CN113179229A - Verification method, verification device, storage medium and electronic equipment - Google Patents
Verification method, verification device, storage medium and electronic equipment Download PDFInfo
- Publication number
- CN113179229A CN113179229A CN202110257912.7A CN202110257912A CN113179229A CN 113179229 A CN113179229 A CN 113179229A CN 202110257912 A CN202110257912 A CN 202110257912A CN 113179229 A CN113179229 A CN 113179229A
- Authority
- CN
- China
- Prior art keywords
- signaling
- message
- user
- packet
- characteristic information
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
- 238000000034 method Methods 0.000 title claims abstract description 61
- 238000012795 verification Methods 0.000 title claims abstract description 31
- 238000003860 storage Methods 0.000 title claims abstract description 9
- 230000011664 signaling Effects 0.000 claims abstract description 141
- 230000007781 signaling event Effects 0.000 claims abstract description 7
- 238000004458 analytical method Methods 0.000 claims abstract description 4
- 101100240462 Homo sapiens RASAL2 gene Proteins 0.000 claims description 10
- 102100035410 Ras GTPase-activating protein nGAP Human genes 0.000 claims description 10
- 238000004422 calculation algorithm Methods 0.000 claims description 5
- 238000004590 computer program Methods 0.000 claims description 4
- 238000009795 derivation Methods 0.000 claims description 4
- 101100240461 Dictyostelium discoideum ngap gene Proteins 0.000 claims 1
- 230000006855 networking Effects 0.000 abstract description 8
- 238000012550 audit Methods 0.000 abstract description 2
- 230000006870 function Effects 0.000 description 43
- 238000012545 processing Methods 0.000 description 16
- 238000010586 diagram Methods 0.000 description 11
- 230000008569 process Effects 0.000 description 7
- 238000004891 communication Methods 0.000 description 6
- 238000000605 extraction Methods 0.000 description 4
- 238000012423 maintenance Methods 0.000 description 4
- 230000008878 coupling Effects 0.000 description 3
- 238000010168 coupling process Methods 0.000 description 3
- 238000005859 coupling reaction Methods 0.000 description 3
- 238000011161 development Methods 0.000 description 2
- 238000005516 engineering process Methods 0.000 description 2
- 238000007726 management method Methods 0.000 description 2
- COCAUCFPFHUGAA-MGNBDDOMSA-N n-[3-[(1s,7s)-5-amino-4-thia-6-azabicyclo[5.1.0]oct-5-en-7-yl]-4-fluorophenyl]-5-chloropyridine-2-carboxamide Chemical compound C=1C=C(F)C([C@@]23N=C(SCC[C@@H]2C3)N)=CC=1NC(=O)C1=CC=C(Cl)C=N1 COCAUCFPFHUGAA-MGNBDDOMSA-N 0.000 description 2
- 230000002194 synthesizing effect Effects 0.000 description 2
- 230000001133 acceleration Effects 0.000 description 1
- 230000009286 beneficial effect Effects 0.000 description 1
- 230000005540 biological transmission Effects 0.000 description 1
- 230000015572 biosynthetic process Effects 0.000 description 1
- 238000005314 correlation function Methods 0.000 description 1
- 238000007405 data analysis Methods 0.000 description 1
- 238000013461 design Methods 0.000 description 1
- 238000009826 distribution Methods 0.000 description 1
- 238000004573 interface analysis Methods 0.000 description 1
- 238000004519 manufacturing process Methods 0.000 description 1
- 238000010295 mobile communication Methods 0.000 description 1
- 238000012986 modification Methods 0.000 description 1
- 230000004048 modification Effects 0.000 description 1
- 230000003287 optical effect Effects 0.000 description 1
- 238000007781 pre-processing Methods 0.000 description 1
- 230000010076 replication Effects 0.000 description 1
- 230000004044 response Effects 0.000 description 1
- 238000007619 statistical method Methods 0.000 description 1
- 238000003786 synthesis reaction Methods 0.000 description 1
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L49/00—Packet switching elements
- H04L49/30—Peripheral units, e.g. input or output ports
- H04L49/3009—Header conversion, routing tables or routing tags
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L45/00—Routing or path finding of packets in data switching networks
- H04L45/50—Routing or path finding of packets in data switching networks using label swapping, e.g. multi-protocol label switch [MPLS]
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L69/00—Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
- H04L69/22—Parsing or analysis of headers
Landscapes
- Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Security & Cryptography (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The application discloses a verification method, a verification device, a storage medium and electronic equipment, wherein the method comprises the following steps: acquiring a preset first packet; when the first packet is 5GC signaling flow and 5G user plane flow, inserting user characteristic information metadata generated after decoding and decrypting the signaling into the first packet to generate a second packet; when the second packet is a metadata message with user characteristic information and the matching of the user surface flow is successful, acquiring the metadata with the user characteristic information of the second packet and marking the metadata on the tail of the user surface flow; and (4) outputting the user surface flow of the marking user characteristic information and the general data representation of the user signaling action from a preset port for analysis of a safety audit system. The method and the device can simultaneously access the 5GC signaling and the user plane flow, can decouple the 5GC signaling and the user plane flow, support the decoding and decryption of the NAS signaling and the association between signaling interfaces to extract the user characteristic information, are easy for networking deployment, and can improve the marking hit rate of the user characteristic information.
Description
Technical Field
The present application relates to the field of computer technologies, and in particular, to a verification method, an apparatus, a storage medium, and an electronic device.
Background
With the development of mobile communication technology, operator networks have entered the 5G era. 3GPP releases new 5G protocol specification, and provides new mobile core network structure and transmission protocol, and the old 3G/4G signaling analysis correlation function is no longer applicable.
In the aspect of analyzing and Processing a program data Packet of a switch, a Vector Packet Processing (VPP) framework of a Cisco open source can flexibly expand a plug-in to realize a user-defined high-performance data Packet Processing stack; by combining with the Intel (intel) Data Plane Development Kit (DPDK), the data processing performance and throughput can be greatly improved, and the working efficiency of the data plane application program can be improved. In a hardware level, the high performance based on an ARM framework and the low-power consumption multi-core chip tend to be mature in the server market.
Disclosure of Invention
The method and the device solve the technical problem that the prior art cannot meet the requirements of the user on the associated marking hit rate and accuracy.
The embodiment of the application provides a verification method and device with 5GC signaling decoding and decryption and user plane flow correlation marking functions, a storage medium and electronic equipment. The following presents a simplified summary in order to provide a basic understanding of some aspects of the disclosed embodiments. This summary is not an extensive overview and is intended to neither identify key/critical elements nor delineate the scope of such embodiments. Its sole purpose is to present some concepts in a simplified form as a prelude to the more detailed description that is presented later.
In a first aspect, an embodiment of the present application provides a method for signaling decoding and decryption with 5GC and marking verification associated with user plane traffic, where the method includes:
acquiring a preset first packet;
when the first packet is a 5GC signaling and a user plane message, decoding and decrypting the 5GC signaling to generate user characteristic information metadata, inserting the user characteristic information metadata into the first packet to generate a second packet, and simultaneously generating signaling action flow general representation data (CDR);
when the second packet is a 5GC user plane message and user characteristic information metadata and the correlation matching is successful, marking a user characteristic information label on the tail part of the user plane data;
and outputting the tagged user plane data and the signaling action CDR from a predetermined port.
Before the obtaining of the preset first packet, the method further includes:
acquiring a pre-analyzed 5GC signaling message;
matching the pre-analyzed 5GC message with a signaling flow table;
and when the signaling flow is successfully matched, generating the metadata message with the user characteristic information, inserting the metadata message with the user characteristic information into a preset first packet, and taking the message with the inserted metadata as a preset second packet.
Before the obtaining of the pre-analyzed 5GC signaling message and the metadata with the user characteristic information, the method further includes:
when a message input aiming at the single programmable switch is received, a preset message analysis program module is obtained;
and analyzing the message according to the preset message analysis program module to generate an analyzed message, and taking the analyzed message as a pre-analyzed message.
Optionally, when receiving a message input to the single programmable switch, before acquiring the preset message analysis program module, the method further includes:
and loading a forwarding plane program of the single programmable switch, wherein the forwarding plane program comprises a message analysis program module, a flow table matching module and a message forwarding program module.
In a second aspect, an embodiment of the present application provides a verification apparatus with 5GC signaling decoding and decryption and user plane traffic correlation marking function, the apparatus includes:
the first data acquisition module is used for acquiring a preset first packet and user characteristic information metadata;
the second packet generation module is used for generating user characteristic information metadata when the first packet is a 5GC signaling message and the matching of the signaling flow table is successful, and inserting the message with the user characteristic information metadata into the first packet to generate a second packet;
the metadata acquisition module is used for acquiring the metadata with the user characteristic information of the second packet when the second packet is a message with the user characteristic information;
and the data output module is used for outputting the 5G user plane message with the user characteristic information label and the signaling flow general representation data from a preset port.
Optionally, the apparatus further comprises:
the second data acquisition module is used for acquiring the pre-analyzed message and the in-band network telemetering metadata;
the message matching module is used for matching the pre-analyzed message with a preset flow table;
and the first message generation module is used for inserting the in-band network telemetry function metadata into the pre-analyzed message data to generate a message with inserted metadata when the matching is successful, and taking the message with inserted metadata as a preset first packet.
Optionally, the apparatus further comprises:
the program acquisition module is used for acquiring a preset message analysis program module when receiving a message input aiming at the single programmable switch;
and the second message generation module is used for analyzing the message according to the preset message analysis program module to generate an analyzed message, and taking the analyzed message as a pre-analyzed message.
Optionally, the apparatus further comprises:
and the program loading module is used for loading a forwarding plane program of the single programmable switch, and the forwarding plane program comprises a message analysis program module, a flow table matching module and a message forwarding program module.
In a third aspect, embodiments of the present application provide a computer storage medium storing a plurality of instructions adapted to be loaded by a processor and to perform the above-mentioned method steps.
In a fourth aspect, an embodiment of the present application provides an electronic device, which may include: a processor and a memory; wherein the memory stores a computer program adapted to be loaded by the processor and to perform the above-mentioned method steps.
The technical scheme provided by the embodiment of the application can have the following beneficial effects:
in the embodiment of the application, a preset first packet is obtained first, then when the first packet is a 5GC signaling and a user plane message, user characteristic information metadata generated after the signaling is decoded and decrypted is inserted into the first packet to generate a second packet, when the second packet is the 5GC user plane message and the user characteristic information metadata and the association matching is successful, the user characteristic information metadata of the second packet is obtained and marked at the tail of the user plane data, and finally the user plane data with the mark is output from a preset port. The scheme provides a set of programmable switch based on the function of an ARM architecture general CPU, and the 5GC signaling decoding and decryption and the user plane flow correlation marking function verification method is verified by inputting the 5GC core network flow through a device port. The method can be deployed and implemented on one or more devices, can flexibly perform networking, supports the 5G core network with ultra-large flow, can effectively reduce networking difficulty and operation and maintenance cost, can extract user characteristic information by correlating NAS decryption and a signaling interface, and improves the hit rate and accuracy rate of user-plane correlation marking.
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the application.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the application and together with the description, serve to explain the principles of the application.
Fig. 1 is a schematic flowchart of a verification method with 5GC signaling decoding and decryption and user plane traffic correlation marking function according to an embodiment of the present application;
fig. 2 is a schematic flow chart of a 5GC signaling decoding and signaling flow matching function provided in an embodiment of the present application;
fig. 3 is a schematic flow chart illustrating a 5GC NAS signaling decryption and user characteristic information extraction function according to an embodiment of the present application;
fig. 4 is a schematic diagram of data acquisition of a 5GC core network according to an embodiment of the present disclosure;
fig. 5 is a schematic diagram of a verification process with 5GC signaling decoding and decryption and user plane traffic correlation marking function according to an embodiment of the present application;
fig. 6 is a processing flow diagram of a single programmable switch 5GC signaling decoding decryption and user plane traffic association marking function according to an embodiment of the present application;
fig. 7 is a schematic structural diagram of a verification apparatus for in-band network remote control function according to an embodiment of the present application;
fig. 8 is a schematic structural diagram of an electronic device according to an embodiment of the present application.
Detailed Description
The following description and the annexed drawings set forth in detail certain illustrative embodiments of the application so as to enable those skilled in the art to practice them.
It should be understood that the embodiments described are only a few embodiments of the present application, and not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
When the following description refers to the accompanying drawings, like numbers in different drawings represent the same or similar elements unless otherwise indicated. The embodiments described in the following exemplary embodiments do not represent all embodiments consistent with the present application. Rather, they are merely examples of apparatus and methods consistent with certain aspects of the application, as detailed in the appended claims.
In the description of the present application, it is to be understood that the terms "first," "second," and the like are used for descriptive purposes only and are not to be construed as indicating or implying relative importance. The specific meaning of the above terms in the present application can be understood in a specific case by those of ordinary skill in the art. Further, in the description of the present application, "a plurality" means two or more unless otherwise specified. "and/or" describes the association relationship of the associated objects, meaning that there may be three relationships, e.g., a and/or B, which may mean: a exists alone, A and B exist simultaneously, and B exists alone. The character "/" generally indicates that the former and latter associated objects are in an "or" relationship.
For 5G core network (5GC) data, the visibility of user characteristic information is reduced by the encryption characteristic of NAS layer information of a signaling plane, and the signaling action flow is protected by encryption, so that the difficulty of data analysis audit is increased. The NAS decryption method provided in the embodiment of the present application, based on the 3GPP 5G flow specification, analyzes and associates each signaling interface message of the 5GC, simulates key tree derivation and multi-level derivation of related keys, and finally generates an NAS key, and supports hardware accelerated decryption of all encryption algorithms of NEA1/NEA2/NEA3, so that hit rate and accuracy of user feature information extraction can be improved, the NAS decryption method can be deployed and implemented on physical network equipment based on a programmable chip, can efficiently decode and decrypt 5GC signaling, and associates and processes 5GC user plane traffic, which is described in detail below with an exemplary embodiment.
Generally, the user feature information described in the embodiment of the present application includes, but is not limited to, an International Mobile Subscriber identity (imsi) (International Mobile Subscriber identity), an International Mobile Equipment identity (imei) (International Mobile Equipment identity), a Mobile Subscriber number MSISDN (Mobile Subscriber ISDN/PSTN number), a Mobile Equipment IP address, a Mobile Subscriber location tracking code (tac) (tracking Area code), a cell number (ci cell (id)), a radio access type (RAT type), a data access network name (dnn) (data network name), and the like, so as to assist the signaling auditing system.
The method for verifying the functions of decoding and decrypting the band 5GC signaling and marking the user plane traffic association provided by the embodiment of the present application will be described in detail with reference to fig. 1 to 6. The embodiment is deployed on a programmable switch based on an ARM chip.
Please refer to fig. 1, which provides a schematic flow chart of a verification method with 5GC signaling decoding and decryption and user plane traffic correlation marking function for the embodiment of the present application. As shown in fig. 1, the method of the embodiment of the present application may include the steps of:
s101, acquiring a preset first packet;
the preset first packet is a signaling plane and a user plane traffic according to the 5G core network acquisition point mirror shown in fig. 4.
In this embodiment of the present application, a programmable switch is first used, a connection is performed in a certain manner, then a single programmable switch first loads a required forwarding plane program, where the forwarding plane program includes a message parsing program module and a message forwarding program module, and when a 5GC signaling enters from a physical port of the programmable switch, for example, as shown in fig. 2, the message parsing program module parses a received message to obtain signaling flow information, and a flow table is automatically created according to the signaling flow information, for example, the HTTP2 flow table may be (1) Entry SIP { 10.100.3.1, DIP-100.3.2.1, port-12345, DPORT 8080, STREAM _ ID 66}, and the interpretation is as follows: a piece of signaling traffic of source address SIP 10.100.3.1, destination address DIP 100.3.2.1, source TCP port SPORT 12345, destination TCP port DPORT 8080, HTTP2 flow sequence number STREAM _ ID 66 on N11 or N12 signaling interface. And the corresponding signaling message is identified as the signaling of the same mobile user after being checked according to the uniform resource locator URL. The NGAP flow table (2) Entry2{ RAN _ UE _ NGAP _ ID 1234, AMF _ ID 740, RAN _ ID 17832} is interpreted as: on the N2 signaling interface, AMF server uniquely identifies AMF _ ID 740, base station uniquely identifies RAN _ ID 17832, and base station UE uniquely identifies RAN _ UE _ NGAP _ ID 1234, which is the signaling traffic of the same mobile subscriber. In the subsequent signaling analysis processing, the feature information of the mobile user is cumulatively extracted when the Entry is matched.
