CN113115314B - Method and device for protecting HSS (home subscriber server) signaling of 4G mobile communication network - Google Patents
Method and device for protecting HSS (home subscriber server) signaling of 4G mobile communication network Download PDFInfo
- Publication number
- CN113115314B CN113115314B CN202110343951.9A CN202110343951A CN113115314B CN 113115314 B CN113115314 B CN 113115314B CN 202110343951 A CN202110343951 A CN 202110343951A CN 113115314 B CN113115314 B CN 113115314B
- Authority
- CN
- China
- Prior art keywords
- signaling
- protocol
- diameter
- field
- detection
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
Images
Landscapes
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The invention belongs to the technical field of mobile communication, in particular to a method and a device for protecting HSS (home subscriber server) signaling of a 4G mobile communication network, wherein the method comprises the steps of quickly identifying and filtering a Diameter signaling protocol; carrying out security detection on the bottom layer protocol of the screened Diameter signaling protocol family; performing compliance detection on a Diameter signaling protocol application layer; abnormal behavior detection based on the Diameter signaling protocol. The signaling protection device is accessed between HSS equipment and DRA equipment in a non-inductive serial connection or parallel connection mode, has a signaling protection function and comprises an identification filtering module, a bottom layer signaling protocol detection module, a compliance detection module and an abnormal behavior detection module. The invention has the capability of detecting and protecting abnormal signaling, and ensures the safety of the 4G mobile communication network from the signaling level.
Description
Technical Field
The invention belongs to the technical field of mobile communication, and particularly relates to a method and a device for protecting HSS (home subscriber server) signaling of a 4G mobile communication network.
Background
The 4G mobile communication network is a mobile communication system which is completely built in China, has a wide coverage area and is the most users. The 4G mobile communication network mainly provides access authentication of the mobile terminal by the access network, data services by EPC (Evolved packet Core), and multimedia services (including VoLTE) by dedicated IMS (IP Multi-media Subsystem), and is networked as shown in fig. 2.
The IMS and the HSS in the EPC network store important information of a user, and the Entity is connected to entities such as an MME (Mobility Management Entity), an IP-GW (IP-Gateway), and the like in the EPC network, and is exposed to a risk of external network signaling attack; in the IMS, the IMS is connected to entities such AS an S/I-CSCF (Serving/Interrogating-Call Session Control Function) and an AS (Application Server), which are exposed to a risk of misoperation, and there is a possibility that a backdoor and a trojan are preset, and the backdoor and the trojan can operate the HSS to send an attack signaling to the outside.
Disclosure of Invention
Aiming at the problems in the prior art, the invention provides a method and a device for protecting HSS signaling of a 4G mobile communication network, which are used for carrying out signaling detection and protection on HSS related interfaces of an IMS (IP multimedia subsystem) network and an EPC (evolved packet core) network.
In order to achieve the purpose, the invention adopts the following technical scheme:
the invention provides a method for protecting HSS signaling of a 4G mobile communication network, which comprises the following steps:
rapidly identifying and filtering a Diameter signaling protocol;
carrying out safety detection on the bottom layer protocol of the screened Diameter signaling protocol family;
performing compliance detection on a Diameter signaling protocol application layer;
abnormal behavior detection based on the Diameter signaling protocol.
Further, the quickly identifying and filtering Diameter signaling protocol includes:
the indication field of SCTP and special bytes of the bearing content are adopted to quickly filter the required detection signaling.
Further, the fast filtering of the signaling requiring detection by using the indication field of SCTP and the special byte of the bearer content includes:
firstly, judging a Chunk type field, and if the field is 0, representing the field as a data type;
then, judging a Payload protocol identifier field, if the field is 46, representing that the field is a Diameter protocol base protocol, and if the field is 0, representing that the field is other Diameter application protocols;
and finally, judging through the first byte in the bearing content of the SCTP, namely the version number information of the Diameter, wherein the current Diameter only has version 1, therefore, if the first byte is 1, the Diameter protocol is represented, and then the message is filtered and further processed.
Further, the performing security detection on the bottom layer protocol of the screened Diameter signaling protocol family includes:
the bottom layer protocol of the Diameter signaling protocol family comprises an IP layer protocol and an SCTP layer protocol;
detecting an IP layer, namely only setting an IP white list of DRA, and if data packets of other IP addresses are received, judging the message as an attack message and performing alarm processing;
detecting the SCTP layer to detect the port number and the link state, if finding the non-configured peer end of the port number of the data packet, judging the message as an attack message, and performing alarm processing; if the frequency of link disconnection is abnormal, performing alarm processing; and if newly-built unconfigured links are found, performing alarm processing.
Further, the compliance detection is carried out on the Diameter signaling protocol application layer, and the detected content comprises message header length abnormity, AVP length abnormity in the message body and non-unique source address quantity;
the message header length abnormity refers to that the length of the length indication field mark of the Diameter signaling protocol is greater than the length of the message, the detection method is to analyze and extract the length field of the Diameter message header part, compare the length field with the length of a data packet delivered by a bottom layer, and alarm if the length of the field is greater than the actual length;
the number of the source addresses is not unique, namely the source host AVP is a necessary and unique field in the message, the detection method is to judge whether a plurality of source host AVPs exist, and if the plurality of source host AVPs exist, an alarm is given.
Further, the abnormal behavior detection based on the Diameter signaling protocol includes:
aiming at a signaling message sent to an internal network by an external network, the detected content comprises an unactivated protocol type, an unactivated message code, illegal access user sensitive data, illegal user position updating, an abnormal reason user logout request and a notification message of an unknown source;
aiming at the signaling message sent by the internal network to the external network, the detected content comprises the position information of an abnormal request user, an abnormal attachment cancellation notification message and the abnormal service authority of a modified user.
Further, after detecting abnormal behavior based on the Diameter signaling protocol, the method further includes:
and modifying the attack signaling into harmless information in a modification mode including modification of harmful fields in a signaling protocol, modification of a signaling protocol message header and modification of a bottom layer bearer protocol bearer identifier.
The invention also provides a 4G mobile communication network HSS signaling protection device, which is accessed between the HSS equipment and the DRA equipment in a non-inductive serial connection or parallel connection mode, and comprises the following steps:
the identification filtering module is used for quickly identifying and filtering the Diameter signaling protocol;
the bottom layer signaling protocol detection module is used for carrying out security detection on the bottom layer protocols of the screened Diameter signaling protocol family;
the compliance detection module is used for carrying out compliance detection on a Diameter signaling protocol application layer;
and the abnormal behavior detection module is used for detecting the abnormal behavior based on the Diameter signaling protocol.
Further, the apparatus further comprises:
and the attack signaling modification module is used for modifying the attack signaling into harmless information.
Compared with the prior art, the invention has the following advantages:
the invention relates to a signaling protection method of a 4G mobile communication network HSS, wherein the signaling protection objects are Sh, cx and Zh interfaces of an IMS network and Diameter signaling protocols of S6a, S6d, S6c, slg and other interfaces of an EPC network, the safety detection contents comprise a bottom layer protocol of a Diameter signaling protocol family, application lamination regularity detection of the Diameter signaling protocols, abnormal behavior detection based on the Diameter signaling protocols and the like, and the safety detection protection of the 4G EPC, the IMS network and a user protocol layer can be ensured.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only some embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to the drawings without creative efforts.
FIG. 1 is a flow chart of a signaling protection method of a 4G mobile communication network HSS according to an embodiment of the present invention;
FIG. 2 is a diagram of 4G mobile communication network IMS/EPC architecture;
fig. 3 is a deployment diagram of HSS signaling guarding apparatus in 4G mobile communication network according to an embodiment of the invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be obtained by a person skilled in the art without making any creative effort based on the embodiments in the present invention, belong to the protection scope of the present invention.
As shown in fig. 1, the method for protecting signaling of HSS in the 4G mobile communication network of the present embodiment includes the following steps:
step S101, rapidly identifying and filtering the Diameter signaling protocol.
In an actual network, the HSS equipment receives data of multiple protocol types, and the Diameter signaling protocol family is only one of them, and needs to quickly filter signaling protocols that do not need to be processed. The HSS signaling protection device is usually connected to other Diameter peers through DRA (Diameter Routing Agent) equipment, and the DRA equipment usually adopts a load sharing or active/standby mechanism, and its IP mathematical and address are relatively stable, so that when filtering Diameter data, it may not specify IP, but use the indication field of SCTP and special bytes of the bearer content to quickly filter the detection signaling, and it does not need to completely analyze the signaling. The SCTP mainly judges two fields, firstly judges a Chunk type field, and if the field is 0, the data type is represented; then, judging a Payload protocol identifier field, if the field is 46, representing that the field is a Diameter protocol basic protocol, and if the field is 0, representing that the field is other Diameter application protocols; and finally, judging through the first byte in the bearing content of the SCTP, namely the version number information of the Diameter, wherein the current Diameter only has version 1, therefore, if the first byte is 1, the Diameter protocol is represented, and then the message is filtered and further processed. According to the signaling protocol actually used in the military network, the adaptive modification can be performed according to the above rule, for example, the value of the Payload protocol identifier field may also be 34 or other values.
Step S102, safety detection is carried out on the bottom layer protocol of the Diameter signaling protocol family after screening.
The screened Diameter signaling protocol family needs protection detection on a bottom layer protocol thereof, the bottom layer protocol of the Diameter signaling protocol family comprises an IP layer protocol and an SCTP layer protocol, wherein the detection on the IP layer protocol only needs to set an IP white list of DRA, and if data packets of other IP addresses are received, the message is judged to be an attack message and is subjected to alarm processing; detecting SCTP layer protocol to detect port number and link state, if finding the non-configured peer end of port number of data packet, judging the message as attack message, and alarming. In addition, the link state of the SCTP is also an important means for attack monitoring, and an attack may try to disconnect or borrow an existing SCTP link to perform an attack on a signaling layer, which is expressed as frequent reconnection of the link, and therefore a link state monitoring protection technology may be employed, and whether the link is abnormal is determined by the frequency of disconnection of the link, and if the number of reconnection is greater than 10 times in a day, it is determined that the network is abnormal, and an alarm is issued for subsequent processing; and if newly-built unconfigured links are found to be possible to attack, performing alarm processing.
Step S103, carrying out compliance detection on the Diameter signaling protocol application layer.
The application layer standard protocol of the Diameter signaling protocol stipulates a processing rule for various error situations of the protocol, but in the implementation process of equipment, implementation modes of manufacturers have certain differences, and the implementation modes can also be considered due to factors such as operation speed cost, and compliance detection is not strict, so that the compliance of the Diameter signaling protocol is detected, in order to improve the detection efficiency, only non-compliant signaling which can generate an attack effect is detected, and the detection content comprises the following steps: and detecting detection items such as abnormal message header length, abnormal AVP length in the message body, non-unique source address quantity and the like. The detection method is that the length field of the Diameter message head part is analyzed and extracted, and is compared with the length of a data packet delivered at the bottom layer, and if the length of the field is greater than the actual length, an alarm is given. The AVP length exception in the message body is similar to the header length exception handling rule. The source address number is not only the source host name AVP, that is, the source host AVP (ori _ host _ AVP) is a mandatory and unique field in the message, but actually in the process of writing the message, in order to achieve a certain signaling cross-domain penetration effect, the ori _ host _ AVP number is intentionally increased, the ori _ host _ AVP number is tried to cross the original Diameter area which cannot be routed, the detection method is to judge whether a plurality of source host AVPs exist, and if the plurality of source host AVPs exist, an alarm is given.
And step S104, detecting abnormal behaviors based on the Diameter signaling protocol.
The abnormal behavior detection based on signaling refers to that the abnormal behavior detection accords with the requirements of signaling protocol specifications, but the signaling content and the signaling flow behavior are abnormal and may correspond to certain attacks, and the Diameter application layer signaling message detection is divided into a signaling message (internal signaling) sent to an internal network by an external network and a signaling message (external signaling) sent to the external network by the internal network according to the signaling sending direction.
The internal signaling is mainly detected through a single or a plurality of signaling messages to detect the abnormal behavior of the user, and the specific detected contents comprise an inactivated protocol type, an inactivated message code, illegal access user sensitive data, illegal user position updating, a user logout request caused by abnormal reasons and a notification message of an unknown source. The specific detection method comprises the following steps: analyzing an application id field of a Diameter signaling protocol and comparing the application id field with a configured enabled interface type aiming at an invalid protocol type, and if the application id field is not in a configuration table, sending an alarm; analyzing a Command field of a Diameter signaling protocol aiming at the message code abnormality which is not started, and sending an alarm if the Command field is not in the message code specified by the application id; analyzing a Command field and an AVP field related to request information aiming at illegal access user sensitive data, detecting whether the AVP field is matched with the Command field, and if the request content is not the operation content, sending an alarm; aiming at the illegal user position updating abnormality, recording the last registered position and the current position, recording a time interval, and sending an alarm if the time interval is smaller than the shortest arrival interval of two physical position spaces; recording the entity host name attached to the user last time aiming at the abnormal user logout request caused by abnormal reasons, and sending an alarm if the user logout request is not the host name registered last time; the notification message for the position source is the same as the abnormal detection method of the user logout request for the abnormal reason.
The signaling protection can be used as a tool for judging whether an internal system has abnormal operation, the detected abnormal behavior mainly occurs in an internal network and is illegally controlled, or internal personnel initiate an abnormal information request by using a signaling-based means, and aiming at external signaling, the detected content comprises position information of an abnormal request user, abnormal attachment cancellation notification information and abnormal modification service authority of the user. The specific detection method comprises the following steps: aiming at abnormal request user position information, mainly analyzing an identification field inserted into user data in a Diameter signaling protocol, if the identification field carries a bit 1 of request position information, sending abnormal early warning information, wherein a main reason HSS generally does not need to master the specific position information of a user, and other modes are generally adopted even if the position information of the user needs to be acquired; for the abnormal attachment cancellation notification message, the attachment cancellation notification message usually has a position updating request message from other MME before being sent, and if no related message exists before, the attachment cancellation notification message sends out abnormal early warning information; aiming at the service authority of the abnormal modification user, the detection mode is similar to the flow of the position information of the abnormal request user, and the detected content mainly aims at the service authority content of the abnormal modification user.
And step S105, modifying the attack signaling into harmless information.
The modification modes are as follows: harmful field modification in the signaling protocol, signaling protocol message header modification, bottom layer bearer protocol bearer identification modification and the like.
In the modification of harmful fields in a signaling protocol, aiming at the identification 1 of the acquired information, modifying fields with the permission parameters which are not harmful to the contents such as null and the like into harmless information; aiming at the request signaling of the fake address, the address information of the request and the field generating the attack effect are modified; the version number in the message header can be modified to be not 1, and the application id can be modified to be an inactivated number; the chunk type in the underlying bearer protocol is modified to be not 0 and the payload protocol identifier is modified to be not 46 (Diameter). The method can be combined and applied, does not influence the normal link and the normal service of the current network, and can also achieve the aim of modifying the normal link and the normal service into harmless messages.
As shown in fig. 3, this embodiment further provides a HSS signaling protection device for a 4G mobile communication network, where the protection device is connected between an HSS device and a DRA device in an noninductive serial connection or parallel connection manner, where the serial connection manner employs hardware direct connection and software direct connection technologies, so as to ensure that normal services of an IMS and an EPC network are not affected even if an application layer is disconnected, and the parallel connection manner logically ensures that normal operation of the 4G network is not affected, the signaling protection device has a signaling protection function, and can perform exception detection on a Diameter signaling protocol, where an object of signaling protection is a Diameter signaling protocol of Sh, cx, zh interfaces of the IMS network and S6a, S6d, S6c, slg interfaces of the EPC network; the signaling protection device specifically comprises:
the identification filtering module is used for quickly identifying and filtering the Diameter signaling protocol;
the bottom layer signaling protocol detection module is used for carrying out security detection on the bottom layer protocols of the screened Diameter signaling protocol family;
the compliance detection module is used for carrying out compliance detection on a Diameter signaling protocol application layer;
the abnormal behavior detection module is used for detecting the abnormal behavior based on the Diameter signaling protocol;
and the attack signaling modification module is used for modifying the attack signaling into harmless information.
