CN111901818A - Method for judging abnormal behavior of core network element based on MAP signaling - Google Patents

Publication number
CN111901818A
Authority
CN
China
Prior art keywords
map signaling
initiator
abnormal behavior
network element
abnormal
Legal status
Pending
Application number
CN202010541708.3A
Other languages
Chinese (zh)
Inventor
高圣翔
黄远
李鹏
李娅强
刘发强
宁珊
段科峰
王文重
张建军
鲍尚策
Current Assignee
National Computer Network and Information Security Management Center
Zhuhai Comleader Information Technology Co Ltd
Original Assignee
National Computer Network and Information Security Management Center
Zhuhai Comleader Information Technology Co Ltd
Application filed by National Computer Network and Information Security Management Center and Zhuhai Comleader Information Technology Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W24/00 Supervisory, monitoring or testing arrangements
    • H04W24/04 Arrangements for maintaining operational condition
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00 Arrangements for monitoring or testing data switching networks
    • H04L43/08 Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W24/00 Supervisory, monitoring or testing arrangements
    • H04W24/08 Testing, supervising or monitoring using real traffic

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Environmental & Geological Engineering (AREA)
  • Telephonic Communication Services (AREA)

Abstract

The invention relates to a method, a device and a medium for judging abnormal behavior of a core network element based on MAP signaling, comprising the following steps: S100, parsing the MAP signaling of the initiator to obtain the source address and target address corresponding to that signaling; S200, judging a first abnormal behavior of the initiator according to the source address and the target address, and continuously monitoring the initiator's subsequent MAP signaling according to the first abnormal behavior; S300, obtaining one or more parameters of the continuously monitored MAP signaling, and judging a second abnormal behavior of the initiator according to those parameters. The beneficial effect of the invention is that, starting from a reconstruction of known abnormal methods, it analyzes and identifies abnormal behavior of a network element within compliant MAP signaling by fitting live network data against those known abnormal methods.

Description

Method for judging abnormal behavior of core network element based on MAP signaling
Technical Field
The invention relates to the field of computers, in particular to a method for judging abnormal behaviors of a core network element based on MAP signaling.
Background
As shown in FIG. 3, a 2G/3G mobile communication core network is isolated from the Internet and is regarded as a closed, secure network. The MAP signaling used for information exchange between its network elements stores and transmits subscribers' personal information, call routing control messages and the like. The mobile communication networks of different countries are interconnected, and their internal security rests on mutual trust between operators. Because protective measures and technical capabilities differ between countries, criminals use registered devices in weakly protected mobile communication networks to construct and parse the relevant MAP messages and so carry out illegal activities such as obtaining user information, call hijacking, short message hijacking, and locating and tracking users. In response to these abnormal behaviors, operators deploy signaling protection equipment at international gateways and provincial gateways, identifying and blocking inbound provincial signaling at the signaling level.
Current signaling protection equipment only intercepts messages that do not conform to the rules of the two parties' roaming agreement or to the protocol standards. This is protection at the signaling level; it performs no correlation analysis of protocol contents and transaction flows. Most abnormal behaviors, however, use MAP messages that conform to the relevant specifications, so the current protective techniques cannot prevent them comprehensively and effectively.
Disclosure of Invention
The invention aims to solve at least one of the technical problems in the prior art, and provides a core network element abnormal behavior judging method based on MAP signaling.
The technical solution of the invention comprises a method for judging abnormal behavior of a core network element based on MAP signaling, characterized by: S100, parsing the MAP signaling of the initiator to obtain the source address and target address corresponding to that signaling; S200, judging a first abnormal behavior of the initiator according to the source address and the target address, and continuously monitoring the initiator's subsequent MAP signaling according to the first abnormal behavior; S300, obtaining one or more parameters of the continuously monitored MAP signaling, and judging a second abnormal behavior of the initiator according to those parameters.
According to the method for judging abnormal behavior of a core network element based on MAP signaling, the MAP signaling is configured to be full MAP signaling.
According to the method, S100 includes: acquiring the full MAP signaling at the access position corresponding to the initiator, parsing the SRIForSM message of the full MAP signaling, and obtaining the source GT and the target GT of the SCCP layer.
According to the method, S200 includes: if the source GT and the destination GT are, respectively, domestic and non-domestic, determining that the initiator exhibits the first abnormal behavior.
According to the method, S200 further includes: if the initiator is judged to exhibit the first abnormal behavior, acquiring the IMSI, the network position, the target number and the time of the abnormality corresponding to the initiator.
According to the method, S300 includes: monitoring the initiator's subsequent MAP signaling in real time according to the IMSI, acquiring ATI messages and ISD messages, extracting the position information, user state and service change attribute fields from them, and determining a second abnormal behavior of the initiator, wherein the second abnormal behavior comprises target positioning and call hijacking.
According to the method, the method further comprises: making an abnormality determination for the network element corresponding to the initiator according to the first abnormal behavior and the second abnormal behavior.
The beneficial effect of the invention is that, starting from a reconstruction of known abnormal methods, it analyzes and identifies abnormal behavior of a network element within compliant MAP signaling by fitting live network data against those known abnormal methods.
Drawings
The invention is further described below with reference to the accompanying drawings and examples;
FIG. 1 illustrates an overall flow diagram according to an embodiment of the invention;
FIG. 2 is a flow chart illustrating initiator abnormal behavior intent recognition according to an embodiment of the present invention;
FIG. 3 is a diagram illustrating wireless network access.
Detailed Description
Reference will now be made in detail to the present preferred embodiments of the present invention, examples of which are illustrated in the accompanying drawings, wherein like reference numerals refer to like elements throughout.
In the description of the present invention, "several" means one or more and "a plurality" means two or more; terms such as "greater than", "less than" and "exceeding" are understood as excluding the stated number, and terms such as "above", "below" and "within" are understood as including it.
In the description of the present invention, the consecutive numbering of the method steps is for ease of examination and understanding. Taking the overall technical solution and the logical relationship between the steps into account, adjusting the order in which the steps are carried out does not affect the technical effect achieved by the technical solution of the present invention.
FIG. 1 illustrates an overall flow diagram according to an embodiment of the invention: S100, parsing the MAP signaling of the initiator to obtain the source address and target address corresponding to that signaling; S200, judging a first abnormal behavior of the initiator according to the source address and the target address, and continuously monitoring the initiator's subsequent MAP signaling according to the first abnormal behavior; S300, obtaining one or more parameters of the continuously monitored MAP signaling, and judging a second abnormal behavior of the initiator according to those parameters. The first abnormal behavior is mainly used for judging whether the initiator is in the state of the initiator, and the second abnormal behavior is used for judging the abnormality or the abnormal behavior of the initiator.
FIG. 2 is a flowchart of identifying the intention behind an initiator's abnormal behavior according to an embodiment of the present invention. The process is as follows: when the source GT is GT and the target GT is a domestic GT, the first stage of the abnormality can be determined; the IMSI of the target user must be acquired, and the network position of the source network element, the target number and the time of the abnormality can also be acquired. The ATI messages and ISD messages in subsequent MAP messages are then parsed according to the IMSI, the position information, user state and service change attribute fields are extracted, and the source's intention is determined to be target positioning, call hijacking and the like.
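The two-stage flow of FIG. 2 expressed as detection logic over decoded signaling records; this is an added illustration, not code from the patent. Assumptions: records are already-decoded MAP transactions with hypothetical field names, a GT is domestic when it starts with country code 86, stage 1 fires when exactly one of the two GTs is domestic, and ATI location or state fields map to target positioning while ISD service changes map to call hijacking.

```python
from dataclasses import dataclass, field

DOMESTIC_PREFIXES = ("86",)  # assumption: domestic GTs are E.164 numbers under country code 86

def is_domestic(gt: str) -> bool:
    return gt.startswith(DOMESTIC_PREFIXES)

@dataclass
class Watch:
    """Context captured when the first abnormal behavior is judged (S200)."""
    imsi: str
    source_gt: str        # network position of the source network element
    target_number: str
    first_seen: int       # time of the abnormality
    intents: list = field(default_factory=list)

def correlate(records):
    """Return {imsi: Watch} for every subscriber flagged in stage 1."""
    watched = {}
    for r in sorted(records, key=lambda rec: rec["ts"]):
        op, imsi = r["op"], r.get("imsi")
        if imsi is None:
            continue
        # S100/S200: SRIForSM whose SCCP source and target GT differ in domesticity.
        if op == "SRIForSM" and is_domestic(r["src_gt"]) != is_domestic(r["dst_gt"]):
            watched.setdefault(imsi, Watch(imsi, r["src_gt"], r["msisdn"], r["ts"]))
            continue
        # S300: only later traffic for an already watched IMSI is examined.
        w = watched.get(imsi)
        if w is None:
            continue
        if op == "ATI" and (r.get("location") or r.get("subscriber_state")):
            intent = "target positioning"
        elif op == "ISD" and r.get("service_change"):
            intent = "call hijacking"
        else:
            continue
        if intent not in w.intents:
            w.intents.append(intent)
    return watched

# Constructed sample records (all GTs, IMSIs and numbers are made up).
A, B = "001010000000001", "001010000000002"
SAMPLE = [
    {"ts": 90, "op": "ATI", "src_gt": "990000000001", "dst_gt": "860000000010",
     "imsi": A, "location": "constructed-cell"},          # before stage 1: ignored
    {"ts": 100, "op": "SRIForSM", "src_gt": "990000000001", "dst_gt": "860000000010",
     "imsi": A, "msisdn": "8600000000042"},               # stage 1 fires
    {"ts": 110, "op": "SRIForSM", "src_gt": "860000000011", "dst_gt": "860000000010",
     "imsi": B, "msisdn": "8600000000043"},               # both domestic: not flagged
    {"ts": 130, "op": "ATI", "src_gt": "990000000001", "dst_gt": "860000000010",
     "imsi": A, "location": "constructed-cell"},
    {"ts": 150, "op": "ISD", "src_gt": "990000000001", "dst_gt": "860000000010",
     "imsi": A, "service_change": "constructed-change"},
    {"ts": 160, "op": "ATI", "src_gt": "990000000001", "dst_gt": "860000000010",
     "imsi": B, "location": "constructed-cell"},          # IMSI not watched: ignored
]

if __name__ == "__main__":
    for w in correlate(SAMPLE).values():
        print(w)
```

Stage 2 here follows the IMSI only, as the text describes, so a follow-up message from a different GT is still attributed to the watched subscriber.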
The embodiments of the present invention have been described in detail with reference to the accompanying drawings, but the present invention is not limited to the above embodiments, and various changes can be made within the knowledge of those skilled in the art without departing from the gist of the present invention.

Claims (7)

1. A method for judging abnormal behavior of a core network element based on MAP signaling, characterized by:
S100, parsing the MAP signaling of the initiator to obtain the source address and target address corresponding to that signaling;
S200, judging a first abnormal behavior of the initiator according to the source address and the target address, and continuously monitoring the initiator's subsequent MAP signaling according to the first abnormal behavior;
S300, obtaining one or more parameters of the continuously monitored MAP signaling, and judging a second abnormal behavior of the initiator according to those parameters.
2. The method of claim 1, wherein the MAP signaling is configured as full MAP signaling.
3. The method for judging abnormal behavior of a core network element based on MAP signaling as claimed in claim 2, wherein S100 comprises:
acquiring the full MAP signaling at the access position corresponding to the initiator, parsing the SRIForSM message of the full MAP signaling, and obtaining the source GT and the target GT of the SCCP layer.
4. The method for judging abnormal behavior of a core network element based on MAP signaling as claimed in claim 3, wherein S200 comprises:
if the source GT and the destination GT are, respectively, domestic and non-domestic, determining that the initiator exhibits the first abnormal behavior.
5. The method for judging abnormal behavior of a core network element based on MAP signaling as claimed in claim 1, wherein S200 further comprises:
if the initiator is judged to exhibit the first abnormal behavior, acquiring the IMSI, the network position, the target number and the time of the abnormality corresponding to the initiator.
6. The method for judging abnormal behavior of a core network element based on MAP signaling as claimed in claim 5, wherein S300 comprises:
monitoring the initiator's subsequent MAP signaling in real time according to the IMSI, acquiring ATI messages and ISD messages, extracting the position information, user state and service change attribute fields from them, and determining a second abnormal behavior of the initiator, wherein the second abnormal behavior comprises target positioning and call hijacking.
7. The method for judging abnormal behavior of a core network element based on MAP signaling according to claim 1, further comprising: making an abnormality determination for the network element corresponding to the initiator according to the first abnormal behavior and the second abnormal behavior.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010541708.3A CN111901818A (en) 2020-06-15 2020-06-15 Method for judging abnormal behavior of core network element based on MAP signaling

Publications (1)

Publication Number Publication Date
CN111901818A (en) 2020-11-06

Family

ID=73206278

Country Status (1)

Country Link
CN (1) CN111901818A (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106257950A (en) * 2015-06-17 2016-12-28 中国移动通信集团公司 The treating method and apparatus of Denial of Service attack signaling in mobile communications network
CN107979821A (en) * 2016-10-21 2018-05-01 中国电信股份有限公司 The processing method and device of illegal No. 7 signalings
CN108123789A (en) * 2016-11-28 2018-06-05 中国移动通信有限公司研究院 Analyze the method and apparatus of security attack
CN109314863A (en) * 2016-04-06 2019-02-05 诺基亚技术有限公司 The detection of diameter edge proxy attack
CN110392023A (en) * 2018-04-20 2019-10-29 中移(杭州)信息技术有限公司 Network inbreak detection method and device based on signalling system No.7 network

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20201106