When the parsed message matches the HTTP2 Entry, processing the HTTP2 includes the following operations:
(1) HTTP2 request/response message pairing, storing payload (payload) data in the flow table;
(2) decompressing HTTP2 header, obtaining HTTP header field such as state code, PATH, etc. to analyze signaling format;
(3) and analyzing the load data according to a JSON data format specified by the 3GPP, extracting corresponding mobile user characteristic information, storing the information in the equipment and generating a signaling process CDR.
When the parsed message matches the NGAP Entry2, the processing of the NGAP signaling comprises the following operations:
(1) pre-analyzing the type of the NGAP message and the carried information element IE (information element);
(2) checking whether the encrypted NAS signaling exists in the signaling or not, and if so, performing decryption processing;
(3) extracting the user characteristic information in the cell IE, accumulating and storing the user characteristic information in the equipment and generating a signaling process CDR;
(4) and when the NGAP message carries the user plane traffic association characteristics, generating a user characteristic information metadata message.
Optionally, based on the signaling decoding and decrypting function described in the embodiment of the present application, a 5GC core network structure, that is, IP addresses of service nodes such as AMF, SMF, UPF, GNB and the like, may be learned according to 3GPP specification fields without manually pre-configuring related IP information; meanwhile, the program can provide statistical analysis of link quality information of related signaling interface flow, namely signaling integrity degree, signaling normal association degree and the like, and has an auxiliary function of networking deployment and maintenance;
s102, when the first packet is a 5GC signaling and a user plane flow, inserting a user characteristic information metadata message generated after decoding and decrypting the signaling into the first packet to generate a second packet;
particularly, when handling an ultra-large core traffic and requiring a plurality of devices to jointly form a network, it is required that the convergence and offloading device should have a homologous and homoclinic property, so as to ensure that the associated user characteristic information metadata packet and the user plane traffic load in the second packet are distributed to the same device.
S103, when the second packet is a metadata packet with user characteristic information and a user plane traffic, the method includes the following steps:
(1) analyzing the user feature information metadata, and establishing a user plane traffic flow table Entry3{ GTPU _ DIP ═ 10.100.2.1, GTPU _ TEID ═ 4321, GTPU _ DIR ═ 1}, where the interpretation is that the destination address GTPU _ DIP ═ 10.100.2.1 of the GTP Tunnel of the user plane N3 interface, the end point Identifier (Tunnel Endpoint Identifier) GTPU _ TEID ═ 4321 of the GTP Tunnel, the direction of the GTP Tunnel on N3 represents GTPU _ DIR ═ 1, for example, GTPU _ DIR ═ 1 represents an uplink channel, and GTPU _ DIR ═ 0 represents a downlink channel.
And storing the characteristic information carried by the metadata message in a flow table.
(2) Analyzing the characteristics of the user plane flow tunnel, matching the flow table Entry3, and marking the user characteristic information on the tail of the user plane flow when the matching is successful. Generally, in a mobile network, the imsi and msisdn identifications have strong correlation, so that, optionally, the embodiment of the application proposes imsi index correlation msisdn,
to improve the hit rate of msisdn when marking user characteristic information.
Based on the 3gpp specification, in order to improve the security of the signaling over the air interface, generally, the N2 signaling plaintext does not carry a unique user identifier, such as IMSI/MSISDN/IMEI, so that the method of decrypting the NAS signaling and extracting the unique user identifier by cross-signaling interface association can improve the integrity and accuracy of the user feature information. As shown in fig. 3, firstly, obtaining the interface signaling of the input 5GC, decoding the N2, N11 and N12 signaling and performing signaling flow table matching respectively, then extracting Kamf derived parameter ABBA from N2, extracting Kamf derived parameter SUPI and parent key Kseaf from N12, then performing cross-over interface correlation matching on the N2 and N12 signaling, and when the correlation succeeds and carries the related parameters, deriving the Kamf key; after Kamf derivation is completed, extracting the type of an NAS signaling encryption protection algorithm, namely alg _ id, from an N2 interface, if extraction is successful, deriving a Knassec key, and if extraction is failed, traversing and colliding three encryption algorithms to derive the Knassec so as to improve the success rate of Nas decryption; when the Knasnsec is successfully derived, the NAS signaling is pre-analyzed to obtain decryption parameters such as the uplink and downlink directions and the serial number of the message, and after NAS decryption based on hardware acceleration is completed, user characteristic information can be extracted from the message and a signaling flow can be obtained; and finally, performing cross-connection association of N11 and N2 signaling to combine the extracted user characteristic information for generating a user characteristic information metadata message and a signaling process CDR.
And S104, after the signaling decoding and decryption and the user plane correlation marking are finished, outputting the processed user plane flow and signaling flow CDR from a preset port.
Based on the above-mentioned 5GC signaling and user plane association marking and NAS decryption processing flow, the core network data acquisition scheme provided in the embodiment of the present application is shown in fig. 4, where a data acquisition point includes interfaces N1, N2, N3, N11, and N12 in a 5GC core network structure in a 3GPP specification, and these interfaces are also interfaces for all support processing of the verification device described in this embodiment.
In this embodiment, as shown in fig. 5, a preset first packet is first obtained, then when the first packet is a packet with a 5GC signaling and a user plane format, a password decrypts the signaling, a user characteristic information metadata packet and a signaling flow CDR are generated, the generated user characteristic information metadata packet is inserted into the first packet to generate a second packet, when the second packet is a packet with a user plane and matches the user characteristic information metadata successfully, the user characteristic information metadata of the second packet is obtained, the user characteristic information is marked on the tail of the user plane traffic, and finally the user plane traffic with the user characteristic information tag and the signaling flow CDR are output from a predetermined port. The scheme provides a programmable switch with high-performance packet processing capacity based on an ARM architecture processor, 5GC signaling and user plane traffic are accessed through a device port, and a user plane traffic correlation marking and CDR function output signaling are verified. The method can be deployed and implemented on physical programmable chip-based network equipment (or a programmable exchange chip simulator provided by a chip manufacturer), and can decrypt encrypted signaling messages and realize signaling cross-interface analysis association, so that the marking hit rate and the marking accuracy of user characteristic information can be improved.
Please refer to fig. 6, which is a schematic flow chart of a verification method with 5GC signaling decoding and decryption and user plane traffic correlation marking function according to an embodiment of the present application. The embodiment is exemplified by applying the verification method with 5GC signaling decoding and decryption and user plane traffic correlation marking function to a single programmable switch. The verification method of the in-band network telemetry function can comprise the following steps:
s201, loading a forwarding surface program of the single programmable switch, wherein the forwarding surface program comprises a signaling decoding and decrypting module, a user surface associated marking program module, a signaling flow table and user surface flow table matching module and a message forwarding program module;
s202, when receiving the message input by the programmable switch, acquiring a preset signaling processing program, decoding and decrypting the interface signaling of N2, N11 and N12, and establishing a signaling flow table;
s203, when the signaling flow table is successfully matched, associating each signaling interface, integrating the user characteristic information, and generating a signaling CDR and a user characteristic information metadata message;
s204, inserting the user characteristic information metadata message into a first packet to generate a second packet;
s205, obtaining a user plane message and a user plane characteristic information metadata message;
s206, analyzing the user plane characteristic information metadata message, extracting GTP flow characteristics and establishing a user plane flow table;
s207, matching the user plane message with a user flow table;
s208, marking the user characteristic information on the tail part of the user surface message when the user flow table is successfully matched;
s209, outputting the user plane flow with the label and the signaling flow CDR from a preset port;
the following are embodiments of the apparatus of the present application that may be used to perform embodiments of the method of the present application. For details which are not disclosed in the embodiments of the apparatus of the present application, reference is made to the embodiments of the method of the present application.
Please refer to fig. 7, which shows a schematic structural diagram of a verification apparatus with 5GC signaling decoding decryption and user plane traffic correlation marking functions according to an exemplary embodiment of the present application. The verification device with 5GC signaling decoding and decryption and user plane flow related marking functions can be realized into all or part of electronic equipment through software, hardware or the combination of the software and the hardware. The device 1 comprises a first data acquisition module 10, a signaling decoding and decrypting correlation module 20, a user characteristic information and signaling CDR synthesizing module 30, a second packet generating module 40, a second data acquisition module 50, a user flow correlation marking module 60 and a signaling CDR and marking data output module 70.
A first data obtaining module 10, configured to obtain a preset first packet, that is, 5GC signaling data;
a signaling decoding and decrypting correlation module 20, configured to decode and decrypt a signaling message and perform correlation processing on signaling of each interface when the first packet is a packet in a 5GC signaling format;
a user characteristic information and signaling CDR synthesizing module 30, configured to extract and synthesize user characteristic information and signaling CDR flow when the signaling message is decoded and decrypted successfully;
and a second packet generation module 40, configured to generate a message according to the user feature information in a fixed format, insert the message into the first packet, and generate a second packet.
A second data obtaining module 50, configured to obtain the user characteristic information metadata packet and the 5GC user plane packet;
the user flow correlation marking module 60 is used for establishing a user plane flow table, and marking the user characteristic information on the tail of the user plane message when the user plane message is successfully matched with the flow table;
a signaling CDR and marking data output module 70, configured to output the user plane traffic with the user feature information and the signaling flow CDR from a preset port when synthesis of the signaling CDR is completed and marking of the user plane traffic is successful;
it should be noted that, when the verification method of the tape 5GC signaling decoding and decryption and the user plane traffic related marking function is executed, the verification apparatus with the 5GC signaling decoding and decryption and the user plane traffic related marking function provided in the foregoing embodiment is exemplified by only the division of the above functional modules, and in practical application, the above function distribution may be completed by different functional modules according to needs, that is, the internal structure of the device is divided into different functional modules, so as to complete all or part of the above described functions. In addition, the verification apparatus with 5GC signaling decoding and decryption and user plane traffic associated marking function provided in the above embodiment and the verification method embodiment with 5GC signaling decoding and decryption and user plane traffic associated marking function belong to the same concept, and the detailed implementation process is shown in the method embodiment, and is not described herein again.
The above-mentioned serial numbers of the embodiments of the present application are merely for description and do not represent the merits of the embodiments.
In the embodiment of the application, a preset first packet is obtained first, then when the first packet is a 5GC signaling and a user plane message, user characteristic information metadata generated after the signaling is decoded and decrypted is inserted into the first packet to generate a second packet, when the second packet is the 5GC user plane message and the user characteristic information metadata and the association matching is successful, the user characteristic information metadata of the second packet is obtained and marked at the tail of the user plane data, and finally the user plane data with the mark is output from a preset port. The scheme provides a set of programmable switch based on the function of an ARM architecture general CPU, and the 5GC signaling decoding and decryption and the user plane flow correlation marking function verification method is verified by inputting the 5GC core network flow through a device port. The method can be deployed and implemented on one or more devices, can flexibly perform networking, supports the 5G core network with ultra-large flow, can effectively reduce networking difficulty and operation and maintenance cost, can extract user characteristic information by correlating NAS decryption and a signaling interface, and improves the hit rate and accuracy rate of user-plane correlation marking.
The present application further provides a computer program product containing instructions, which when run on a computer, causes the computer to execute the method for verifying the marking function with 5GC signaling decoding and decryption and user plane traffic correlation according to the above embodiments of the method.
Please refer to fig. 8, which is a schematic structural diagram of an electronic device according to an embodiment of the present disclosure. As shown in fig. 8, the electronic device 1000 may include: at least one processor 1001, at least one switch chip 1002, a user interface 1003, a memory 1005, at least one communication bus 1006, and a set of 10GE +100GE network interfaces 1004.
The communication bus 1006 is used for realizing connection communication among these components.
The user interface 1003 may include a management network card and a serial port to provide a CLI-based device configuration and management interface.
The network interface 1004 may optionally include a set of standard 10GE and 100GE optical ports, among others.
The switch chip 1002 is used for providing functions of the network interface 1004, such as wire speed forwarding, traffic preprocessing, and traffic replication.
The Memory 1005 may include a Random Access Memory (RAM) or a Read-Only Memory (Read-Only Memory). Optionally, the memory 1005 includes a non-transitory computer-readable medium. The memory 1005 may be used to store an instruction, a program, code, a set of codes, or a set of instructions. The memory 1005 may include a stored program area and a stored data area, wherein the stored program area may store instructions for implementing an operating system, instructions for at least one function (such as reading and writing files, sound playing function, image playing function, etc.), instructions for implementing the various method embodiments described above, and the like; the storage data area may store data and the like referred to in the above respective method embodiments. The memory 1005 may optionally be at least one memory device located remotely from the processor 1001. As shown in fig. 8, the memory 1005, which is a kind of computer storage medium, may include an operating system, a network communication module, a user interface module, and a verification application with 5GC signaling decoding decryption and user plane traffic associated marking function.
In the electronic device 1000 shown in fig. 8, the user interface 1003 is mainly used as an interface for providing input for a user, and acquiring data input by the user; and the processor 1001 may be configured to invoke the verification application with 5GC signaling decoding decryption and user plane traffic associated marking function stored in the memory 1005, and specifically perform the following operations:
acquiring a preset first packet;
when the first packet is a message in an in-band network telemetry format, inserting the in-band network telemetry metadata into the first packet to generate a second packet;
when the second packet is a message in an in-band network telemetry format and is successfully matched with a preset flow table, acquiring in-band network telemetry metadata of the second packet;
outputting the in-band network telemetry metadata from a predetermined port.
In one embodiment, the processor 1001, before performing the acquiring the predetermined first packet and the in-band network telemetry metadata, further performs the following:
acquiring a pre-analyzed message and in-band network telemetry metadata;
establishing a corresponding signaling flow table and a user flow table and matching the pre-analyzed signaling and user messages;
and when the matching is successful, inserting the in-band network telemetry function metadata into the pre-analyzed message data to generate a message with inserted metadata, and taking the message with inserted metadata as a preset first packet.
In one embodiment, the processor 1001, when executing the obtaining the pre-parsed message and the in-band network telemetry metadata, further performs the following:
when a message input aiming at the single programmable switch is received, a preset message analysis program module is obtained;
and analyzing the message according to the preset message analysis program module to generate an analyzed message, and taking the analyzed message as a pre-analyzed message.
In one embodiment, the processor 1001, before executing the obtaining of the preset message parser module when receiving the message input to the single programmable switch, further executes the following operations:
and loading a forwarding plane program of the single programmable switch, wherein the forwarding plane program comprises a message analysis program module, a flow table matching module and a message forwarding program module.
In the embodiment of the application, a preset first packet is obtained first, then when the first packet is a 5GC signaling and a user plane message, user characteristic information metadata generated after the signaling is decoded and decrypted is inserted into the first packet to generate a second packet, when the second packet is the 5GC user plane message and the user characteristic information metadata and the association matching is successful, the user characteristic information metadata of the second packet is obtained and marked at the tail of the user plane data, and finally the user plane data with the mark is output from a preset port. The scheme provides a set of programmable switch based on the function of an ARM architecture general CPU, and the 5GC signaling decoding and decryption and the user plane flow correlation marking function verification method is verified by inputting the 5GC core network flow through a device port. The method can be deployed and implemented on one or more devices, can flexibly perform networking, supports the 5G core network with ultra-large flow, can effectively reduce networking difficulty and operation and maintenance cost, can extract user characteristic information by correlating NAS decryption and a signaling interface, and improves the hit rate and accuracy rate of user-plane correlation marking.
Those of skill in the art would appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware or combinations of computer software and electronic hardware. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the implementation. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application. It is clear to those skilled in the art that, for convenience and brevity of description, the specific working processes of the above-described systems, apparatuses and units may refer to the corresponding processes in the foregoing method embodiments, and are not described herein again.
In the embodiments disclosed herein, it should be understood that the disclosed methods, articles of manufacture (including but not limited to devices, apparatuses, etc.) may be implemented in other ways. For example, the above-described apparatus embodiments are merely illustrative, and for example, the division of the units is only one logical division, and other divisions may be realized in practice, for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, devices or units, and may be in an electrical, mechanical or other form. The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment. In addition, functional units in the embodiments of the present application may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit.
It should be understood that the flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present application. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions. The present application is not limited to the procedures and structures that have been described above and shown in the drawings, and various modifications and changes may be made without departing from the scope thereof. The scope of the application is limited only by the appended claims.
Claims (10)
1. A verification method for decoding and decrypting 5GC signaling and marking related to user plane traffic is characterized by comprising the following steps:
acquiring a preset first packet;
when the first packet is a 5GC signaling and a user plane message, decoding the decryption signaling to generate user characteristic information metadata, and inserting the user characteristic information metadata into the first packet to generate a second packet;
marking a user plane message when the second packet is a user plane message and user characteristic information metadata and the user plane message is successfully matched with the user characteristic information metadata;
and outputting the user surface message of the marking user characteristic information and the CDR of the user signaling action from a preset port.
2. The method of claim 1, wherein before acquiring the predetermined second packet, further comprising:
acquiring a preset first packet, decoding and decrypting HTTP2/NGAP (NAS) protocol signaling, and presetting a signaling flow table;
matching a pre-decoded 5GC signaling message with a preset flow table, and extracting user characteristic information metadata;
and when the matching is successful, extracting the user characteristic information carried by the first packet to generate a user characteristic information metadata message, and inserting the user characteristic information metadata message into the first packet to generate a second packet.
3. The method of claim 2, wherein prior to decrypting the HTTP2/ngap (nas) protocol signaling, further comprising:
when the pre-decoded NGAP signaling message is successfully matched with a preset NGAP flow table, carrying out NAS key derivation and 5G encryption algorithm selection according to 3GPP specifications;
and when the pre-decoded HTTP2 signaling message is successfully matched with the preset HTTP2 flow table, decoding the N11/N12 interface signaling.
4. The method according to claim 3, wherein before obtaining a predetermined message parser module when receiving a message input for the single programmable switch, the method further comprises:
and loading a forwarding plane program of the single programmable switch, wherein the forwarding plane program comprises a message analysis decryption program module, a flow table matching module and a message forwarding program module.
5. A verification apparatus for 5GC signaling decryption and marking with user plane traffic association, the apparatus comprising:
a first data acquisition module;
a first packet generation module, configured to decode and decrypt the 5GC signaling to generate user characteristic information metadata when the first packet is a 5GC signaling and a user plane packet, and insert the user characteristic information metadata into the first packet to generate a second packet;
the user surface data marking module is used for marking a user surface data with a user characteristic information label when the second package is a packet with a user surface message and user characteristic information metadata and the correlation matching is successful;
and the data output module is used for outputting the labeled user plane data and the general user signaling action data to represent the CDR from a preset port.
6. The apparatus of claim 5, further comprising:
and the first data acquisition module is used for acquiring 5GC signaling and user plane traffic.
7. The apparatus of claim 6, further comprising:
the program acquisition module is used for acquiring a preset message analysis program module when receiving a message input aiming at the single programmable switch;
and the message generation module is used for decoding and decrypting the 5GC signaling message by the message analysis program module to generate a user characteristic information metadata message and generating a message in a universal representation data (CDR) format from a signaling action flow.
8. The apparatus of claim 7, further comprising:
and the program loading module is used for loading a forwarding plane program of the single programmable switch, and the forwarding plane program comprises a message analysis program module, a user characteristic information matching module and a message forwarding program module.
9. A computer storage medium, characterized in that it stores a plurality of instructions adapted to be loaded by a processor and to perform the method steps according to any of claims 1 to 4.
10. An electronic device, comprising: a processor and a memory; wherein the memory stores a computer program adapted to be loaded by the processor and to perform the method steps of any of claims 1 to 4.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202110257912.7A CN113179229A (en) | 2021-03-10 | 2021-03-10 | Verification method, verification device, storage medium and electronic equipment |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202110257912.7A CN113179229A (en) | 2021-03-10 | 2021-03-10 | Verification method, verification device, storage medium and electronic equipment |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN113179229A true CN113179229A (en) | 2021-07-27 |
Family
ID=76921901
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202110257912.7A Pending CN113179229A (en) | 2021-03-10 | 2021-03-10 | Verification method, verification device, storage medium and electronic equipment |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN113179229A (en) |