It should be noted that, in this document, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus.
Finally, it should be noted that: the above description is only a preferred embodiment of the present invention, and is only used to illustrate the technical solutions of the present invention, and not to limit the protection scope of the present invention. Any modification, equivalent replacement, or improvement made within the spirit and principle of the present invention shall fall within the protection scope of the present invention.
Claims (4)
1. A signaling protection method of a 4G mobile communication network (HSS) is characterized by comprising the following steps:
rapidly identifying and filtering a Diameter signaling protocol;
carrying out security detection on the bottom layer protocol of the screened Diameter signaling protocol family;
performing compliance detection on a Diameter signaling protocol application layer;
detecting abnormal behaviors based on a Diameter signaling protocol;
the rapid identifying and filtering of the Diameter signaling protocol comprises the following steps:
adopting an indication field of SCTP and special bytes of bearing content to quickly filter the signaling required to be detected;
the rapid filtering of the signaling to be detected by using the indication field of the SCTP and the special byte of the bearer content includes:
firstly, judging a Chunk type field, and if the field is 0, representing that the field is a data type;
then, judging a Payload protocol identifier field, if the field is 46, representing that the field is a Diameter protocol base protocol, and if the field is 0, representing that the field is other Diameter application protocols;
finally, the first byte in the bearing content of the SCTP is used for judging, namely the version number information of the Diameter, the current Diameter is only version 1, therefore, if the first byte is 1, the Diameter protocol is represented, and then the signaling required to be detected is filtered and further processed;
the safety detection of the bottom layer protocol of the screened Diameter signaling protocol family includes:
the bottom layer protocol of the Diameter signaling protocol family comprises an IP layer protocol and an SCTP layer protocol;
only an IP white list of DRA is needed to be set for IP layer detection, and if data packets of other IP addresses are received, a required detection signaling is judged to be an attack message for alarm processing;
detecting the SCTP layer to detect the port number and the link state, if the port number of the data packet is found to be a non-configured peer port number, judging the required detection signaling to be attack information, and performing alarm processing; if the link disconnection frequency is abnormal, performing alarm processing; if newly building an unconfigured link, performing alarm processing;
the method comprises the following steps of carrying out compliance detection on a Diameter signaling protocol application layer, wherein the detected content comprises message header length abnormity, AVP length abnormity in a message body and non-unique source address quantity;
the message header length abnormity refers to that the length of the length indication field mark of the Diameter signaling protocol is greater than the length of the message, the detection method is to analyze and extract the length field of the Diameter message header part, compare the length field with the length of a data packet delivered by a bottom layer, and alarm if the length of the field is greater than the actual length;
the source address quantity is not only the source host name AVP, namely the source host AVP is a necessary and only field in the message, the detection method is to judge whether a plurality of source host AVPs exist, if a plurality of source host AVPs exist, then an alarm is given;
the abnormal behavior detection based on the Diameter signaling protocol comprises the following steps:
aiming at a signaling message sent to an internal network by an external network, the detected content comprises an inactivated protocol type, an inactivated message code, illegal access user sensitive data, illegal user position updating, a user logout request of an abnormal reason and a notification message of an unknown source;
aiming at the signaling message sent by the internal network to the external network, the detected content comprises the position information of an abnormal request user, an abnormal attachment cancellation notification message and the abnormal service authority of a modified user.
2. The method of claim 1, wherein after the detecting of the abnormal behavior based on the Diameter signaling protocol, the method further comprises:
and modifying the attack signaling into harmless information in a modification mode including modification of harmful fields in a signaling protocol, modification of a signaling protocol message header and modification of a bottom layer bearer protocol bearer identifier.
3. A kind of 4G mobile communication network HSS signalling protector, characterized by, this protector inserts between HSS apparatus and DRA apparatus in a noninductive way of connecting in series or connecting in parallel, including:
the identification filtering module is used for quickly identifying and filtering the Diameter signaling protocol;
the bottom layer signaling protocol detection module is used for carrying out safety detection on the bottom layer protocol of the screened Diameter signaling protocol family;
the compliance detection module is used for carrying out compliance detection on a Diameter signaling protocol application layer;
the abnormal behavior detection module is used for detecting the abnormal behavior based on the Diameter signaling protocol;
the rapid identifying and filtering of the Diameter signaling protocol comprises the following steps:
adopting an indication field of SCTP and special bytes of bearing content to quickly filter the signaling required to be detected;
the rapid filtering of the signaling to be detected by using the indication field of the SCTP and the special byte of the bearer content includes:
firstly, judging a Chunk type field, and if the field is 0, representing that the field is a data type;
then, judging a Payload protocol identifier field, if the field is 46, representing that the field is a Diameter protocol basic protocol, and if the field is 0, representing that the field is other Diameter application protocols;
finally, the first byte in the bearing content of the SCTP is used for judging, namely the version number information of the Diameter, the current Diameter is only version 1, therefore, if the first byte is 1, the Diameter protocol is represented, and then the signaling required to be detected is filtered and further processed;
the safety detection of the bottom layer protocol of the screened Diameter signaling protocol family includes:
the bottom layer protocol of the Diameter signaling protocol family comprises an IP layer protocol and an SCTP layer protocol;
only the IP white list of DRA is needed to be set for IP layer detection, and if data packets of other IP addresses are received, the signaling needing to be detected is judged to be attack information and is subjected to alarm processing;
detecting the SCTP layer to detect the port number and the link state, if the port number of the data packet is found to be a non-configured peer port number, judging the required detection signaling to be attack information, and performing alarm processing; if the frequency of link disconnection is abnormal, performing alarm processing; if newly building an unconfigured link, performing alarm processing;
the method comprises the following steps of carrying out compliance detection on a Diameter signaling protocol application layer, wherein the detected content comprises message header length abnormity, AVP length abnormity in a message body and non-unique source address quantity;
the message header length abnormity refers to that the length of the length indication field mark of the Diameter signaling protocol is greater than the length of the message, the detection method is to analyze and extract the length field of the Diameter message header part, compare the length field with the length of a data packet delivered by a bottom layer, and alarm if the length of the field is greater than the actual length;
the source address quantity is not only the source host name AVP, namely the source host AVP is a necessary and only field in the message, the detection method is to judge whether a plurality of source host AVPs exist, if a plurality of source host AVPs exist, then an alarm is given;
the abnormal behavior detection based on the Diameter signaling protocol comprises the following steps:
aiming at a signaling message sent to an internal network by an external network, the detected content comprises an inactivated protocol type, an inactivated message code, illegal access user sensitive data, illegal user position updating, a user logout request of an abnormal reason and a notification message of an unknown source;
aiming at the signaling message sent by the internal network to the external network, the detected content comprises the position information of an abnormal request user, an abnormal attachment cancellation notification message and the abnormal service authority of a modified user.
4. 4G mobile communication network HSS signaling prevention apparatus according to claim 3, characterized in that the apparatus further comprises:
and the attack signaling modification module is used for modifying the attack signaling into harmless information.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202110343951.9A CN113115314B (en) | 2021-03-30 | 2021-03-30 | Method and device for protecting HSS (home subscriber server) signaling of 4G mobile communication network |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202110343951.9A CN113115314B (en) | 2021-03-30 | 2021-03-30 | Method and device for protecting HSS (home subscriber server) signaling of 4G mobile communication network |
Publications (2)
Publication Number | Publication Date |
---|---|
CN113115314A CN113115314A (en) | 2021-07-13 |
CN113115314B true CN113115314B (en) | 2022-11-01 |
Family
ID=76712990
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202110343951.9A Active CN113115314B (en) | 2021-03-30 | 2021-03-30 | Method and device for protecting HSS (home subscriber server) signaling of 4G mobile communication network |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN113115314B (en) |
Families Citing this family (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN114339767B (en) * | 2021-12-30 | 2024-04-05 | 恒安嘉新(北京)科技股份公司 | Signaling detection method and device, electronic equipment and storage medium |
CN115843030B (en) * | 2023-01-05 | 2023-05-05 | 中国电子科技集团公司第三十研究所 | Signaling protection device and access control method |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN105873063A (en) * | 2015-12-28 | 2016-08-17 | 中国人民解放军信息工程大学 | Mobile communication internetwork signal prevention method and device |
CN109040127A (en) * | 2018-09-18 | 2018-12-18 | 中国人民解放军战略支援部队信息工程大学 | The detection device and method of Diameter flood attack |
CN109246144A (en) * | 2018-10-31 | 2019-01-18 | 中国人民解放军战略支援部队信息工程大学 | HSS unauthorized access detection device and method in IMS network |
CN109257376A (en) * | 2018-11-02 | 2019-01-22 | 中国人民解放军战略支援部队信息工程大学 | IMS network Diameter deformity fragment attack detection device and method |
Family Cites Families (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US8478828B2 (en) * | 2010-02-12 | 2013-07-02 | Tekelec, Inc. | Methods, systems, and computer readable media for inter-diameter-message processor routing |
US9860390B2 (en) * | 2011-08-10 | 2018-01-02 | Tekelec, Inc. | Methods, systems, and computer readable media for policy event record generation |
CN107979567A (en) * | 2016-10-25 | 2018-05-01 | 北京计算机技术及应用研究所 | A kind of abnormality detection system and method based on protocal analysis |
-
2021
- 2021-03-30 CN CN202110343951.9A patent/CN113115314B/en active Active
Patent Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN105873063A (en) * | 2015-12-28 | 2016-08-17 | 中国人民解放军信息工程大学 | Mobile communication internetwork signal prevention method and device |
CN109040127A (en) * | 2018-09-18 | 2018-12-18 | 中国人民解放军战略支援部队信息工程大学 | The detection device and method of Diameter flood attack |
CN109246144A (en) * | 2018-10-31 | 2019-01-18 | 中国人民解放军战略支援部队信息工程大学 | HSS unauthorized access detection device and method in IMS network |
CN109257376A (en) * | 2018-11-02 | 2019-01-22 | 中国人民解放军战略支援部队信息工程大学 | IMS network Diameter deformity fragment attack detection device and method |
Non-Patent Citations (1)
Title |
---|
一种HSS移动目标防御方法;赵星;《计算机应用研究》;20160429;全文 * |
Also Published As
Publication number | Publication date |
---|---|
CN113115314A (en) | 2021-07-13 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
EP2401849B1 (en) | Detecting malicious behaviour on a computer network | |
EP2850803B1 (en) | Integrity monitoring to detect changes at network device for use in secure network access | |
CN113115314B (en) | Method and device for protecting HSS (home subscriber server) signaling of 4G mobile communication network | |
CN111010409B (en) | Encryption attack network flow detection method | |
EP3297248B1 (en) | System and method for generating rules for attack detection feedback system | |
US20070022468A1 (en) | Packet transmission equipment and packet transmission system | |
US20030084321A1 (en) | Node and mobile device for a mobile telecommunications network providing intrusion detection | |
CN106850637B (en) | Abnormal traffic detection method based on traffic white list | |
JPWO2006006217A1 (en) | Unauthorized connection detection system and unauthorized connection detection method | |
JP3618245B2 (en) | Network monitoring system | |
JP2007531398A (en) | Wireless LAN intrusion detection method based on protocol anomaly analysis | |
CN105873063B (en) | Method and device for protecting signaling between mobile communication networks | |
JP2008054204A (en) | Connection device, terminal device, and data confirmation program | |
CN111327592B (en) | Network monitoring method and related device | |
JP4823728B2 (en) | Frame relay device and frame inspection device | |
US20170034166A1 (en) | Network management apparatus, network management method, and recording medium | |
CN114900377B (en) | Induction data packet-based illegal external connection monitoring method and system | |
JP2008141352A (en) | Network security system | |
JP2014036408A (en) | Communication apparatus, communication system, communication method, and communication program | |
JP2002318739A (en) | Device, method and system for processing intrusion data measures | |
US11683337B2 (en) | Harvesting fully qualified domain names from malicious data packets | |
CN113961920A (en) | Suspicious process processing method and device, storage medium and electronic equipment | |
CN109547442B (en) | GTP protocol protection method and device | |
KR20150043843A (en) | Information spill prevention apparatus | |
CN113904920A (en) | Network security defense method, device and system based on lost equipment |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
GR01 | Patent grant |