CN111901818A - Method for judging abnormal behavior of core network element based on MAP signaling - Google Patents
- Publication number
- CN111901818A
- Authority
- CN
- China
- Prior art keywords
- map signaling
- initiator
- abnormal behavior
- network element
- abnormal
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W24/00—Supervisory, monitoring or testing arrangements
- H04W24/04—Arrangements for maintaining operational condition
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L43/00—Arrangements for monitoring or testing data switching networks
- H04L43/08—Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W24/00—Supervisory, monitoring or testing arrangements
- H04W24/08—Testing, supervising or monitoring using real traffic
Landscapes
- Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Environmental & Geological Engineering (AREA)
- Telephonic Communication Services (AREA)
Abstract
The invention relates to a method, a device and a medium for judging abnormal behavior of a core network element based on MAP signaling, comprising the following steps: S100, parsing the MAP signaling of the initiator to obtain the source address and the target address corresponding to that signaling; S200, judging a first abnormal behavior of the initiator according to the source address and the target address, and continuously monitoring subsequent MAP signaling of the initiator according to the first abnormal behavior; S300, obtaining one or more parameters of the continuously monitored MAP signaling, and judging a second abnormal behavior of the initiator according to the parameters. The beneficial effect of the invention is that, starting from a reconstruction of the abnormal technique, abnormal behavior of a network element is analyzed and identified within compliant MAP signaling by fitting live network data against known abnormal techniques.
Description
Technical Field
The invention relates to the field of computers, in particular to a method for judging abnormal behaviors of a core network element based on MAP signaling.
Background
As shown in FIG. 3, a 2G/3G mobile communication core network is isolated from the Internet and is regarded as a closed, secure network. The MAP signaling used for information exchange between network elements stores and transmits subscribers' personal information, call routing control messages and the like. The mobile communication networks of different countries are interconnected, and security between them rests on mutual trust among operators. Because precautionary measures and technical capabilities differ from country to country, criminals use registered devices in weakly protected mobile networks to construct and parse the relevant MAP messages and carry out illegal activities such as user information acquisition, call hijacking, short message hijacking, and user positioning and tracking. In response to these abnormal behaviors, operators deploy signaling protection equipment at international gateways and provincial gateways to identify and block inbound signaling at the signaling level.
The current signaling protection mechanism only intercepts messages that do not conform to the rules of the roaming agreement between the two parties or to the protocol standards. It is protection at the signaling level and performs no correlation analysis of protocol content and transaction flow. Most abnormal behaviors, however, use MAP messages that conform to the relevant specifications, so current protective measures cannot comprehensively and effectively prevent them.
Disclosure of Invention
The invention aims to solve at least one of the technical problems in the prior art, and provides a core network element abnormal behavior judging method based on MAP signaling.
The technical scheme of the invention comprises a method for judging abnormal behavior of a core network element based on MAP signaling, characterized by: S100, parsing the MAP signaling of the initiator to obtain the source address and the target address corresponding to that signaling; S200, judging a first abnormal behavior of the initiator according to the source address and the target address, and continuously monitoring subsequent MAP signaling of the initiator according to the first abnormal behavior; S300, obtaining one or more parameters of the continuously monitored MAP signaling, and judging a second abnormal behavior of the initiator according to the parameters.
According to the method for judging the abnormal behavior of the core network element based on the MAP signaling, the MAP signaling is configured to be full MAP signaling.
According to the method for judging the abnormal behavior of the core network element based on the MAP signaling, S100 includes: acquiring the full MAP signaling at the access position corresponding to the initiator, parsing the SRIForSM message in the full MAP signaling, and obtaining the source GT and the target GT of the SCCP layer.
According to the method for judging the abnormal behavior of the core network element based on the MAP signaling, S200 includes: if the source GT and the destination GT are respectively domestic and non-domestic, determining that the initiator exhibits the first abnormal behavior.
According to the method for judging the abnormal behavior of the core network element based on the MAP signaling, S200 further includes: if the initiator is judged to exhibit the first abnormal behavior, acquiring the IMSI, the network position, the target number and the time at which the abnormality occurred, corresponding to the initiator.
According to the method for judging the abnormal behavior of the core network element based on the MAP signaling, S300 includes: monitoring subsequent MAP signaling of the initiator in real time according to the IMSI, acquiring the ATI message and the ISD message, extracting the position information, user state and service change attribute fields, and determining a second abnormal behavior of the initiator, wherein the second abnormal behavior comprises target positioning and call hijacking.
According to the method for judging the abnormal behavior of the core network element based on the MAP signaling, the method further comprises: making an abnormality determination for the network element corresponding to the initiator according to the first abnormal behavior and the second abnormal behavior.
The beneficial effect of the invention is that, starting from a reconstruction of the abnormal technique, abnormal behavior of a network element is analyzed and identified within compliant MAP signaling by fitting live network data against known abnormal techniques.
Drawings
The invention is further described below with reference to the accompanying drawings and examples;
FIG. 1 illustrates an overall flow diagram according to an embodiment of the invention;
FIG. 2 is a flow chart illustrating initiator abnormal behavior intent recognition according to an embodiment of the present invention;
FIG. 3 is a diagram illustrating wireless network access.
Detailed Description
Reference will now be made in detail to the present preferred embodiments of the present invention, examples of which are illustrated in the accompanying drawings, wherein like reference numerals refer to like elements throughout.
In the description of the present invention, "several" means one or more and "a plurality" means two or more; "greater than", "less than", "exceeding" and the like are understood as excluding the stated number, while "above", "below", "within" and the like are understood as including it.
In the description of the present invention, the consecutive numbering of the method steps is for convenience of examination and understanding. Taking the overall technical solution and the logical relationship between the steps into account, the order in which the steps are implemented may be adjusted without affecting the technical effect achieved by the technical solution.
FIG. 1 illustrates an overall flow diagram according to an embodiment of the invention: S100, parsing the MAP signaling of the initiator to obtain the source address and the target address corresponding to that signaling; S200, judging a first abnormal behavior of the initiator according to the source address and the target address, and continuously monitoring subsequent MAP signaling of the initiator according to the first abnormal behavior; S300, obtaining one or more parameters of the continuously monitored MAP signaling, and judging a second abnormal behavior of the initiator according to the parameters. The first abnormal behavior is mainly used for judging whether the initiator is in the state of the initiator, and the second abnormal behavior is used for judging the abnormality or the abnormal behavior of the initiator.
FIG. 2 is a flowchart illustrating the process of identifying the intent behind an initiator's abnormal behavior according to an embodiment of the present invention. The process is as follows: when the source GT is GT and the target GT is a domestic GT, the first stage of the abnormality can be determined; the IMSI of the target user must be acquired, and the network position of the source network element, the target number and the time at which the abnormality occurred can also be acquired. The ATI messages and ISD messages in subsequent MAP messages are then analyzed according to the IMSI, the position information, user state and service change attribute fields are extracted, and the intention of the source toward the target is determined to be target positioning, call hijacking and the like.
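The two-stage correlation of S100 to S300, sketched as an added example (not code from the patent). It assumes the MAP messages are already decoded into dictionaries and that the IMSI has been taken from the SRIForSM transaction; the field names, the `DOMESTIC_PREFIXES` value, the rule that stage one fires whenever the two GTs fall on opposite sides of the domestic boundary, and the mapping of ATI location data to target positioning and ISD service changes to call hijacking are all assumptions, and every sample value is constructed.

```python
from dataclasses import dataclass, field

# Assumption: E.164 country code(s) that count as "domestic" for this operator.
DOMESTIC_PREFIXES = ("86",)


@dataclass
class Watch:
    """Evidence recorded in S200 once the first abnormal behavior is seen."""
    imsi: str
    source_gt: str
    target_number: str
    first_seen: int
    intents: list = field(default_factory=list)


def is_domestic(gt: str) -> bool:
    return gt.startswith(DOMESTIC_PREFIXES)


def stage1(msg):
    """S100/S200: an SRIForSM whose SCCP GTs straddle the border opens a watch."""
    if msg["op"] != "SRIForSM":
        return None
    if is_domestic(msg["calling_gt"]) == is_domestic(msg["called_gt"]):
        return None  # both domestic or both foreign: not the first abnormal behavior
    return Watch(msg["imsi"], msg["calling_gt"], msg["msisdn"], msg["ts"])


def stage2(msg):
    """S300: classify a follow-up ATI or ISD message on a watched IMSI."""
    if msg["op"] == "ATI" and msg.get("location_info"):
        return "target positioning"
    if msg["op"] == "ISD" and msg.get("service_change"):
        return "call hijacking"
    return None


def analyse(messages):
    """Return {imsi: Watch} after correlating the stream in timestamp order."""
    watches = {}
    for msg in sorted(messages, key=lambda m: m["ts"]):
        watch = watches.get(msg.get("imsi"))
        if watch is not None and msg["ts"] > watch.first_seen:
            intent = stage2(msg)
            if intent and intent not in watch.intents:
                watch.intents.append(intent)
            continue
        opened = stage1(msg)
        if opened:
            watches[opened.imsi] = opened
    return watches


# Constructed sample stream: one cross-border probe followed by ATI and ISD,
# plus domestic-only traffic that must not be flagged.
SAMPLE = [
    {"ts": 100, "op": "SRIForSM", "calling_gt": "990000000001",
     "called_gt": "8600000000001", "msisdn": "8600000000100", "imsi": "460000000000001"},
    {"ts": 105, "op": "SRIForSM", "calling_gt": "8600000000002",
     "called_gt": "8600000000001", "msisdn": "8600000000200", "imsi": "460000000000002"},
    {"ts": 130, "op": "ATI", "imsi": "460000000000001", "location_info": {"cell": "constructed"}},
    {"ts": 160, "op": "ISD", "imsi": "460000000000001", "service_change": {"forwarding": "constructed"}},
    {"ts": 170, "op": "ISD", "imsi": "460000000000002", "service_change": {"forwarding": "constructed"}},
]

if __name__ == "__main__":
    for w in analyse(SAMPLE).values():
        print(w)
```

Each `Watch` carries the evidence S200 asks for (IMSI, source GT, target number, time) together with the intents found in S300, which is the input for the final determination about the initiating network element.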
The embodiments of the present invention have been described in detail with reference to the accompanying drawings, but the present invention is not limited to the above embodiments, and various changes can be made within the knowledge of those skilled in the art without departing from the gist of the present invention.
Claims (7)
1. A method for judging abnormal behavior of a core network element based on MAP signaling, characterized by:
S100, parsing the MAP signaling of the initiator to obtain the source address and the target address corresponding to that signaling;
S200, judging a first abnormal behavior of the initiator according to the source address and the target address, and continuously monitoring subsequent MAP signaling of the initiator according to the first abnormal behavior;
S300, obtaining one or more parameters of the continuously monitored MAP signaling, and judging a second abnormal behavior of the initiator according to the parameters.
2. The method of claim 1, wherein the MAP signaling is configured as full MAP signaling.
3. The method for judging abnormal behavior of a core network element based on MAP signaling as claimed in claim 2, wherein S100 comprises:
acquiring the full MAP signaling at the access position corresponding to the initiator, parsing the SRIForSM message in the full MAP signaling, and obtaining the source GT and the target GT of the SCCP layer.
4. The method for judging abnormal behavior of a core network element based on MAP signaling as claimed in claim 3, wherein S200 comprises:
if the source GT and the destination GT are respectively domestic and non-domestic, determining that the initiator exhibits the first abnormal behavior.
5. The method for judging abnormal behavior of a core network element based on MAP signaling as claimed in claim 1, wherein S200 further comprises:
if the initiator is judged to exhibit the first abnormal behavior, acquiring the IMSI, the network position, the target number and the time at which the abnormality occurred, corresponding to the initiator.
6. The method for judging abnormal behavior of a core network element based on MAP signaling as claimed in claim 5, wherein S300 comprises:
monitoring subsequent MAP signaling of the initiator in real time according to the IMSI, acquiring the ATI message and the ISD message, extracting the position information, user state and service change attribute fields, and determining a second abnormal behavior of the initiator, wherein the second abnormal behavior comprises target positioning and call hijacking.
7. The method for judging abnormal behavior of a core network element based on MAP signaling according to claim 1, further comprising: making an abnormality determination for the network element corresponding to the initiator according to the first abnormal behavior and the second abnormal behavior.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202010541708.3A CN111901818A (en) | 2020-06-15 | 2020-06-15 | Method for judging abnormal behavior of core network element based on MAP signaling |
Publications (1)
Publication Number | Publication Date |
---|---|
CN111901818A (en) | 2020-11-06 |
Family
ID=73206278
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202010541708.3A Pending CN111901818A (en) | 2020-06-15 | 2020-06-15 | Method for judging abnormal behavior of core network element based on MAP signaling |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN111901818A (en) |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
RJ01 | Rejection of invention patent application after publication | Application publication date: 20201106 |