CN112543198B - Honeypot monitoring method, honeypot core network element, equipment and storage medium - Google Patents
- Publication number: CN112543198B (application CN202011412995.4A)
- Authority: CN (China)
- Prior art keywords
- message
- network element
- signaling
- attack
- event
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1441—Countermeasures against malicious traffic
- H04L63/1491—Countermeasures against malicious traffic using deception as countermeasure, e.g. honeypots, honeynets, decoys or entrapment
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L41/00—Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
- H04L41/14—Network analysis or design
- H04L41/145—Network analysis or design involving simulating, designing, planning or modelling of a network
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1416—Event detection, e.g. attack signature detection
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/20—Network architectures or network communication protocols for network security for managing network security; network security policies in general
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
Embodiments of the invention disclose a honeypot monitoring method, a honeypot core network element, honeypot core network element equipment and a storage medium. The method comprises the following steps: when an attack on a network element port is detected, acquiring the signaling message of the attack source through a network element simulation module, emulating the signaling interaction that the message would have with a standard core network element, and responding to the message during that interaction; capturing the signaling message through an attack monitoring module, parsing it according to its communication protocol, extracting key information from it, and triggering the corresponding signaling event according to the network element simulation module's response to the message, where the key information indicates the attack path and attack operation of the attack source; and sending the key information and the signaling event to a threat analysis platform through an event transmission module, so that the platform can monitor the attack behavior of the attack source. By drawing attack behavior into the honeypot core network element for unified monitoring, the embodiments reduce the security risk of the core network and ensure its security.
Description
Technical Field
Embodiments of the invention relate to communication network technology, and in particular to a honeypot monitoring method, a honeypot core network element, equipment and a storage medium.
Background
Fifth-generation mobile communication technology (5th generation mobile networks, 5G) has not yet reached commercial deployment at scale. Most commercial mobile core networks are still Long Term Evolution (LTE) core networks of the fourth-generation mobile communication technology (4th Generation Mobile Networks, 4G), or 4G core networks whose network elements have been enhanced to support access to 5G services. Such enhanced 4G core networks will coexist with future 5G Non-Standalone (NSA) core networks for a considerable period, so the security of the mobile network becomes all the more important.
The security of 4G and 5G NSA core networks mainly concerns signaling attacks and similar problems arising from edge-facing application connectivity in the mobile network. At the same time, virtualized 4G core network elements are reachable like ordinary IT equipment, which makes penetration and exploitation attacks easier and exposes the network to a range of security risks. How to reduce the security risk of the core network and ensure the security and reliability of the mobile network is therefore a problem that needs to be solved.
Disclosure of Invention
Embodiments of the invention provide a honeypot monitoring method, a honeypot core network element, equipment and a storage medium that reduce the security risk of the core network and ensure the security and reliability of the mobile network.
In a first aspect, an embodiment of the invention provides a honeypot monitoring method performed by a honeypot core network element, where the honeypot core network element and the standard core network elements are located inside the core network, and the honeypot core network element comprises a network element simulation module, an attack monitoring module and an event transmission module. The method comprises the following steps:
when an attack on a network element port is detected, acquiring the signaling message of the attack source through the network element simulation module, emulating the signaling interaction that the message would have with a standard core network element, and responding to the message during that interaction;
capturing the signaling message through the attack monitoring module, parsing it according to its communication protocol, extracting key information from it, and triggering the signaling event corresponding to the message according to the network element simulation module's response to it, where the key information indicates the attack path and attack operation of the attack source;
and sending the key information and the signaling event to a threat analysis platform through the event transmission module, so that the platform can monitor the attack behavior of the attack source.
In a second aspect, an embodiment of the invention further provides a honeypot core network element, comprising:
a network element simulation module, configured to acquire the signaling message of an attack source when an attack on a network element port is detected, emulate the signaling interaction that the message would have with a standard core network element, and respond to the message during that interaction;
an attack monitoring module, configured to capture the signaling message, parse it according to its communication protocol, extract key information from it, and trigger the signaling event corresponding to the message according to the network element simulation module's response to it, where the key information indicates the attack path and attack operation of the attack source;
and an event transmission module, configured to send the key information and the signaling event to a threat analysis platform, so that the platform can monitor the attack behavior of the attack source.
In a third aspect, an embodiment of the present invention further provides a honeypot monitoring device, including:
One or more processors;
a memory for storing one or more programs,
the one or more programs, when executed by the one or more processors, cause the one or more processors to implement the honeypot monitoring method as provided by any embodiment of the invention.
In a fourth aspect, embodiments of the present invention also provide a storage medium containing computer executable instructions which, when executed by a computer processor, are used to perform a honeypot monitoring method as provided by any of the embodiments of the present invention.
In embodiments of the invention, when an attack on a network element port is detected, the network element simulation module acquires the signaling message of the attack source and emulates the signaling interaction that the message would have with a standard core network element; real user network services are thereby imitated, and an attacker who has reached the core network is drawn into the honeypot core network element. The attack monitoring module captures and parses the signaling messages exchanged during the network element simulation module's signaling interaction, extracts their key information and triggers the corresponding signaling events according to the module's responses, so that the attack source's behavior is monitored from every angle. The event transmission module reports the key information parsed out by the attack monitoring module, together with the triggered signaling events, to the threat analysis platform, so that security personnel obtain the attack information and attack operations of the attack source in time. Because attack behavior is drawn into the honeypot core network element for unified monitoring, the security risk of the core network is reduced and the security and reliability of the mobile network are ensured.
Drawings
Fig. 1 is a flowchart of a honeypot monitoring method according to an embodiment of the invention;
Fig. 2 is a schematic diagram of a honeypot monitoring system according to an embodiment of the invention;
Fig. 3 is a flowchart of another honeypot monitoring method according to a second embodiment of the invention;
Fig. 4 is a workflow diagram of a honeypot monitoring method according to a second embodiment of the invention;
Fig. 5 is a workflow diagram of a network element simulation module according to a second embodiment of the invention;
Fig. 6 is a flowchart of the attack monitoring module for an S1AP-type interface according to a second embodiment of the invention;
Fig. 7 is a flowchart of the attack monitoring module for an S6a-type interface according to a second embodiment of the invention;
Fig. 8 is a workflow diagram of an MQTT initialization method in a honeypot core network element according to a second embodiment of the invention;
Fig. 9 is a workflow diagram of a configuration method of a honeypot core network element according to a third embodiment of the invention;
Fig. 10 is a schematic structural diagram of a honeypot core network element according to a fourth embodiment of the invention;
Fig. 11 is a schematic structural diagram of a honeypot monitoring device according to a fifth embodiment of the invention.
Detailed Description
The invention is described in further detail below with reference to the drawings and examples. It is to be understood that the specific embodiments described herein are merely illustrative of the invention and are not limiting thereof. It should be further noted that, for convenience of description, only some, but not all of the structures related to the present invention are shown in the drawings.
Example 1
Fig. 1 is a flowchart of a honeypot monitoring method provided in an embodiment of the invention. The embodiment applies to the situation in which a honeypot core network element is added inside the core network to monitor and report attack behavior against network element ports. The method may be performed by the honeypot core network element, which may be implemented in software and/or hardware and may be configured in a honeypot monitoring device. As shown in Fig. 1, the method includes:
Step S110, when an attack on a network element port is detected, acquiring the signaling message of the attack source through the network element simulation module, emulating the signaling interaction that the message would have with a standard core network element, and responding to the message during that interaction.
Fig. 2 is a schematic structural diagram of a honeypot monitoring system according to an embodiment of the invention. As shown in Fig. 2, the honeypot monitoring system may include an attack source, a honeypot core network element and a threat analysis platform, where the honeypot core network element and the standard core network elements are located inside the core network. A standard core network element is a signaling network element of the existing, normal core network, which performs signaling interaction with a base station according to the signaling messages the base station sends; for example, the standard core network elements may include 4G core network elements and 5G core network elements. The honeypot core network element comprises a network element simulation module, an attack monitoring module and an event transmission module.
The network element port may be a port of the honeypot core network element, and is used to monitor for attack behavior by an attack source. The attack may be an access attack or a traffic attack on the core network; for example, a probe attack in which the attack source initiates a port scan and a probe based on mobile communication services against a core network element port through a base station. Legitimate traffic has a known destination network element port: the communication source sends its signaling messages directly to the agreed destination port using the agreed communication protocol, so it never scans or probes other network element ports. An attack source, by contrast, cannot know in advance which network element port to target, and will therefore scan or probe all or most network element ports of the core network through the base station. The honeypot core network element monitors its own network element ports in real time so as to detect such attack behavior.
The network element simulation module may be a signaling network element with the access functions of a real core network: it supports the access of a real user through a base station and implements user registration, authentication, deregistration and internet-access services, and is used to emulate high-interaction behavior based on signaling. For example, the network element simulation module may be a signaling network element emulating an Evolved Packet Core (EPC) standard core network.
The signaling message of the attack source may be an access message sent by the attack source in order to obtain access rights in the core network, such as registration, authentication, deregistration or internet-access service.
Specifically, the network element simulation module, which has the same or similar functions as a standard core network element, acquires the signaling message of the attack source, emulates the signaling interaction that the message would have with a standard core network element, and responds to the message during that interaction. For example, the network element simulation module acquires the connection message of the attack source and emulates the signaling interaction of the connection message in a standard core network element. It determines whether the attack source is legitimate by checking whether the authentication parameters carried in the connection message are consistent with the authentication parameters stored in the network element simulation module; the authentication parameters are used to authenticate the identity of the attack source. If the attack source is legitimate, a connection accept message is returned to it; if it is illegitimate, a connection reject message is returned, so that the connection message is answered in either case. In this way the network element simulation module disguises itself as a normal service network element in the core network environment, imitates real user network services and lures the attack source into intruding, thereby obtaining the network information of the attack source.
Step S120, capturing the signaling message through the attack monitoring module, parsing it according to its communication protocol, extracting key information from it, and triggering the signaling event corresponding to the message according to the network element simulation module's response to the message.
The key information indicates the attack path and attack operation of the attack source. For example, it may include the source IP address, source port, destination IP address, destination port, operation code, message content and so on.
The attack monitoring module may provide a honeypot service for each unit in the network element simulation module: it captures and parses the signaling messages of each unit during signaling interaction, and separately packages the signaling event corresponding to each message and the key information in the message so that both can be uploaded to the threat analysis platform through the event transmission module.
For example, if the network element simulation module includes at least an emulated mobility management entity (Mobility Management Entity, MME) and an emulated home subscriber server (Home Subscriber Server, HSS), the attack monitoring module may provide three types of honeypot service, one for each of the three signaling control-plane interfaces MME-S6a, HSS-S6a and MME-S1AP. Here S1AP is the S1 Application Protocol (S1 Application Protocol) carried between the eNB and the MME, and S6a is the Diameter-based interface between the MME and the HSS. MME-S1AP is a Stream Control Transmission Protocol (SCTP) based service, while MME-S6a and HSS-S6a can support both Transmission Control Protocol (TCP) and SCTP based services, since Diameter runs over either transport.
In other words, the attack monitoring module selects the honeypot service that captures a given signaling message according to the transport protocol of the message and the type of unit in the network element simulation module that received it. For the emulated MME, a message carried over TCP is captured through MME-S6a, and a message carried over SCTP is captured through MME-S1AP or MME-S6a. For the emulated HSS, a message carried over TCP or SCTP is captured through HSS-S6a.
Specifically, while the network element simulation module is responding to the attack source's signaling message, the attack monitoring module captures and parses the message during the signaling interaction, extracts the information that indicates the attack path and attack operation of the attack source, and triggers the signaling event corresponding to the message according to the network element simulation module's response. The attack monitoring module thereby obtains the key information from the signaling message and triggers the corresponding signaling event once the message has been answered, so that the network information of the attack source is captured and its attack behavior is monitored comprehensively.
Step S130, sending the key information and the signaling event to a threat analysis platform through the event transmission module, so that the platform monitors the attack behavior of the attack source.
The threat analysis platform may be an analysis platform capable of analyzing the security of the core network, used to assess the core network's security posture. For example, the threat analysis platform may be a server or cloud platform with security analysis functionality.
The event transmission module encapsulates the key information parsed out by the attack monitoring module and reports it to the threat analysis platform, and also forwards the signaling events triggered by the attack monitoring module. It may store key information and signaling events before sending them, so that attack data is not lost if the platform is temporarily unreachable. It may also implement security event subscription for the various related probes by interfacing with the threat analysis platform: the platform subscribes, via the relevant probes, to particular security events held by the event transmission module, and the module delivers those events to the platform for business analysis. Reporting the parsed key information and the triggered signaling events to the threat analysis platform in this way, and raising real-time alerts through the platform, helps security personnel learn promptly that an attacker has penetrated the intranet, which parts of the core network have been compromised, and exactly which operations the attacker performed on the honeypot core network element.
In summary, in this embodiment the network element simulation module acquires the attack source's signaling message when an attack on a network element port is detected and emulates the signaling interaction of a standard core network element, so that real user network services are imitated and an attacker who reaches the core network is drawn into the honeypot core network element. The attack monitoring module captures and parses the signaling messages exchanged with the network element simulation module, extracts their key information and triggers the corresponding signaling events according to the module's responses, giving all-round monitoring of the attack source's behavior. The event transmission module reports the key information and signaling events to the threat analysis platform, so that security personnel learn the attack source's attack information and attack operations in time. Drawing attack behavior into the honeypot core network element for unified monitoring reduces the security risk of the core network and ensures the security and reliability of the mobile network.
Example 2
Fig. 3 is a flowchart of another honeypot monitoring method according to a second embodiment of the invention, which refines the honeypot monitoring method of the foregoing embodiment. As shown in Fig. 3, the method includes:
Step S210, when scanning or probing of a network element port by an attack source is detected, triggering an attack event through the network element simulation module and acquiring the signaling message of the attack source corresponding to the attack event.
Fig. 4 is a workflow diagram of a honeypot monitoring method according to the second embodiment of the invention. As shown in Fig. 4, an external attack source scans or probes a network element port of the honeypot core network element through the access network and launches a signaling attack on it. The honeypot core network element monitors scanning and probing of its network element ports in real time; when a signaling attack is detected, it triggers an attack event through the network element simulation module and acquires the signaling message of the attack source corresponding to that attack event.
Step S220, emulating, through the network element simulation module, the signaling interaction of the signaling message in a standard core network element, and responding to the signaling message during that interaction.
As shown in Fig. 4, the network element simulation module may first run a protocol conformance check on the signaling message. If the message passes the check, a response appropriate to that particular message is constructed and returned to the external attack source by the network element simulation module, so that the attack source cannot distinguish the honeypot core network element from a standard core network element and genuinely high interaction is achieved.
Optionally, the network element simulation module includes an emulated mobility management entity (MME), an emulated home subscriber server (HSS) and an emulated gateway;
emulating the signaling interaction of the signaling message in a standard core network element through the network element simulation module, and responding to the signaling message during that interaction, comprises:
parsing the signaling message through the emulated MME to obtain a connection message, sending the connection message to the emulated HSS, and judging through the emulated HSS, according to the connection message, whether the attack source is legitimate;
if the attack source is illegitimate, returning a connection reject message to the attack source through the emulated MME and releasing the context, which completes the signaling interaction between the network element simulation module and the attack source;
if the attack source is legitimate, acquiring the subscription data and authentication parameters of the attack source, authenticating the attack source through the emulated MME, and, if authentication passes, returning a connection accept message to the attack source through the emulated MME and handling the sending and receiving of service messages during the signaling interaction, which completes the signaling interaction between the network element simulation module and the attack source;
wherein the connection message and the service message are both signaling messages.
Fig. 5 is a flowchart of a network element simulation module according to a second embodiment of the present invention. As shown in fig. 5, the network element emulation module includes an emulation MME, an emulation HSS, and an emulation Gateway, where the emulation Gateway may be an emulation Service Gateway (SGW) or an emulation public data network Gateway (Public Data Network Gateway, PGW). The actual (eNodeB, eNB) may be a base station for receiving signaling messages sent by the attack source.
As shown in fig. 5, the workflow of the network element simulation module may be implemented by:
in step S2201, the attack source sends the signaling message to the real eNB, after the real eNB initiates the standard INIT UE MSG message to S1AP decoding, the signaling message is sent to an evolved packet system mobility management (Evolved Packet Syatem Mobility Management, EMM) module in the simulated MME for processing, and the connection message attach request of the Non-Access Stratum (NAS) layer is solved.
Step S2202, judging the validity of the attack source according to the connection message in the simulation HSS.
Step S2203, execute step S2202, if the attack source is an illegal user, feed back the message that the attack source is an illegal user to the simulation MME.
In step S2204, the emulation MME directly sends a connection rejection message attach reject to the real eNB and releases the context through a DL NAS TRANS message.
Step S2205, execute step S2202, if the attack source is a legal user, the emulation HSS sends the authentication parameter to the emulation MME.
Step S2206, send authentication request message to the real eNB, and perform NAS encryption integrity protection process on the attack source.
The real eNB then sends a PDN connection request message to the ESM module emulating the MME for a procedure of access point name (Access Point Name, APN) setting.
Step S2207, the emulation MME requests the emulation HSS for subscription data.
Step S2208, the emulation HSS returns the subscription data to the emulation MME.
In step S2209, the emulation MME informs the emulation gateway to establish a bearer of a session control (session) of a user plane downlink, and simultaneously, the ESM module of the emulation MME fills the connection acceptance message attach accept of the EMM module with an activation default bearer context request message of the NAS.
In step S2210, the emulation MME sends an initial context SETUP request message CTXT SETUP REQ of the encapsulated S1AP to the real eNB.
In step S2211, the simulation MME waits to receive an initial context SETUP response message CTXT SETUP RSP of the real eNB.
Step S2212, an EMM module in the simulation MME informs the simulation gateway to establish the bearing of the session of the user plane uplink.
In step S2213, the real eNB sends a connection end message attach complete to the emulation MME, where the attach complete has an activate default bearer context accept message of the ESM module.
In step S2214, the emulation MME notifies the emulation HSS that the User Equipment (UE) has been registered. Here the UE may be understood as the attack source.
Step S230, capturing the signaling message through the attack monitoring module, and analyzing the signaling message according to the communication protocol of the signaling message.
Specifically, as shown in fig. 4, the attack monitoring module captures the signaling message and parses it according to the communication protocol of the signaling message; for example, the message type of the signaling message can be determined, and the signaling message can be subjected to a protocol normalization check and the like. The communication protocol here may be TCP or SCTP.
Step S240, determining the message type of the signaling message according to the communication protocol by an attack monitoring module; if the signaling message is a connect message or a disconnect message, step S250 is performed, and if the signaling message is a traffic message, step S260 is performed.
The message types at least comprise a connection message, a disconnection message and a service message.
As shown in fig. 4, it may be determined by the attack monitoring module that the signaling message is a connection message, a disconnection message, or a traffic message according to TCP or SCTP of the signaling message.
Step S250, extracting path information contained in the connection message or the disconnection message through the attack monitoring module, acquiring message information of the connection message or the disconnection message according to the path information, and triggering a corresponding connection event or disconnection event through the attack monitoring module according to a response result of the network element simulation module to the connection message or the disconnection message.
Specifically, on the one hand, the attack monitoring module may extract path information contained in the connection message or the disconnection message, where the path information may include a source IP address, a source port, a destination IP, and a destination port of the attack source.
Fig. 6 is a working flow chart of an attack monitoring module of an S1ap type interface according to a second embodiment of the present invention. Fig. 7 is a workflow diagram of an attack monitoring module of an S6a type interface according to a second embodiment of the present invention.
For example, as shown in fig. 6 and 7, if the communication protocol of the connection message is TCP or SCTP, the attack monitoring module may record the socket identifier (socket), extract the source IP and source port of the attack source, and extract the destination IP and destination port of the attack source, that is, the IP address and port number actually being monitored. The attack monitoring module may then obtain the message information of the connection message or the disconnection message according to the path information. For example, a session ID is generated from the IP five-tuple, an event ID is generated from the source IP, the current time is obtained, and so on.
For example, as shown in fig. 6 and fig. 7, if the communication protocol of the disconnection message is TCP or SCTP, the attack monitoring module may obtain the source IP, the source port, the destination IP, the destination port, and the session ID according to the socket, obtain the event ID according to the source IP, obtain the connection duration according to the difference between the current time and the start time, and so on.
On the other hand, the attack monitoring module can trigger a corresponding connection event or disconnection event according to the response of the network element simulation module to the connection message or the disconnection message.
For example, when the honeypot core network element is in a connection state with the attack source and no data is received in a unit time, the honeypot core network element may actively disconnect, and trigger a disconnection event through the attack monitoring module.
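The path information handling of step S250 and the idle-timeout disconnect just described, as an added example that is not part of the patent: it derives the session ID, event ID and connection duration and raises connection and disconnection events. The hashing scheme, the idle timeout value and the sample addresses are constructed assumptions.

```python
"""Added example, not the patent's own code: deriving the message information of
connection and disconnection messages from the path information, and turning the
honeypot's own idle-timeout disconnect into a disconnection event.
Assumptions: SHA-256 truncation for the IDs and a 60 s idle timeout are constructed
choices; the page only says that a session ID comes from the IP five-tuple and an
event ID from the source IP."""
import hashlib
from dataclasses import dataclass

IDLE_TIMEOUT_S = 60.0               # assumed "unit time" with no data received
BEARER_PROTOCOLS = ("TCP", "SCTP")  # the bearers the page names


@dataclass
class Session:
    session_id: str
    event_id: str
    protocol: str
    src_ip: str
    src_port: int
    dst_ip: str            # the address the honeypot actually listens on
    dst_port: int
    start_time: float
    last_data_time: float


def session_id_from_5tuple(protocol, src_ip, src_port, dst_ip, dst_port) -> str:
    """Session ID: stable digest of the five-tuple (constructed scheme)."""
    key = f"{protocol}|{src_ip}:{src_port}->{dst_ip}:{dst_port}"
    return hashlib.sha256(key.encode()).hexdigest()[:16]


def event_id_from_source(src_ip: str) -> str:
    """Event ID: derived from the source IP only, so all sessions of one
    attack source share it and can be correlated on the threat platform."""
    return hashlib.sha256(src_ip.encode()).hexdigest()[:8]


class ConnectionTracker:
    """Keeps one Session per socket identifier, as the monitoring module does."""

    def __init__(self, idle_timeout: float = IDLE_TIMEOUT_S):
        self.sessions = {}          # socket identifier -> Session
        self.idle_timeout = idle_timeout

    def on_connect(self, sock_id, protocol, src_ip, src_port, dst_ip, dst_port, now) -> dict:
        """Connection message: record the socket, extract the path information
        and raise a connection event carrying session ID, event ID and time."""
        if protocol not in BEARER_PROTOCOLS:
            raise ValueError(f"unsupported bearer protocol: {protocol}")
        s = Session(
            session_id=session_id_from_5tuple(protocol, src_ip, src_port, dst_ip, dst_port),
            event_id=event_id_from_source(src_ip),
            protocol=protocol, src_ip=src_ip, src_port=src_port,
            dst_ip=dst_ip, dst_port=dst_port, start_time=now, last_data_time=now,
        )
        self.sessions[sock_id] = s
        return {"event": "connection", "session_id": s.session_id, "event_id": s.event_id,
                "src": f"{src_ip}:{src_port}", "dst": f"{dst_ip}:{dst_port}",
                "protocol": protocol, "time": now}

    def on_data(self, sock_id, now) -> None:
        """Any service message on the socket resets the idle clock."""
        self.sessions[sock_id].last_data_time = now

    def on_disconnect(self, sock_id, now, reason="peer_closed") -> dict:
        """Disconnection message: look the path info up by socket and compute the
        connection duration as current time minus start time."""
        s = self.sessions.pop(sock_id)
        return {"event": "disconnection", "session_id": s.session_id, "event_id": s.event_id,
                "src": f"{s.src_ip}:{s.src_port}", "dst": f"{s.dst_ip}:{s.dst_port}",
                "duration": now - s.start_time, "reason": reason}

    def expire_idle(self, now) -> list:
        """The honeypot actively disconnects sessions with no data for a unit time;
        each such disconnect is reported as a disconnection event too."""
        idle = [sid for sid, s in self.sessions.items()
                if now - s.last_data_time >= self.idle_timeout]
        return [self.on_disconnect(sid, now, reason="honeypot_idle_timeout") for sid in idle]


if __name__ == "__main__":
    # Constructed sample: one attacker opens an SCTP connection to the emulated
    # MME's S1ap listener (port 36412), sends one message, then goes quiet.
    tracker = ConnectionTracker(idle_timeout=30.0)
    print(tracker.on_connect(7, "SCTP", "10.0.0.5", 40000, "10.0.1.1", 36412, now=1000.0))
    tracker.on_data(7, now=1010.0)
    print(tracker.expire_idle(now=1040.0))
```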
Step S260, extracting the operation code and the message content contained in the service message by the attack monitoring module, and triggering the corresponding signaling event by the attack monitoring module according to the type of the operation code and the type of the message content according to the response result of the network element simulation module to the service message.
Here the message content may be the signaling code stream of the signaling message. As shown in fig. 4, the honeypot core network element may perform a protocol normalization check on the operation code and the message content contained in the service message through the attack monitoring module: if the operation code and the message content pass the protocol normalization check, they are processed normally; if they do not pass, the honeypot core network element records the erroneous operation code and the erroneous content. The honeypot core network element can then trigger a corresponding signaling event according to the response result of the network element simulation module to the service message.
The attack monitoring module may include an S1ap type interface and an S6a type interface.
Optionally, for the S1ap type interface in the attack monitoring module, as shown in fig. 6, the operation code and the message content included in the service message are extracted, and according to the response result of the network element simulation module to the service message, a corresponding signaling event is triggered by the attack monitoring module according to the type of the operation code and the type of the message content, including:
judging whether the operation code in the service message is legal or not;
when the operation code is illegal, triggering an abnormal signaling event according to the refusal response result of the network element simulation module to the service message, extracting the erroneous operation code in the service message, and extracting the erroneous content of the service message;
when the operation code is legal, judging whether the operation code conforms to the network element attribute;
when the operation code does not conform, triggering an abnormal signaling event according to the refusal response result of the network element simulation module to the service message, extracting the erroneous operation code in the service message, and extracting the erroneous content of the service message;
when the operation code conforms, triggering a corresponding service event according to the receiving response result of the network element simulation module to the service message, and extracting the operation code and message content of the service message.
The S1ap type interface may be an interface between the base station and the emulated MME, the bearer protocol may adopt SCTP, the service protocol may be an S1ap protocol, and the MME-S1ap interface may trigger security events such as a connection event, a disconnection event, an abnormal signaling event, and a service event.
An erroneous opcode may be understood as an opcode that does not comply with the protocol normalization check. Error content may be understood as message content that does not comply with the protocol normalization check.
The operation codes may include s1-setup Request, attach Request, authentication Request, authentication Response, security mode command, security mode complete, ESM information Request, PDN connectivity Request, path switch Request, uplink NAS transport, UE capability info indication, UE Context release Request, handover cancel, and the like.
For normal S1ap interface signaling, the operation code and message content are extracted, and the honeypot core network element performs a normal service response, triggers a service event and performs attack retention. Since the service data of the MME-S1ap port uses the S1ap/NAS protocol, the legality of the operation code of the received service data is judged first, and an abnormal signaling event is triggered if the operation code is not one specified by the protocol, or is specified by the protocol but is not one processed by the MME.
Optionally, determining whether the operation code in the service message is legal includes:
judging whether the operation code in the service message is an operation code specified by a protocol;
If the operation code is not the operation code specified by the protocol, determining that the operation code is illegal;
if the operation code is the operation code specified by the protocol, judging whether the operation code is the operation code processed by the MME;
if the operation code is not processed by the MME, determining that the operation code is illegal;
if the operation code is the operation code processed by the MME, determining that the operation code is legal.
The operation code processed by the MME can be understood as an operation code that can be processed by the emulation MME. For example, if the operation code is one processed by the emulation HSS but not one processed by the emulation MME, it is determined that the operation code is illegal.
Optionally, for the S6a type interface in the attack monitoring module, as shown in fig. 7, the operation code and the message content included in the service message are extracted, and according to the response result of the network element simulation module to the service message, a corresponding signaling event is triggered by the attack monitoring module according to the type of the operation code and the type of the message content, including:
checking whether the signaling header in the service message is legal;
when the signaling header is illegal, triggering an abnormal signaling event according to a refusal response result of the network element simulation module to the service message, and extracting an error signaling header in the service message;
when the signaling header is legal, checking whether an operation code in the service message is legal or not;
When the operation code is illegal, triggering an abnormal signaling event according to a refusal response result of the network element simulation module to the service message, and extracting an error operation code and error content in the service message;
when the operation code is legal, judging whether the service message is a peer-to-peer connection operation or a peer-to-peer disconnection operation according to the operation code;
if yes, modifying the current connection state to the peer connection state or the peer disconnection state, and triggering the peer connection event or the peer disconnection event according to the receiving response result of the network element simulation module to the peer connection operation or the peer disconnection operation;
if not, extracting the operation code and the message content in the service message, and triggering the corresponding service event according to the receiving response result of the network element simulation module to the service message.
The S6a type interface may be an MME-S6a interface and an HSS-S6a interface. The bearers of the S6a type interface in the core network may include both TCP and SCTP protocols. The S6a type interface may trigger security events such as connection events, disconnection events, abnormal signaling events, and traffic events. Fig. 7 is a case where the bearer for the S6a type interface is TCP.
For the S6a type interface, the service data uses the Diameter protocol. First the Diameter header of the received service data is checked: the protocol version is judged and whether the message length is legal is judged; then whether the protocol operation code is legal is further analyzed. For signaling that does not meet the protocol specification, an abnormal signaling event is triggered. For signaling that meets the protocol specification, the operation code is further judged: if the signaling is a peer connection operation, in order to better trap the attacker's connection access, legality judgments such as checking the domain name of the peer are removed, a peer connection response is returned, the peer connection state is modified and a peer connection success event is generated; if the signaling is a peer disconnection operation, a peer disconnection event is generated. Examples of such operations are CER (Capabilities-Exchange-Request), CEA (Capabilities-Exchange-Answer), DWR (Device-Watchdog-Request), DWA (Device-Watchdog-Answer), DPR (Disconnect-Peer-Request) and DPA (Disconnect-Peer-Answer). For normal S6a interface signaling, the operation code and the signaling code stream are extracted, and the honeypot core network element performs a normal service response, triggers a service event and performs attack retention. For example, the attack monitoring module may mainly detect signaling of the S6a interface covering 8 operation codes: ULR (Update-Location-Request), CLR (Cancel-Location-Request), AIR (Authentication-Information-Request), IDR (Insert-Subscriber-Data-Request), DSR (Delete-Subscriber-Data-Request), PUR (Purge-UE-Request), RSR (Reset-Request) and NOR (Notify-Request).
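The S1ap two-step operation code legality check described above and the S6a Diameter header and operation code checks of this paragraph, as one added example that is not the patent's own code: the Diameter header layout and command codes (RFC 6733 / 3GPP TS 29.272; the page's "operation code" is the Diameter command code) and the S1ap procedure codes (3GPP TS 36.413) are taken from the standards rather than from the page, and the "processed by the MME" subset is a constructed illustration.

```python
"""Added example, not the patent's own code: the attack monitoring module's
service-message checks for the S6a (Diameter) and S1ap interfaces.
Assumptions not taken from the page: the Diameter header layout and command
codes follow RFC 6733 / 3GPP TS 29.272 (the page's "operation code" is the
Diameter command code); the S1ap procedure codes follow 3GPP TS 36.413 and the
"processed by the MME" subset is a constructed illustration."""
import struct

DIAMETER_VERSION = 1
HEADER_LEN = 20                     # fixed Diameter header size in bytes
S6A_APPLICATION_ID = 16777251       # 3GPP S6a/S6d application id

# Peer-state commands (RFC 6733). Request and answer share a command code; the
# R bit (0x80) of the command flags tells them apart.
PEER_CONNECT_CODES = {257: "CER/CEA", 280: "DWR/DWA"}   # connect / keep connected
PEER_DISCONNECT_CODES = {282: "DPR/DPA"}
# The eight S6a service commands the page lists (3GPP TS 29.272).
S6A_SERVICE_CODES = {316: "ULR", 317: "CLR", 318: "AIR", 319: "IDR",
                     320: "DSR", 321: "PUR", 322: "RSR", 323: "NOR"}


def build_diameter(cmd_code: int, request: bool, payload: bytes = b"",
                   app_id: int = S6A_APPLICATION_ID) -> bytes:
    """Constructed helper that encodes a Diameter PDU so samples can be built offline."""
    flags = 0x80 if request else 0x00
    length = HEADER_LEN + len(payload)
    return (bytes([DIAMETER_VERSION]) + length.to_bytes(3, "big") + bytes([flags])
            + cmd_code.to_bytes(3, "big") + struct.pack(">III", app_id, 1, 1) + payload)


def check_s6a_message(raw: bytes) -> dict:
    """Return the event the monitoring module raises for one S6a service message.

    Order follows the page: signaling header first (version, length), then the
    operation code; peer operations change connection state, known service
    commands become service events, anything else is an abnormal signaling event.
    """
    if len(raw) < HEADER_LEN:
        return {"event": "abnormal_signaling", "error_header": raw.hex()}
    version = raw[0]
    msg_len = int.from_bytes(raw[1:4], "big")
    is_request = bool(raw[4] & 0x80)
    cmd_code = int.from_bytes(raw[5:8], "big")
    content = raw[HEADER_LEN:]
    if version != DIAMETER_VERSION or msg_len != len(raw):
        # Header that does not match the protocol: keep the raw header as evidence.
        return {"event": "abnormal_signaling", "error_header": raw[:HEADER_LEN].hex()}
    if cmd_code in PEER_CONNECT_CODES:
        # Peer legality checks (e.g. Origin-Host) are deliberately skipped so the
        # honeypot accepts any peer; the state change is reported as an event.
        return {"event": "peer_connect", "opcode": PEER_CONNECT_CODES[cmd_code],
                "request": is_request, "state": "peer_connected"}
    if cmd_code in PEER_DISCONNECT_CODES:
        return {"event": "peer_disconnect", "opcode": PEER_DISCONNECT_CODES[cmd_code],
                "request": is_request, "state": "peer_disconnected"}
    if cmd_code in S6A_SERVICE_CODES:
        return {"event": "service", "opcode": S6A_SERVICE_CODES[cmd_code],
                "content": content.hex()}
    return {"event": "abnormal_signaling", "error_opcode": cmd_code,
            "error_content": content.hex()}


# S1ap procedure codes (3GPP TS 36.413) for the S1ap-level entries of the
# page's opcode list, plus a few MME-initiated ones for contrast.
S1AP_PROCEDURES = {3: "PathSwitchRequest", 4: "HandoverCancel", 9: "InitialContextSetup",
                   10: "Paging", 11: "DownlinkNASTransport", 12: "InitialUEMessage",
                   13: "UplinkNASTransport", 17: "S1Setup",
                   18: "UEContextReleaseRequest", 22: "UECapabilityInfoIndication"}
# Constructed subset: procedures an eNB initiates towards the MME, i.e. the ones
# the emulated MME processes. Paging, DownlinkNASTransport and InitialContextSetup
# are MME-initiated, so receiving them is "specified by the protocol but not
# processed by the MME" in the page's two-step check.
MME_PROCESSED = {3, 4, 12, 13, 17, 18, 22}


def check_s1ap_opcode(code: int) -> str:
    """Two-step legality check of an S1ap operation code on the MME-S1ap port."""
    if code not in S1AP_PROCEDURES:
        return "illegal: not specified by protocol"
    if code not in MME_PROCESSED:
        return "illegal: not processed by MME"
    return "legal"


if __name__ == "__main__":
    # Constructed samples: a CER, a ULR carrying one dummy AVP, and a bogus command.
    print(check_s6a_message(build_diameter(257, True)))
    print(check_s6a_message(build_diameter(316, True, bytes.fromhex("000000014000000c00000001"))))
    print(check_s6a_message(build_diameter(999, True)))
    print(check_s1ap_opcode(12), check_s1ap_opcode(10), check_s1ap_opcode(200))
```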
The embodiment of the invention can realize high interaction with a remote attack source based on the 4G and 5G NSA mobile network protocols by processing the connection event, the disconnection event, the service event and the abnormal signaling event, and can effectively trap the subsequent signaling behavior of the attack source.
Step S270, key information and signaling events are sent to the threat analysis platform through the event transmission module, so that the attack behavior of the attack source is monitored through the threat analysis platform.
As shown in fig. 4, the event transmission module sends the key information and the signaling event to the threat analysis platform, so as to report the abnormal situation.
Optionally, sending, by the event transmission module, the critical information and the signaling event to the threat analysis platform, including:
the event transmission module encapsulates the key information and the signaling event to obtain an event encapsulation package;
acquiring an access path of the MQTT server through a message queue telemetry transmission (Message Queuing Telemetry Transport, MQTT) service configured in the event transmission module, and establishing connection with the MQTT server according to the access path;
and sending the event package to the MQTT server through the event transmission module, and storing and sending the event package to the threat analysis platform through the MQTT server.
As shown in fig. 6 and fig. 7, the operation code, the message content, the event and the like are packaged by the event transmission module to obtain an event package, and the event package is stored and sent to the threat analysis platform by the MQTT server.
Fig. 8 is a working flow chart of an MQTT initialization method in a core network element of a honeypot according to a second embodiment of the present invention. As shown in fig. 8, the MQTT initialization method may be implemented as follows:
step S2701, MQTT initialization.
The configuration file of the honeypot core network element includes the MQTT header file mosquitto.h, which is used for initializing the MQTT.
Step S2702: determine whether the initialization success flag is already set; if so, execute step S2703, and if not, execute step S2704.
Step S2703, the initialization process is exited.
Step S2704, initializing the MQTT library resources.
Step S2705, determine whether creation of the MQTT object is successful, and if not, execute step S2706, and if so, execute step S2707.
Step S2706, releasing the MQTT library resources.
Step S2707, the MQTT server configuration information is acquired.
The MQTT server configuration information may include, among other things, IP addresses and monitoring port information.
Step S2708, call the creation function, create the connection with the MQTT server, judge whether the creation is successful, if not, execute step S2709, if yes, execute step S2710.
Step S2709, an error is presented.
Step S2710, set MQTT initialization success mark.
Step S2711: the MQTT initialization is completed.
After the MQTT server establishes a connection with the event transmission module, various security events can be transmitted. However, the three services MME-S6a, HSS-S6a and MME-S1AP of the honeypot core network element need to be configured with probe information, mainly including the event type, the probe ID and the event name. The format may take the following form: secevent/Probe ID/events.
Meanwhile, three service MME-S6a, HSS-S6a and MME-S1ap monitoring IP addresses and ports of the mobile core network honeypot are configured according to network topology and network element information of mobile network deployment.
The embodiment of the invention provides a high-interaction mechanism for signaling through the network element simulation module, thereby simulating the real network service of the user. The attack monitoring module determines the message type of the signaling message according to the communication protocol, further extracts the corresponding key information according to the different message types, triggers the corresponding security events according to the response of the network element simulation module to the signaling message, and reports the key information and the security events to the threat analysis platform, which triggers a real-time alarm. This helps security personnel to learn in time that an attacker has penetrated the intranet, which part of the honeypot core network is controlled, and which operations the attacker has performed on the honeypot core network element.
Example III
Fig. 9 is a workflow diagram of a configuration method of a honeypot core network element according to a third embodiment of the present invention, where the configuration method of the honeypot core network element is optimized based on the foregoing embodiment, as shown in fig. 9, and may be implemented by:
Step S301, the JavaScript Object Notation (JSON) file configured by the system is read.
Step S302, judging whether the file is successfully opened, if not, executing step S303, and if yes, executing step S304.
Step S303, exiting.
Step S304, reading the content of the configuration file.
Step S305, a cJSON_Parse function is called, and a cJSON format is generated.
Step S306, a cJSON_GetObjectItem function is called, and the number of services in the configuration file is obtained.
Specifically, cJSON_GetObjectItemCaseSensitive or cJSON_GetObjectItem is called to obtain the value of the corresponding name; whether the type of the value is correct is judged through the cJSON_Is type-check functions; if it is correct, the value is obtained through members such as valuestring or valuedouble, and if it is incorrect, the method exits.
Step S307, determining whether the service is the present honeypot service, if not, executing step S308, and if so, executing step S309.
The honeypot service may be understood as the configuration service corresponding to the honeypot core network element provided by the embodiment of the present invention.
Step S308, continuing to find the next service.
Step S309, the IP address and port number of the service are read.
Step S310, reading the common variable of the service.
The common variables may include event ID timeout duration, heartbeat time, and the like, among others.
Step S311, releasing the cJSON object and closing the file.
Step S312, starting the honeypot service according to the information specified by the configuration file.
The embodiment of the invention reads the JSON file configured by the system and the content of the configuration file, calls the cJSON_GetObjectItem function to obtain the number of services in the configuration file, and cyclically judges whether each service is the honeypot service; if so, it reads the IP address, port number and common variables of the service, thereby configuring the honeypot core network element in the core network.
Example IV
Fig. 10 is a schematic structural diagram of a honeypot core network element according to a fourth embodiment of the present invention. The honeypot core network element can be realized by software and/or hardware, can generally be integrated in honeypot monitoring equipment, and, by executing the honeypot monitoring method, can reduce the security risk of the core network and ensure the security and reliability of the mobile network. As shown in fig. 10, the honeypot core network element includes:
the network element simulation module 410 is configured to obtain a signaling message of an attack source when it is detected that an attack behavior exists on a network element port, simulate signaling interaction of the signaling message in a standard core network element, and respond to the signaling message in the process of the signaling interaction;
An attack monitoring module 420, configured to capture the signaling message, parse the signaling message according to a communication protocol of the signaling message, extract key information in the signaling message, and trigger a signaling event corresponding to the signaling message according to a response result of the network element simulation module to the signaling message; the key information is used for indicating an attack path and an attack operation of the attack source;
the event transmission module 430 is configured to send the key information and the signaling event to a threat analysis platform, so as to monitor an attack behavior of the attack source through the threat analysis platform.
Optionally, the network element simulation module 410 is specifically configured to:
triggering an attack event when an attack source scans or detects a network element port, and acquiring a signaling message of the attack source corresponding to the attack event.
Optionally, the network element simulation module comprises a simulation mobile management entity MME, a simulation home subscriber server HSS and a simulation gateway;
the network element simulation module 410 is specifically configured to:
analyzing the signaling message through the simulation MME to obtain a connection message, sending the connection message to the simulation HSS, and judging the validity of the attack source according to the connection message through the simulation HSS;
If the attack source is illegal, feeding back a connection rejection message to the attack source through the simulation MME and releasing the context to complete signaling interaction between the network element simulation module and the attack source;
if the attack source is legal, acquiring subscription data and authentication parameters of the attack source, authenticating the attack source through the simulation MME, and if the authentication is passed, feeding back a connection acceptance message to the attack source through the simulation MME, and responding to the receiving and sending of the service message in the process of signaling interaction, thereby completing the signaling interaction between the network element simulation module and the attack source;
wherein the connection message and the service message belong to a signaling message.
Optionally, the attack monitoring module 420 is specifically configured to:
determining, by the attack monitoring module, a message type of the signaling message according to the communication protocol; the message type at least comprises a connection message, a disconnection message and a service message;
if the signaling message is a connection message or a disconnection message, extracting path information contained in the connection message or the disconnection message by the attack monitoring module, acquiring message information of the connection message or the disconnection message according to the path information, and triggering a corresponding connection event or disconnection event by the attack monitoring module according to a response result of the network element simulation module to the connection message or the disconnection message.
And if the signaling message is a service message, extracting an operation code and message content contained in the service message by the attack monitoring module, and triggering a corresponding signaling event by the attack monitoring module according to the type of the operation code and the type of the message content according to a response result of the network element simulation module to the service message.
Optionally, for the S1 application protocol S1ap type interface in the attack monitoring module, the attack monitoring module 420 is specifically configured to:
judging whether the operation code in the service message is legal or not;
when the operation code is illegal, triggering an abnormal signaling event according to the refusal response result of the network element simulation module to the service message, extracting the erroneous operation code in the service message, and extracting the erroneous content of the service message;
when the operation code is legal, judging whether the operation code conforms to the network element attribute;
when the operation code does not conform, triggering an abnormal signaling event according to the refusal response result of the network element simulation module to the service message, extracting the erroneous operation code in the service message, and extracting the erroneous content of the service message;
when the operation code conforms, triggering a corresponding service event according to the receiving response result of the network element simulation module to the service message, and extracting the operation code and message content of the service message.
Optionally, the attack monitoring module 420 is specifically configured to:
judging whether the operation code in the service message is an operation code specified by a protocol;
if the operation code is not the operation code specified by the protocol, determining that the operation code is illegal;
if the operation code is the operation code specified by the protocol, judging whether the operation code is the operation code processed by the MME;
if the operation code is not one processed by the MME, determining that the operation code is illegal;
and if the operation code is the operation code processed by the MME, determining that the operation code is legal.
Optionally, for the S6 application protocol S6a type interface in the attack monitoring module, the attack monitoring module 420 is specifically configured to:
checking whether the signaling header in the service message is legal or not;
when the signaling header is illegal, triggering an abnormal signaling event according to a refusal response result of the network element simulation module to the service message, and extracting an error signaling header in the service message;
when the signaling header is legal, checking whether an operation code in the service message is legal or not;
when the operation code is illegal, triggering an abnormal signaling event according to a refusal response result of the network element simulation module to the service message, and extracting an error operation code and error content in the service message;
When the operation code is legal, judging whether the service message is a peer-to-peer connection operation or a peer-to-peer disconnection operation according to the operation code;
if yes, modifying the current connection state to the peer connection state or the peer disconnection state, and triggering the peer connection event or the peer disconnection event according to the receiving response result of the network element simulation module to the peer connection operation or the peer disconnection operation;
if not, extracting the operation code and the message content in the service message, and triggering a corresponding service event according to the receiving response result of the network element simulation module to the service message.
Optionally, the event transmission module 430 is specifically configured to:
encapsulating the key information and the signaling event through the event transmission module to obtain an event encapsulation package;
acquiring an access path of an MQTT server through a Message Queue Telemetry Transmission (MQTT) service configured in the event transmission module, and establishing connection with the MQTT server according to the access path;
and sending the event package to the MQTT server through the event transmission module, and storing and sending the event package to a threat analysis platform through the MQTT server.
The honeypot core network element provided by the embodiment of the invention can execute the honeypot monitoring method provided by any embodiment of the invention, and has the functional modules and beneficial effects corresponding to the executed method.
Example five
Fig. 11 is a schematic structural diagram of a honeypot monitoring device according to a fifth embodiment of the present invention. As shown in fig. 11, the honeypot monitoring device includes a processor 500, a memory 510, an input device 520, and an output device 530; the number of processors 500 in the honeypot monitoring device may be one or more, one processor 500 being illustrated in fig. 11; the processor 500, memory 510, input device 520 and output device 530 in the honeypot monitoring device may be connected by a bus or other means, for example by a bus connection in fig. 11.
The memory 510 is used as a computer readable storage medium for storing software programs, computer executable programs, and modules, such as program instructions and/or modules corresponding to the honeypot monitoring method in the embodiment of the present invention (e.g., the network element simulation module 410, the attack monitoring module 420, and the event transmission module 430 in the honeypot core network element). The processor 500 executes various functional applications and data processing of the honeypot monitoring device by running software programs, instructions and modules stored in the memory 510, i.e., implements the honeypot monitoring method described above.
The memory 510 may mainly include a storage program area and a storage data area, wherein the storage program area may store an operating system, at least one application program required for functions; the storage data area may store data created according to the use of the terminal, etc. In addition, memory 510 may include high-speed random access memory, and may also include non-volatile memory, such as at least one magnetic disk storage device, flash memory device, or other non-volatile solid-state storage device. In some examples, the memory 510 may further include memory remotely located with respect to the processor 500, which may be connected to the honeypot monitoring device through a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The input device 520 may be used to receive entered numeric or character information and to trigger key signal inputs related to user settings and function control of the honeypot monitoring apparatus. The output means 530 may comprise a display device such as a display screen.
Example six
The sixth embodiment of the present invention further provides a storage medium containing computer-executable instructions which, when executed by a computer processor, perform a honeypot monitoring method. The method is executed by a honeypot core network element; the honeypot core network element and a standard core network element are located inside a core network, and the honeypot core network element comprises a network element simulation module, an attack monitoring module and an event transmission module. The method comprises the following steps:
when attack behavior is detected on the network element port, acquiring a signaling message of the attack source through the network element simulation module, simulating the signaling interaction of the signaling message in a standard core network element, and responding to the signaling message during the signaling interaction;
capturing the signaling message through the attack monitoring module, parsing the signaling message according to its communication protocol, extracting key information from the signaling message, and triggering a signaling event corresponding to the signaling message according to the response result of the network element simulation module to the signaling message, the key information indicating the attack path and the attack operations of the attack source;
and sending the key information and the signaling event to a threat analysis platform through the event transmission module, so that the attack behavior of the attack source is monitored through the threat analysis platform.
Of course, the storage medium containing the computer executable instructions provided in the embodiments of the present invention is not limited to the above-described method operations, and may also perform the related operations in the honeypot monitoring method provided in any embodiment of the present invention.
From the above description of the embodiments, a person skilled in the art will understand that the present invention may be implemented by software together with the necessary general-purpose hardware, or by hardware alone, although in many cases the former is the preferred embodiment. On this understanding, the technical solution of the present invention, or the part of it that contributes over the prior art, may be embodied as a software product stored in a computer-readable storage medium, such as a floppy disk, a read-only memory (ROM), a random access memory (RAM), a flash memory, a hard disk or an optical disk of a computer, and containing instructions that cause a computer device (which may be a personal computer, a server, a network device, etc.) to execute the method of the embodiments of the present invention.
It should be noted that, in the above embodiment of the honeypot core network element, the units and modules are divided only according to functional logic and are not limited to the division described, so long as the corresponding functions can be implemented; in addition, the specific names of the functional units serve only to distinguish them from each other and do not limit the protection scope of the present invention.
Note that the above is only a preferred embodiment of the present invention and the technical principle applied. It will be understood by those skilled in the art that the present invention is not limited to the particular embodiments described herein, but is capable of various obvious changes, rearrangements and substitutions as will now become apparent to those skilled in the art without departing from the scope of the invention. Therefore, while the invention has been described in connection with the above embodiments, the invention is not limited to the embodiments, but may be embodied in many other equivalent forms without departing from the spirit or scope of the invention, which is set forth in the following claims.
Claims (11)
1. A honeypot monitoring method, characterized in that it is executed by a honeypot core network element, wherein the honeypot core network element and a standard core network element are located inside a core network, and the honeypot core network element comprises a network element simulation module, an attack monitoring module and an event transmission module; the method comprises the following steps:
when attack behavior is detected on the network element port, acquiring a signaling message of the attack source through the network element simulation module, simulating the signaling interaction of the signaling message in a standard core network element, and responding to the signaling message during the signaling interaction;
capturing the signaling message through the attack monitoring module, parsing the signaling message according to its communication protocol, extracting key information from the signaling message, and triggering a signaling event corresponding to the signaling message according to the response result of the network element simulation module to the signaling message, the key information indicating the attack path and the attack operations of the attack source;
and sending the key information and the signaling event to a threat analysis platform through the event transmission module, so that the attack behavior of the attack source is monitored through the threat analysis platform.
2. The method according to claim 1, wherein acquiring, through the network element simulation module, the signaling message of the attack source when attack behavior is detected on the network element port comprises:
when scanning or probing of the network element port by the attack source is detected, triggering an attack event through the network element simulation module, and acquiring the signaling message of the attack source corresponding to the attack event.
3. The method according to claim 1, wherein the network element simulation module comprises a simulated mobility management entity (MME), a simulated home subscriber server (HSS) and a simulated gateway;
and simulating, through the network element simulation module, the signaling interaction of the signaling message in the standard core network element and responding to the signaling message during the signaling interaction comprises:
parsing the signaling message through the simulated MME to obtain a connection message, sending the connection message to the simulated HSS, and judging through the simulated HSS, according to the connection message, whether the attack source is legitimate;
if the attack source is illegitimate, feeding back a connection rejection message to the attack source through the simulated MME and releasing the context, thereby completing the signaling interaction between the network element simulation module and the attack source;
if the attack source is legitimate, acquiring subscription data and authentication parameters of the attack source, authenticating the attack source through the simulated MME, and, if the authentication passes, feeding back a connection acceptance message to the attack source through the simulated MME and responding to the sending and receiving of service messages during the signaling interaction, thereby completing the signaling interaction between the network element simulation module and the attack source;
wherein the connection message and the service message are both signaling messages.
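As an added worked example (not part of the patent text), the attach flow of claim 3 can be modelled as follows: the simulated MME hands the connection message to the simulated HSS, rejects and releases the context for an unknown subscriber, and otherwise runs a challenge/response before accepting and answering service messages. EPS AKA (MILENAGE) is replaced by an HMAC-SHA256 challenge so the block runs offline; the subscriber table, IMSIs, source identifiers and payloads are constructed test data, and the EMM cause texts are those of 3GPP TS 24.301.

```python
"""Simulated MME/HSS attach flow (claim 3). Added example, not the patent's code.

EPS AKA (MILENAGE) is replaced by an HMAC-SHA256 challenge/response so the block
runs offline; SUBSCRIBERS, IMSIs, source ids and payloads are constructed data.
EMM cause texts follow 3GPP TS 24.301 (#7, #9, #111)."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field

# imsi -> (shared key K, subscription data)  -- constructed test fixture
SUBSCRIBERS = {
    "001010123456789": (bytes.fromhex("00112233445566778899aabbccddeeff"),
                        {"apn": "internet", "ambr_dl_kbps": 10000}),
}


def compute_res(k: bytes, rand: bytes) -> bytes:
    """Stand-in for the USIM's RES: truncated HMAC over RAND. Not EPS AKA."""
    return hmac.new(k, rand, hashlib.sha256).digest()[:8]


class SimulatedHss:
    def __init__(self, subscribers):
        self.subscribers = subscribers

    def is_legitimate(self, imsi: str) -> bool:
        return imsi in self.subscribers

    def auth_vector(self, imsi: str):
        k, subscription = self.subscribers[imsi]
        rand = os.urandom(16)
        return rand, compute_res(k, rand), subscription


@dataclass
class SimulatedMme:
    hss: SimulatedHss
    contexts: dict = field(default_factory=dict)   # src -> UE context

    def attach_request(self, src: str, imsi: str) -> dict:
        """Connection message: the HSS decides whether the source is legitimate."""
        if not self.hss.is_legitimate(imsi):
            self.contexts.pop(src, None)                    # release context
            return {"msg": "ATTACH_REJECT", "cause": "#7 EPS services not allowed"}
        rand, xres, subscription = self.hss.auth_vector(imsi)
        self.contexts[src] = {"imsi": imsi, "xres": xres, "sub": subscription,
                              "state": "AUTH_PENDING"}
        return {"msg": "AUTHENTICATION_REQUEST", "rand": rand}

    def authentication_response(self, src: str, res: bytes) -> dict:
        ctx = self.contexts.get(src)
        if ctx is None or ctx["state"] != "AUTH_PENDING":
            return {"msg": "ATTACH_REJECT", "cause": "#111 Protocol error, unspecified"}
        if not hmac.compare_digest(res, ctx["xres"]):
            self.contexts.pop(src)                          # release context
            return {"msg": "AUTHENTICATION_REJECT"}
        ctx["state"] = "ATTACHED"
        return {"msg": "ATTACH_ACCEPT", "subscription": ctx["sub"]}

    def service_request(self, src: str, payload: bytes) -> dict:
        """Service messages are only answered for an attached, authenticated context."""
        ctx = self.contexts.get(src)
        if ctx is None or ctx["state"] != "ATTACHED":
            return {"msg": "SERVICE_REJECT",
                    "cause": "#9 UE identity cannot be derived by the network"}
        return {"msg": "SERVICE_ACCEPT", "bytes": len(payload)}


def run_demo() -> list:
    """One illegitimate and one legitimate attach; returns the response message names."""
    mme = SimulatedMme(SimulatedHss(SUBSCRIBERS))
    out = [mme.attach_request("src-a", "001019999999999")["msg"]]   # unknown IMSI
    chal = mme.attach_request("src-b", "001010123456789")
    out.append(chal["msg"])
    k = SUBSCRIBERS["001010123456789"][0]
    out.append(mme.authentication_response("src-b", compute_res(k, chal["rand"]))["msg"])
    out.append(mme.service_request("src-b", b"\x07\x4d")["msg"])   # attached source
    out.append(mme.service_request("src-a", b"\x07\x4d")["msg"])   # rejected source
    return out


if __name__ == "__main__":
    print(run_demo())
```

Every branch of the flow returns a well-formed response rather than dropping the connection, which is what keeps an attack source interacting long enough for the attack monitoring module to capture its signaling.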
4. The method according to claim 1, wherein extracting, through the attack monitoring module, the key information from the signaling message and triggering a signaling event corresponding to the signaling message according to the response result of the network element simulation module to the signaling message comprises:
determining, through the attack monitoring module, the message type of the signaling message according to the communication protocol, the message types comprising at least a connection message, a disconnection message and a service message;
if the signaling message is a connection message or a disconnection message, extracting through the attack monitoring module the path information contained in the connection or disconnection message, acquiring the message information of the connection or disconnection message according to the path information, and triggering through the attack monitoring module a corresponding connection event or disconnection event according to the response result of the network element simulation module to the connection or disconnection message;
and if the signaling message is a service message, extracting through the attack monitoring module the operation code and the message content contained in the service message, and triggering through the attack monitoring module a corresponding signaling event according to the type of the operation code, the type of the message content and the response result of the network element simulation module to the service message.
5. The method according to claim 4, wherein, for an S1 Application Protocol (S1AP) interface type in the attack monitoring module, extracting the operation code and the message content contained in the service message and triggering, through the attack monitoring module, a corresponding signaling event according to the type of the operation code, the type of the message content and the response result of the network element simulation module to the service message comprises:
judging whether the operation code in the service message is valid;
when the operation code is invalid, triggering an abnormal signaling event according to the rejection response of the network element simulation module to the service message, extracting the erroneous operation code from the service message, and extracting the erroneous content of the service message;
when the operation code is valid, judging whether the operation code matches the attributes of the network element;
when it does not match, triggering an abnormal signaling event according to the rejection response of the network element simulation module to the service message, extracting the erroneous operation code from the service message, and extracting the erroneous content of the service message;
and when it matches, triggering a corresponding service event according to the acceptance response of the network element simulation module to the service message, and extracting the operation code and the message content of the service message.
6. The method of claim 5, wherein judging whether the operation code in the service message is valid comprises:
judging whether the operation code in the service message is an operation code specified by the protocol;
if it is not an operation code specified by the protocol, determining that the operation code is invalid;
if it is an operation code specified by the protocol, judging whether it is an operation code processed by the MME;
if it is not an operation code processed by the MME, determining that the operation code is invalid;
and if it is an operation code processed by the MME, determining that the operation code is valid.
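An added example, not the patent's code, of the checks of claims 5 and 6 applied to the first bytes of an S1AP PDU. S1AP-PDU is aligned-PER encoded, so the PDU choice (initiatingMessage, successfulOutcome, unsuccessfulOutcome), the procedureCode and the criticality occupy the first three octets. The procedure table is a constructed subset of TS 36.413 as recalled here and should be checked against the specification before use; the set of procedures the simulated MME "supports" (how the claim-5 network element attribute is interpreted here) and the sample PDUs are constructed.

```python
"""S1AP operation-code check (claims 5 and 6). Added example, not the patent's code.

Reads the aligned-PER header of an S1AP PDU (PDU choice, procedureCode, criticality)
and applies the three-step validity test of claim 6 plus the "matches the simulated
network element" test of claim 5. S1AP_PROCEDURES is a constructed subset of
TS 36.413 as recalled here (verify against the spec); SUPPORTED_BY_HONEYPOT and the
sample PDUs are constructed."""

PDU_TYPES = {0x00: "initiatingMessage", 0x20: "successfulOutcome", 0x40: "unsuccessfulOutcome"}
CRITICALITY = {0x00: "reject", 0x40: "ignore", 0x80: "notify"}

# procedureCode -> (name, initiating message is sent by the eNB?)   None = either side
S1AP_PROCEDURES = {
    0: ("HandoverPreparation", True), 1: ("HandoverResourceAllocation", False),
    2: ("HandoverNotification", True), 3: ("PathSwitchRequest", True),
    4: ("HandoverCancel", True), 5: ("E-RABSetup", False), 6: ("E-RABModify", False),
    7: ("E-RABRelease", False), 8: ("E-RABReleaseIndication", True),
    9: ("InitialContextSetup", False), 10: ("Paging", False),
    11: ("downlinkNASTransport", False), 12: ("initialUEMessage", True),
    13: ("uplinkNASTransport", True), 14: ("Reset", None), 15: ("ErrorIndication", None),
    16: ("NASNonDeliveryIndication", True), 17: ("S1Setup", True),
    18: ("UEContextReleaseRequest", True), 22: ("UECapabilityInfoIndication", True),
    23: ("UEContextRelease", False), 29: ("ENBConfigurationUpdate", True),
    30: ("MMEConfigurationUpdate", False),
}
# Procedures the simulated MME implements (claim 5's "network element attribute"); constructed.
SUPPORTED_BY_HONEYPOT = {12, 13, 14, 15, 16, 17, 18, 22, 29}


def mme_processes(code: int, pdu_type: str) -> bool:
    """An MME handles eNB-initiated requests and the outcomes of its own requests."""
    _, enb_initiated = S1AP_PROCEDURES[code]
    if enb_initiated is None:
        return True
    return enb_initiated if pdu_type == "initiatingMessage" else not enb_initiated


def abnormal(reason: str, code, content: bytes) -> dict:
    return {"event": "abnormal_signaling", "response": "reject", "reason": reason,
            "error_opcode": code, "error_content": content.hex()}


def classify_s1ap(pdu: bytes) -> dict:
    """Header layout: choice byte, procedureCode, criticality, one-byte open-type length
    (lengths >= 128 use a longer determinant, not handled here), then the value."""
    if len(pdu) < 4:
        return abnormal("truncated header", None, pdu)
    pdu_type, code, crit, content = PDU_TYPES.get(pdu[0]), pdu[1], CRITICALITY.get(pdu[2]), pdu[4:]
    if pdu_type is None or crit is None:
        return abnormal("malformed PDU header", code, content)
    if code not in S1AP_PROCEDURES:                       # claim 6 step 1: not a protocol opcode
        return abnormal("procedureCode not defined by S1AP", code, content)
    if not mme_processes(code, pdu_type):                 # claim 6 step 2: an MME never receives it
        return abnormal("procedureCode not processed by an MME", code, content)
    if code not in SUPPORTED_BY_HONEYPOT:                 # claim 5: mismatch with simulated NE
        return abnormal("procedure not matching simulated network element", code, content)
    return {"event": "service", "response": "accept", "pdu_type": pdu_type,
            "procedure": S1AP_PROCEDURES[code][0], "criticality": crit,
            "opcode": code, "content": content.hex()}


def pdu(pdu_type: int, code: int, crit: int, body: bytes) -> bytes:
    """Constructed PDU: header + one-byte length determinant + placeholder body."""
    return bytes([pdu_type, code, crit, len(body)]) + body


SAMPLES = {
    "initial_ue_message": pdu(0x00, 12, 0x40, b"\x00\x00\x05"),
    "paging_to_mme": pdu(0x00, 10, 0x40, b"\x00\x00\x03"),     # MME-only message sent at the MME
    "unknown_code": pdu(0x00, 0xF0, 0x00, b"\x00"),
    "handover_required": pdu(0x00, 0, 0x00, b"\x00\x00\x07"),  # valid, but not simulated here
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, classify_s1ap(raw))
```

The direction table is what makes step 2 meaningful: a Paging or Downlink NAS Transport arriving at the MME's own S1-MME port can only come from something impersonating an MME, so it is reported as abnormal even though the procedureCode itself is defined by the protocol.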
7. The method according to claim 4, wherein, for an S6a interface type in the attack monitoring module, extracting the operation code and the message content contained in the service message and triggering, through the attack monitoring module, a corresponding signaling event according to the type of the operation code, the type of the message content and the response result of the network element simulation module to the service message comprises:
checking whether the signaling header of the service message is valid;
when the signaling header is invalid, triggering an abnormal signaling event according to the rejection response of the network element simulation module to the service message, and extracting the erroneous signaling header from the service message;
when the signaling header is valid, checking whether the operation code in the service message is valid;
when the operation code is invalid, triggering an abnormal signaling event according to the rejection response of the network element simulation module to the service message, and extracting the erroneous operation code and the erroneous content from the service message;
when the operation code is valid, judging according to the operation code whether the service message is a peer connection operation or a peer disconnection operation;
if so, changing the current connection state to the peer-connected or peer-disconnected state, and triggering a peer connection event or a peer disconnection event according to the acceptance response of the network element simulation module to the peer connection operation or peer disconnection operation;
and if not, extracting the operation code and the message content from the service message, and triggering a corresponding service event according to the acceptance response of the network element simulation module to the service message.
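An added example, not the patent's code, of claim 7 applied to S6a, which runs over Diameter (header per RFC 6733, S6a commands per TS 29.272). The header check covers version, length and reserved flag bits; the operation-code check requires a known command code that belongs to the carried Application-Id; CER and DPR change the peer state and raise peer connection and peer disconnection events; everything else becomes a service event carrying the command code and the AVP bytes. The command table is a constructed subset, and the sample messages carry placeholder AVP bytes.

```python
"""S6a (Diameter) header and command-code check with peer state tracking (claim 7).
Added example, not the patent's code. Header layout follows RFC 6733; COMMANDS is a
constructed subset of RFC 6733 base commands and TS 29.272 S6a commands; the sample
messages built by build() carry placeholder AVP bytes."""
import struct

HEADER_LEN = 20
FLAG_R, FLAG_P, FLAG_E, FLAG_T = 0x80, 0x40, 0x20, 0x10
APP_BASE, APP_S6A = 0, 16777251

# command code -> (name, Application-Id it belongs to)
COMMANDS = {
    257: ("Capabilities-Exchange", APP_BASE), 280: ("Device-Watchdog", APP_BASE),
    282: ("Disconnect-Peer", APP_BASE),
    316: ("Update-Location", APP_S6A), 317: ("Cancel-Location", APP_S6A),
    318: ("Authentication-Information", APP_S6A), 319: ("Insert-Subscriber-Data", APP_S6A),
    320: ("Delete-Subscriber-Data", APP_S6A), 321: ("Purge-UE", APP_S6A),
    322: ("Reset", APP_S6A), 323: ("Notify", APP_S6A),
}


def parse_header(msg: bytes):
    """version(1) length(3) flags(1) code(3) app-id(4) hop-by-hop(4) end-to-end(4)."""
    version = msg[0]
    length = int.from_bytes(msg[1:4], "big")
    flags = msg[4]
    code = int.from_bytes(msg[5:8], "big")
    app_id, hbh, e2e = struct.unpack(">III", msg[8:20])
    return version, length, flags, code, app_id, hbh, e2e


def header_error(msg: bytes):
    """Return a reason string if the Diameter header is invalid, else None."""
    if len(msg) < HEADER_LEN:
        return "shorter than Diameter header"
    version, length, flags, _, _, _, _ = parse_header(msg)
    if version != 1:
        return "unsupported version %d" % version
    if length != len(msg) or length % 4:
        return "length field %d inconsistent with %d bytes" % (length, len(msg))
    if flags & 0x0F:
        return "reserved flag bits set"
    return None


class S6aMonitor:
    def __init__(self):
        self.peer_state = "disconnected"

    def handle(self, msg: bytes) -> dict:
        err = header_error(msg)
        if err:                                               # invalid header
            return {"event": "abnormal_signaling", "response": "reject",
                    "reason": err, "error_header": msg[:HEADER_LEN].hex()}
        _, _, flags, code, app_id, _, _ = parse_header(msg)
        avps = msg[HEADER_LEN:]
        entry = COMMANDS.get(code)
        if entry is None or entry[1] != app_id:               # invalid operation code
            return {"event": "abnormal_signaling", "response": "reject",
                    "reason": "command code %d not valid for application %d" % (code, app_id),
                    "error_opcode": code, "error_content": avps.hex()}
        is_request = bool(flags & FLAG_R)
        if code == 257 and is_request:                        # CER: peer connection
            self.peer_state = "connected"
            return {"event": "peer_connection", "response": "accept", "opcode": code}
        if code == 282 and is_request:                        # DPR: peer disconnection
            self.peer_state = "disconnected"
            return {"event": "peer_disconnection", "response": "accept", "opcode": code}
        return {"event": "service", "response": "accept", "opcode": code,
                "command": entry[0] + ("-Request" if is_request else "-Answer"),
                "content": avps.hex()}


def build(code: int, app_id: int, avps: bytes = b"", flags: int = FLAG_R, version: int = 1) -> bytes:
    """Constructed Diameter message for tests; AVPs are opaque placeholder bytes."""
    length = HEADER_LEN + len(avps)
    return (bytes([version]) + length.to_bytes(3, "big") + bytes([flags])
            + code.to_bytes(3, "big") + struct.pack(">III", app_id, 0x1001, 0x2001) + avps)


if __name__ == "__main__":
    mon = S6aMonitor()
    for m in (build(257, APP_BASE), build(316, APP_S6A, b"\x00" * 8),
              build(999, APP_S6A), build(282, APP_BASE)):
        print(mon.peer_state, mon.handle(m))
```

Checking the Application-Id together with the command code catches a common probe pattern: a base-protocol command carried under the S6a application, or an S6a command sent as a base-protocol message, both of which a compliant peer would answer with a protocol error rather than process.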
8. The method of claim 1, wherein sending the key information and the signaling event to the threat analysis platform through the event transmission module comprises:
encapsulating the key information and the signaling event through the event transmission module to obtain an event package;
acquiring the access path of an MQTT server through the Message Queuing Telemetry Transport (MQTT) service configured in the event transmission module, and establishing a connection with the MQTT server according to the access path;
and sending the event package to the MQTT server through the event transmission module, the MQTT server storing the event package and forwarding it to the threat analysis platform.
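An added example, not the patent's code, of the event transmission step of claim 8: the key information and the signaling event are encapsulated as one JSON document and framed as MQTT 3.1.1 CONNECT and PUBLISH packets, built by hand here so the block runs without a broker or client library. The client id, credentials, topic and sample event are constructed; the broker access path (host, port, and whether the connection is wrapped in TLS) is configuration the example does not model, and no socket I/O is performed.

```python
"""Event encapsulation and MQTT 3.1.1 packet framing (claim 8). Added example, not
the patent's code. Builds the CONNECT and PUBLISH packets a client sends to the
broker; client id, credentials, topic and SAMPLE_* data are constructed, and no
network I/O is performed (the broker access path is configuration, not modelled)."""
import json
import struct

CONNECT, PUBLISH = 0x10, 0x30      # control packet type in the high nibble


def encode_remaining_length(n: int) -> bytes:
    """MQTT variable-length integer: 7 data bits per byte, MSB = continuation."""
    out = bytearray()
    while True:
        byte, n = n % 128, n // 128
        out.append(byte | 0x80 if n else byte)
        if not n:
            return bytes(out)


def decode_remaining_length(data: bytes):
    """Return (value, bytes consumed); at most four bytes are permitted."""
    value, mult = 0, 1
    for i, b in enumerate(data[:4]):
        value += (b & 0x7F) * mult
        if not b & 0x80:
            return value, i + 1
        mult *= 128
    raise ValueError("malformed remaining length")


def encode_string(s: str) -> bytes:
    raw = s.encode("utf-8")
    return struct.pack(">H", len(raw)) + raw


def build_connect(client_id: str, username: str = None, password: str = None,
                  keepalive: int = 60) -> bytes:
    flags = 0x02                                        # clean session
    payload = encode_string(client_id)
    if username is not None:
        flags |= 0x80
        payload += encode_string(username)
        if password is not None:
            flags |= 0x40
            payload += encode_string(password)
    body = encode_string("MQTT") + bytes([4, flags]) + struct.pack(">H", keepalive) + payload
    return bytes([CONNECT]) + encode_remaining_length(len(body)) + body


def build_publish(topic: str, payload: bytes, qos: int = 0, packet_id: int = 1,
                  retain: bool = False) -> bytes:
    first = PUBLISH | (qos << 1) | int(retain)
    body = encode_string(topic)
    if qos:
        body += struct.pack(">H", packet_id)            # packet identifier only for QoS 1/2
    body += payload
    return bytes([first]) + encode_remaining_length(len(body)) + body


def encapsulate(key_info: dict, signaling_event: dict) -> bytes:
    """Event package: key information and the triggered event in one JSON document."""
    return json.dumps({"key_info": key_info, "event": signaling_event},
                      sort_keys=True, separators=(",", ":")).encode("utf-8")


# constructed sample event and key information
SAMPLE_EVENT = {"event": "abnormal_signaling", "response": "reject",
                "reason": "procedureCode not processed by an MME", "error_opcode": 10}
SAMPLE_KEY_INFO = {"src": "198.51.100.7:36412", "interface": "S1AP", "path": "eNB->MME"}


def demo_packets():
    """Return the (CONNECT, PUBLISH) pair a client would write to the broker socket."""
    conn = build_connect("honeypot-mme-01", "honeypot", "s3cret")
    pub = build_publish("honeypot/core/events", encapsulate(SAMPLE_KEY_INFO, SAMPLE_EVENT), qos=1)
    return conn, pub


if __name__ == "__main__":
    for pkt in demo_packets():
        print(pkt.hex())
```

Publishing at QoS 1 gives the event transmission module a PUBACK to wait for, so an event that the broker did not store can be retried rather than silently lost; what the broker does with the package afterwards (storage and forwarding to the threat analysis platform) is the broker's configuration and is not shown here.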
9. A honeypot core network element, comprising:
a network element simulation module, configured to acquire a signaling message of an attack source when attack behavior is detected on the network element port, simulate the signaling interaction of the signaling message in a standard core network element, and respond to the signaling message during the signaling interaction;
an attack monitoring module, configured to capture the signaling message, parse it according to its communication protocol, extract key information from it, and trigger a signaling event corresponding to the signaling message according to the response result of the network element simulation module to the signaling message, the key information indicating the attack path and the attack operations of the attack source;
and an event transmission module, configured to send the key information and the signaling event to a threat analysis platform so that the attack behavior of the attack source is monitored through the threat analysis platform;
wherein the honeypot core network element and the standard core network element are located inside the core network.
10. A honeypot monitoring device, the honeypot monitoring device comprising:
one or more processors;
a memory for storing one or more programs,
when the one or more programs are executed by the one or more processors, the one or more processors are caused to implement, by the honeypot core network element, the honeypot monitoring method of any of claims 1-8;
the honeypot core network element is integrated in the honeypot monitoring device.
11. A storage medium containing computer executable instructions which, when executed by a computer processor, are for performing the honeypot monitoring method of any of claims 1-8.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202011412995.4A CN112543198B (en) | 2020-12-03 | 2020-12-03 | Honeypot monitoring method, honeypot core network element, equipment and storage medium |
Publications (2)
Publication Number | Publication Date |
---|---|
CN112543198A CN112543198A (en) | 2021-03-23 |
CN112543198B true CN112543198B (en) | 2023-06-02 |
Family
ID=75016135
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202011412995.4A Active CN112543198B (en) | 2020-12-03 | 2020-12-03 | Honeypot monitoring method, honeypot core network element, equipment and storage medium |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN112543198B (en) |
Families Citing this family (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN113114692A (en) * | 2021-04-16 | 2021-07-13 | 恒安嘉新(北京)科技股份公司 | 5G independent networking mobile network honeypot system |
CN114339767B (en) * | 2021-12-30 | 2024-04-05 | 恒安嘉新(北京)科技股份公司 | Signaling detection method and device, electronic equipment and storage medium |
CN114650177B (en) * | 2022-03-22 | 2024-10-01 | 恒安嘉新(北京)科技股份公司 | Signaling information tracing method and device, electronic equipment and storage medium |
CN115278684B (en) * | 2022-07-26 | 2024-02-13 | 上海欣诺通信技术股份有限公司 | 5G signaling attack monitoring method and device based on DPI technology |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN105610813A (en) * | 2015-12-28 | 2016-05-25 | 中国人民解放军信息工程大学 | Mobile communication inter-network honeypot system and method |
CN107733913A (en) * | 2017-11-04 | 2018-02-23 | 武汉虹旭信息技术有限责任公司 | 5G network attack tracing system and method |
CN110535808A (en) * | 2018-05-24 | 2019-12-03 | 华为技术有限公司 | Device monitoring and deregistration method and apparatus |
CN111641951A (en) * | 2020-04-30 | 2020-09-08 | 中国移动通信集团有限公司 | 5G network APT attack tracing method and system based on SA architecture |
Family Cites Families (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US11503471B2 (en) * | 2019-03-25 | 2022-11-15 | Fortinet, Inc. | Mitigation of DDoS attacks on mobile networks using DDoS detection engine deployed in relation to an evolve node B |
- 2020-12-03 CN CN202011412995.4A patent/CN112543198B/en active Active
Also Published As
Publication number | Publication date |
---|---|
CN112543198A (en) | 2021-03-23 |
Similar Documents
Publication | Title |
---|---|
CN112543198B (en) | Honeypot monitoring method, honeypot core network element, equipment and storage medium |
CN111800412B (en) | Advanced persistent threat tracing method, system, computer equipment and storage medium |
CN109413060B (en) | Message processing method, device, equipment and storage medium |
CN112995151B (en) | Access behavior processing method and device, storage medium and electronic equipment |
US20220263823A1 (en) | Packet Processing Method and Apparatus, Device, and Computer-Readable Storage Medium |
CN105516131A (en) | Vulnerability scanning method and device and electronic equipment |
CN111314276A (en) | Method, device and system for detecting multiple attack behaviors |
CN107172075B (en) | Communication method, system and readable storage medium based on network isolation |
CN113518042B (en) | Data processing method, device, equipment and storage medium |
CN110753014B (en) | Threat perception method, equipment and device based on flow forwarding and storage medium |
CN113114692A (en) | 5G independent networking mobile network honeypot system |
La et al. | A novel monitoring solution for 6LoWPAN-based Wireless Sensor Networks |
Korcák et al. | Intrusion prevention/intrusion detection system (IPS/IDS) for WiFi networks |
WO2018141186A1 (en) | Method and device for testing VoLTE network performance |
CN112003842A (en) | High-interaction honeypot system and honeypot protection method |
CN112231679A (en) | Terminal equipment verification method and device and storage medium |
CN110225057B (en) | Virus detection method, device, equipment and system of intelligent terminal |
CN115426654A (en) | Method for constructing network element anomaly detection model for 5G communication system |
WO2019112923A1 (en) | Improving security via automated sideband communication for M2M/IoT |
CN109889552A (en) | Power marketing terminal abnormal traffic monitoring method, system and electric power marketing system |
CN115835211A (en) | 5G signaling attack detection system |
US20240179577A1 (en) | Systems and Methods for Monitoring and Detection of Anomalous Activity in Software-Defined Radio Access Networks |
EP3679698B1 (en) | Re-establishing a connection between a user controller device and a wireless device |
US20230114705A1 (en) | Security analysis system and method based on negative testing for protocol implementation of LTE device |
TWI791322B (en) | Traffic controlling server and traffic controlling method |
Legal Events
Code | Title |
---|---|
PB01 | Publication |
SE01 | Entry into force of request for substantive examination |
GR01 | Patent grant |