Cited By (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN115021877A (en) * | 2022-05-17 | 2022-09-06 | 中国电信股份有限公司 | Signaling test method and device, storage medium and electronic equipment |
| CN116684864A (en) * | 2023-08-03 | 2023-09-01 | 武汉博易讯信息科技有限公司 | 4G-to-5G switching scene NAS decryption method, system, equipment and readable medium |
Citations (9)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN105430692A (en) * | 2015-10-27 | 2016-03-23 | 合肥浩瀚深度信息技术有限公司 | Method for associating signaling flows of 4G and 3G networks |
| CN105450473A (en) * | 2015-12-07 | 2016-03-30 | 湖南戎腾网络科技有限公司 | User traceability association method for LTE network and front-end collector |
| CN105578491A (en) * | 2014-10-17 | 2016-05-11 | 任子行网络技术股份有限公司 | Method and device for associating 4G user information with application data |
| CN106506514A (en) * | 2016-11-21 | 2017-03-15 | 北京集奥聚合科技有限公司 | A kind of 4G mobile datas signaling plane and correlating method and the system of user plane |
| CN109561462A (en) * | 2019-01-24 | 2019-04-02 | 重庆重邮汇测电子技术研究院有限公司 | A kind of multi-protocol association method and system suitable for 5G terminal emulator |
| US20200106812A1 (en) * | 2018-09-27 | 2020-04-02 | Palo Alto Networks, Inc. | Network slice-based security in mobile networks |
| CN111404798A (en) * | 2020-03-09 | 2020-07-10 | 湖北微源卓越科技有限公司 | System and method for multi-user rule matching and flow replication |
| CN112055422A (en) * | 2020-09-18 | 2020-12-08 | 电信科学技术第十研究所有限公司 | Method and device for associating 5G signaling with user plane data |
| CN112134846A (en) * | 2020-08-21 | 2020-12-25 | 宜通世纪科技股份有限公司 | Method, system, device and medium for analyzing signaling data of communication network |
-
2021
- 2021-03-10 CN CN202110257912.7A patent/CN113179229A/en active Pending
Patent Citations (9)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN105578491A (en) * | 2014-10-17 | 2016-05-11 | 任子行网络技术股份有限公司 | Method and device for associating 4G user information with application data |
| CN105430692A (en) * | 2015-10-27 | 2016-03-23 | 合肥浩瀚深度信息技术有限公司 | Method for associating signaling flows of 4G and 3G networks |
| CN105450473A (en) * | 2015-12-07 | 2016-03-30 | 湖南戎腾网络科技有限公司 | User traceability association method for LTE network and front-end collector |
| CN106506514A (en) * | 2016-11-21 | 2017-03-15 | 北京集奥聚合科技有限公司 | A kind of 4G mobile datas signaling plane and correlating method and the system of user plane |
| US20200106812A1 (en) * | 2018-09-27 | 2020-04-02 | Palo Alto Networks, Inc. | Network slice-based security in mobile networks |
| CN109561462A (en) * | 2019-01-24 | 2019-04-02 | 重庆重邮汇测电子技术研究院有限公司 | A kind of multi-protocol association method and system suitable for 5G terminal emulator |
| CN111404798A (en) * | 2020-03-09 | 2020-07-10 | 湖北微源卓越科技有限公司 | System and method for multi-user rule matching and flow replication |
| CN112134846A (en) * | 2020-08-21 | 2020-12-25 | 宜通世纪科技股份有限公司 | Method, system, device and medium for analyzing signaling data of communication network |
| CN112055422A (en) * | 2020-09-18 | 2020-12-08 | 电信科学技术第十研究所有限公司 | Method and device for associating 5G signaling with user plane data |
Cited By (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN115021877A (en) * | 2022-05-17 | 2022-09-06 | 中国电信股份有限公司 | Signaling test method and device, storage medium and electronic equipment |
| CN115021877B (en) * | 2022-05-17 | 2023-11-14 | 中国电信股份有限公司 | Signaling test method and device, storage medium and electronic equipment |
| CN116684864A (en) * | 2023-08-03 | 2023-09-01 | 武汉博易讯信息科技有限公司 | 4G-to-5G switching scene NAS decryption method, system, equipment and readable medium |
| CN116684864B (en) * | 2023-08-03 | 2023-11-03 | 武汉博易讯信息科技有限公司 | 4G-to-5G switching scene NAS decryption method, system, equipment and readable medium |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| FI108827B (en) | A method for implementing connection security in a wireless network | |
| CN107888381B (en) | Method, device and system for realizing key import | |
| CN110535748B (en) | VPN tunnel mode optimization method and system | |
| CN113179229A (en) | Verification method, verification device, storage medium and electronic equipment | |
| CN109831775B (en) | Processor, baseband chip and SIM card information transmission method | |
| CN110392044B (en) | Information transmission method and device based on video networking | |
| CN105848145A (en) | WIFI intelligent configuration method and device | |
| CN114828140B (en) | Service flow message forwarding method and device, storage medium and electronic equipment | |
| CN109889521A (en) | Memory, communication channel multiplexing implementation method, device and equipment | |
| CN110061962A (en) | A kind of method and apparatus of video stream data transmission | |
| CN110048833B (en) | Electric power service encryption method and device based on quantum satellite key network | |
| CN112217685B (en) | Tunnel detection method, terminal device, system, computer device and storage medium | |
| CN112910774B (en) | Communication method, system and network forwarding equipment | |
| CN112217769B (en) | Data decryption method, data encryption method, data decryption device, data encryption device, data decryption equipment and data decryption medium based on tunnel | |
| CN105592030A (en) | IP message processing method and device | |
| WO2022227484A1 (en) | Data communication method and apparatus, computer device, and storage medium | |
| CN113922972B (en) | Data forwarding method and device based on MD5 identification code | |
| CN114338527B (en) | IPv6 active identifier processing method and system | |
| CN108810981B (en) | Data transmission method and device | |
| CN107800758B (en) | Wind control data processing method, device and system | |
| CN114024598B (en) | Forwarding interface test method and device | |
| CN111262837B (en) | Data encryption method, data decryption method, system, equipment and medium | |
| CN105915531B (en) | A kind of unlocking screen method and terminal | |
| CN104836598B (en) | Method for processing business, apparatus and system based on near-field communication | |
| CN114826748A (en) | Audio and video stream data encryption method and device based on RTP, UDP and IP protocols |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| RJ01 | Rejection of invention patent application after publication |
Application publication date: 20210727 |
|
| RJ01 | Rejection of invention patent application after publication |