the key fields of the service signaling. The key fields of a signaling message comprise its key parameters, or its key parameters together with reference parameters. For example, the instruction get has five parameters (a1, a2, a3, a4, a5), each with a specific meaning, of which a1-a3 are mandatory and a4-a5 optional; a1-a3 are then the key parameters and a4-a5 the reference parameters.
The signaling order may be taken from a timestamp or from a signaling number carried by the signaling itself. The collected signaling is sorted and it is judged whether the exchange proceeded in the expected order.
The service access signaling flow specifies the order in which the signaling of that flow is executed. Whether the signaling was executed in the preset order can be judged from the signaling number or the timestamp of each message: if it was not executed in order, it is judged non-compliant; if it was executed in order, it is judged compliant.
The key-field data specification specifies whether each parameter value lies within its expected range, for example whether the value of each of a1-a5 is within its expected range. If the expected value of a1 is one of 1, 2 and 3 and the actual value is not, the service signaling is regarded as non-compliant.
Specifically, the signaling keyword, e.g. get, is obtained first; then the parameters a1-a5 of the get are obtained and compared with the requirement specification for a1-a5 of the get signaling held in the pre-stored key-field data; if they meet the requirements of the pre-stored key-field database the access signaling is regarded as compliant, otherwise as non-compliant.
The key fields of the present application are not limited to the parameters of get; they also include the key fields generated when terminals access the network in other ways.
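As an added example (not code from the patent), the following Python checks one service-access attempt, recorded as pieces of service access signaling information, against a pre-stored service access signaling flow: the signaling order is recovered from the signaling number (or, failing that, the timestamp) and compared with the expected sequence, and the key fields of each message are checked for mandatory parameters and value ranges. The get/a1-a5 parameters and the rule that a1 must be one of 1, 2, 3 follow the description above; the "response" signaling, the service name "catalog", the remaining value ranges and the sample records are assumptions made for the example.

```python
# Added example: compliance check of a service-access attempt against a
# pre-stored signaling flow (order + key-field data specification).
# Not the patent's code; signaling names, service name and ranges other than
# a1 in {1,2,3} are assumed for illustration.
from __future__ import annotations

from dataclasses import dataclass
from typing import Any, Callable


@dataclass(frozen=True)
class SignalingInfo:
    """One piece of service access signaling information."""
    base_station: str
    terminal: str
    signaling: str              # signaling keyword, e.g. "get"
    fields: dict[str, Any]      # key fields carried by this signaling
    timestamp: float
    seq_no: int | None = None   # signaling number, if the signaling carries one


@dataclass(frozen=True)
class FlowSpec:
    """Pre-stored flow of one permitted service: expected signaling order,
    the key (mandatory) parameters per signaling, and a value predicate
    (data specification) per checked parameter."""
    service: str
    sequence: tuple[str, ...]
    key_params: dict[str, frozenset[str]]
    value_spec: dict[str, dict[str, Callable[[Any], bool]]]


def field_violations(info: SignalingInfo, spec: FlowSpec) -> list[str]:
    """Key-field check: mandatory parameters present, every present parameter
    (key or reference) inside its specified range."""
    problems: list[str] = []
    for p in sorted(spec.key_params.get(info.signaling, frozenset())):
        if p not in info.fields:
            problems.append(f"{info.signaling}: key parameter {p} missing")
    for p, ok in spec.value_spec.get(info.signaling, {}).items():
        if p in info.fields and not ok(info.fields[p]):
            problems.append(f"{info.signaling}: {p}={info.fields[p]!r} out of range")
    return problems


def ordered(record: list[SignalingInfo]) -> list[SignalingInfo]:
    """Sort by the signaling's own number when every message carries one,
    otherwise by timestamp."""
    if all(i.seq_no is not None for i in record):
        return sorted(record, key=lambda i: i.seq_no)
    return sorted(record, key=lambda i: i.timestamp)


def sequence_violations(record: list[SignalingInfo], spec: FlowSpec) -> list[str]:
    """Order check. Assumption: the observed signaling must be exactly the
    expected sequence, so an aborted or reordered exchange is non-compliant."""
    seen = tuple(i.signaling for i in ordered(record))
    return [] if seen == spec.sequence else [f"sequence {seen} != expected {spec.sequence}"]


def check_attempt(record: list[SignalingInfo], specs: list[FlowSpec]) -> tuple[bool, list[str]]:
    """Compliant if the attempt matches at least one pre-stored flow of a
    permitted service. Returns (compliant, violations of the closest flow)."""
    best: list[str] | None = None
    for spec in specs:
        problems = sequence_violations(record, spec)
        for info in record:
            problems += field_violations(info, spec)
        if not problems:
            return True, []
        if best is None or len(problems) < len(best):
            best = problems
    return False, best or ["no permitted service flow configured"]


# Assumed pre-stored flow for a hypothetical "catalog" service: a get with
# key parameters a1..a3 and reference parameters a4..a5, then the response.
CATALOG_FLOW = FlowSpec(
    service="catalog",
    sequence=("get", "response"),
    key_params={"get": frozenset({"a1", "a2", "a3"})},
    value_spec={
        "get": {"a1": lambda v: v in (1, 2, 3),
                "a4": lambda v: isinstance(v, int) and 0 <= v <= 100},
        "response": {"status": lambda v: v in (200, 404)},
    },
)


def sample_good() -> list[SignalingInfo]:
    """Constructed sample: well-formed get/response exchange."""
    return [
        SignalingInfo("gNB-1", "IMSI-A", "get", {"a1": 2, "a2": "x", "a3": "y", "a4": 5}, 100.0, 1),
        SignalingInfo("gNB-1", "IMSI-A", "response", {"status": 200}, 100.2, 2),
    ]


def sample_bad() -> list[SignalingInfo]:
    """Constructed sample: response before get, a3 missing, a1 out of range."""
    return [
        SignalingInfo("gNB-1", "IMSI-B", "response", {"status": 200}, 200.0, 1),
        SignalingInfo("gNB-1", "IMSI-B", "get", {"a1": 7, "a2": "x"}, 200.1, 2),
    ]


if __name__ == "__main__":
    for rec in (sample_good(), sample_bad()):
        print(rec[0].terminal, check_attempt(rec, [CATALOG_FLOW]))
```

The verdict for the bad sample lists all three defects (order, missing key parameter, out-of-range value) rather than stopping at the first, so the record kept for a non-compliant terminal says what was wrong; the "matches at least one permitted flow" rule is the one the description gives for multiple pre-stored flows.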
In one embodiment, the service security control system further comprises: a network signaling analysis system.
The network signaling analysis system is built for network maintenance work and uses dedicated techniques to collect the various control plane signaling in the network. For example, each base station may send the control plane signaling back to the network signaling analysis system, or the system may capture data on the network communication links and analyse it to obtain the control plane signaling. The control plane signaling includes the access network signaling of terminals accessing the network.
The network signaling analysis system receives and stores the access network signaling information analysed at each base station when a terminal accesses the network and, on receiving an acquisition request from the MEC device, sends the requested access network signaling information to the MEC device. The MEC device communicates with the network signaling analysis system over a northbound interface.
In one embodiment, before step S100, the method further comprises:
acquiring an access network signaling record of a terminal access network; comparing the pre-stored network access signaling flow with the access network signaling information in the access network signaling record to judge whether the access network signaling information is in compliance; and controlling the terminal to access the network according to the quantity of the non-compliant access network signaling information.
The method for acquiring the access network signaling record of the terminal access network comprises the following steps: and acquiring an access network signaling record of the terminal access network, which is analyzed after the terminal passes through different base stations governed by the mobile edge computing equipment when the terminal accesses the network.
The access network signaling record includes at least one piece of access network signaling information.
Specifically, each mobile edge computing device (MEC device) corresponds to one or more base stations, the network signaling analysis system may communicate with the base stations managed by each mobile edge computing device, the terminal may access different base stations through the same network (access network), each base station may send access network signaling information of the terminal access network to the network signaling analysis system, or the network signaling analysis system analyzes data passing through the base stations to obtain the access network signaling information. The network signaling analysis system acquires access network signaling information after passing through a plurality of base stations, so as to obtain an access network signaling information set; each access network signaling information includes, but is not limited to: corresponding terminal information, network information of an access network, base station information, and time information.
The mobile edge computing equipment obtains an access network signaling record by requesting a network signaling analysis system to acquire access network signaling information of a terminal access network analyzed after the base station under the jurisdiction of the mobile edge computing equipment is acquired; the access network signaling is control plane signaling, and the access network signaling record is a history record, and may include access network signaling information of the same network accessed by the terminal analyzed by different base stations, or access network signaling information of different networks accessed by the terminal analyzed by different base stations. Wherein the mobile edge computing device communicates with the network signaling analysis system through a northbound interface.
The pre-stored network admission signaling flow comprises a plurality of network admission signaling flows corresponding to the admission network; if the access network signaling information is matched with at least one of the prestored network admission signaling flows of a plurality of admission networks, judging that the access network signaling information is in compliance; if the access network signaling information does not match a pre-stored network admission signaling flow of the plurality of admissions networks. The access network signaling information is determined to be non-compliant.
Controlling the terminal to access the network according to the number of the non-compliant access network signaling information, specifically comprising: the times of the unqualified access network signaling information continuously appearing in the preset time can be counted, if the times is larger than or equal to the time threshold, the terminal is judged to be abnormally accessed to the network, and the times of the abnormal continuous access in the preset time exceeds the time threshold, and the terminal is judged to be illegally accessed. The terminal may be prohibited from accessing the network. Prohibiting the terminal from accessing the network may be prohibiting the terminal from attempting to access the network, i.e. not only not allowing the terminal to successfully access the network, but also denying the terminal to apply for access to the network.
A terminal's network access may be considered abnormal when a network access initiated by a mobile terminal under the mobile edge computing device is found not to follow the expected terminal access procedure. If a terminal accesses the network abnormally and does so frequently, network resources are occupied, and other normal users find it difficult to use the network.
Because the wireless environment is complex and the terminal is mobile, it would be unreasonable to treat 1-2 abnormal accesses as a network threat. A threshold is therefore set: for example, only when the terminal's access is abnormal N times per unit time (for example, N greater than 10) is the terminal's abnormal access judged to constitute a network threat, which avoids misjudgment.
In one embodiment, the mobile edge computing device itself may prohibit illegal terminals from accessing the network. Alternatively, the mobile edge computing device sends the result of whether the count is greater than or equal to the count threshold to a function control system, and the function control system prohibits the illegal terminal from accessing the corresponding network.
The function control system may be, but is not limited to, an operator billing system.
When the terminal's abnormal network access threatens the network, the result of whether the count is greater than or equal to the count threshold can be sent to the operator billing system through the northbound interface of the mobile edge computing device, and the operator billing system revokes the terminal's right to use the network.
In this way, network threat detection and handling from the perspective of terminal access are completed, and a normal network use environment is maintained.
Of course, when an access abnormality is found to threaten the network, the abnormal condition can also be submitted to the APP developer or the hardware developer so that the software or hardware can be improved.
In one embodiment, the access network signaling information includes: base station information, terminal information, access signaling key field information and a timestamp;
the network admission signaling flow comprises: the sequence of the signaling in the network access signaling flow and the data specification of the key fields.
Specifically, when the terminal accesses the network it must exchange signaling with the network. For example, the terminal informs the network of its capabilities, such as which of the 2G/3G/4G/5G networks it can use, its rate, its coding and other information; after receiving this information, the network makes a selection according to its own conditions and informs the terminal of the result. These signaling interactions between the terminal and the network follow strict specifications: which signaling is sent first, which signaling is sent next after the peer's response is received, and which signaling is sent last. These signaling specifications are established by the relevant international organizations, and signaling that does not follow them is deemed non-compliant.
The access signaling key fields contain the key parameters of each access signaling message. For example, if the instruction attch(A1, A2, A3) has three parameters A1, A2 and A3 that must be filled in, then A1, A2 and A3 can be regarded as the signaling key field information.
The signaling sequence may be determined from a timestamp or from a signaling number carried by the signaling itself. It is mainly used to order the collected signaling and to judge whether the signaling interaction follows the expected sequence.
The network admission signaling flow specifies the order in which the signaling in the network admission signaling flow is executed. Whether the signaling is executed in the preset order can be judged from the signaling number or timestamp of each signaling message: if the signaling is not executed in that order, it is judged non-compliant; if it is executed in that order, it is judged compliant.
The key field data specification specifically covers whether the value of each key parameter is within the expected range, for example whether the value of each of the parameters A1-A3 is within its expected range. The expected value of A1 may be any of 1, 2 and 3; if it is not, the signaling may be regarded as non-compliant, i.e. not signaled correctly.
Specifically, the access signaling key field, such as attch, is first obtained; then the parameters A1, A2 and A3 of attch are obtained and compared respectively with the specification values of A1, A2 and A3 for attch in the pre-stored key field data specification. If the requirements of the pre-stored key field data specification are met, the access signaling is regarded as compliant; otherwise it is regarded as non-compliant.
The key fields of the present application include not only the attch parameters but also the key fields generated during the other parts of the terminal's network access procedure.
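The two checks described above (signaling order against a pre-stored admission flow, and key-field values against a data specification), together with the threshold rule of counting non-compliant attempts within a preset time before prohibiting a terminal, can be written out as follows. This is an added illustration, not code from the patent or from Gree/Zhuhai Lianyun; the admission flows, the message names other than attch, the parameter ranges for A2 and A3, and the window and threshold values are all constructed assumptions. The page lists A1 in {1, 2, 3} as its only concrete specification value. The block also handles the multi-network case of the description, where an attempt is compliant if it matches at least one stored flow.

```python
"""Added example: signaling-flow compliance check plus windowed access control."""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass
class Signaling:
    """One access network signaling message as the page describes it:
    base station, terminal, key-field parameters and an ordering key
    (a timestamp or a signaling number)."""
    base_station: str
    terminal: str
    name: str
    params: dict
    order: int


# Constructed pre-stored network admission signaling flows, one per admission
# network (assumption: the page names only the illustrative "attch" message with
# key fields A1..A3, and only A1's allowed values {1, 2, 3} are from the page).
KEY_FIELD_SPEC = {"A1": {1, 2, 3}, "A2": range(0, 16), "A3": range(1, 5)}
ADMISSION_FLOWS = {
    "net-A": {
        "sequence": ["attch", "auth_req", "auth_resp", "attch_accept"],
        "key_fields": {"attch": KEY_FIELD_SPEC},
    },
    "net-B": {
        "sequence": ["attch", "attch_accept"],
        "key_fields": {"attch": KEY_FIELD_SPEC},
    },
}


def _matches(record, flow):
    """Order the messages by their ordering key, then check sequence and key fields."""
    ordered = sorted(record, key=lambda s: s.order)
    names = [s.name for s in ordered]
    if names != flow["sequence"]:
        return False, f"sequence {names} differs from {flow['sequence']}"
    for msg in ordered:
        for field_name, allowed in flow["key_fields"].get(msg.name, {}).items():
            if field_name not in msg.params:
                return False, f"{msg.name}: key field {field_name} missing"
            if msg.params[field_name] not in allowed:
                return False, f"{msg.name}: {field_name}={msg.params[field_name]} outside specification"
    return True, "ok"


def check_compliance(record, flows=ADMISSION_FLOWS):
    """Compliant if the record matches at least one pre-stored admission flow.
    Returns (compliant, matched network or the reasons every flow was rejected)."""
    reasons = []
    for network, flow in flows.items():
        ok, why = _matches(record, flow)
        if ok:
            return True, network
        reasons.append(f"{network}: {why}")
    return False, "; ".join(reasons)


class AccessController:
    """Counts non-compliant access attempts per terminal inside a sliding preset
    window and prohibits the terminal once the count reaches the threshold
    (the page's example is N abnormal accesses per unit time with N > 10)."""

    def __init__(self, window_seconds, count_threshold):
        self.window = window_seconds
        self.threshold = count_threshold
        self._events = defaultdict(deque)  # terminal -> times of non-compliant attempts
        self.prohibited = set()

    def observe(self, terminal, record, now, flows=ADMISSION_FLOWS):
        """Returns 'allowed', 'abnormal' (below threshold) or 'prohibited'."""
        if terminal in self.prohibited:
            return "prohibited"          # requests from a prohibited terminal are rejected outright
        compliant, _ = check_compliance(record, flows)
        if compliant:
            return "allowed"
        events = self._events[terminal]
        events.append(now)
        while events and now - events[0] > self.window:
            events.popleft()            # drop attempts that fell out of the preset time window
        if len(events) >= self.threshold:
            self.prohibited.add(terminal)
            return "prohibited"
        return "abnormal"


def sample_record(terminal, a1=1, swap_order=False):
    """Constructed four-message attach exchange for one terminal (sample data)."""
    seq = ["attch", "auth_req", "auth_resp", "attch_accept"]
    if swap_order:
        seq[0], seq[1] = seq[1], seq[0]
    return [Signaling("gNB-1", terminal, n, {"A1": a1, "A2": 5, "A3": 2} if n == "attch" else {}, i)
            for i, n in enumerate(seq)]


if __name__ == "__main__":
    ctrl = AccessController(window_seconds=60, count_threshold=3)
    for t in (0, 10, 20, 30):
        print(t, ctrl.observe("T-2", sample_record("T-2", a1=7), t))
```

The window is evaluated on the terminal's own attempt times, so a terminal whose abnormal attempts are spread out (say three attempts a minute apart) never reaches the threshold, which is the misjudgment the description wants to avoid; a terminal that bursts attempts is prohibited and stays prohibited even when it later sends a compliant exchange.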
Fig. 3 is a schematic structural diagram of a service security control apparatus according to an embodiment, and referring to fig. 3, the apparatus is applied to a mobile edge computing device, and the apparatus includes: a memory 120 for storing computer executable program code; a transceiver 130, and a processor 110 coupled to the memory 120 and the transceiver 130; a bus 150, at least one communication interface 140; the memory 120, the processor 110, the transceiver 130, and the at least one communication interface 140 are interconnected via a bus 150.
The transceiver 130 is configured to obtain a service access signaling record of a terminal access service;
and the processor 110 is configured to control the terminal to access the service according to the service access signaling record.
In one embodiment, transceiver 130 is specifically configured to: acquiring a plurality of target data messages through a base station, wherein the target data messages are data messages generated by communication between a terminal and the base station and processed by local mobile edge computing equipment;
the processor 110 is specifically configured to: and carrying out deep data analysis on the plurality of target data messages to obtain service access signaling records.
In one embodiment, the service access signaling record comprises at least one piece of service access signaling information;
the processor 110 is specifically configured to: and controlling the terminal to access the service by judging whether the service access signaling information is in compliance.
In one embodiment, processor 110 is specifically configured to: comparing the pre-stored service access signaling flow with the service access signaling information;
if the service access signaling information conforms to the service access signaling flow, judging that the service access signaling information conforms to the standard;
and if the service access signaling information does not conform to the service access signaling flow, judging that the service access signaling information does not conform to the standard.
In one embodiment, the processor 110 is further specifically configured to: if the number of non-compliant service access signaling information within the preset time is greater than or equal to the count threshold, prohibit the terminal from accessing the service.
In one embodiment, the service access signaling information comprises: base station information, terminal information, service signaling key field information and a timestamp;
the service access signaling flow comprises the following steps: the sequence of the signaling in the service access signaling process corresponding to the concerned service and the data specification of the key field.
In one embodiment, the transceiver 130 is further configured to obtain an access network signaling record of the terminal accessing the network;
the processor 110 is further configured to compare the pre-stored network admission signaling flow with the access network signaling information in the access network signaling record to determine whether the access network signaling information is compliant;
the processor 110 is further configured to control the terminal to access the network according to the amount of the non-compliant access network signaling information.
The memory 120 may be, but is not limited to, a Read-Only Memory (ROM) or other types of static storage devices that can store static information and instructions, a Random Access Memory (RAM) or other types of dynamic storage devices that can store information and instructions, an Electrically Erasable Programmable Read-Only Memory (EEPROM), a compact disc Read-Only Memory (CD-ROM) or other optical disk storage, magnetic disk storage media or other magnetic storage devices, or any other medium that can be used to carry or store desired program code in the form of instructions or data structures and that can be accessed by a computer. The memory 120 may be self-contained and coupled to the processor 110 via the bus 150. The memory 120 may also be integrated with the processor 110.
The transceiver 130 may be a transmitter, a receiver, or a combination thereof, which receives or transmits data packets from or to other network nodes.
Processor 110 may be a general purpose Central Processing Unit (CPU), a microprocessor, an application-specific integrated circuit (ASIC), or one or more integrated circuits configured to control the execution of programs in accordance with the teachings of the present application.
Bus 150 may include a path that transfers information between the above components.
The communication interface 140 may use any transceiver or the like for communicating with other devices or communication networks, such as Ethernet, a Radio Access Network (RAN), a Wireless Local Area Network (WLAN), etc.
The memory 120 is used for storing application program codes for executing the scheme of the application, and is controlled by the processor 110 to execute. The memory 120 is also used for storing pre-stored network admission signaling flows and pre-stored service access signaling flows.
Processor 110 may include one or more CPUs.
The service security control apparatus is applied to the mobile edge computing device, and the mobile edge computing device can acquire the service access signaling record of the terminal accessing the service and control the terminal's access to the service according to that record. This realizes monitoring of terminal service access, guarantees data security and maintains the network use environment. In addition, the mobile edge computing device can also acquire the access network signaling record of the terminal accessing the network and control the terminal's access to the network according to that record. In this way, in a network system based on edge computing (MEC), illegal terminals that frequently attempt to access the network are prohibited by detecting the terminals' network access, and a normal network use environment is maintained.
In one embodiment, the present application further provides a computer-readable storage medium having a computer program stored thereon, which, when executed by a processor, causes the processor to: acquiring a service access signaling record of a terminal access service; and controlling the terminal access service according to the service access signaling record.
In one embodiment, the processor further performs the following: acquiring an access network signaling record of a terminal access network; comparing the pre-stored network access signaling flow with the access network signaling information in the access network signaling record to judge whether the access network signaling information is in compliance; and controlling the terminal to access the network according to the quantity of the non-compliant access network signaling information.
It is noted that, in this document, relational terms such as "first" and "second," and the like, may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.
The foregoing are merely exemplary embodiments of the present invention, which enable those skilled in the art to understand or practice the present invention. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the invention. Thus, the present invention is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (10)

1. A business security control method applied to a mobile edge computing device is characterized by comprising the following steps:
acquiring a service access signaling record of a terminal access service;
and controlling the terminal to access the service according to the service access signaling record.
2. The method of claim 1, wherein the obtaining the service access signaling record of the terminal access service comprises:
acquiring a plurality of target data messages through a base station, wherein the target data messages are data messages generated by communication between a terminal and the base station and processed by local mobile edge computing equipment;
and carrying out deep data analysis on the plurality of target data messages to obtain service access signaling records.
3. The method of claim 2, wherein the service access signaling record comprises at least one piece of service access signaling information;
controlling the terminal to access the service according to the service access signaling record, including:
judging whether the service access signaling information is in compliance;
and if the number of non-compliant service access signaling information within the preset time is greater than or equal to the count threshold, prohibiting the terminal from accessing the service.
4. The method of claim 3, wherein the determining whether the service access signaling information is compliant comprises:
comparing the pre-stored service access signaling flow with the service access signaling information;
if the service access signaling information conforms to the service access signaling flow, judging that the service access signaling information conforms to the standard;
and if the service access signaling information does not conform to the service access signaling flow, judging that the service access signaling information is not in compliance.
5. The method of claim 4,
the service access signaling information includes: base station information, terminal information, service signaling key field information and a timestamp;
the service access signaling flow comprises the following steps: the sequence of the signaling in the service access signaling process corresponding to the concerned service and the data specification of the key field.
6. The method of claim 1, wherein before obtaining the service access signaling record of the terminal accessing the service, the method further comprises:
acquiring an access network signaling record of a terminal access network;
comparing the pre-stored network access signaling flow with the access network signaling information in the access network signaling record to judge whether the access network signaling information is in compliance;
and controlling the terminal to access the network according to the quantity of the non-compliant access network signaling information.
7. An apparatus for controlling traffic security, the apparatus being applied to a mobile edge computing device, the apparatus comprising: a memory for storing computer executable program code; a transceiver, and a processor coupled with the memory and the transceiver;
the transceiver is used for acquiring a service access signaling record of a terminal access service;
and the processor is used for controlling the terminal to access the service according to the service access signaling record.
8. The apparatus of claim 7,
the transceiver is also used for acquiring an access network signaling record of the terminal access network;
the processor is further configured to compare a pre-stored network admission signaling flow with access network signaling information in the access network signaling record to determine whether the access network signaling information is compliant;
the processor is further configured to control the terminal to access the network according to the amount of the non-compliant access network signaling information.
9. A computer-readable storage medium, on which a computer program is stored which, when executed by a processor, causes the processor to carry out the steps of the method according to any one of claims 1 to 6.
10. A computer device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, characterized in that the processor executes the program to perform the steps of the method according to any of claims 1-6.
CN202010382922.9A 2020-05-08 2020-05-08 Service security control method, device and storage medium Active CN111698684B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010382922.9A CN111698684B (en) 2020-05-08 2020-05-08 Service security control method, device and storage medium

Publications (2)

Publication Number Publication Date
CN111698684A true CN111698684A (en) 2020-09-22
CN111698684B CN111698684B (en) 2021-06-18

Family

ID=72477352

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010382922.9A Active CN111698684B (en) 2020-05-08 2020-05-08 Service security control method, device and storage medium

Country Status (1)

Country Link
CN (1) CN111698684B (en)

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101877709A (en) * 2010-06-30 2010-11-03 北京世纪互联宽带数据中心有限公司 Multi-media safety signaling system
CN107302762A (en) * 2016-04-14 2017-10-27 大唐移动通信设备有限公司 A kind of Operational Visit and its control method, device
US20180035360A1 (en) * 2015-02-12 2018-02-01 Nokia Solutions And Networks Oy Access control to services in a network
CN109640348A (en) * 2019-01-08 2019-04-16 中国联合网络通信集团有限公司 The multi-service MEC network architecture, the processing method and processing device of multi-service data flow
CN110392023A (en) * 2018-04-20 2019-10-29 中移(杭州)信息技术有限公司 Network inbreak detection method and device based on signalling system No.7 network
CN110913394A (en) * 2019-11-27 2020-03-24 成都西加云杉科技有限公司 Service access method, device, equipment and readable storage medium

Also Published As

Publication number Publication date
CN111698684B (en) 2021-06-18

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant