CN113206814B - Network event processing method and device and readable storage medium - Google Patents

Network event processing method and device and readable storage medium

Publication number: CN113206814B
Application number: CN202010077699.7A
Authority: CN (China)
Legal status: Active
Prior art keywords: network element, core network, message, network, security
Other languages: Chinese (zh)
Other versions: CN113206814A (en), WO2021151335A1 (en)
Inventor: 黄亚达
Current assignee: Huawei Technologies Co Ltd
Original assignee: Huawei Technologies Co Ltd
Application filed by: Huawei Technologies Co Ltd
Priority: CN202010077699.7A; PCT/CN2020/124932

Classifications

    • H04L 9/40 Network security protocols (under H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols)
    • H04L 63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L 63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L 63/083 Network architectures or network communication protocols for network security for authentication of entities using passwords
    • H04L 63/1425 Traffic logging, e.g. anomaly detection (under H04L 63/1408 Detecting or protecting against malicious traffic by monitoring network traffic)
    • H04L 63/1458 Denial of Service (under H04L 63/1441 Countermeasures against malicious traffic)
    • H04W 12/069 Authentication using certificates or pre-shared keys (under H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity)
    • H04W 12/12 Detection or prevention of fraud

Abstract

The application discloses a network event processing method, a device and a readable storage medium, wherein the method comprises the following steps: the security event processing function network element receives first indication information sent by the data analysis network element, wherein the first indication information is used for indicating that a second network element has generated a network security abnormal event; the security event processing function network element determines, according to the first indication information, N third network elements which have an association relation with the second network element; for one of the N third network elements, the third network element has the capability of processing the service of the second network element; and for one of the N third network elements, the security event processing function network element sends a first security policy corresponding to the third network element, wherein the first security policy corresponding to the third network element comprises indication information used for indicating the third network element to stop processing the service of the second network element.

Description

Network event processing method and device and readable storage medium
Technical Field
The present application relates to the field of mobile communications technologies, and in particular, to a network event processing method and apparatus, and a readable storage medium.
Background
With the application of the fifth generation mobile communication technology (5G) to vertical industries such as healthcare, smart homes and intelligent transportation, the service value carried by the 5G network keeps rising. At the same time, the 5G core network introduces many IT technologies, such as virtualization platforms, container platforms and a growing number of open-source third-party IT components, and multiple suppliers jointly participate in networking. As a result, the 5G core network attracts more and more professional hackers and state-level cyber forces to infiltrate, lie dormant in and attack the 5G network.
In the third generation partnership project (3GPP) specifications, the Network Data Analysis Function (NWDAF) network element in the 5G network architecture may perform network data analysis. The NWDAF may obtain data from network function (NF) network elements and from the Operation, Administration and Maintenance (OAM) system and, after analysis, provide the result to NF network elements and Application Functions (AF) for use.
At present, network security analysis by the NWDAF network element only covers the identification and analysis service for abnormal users. For example, the NWDAF network element receives a subscription from a first network element to the abnormal-user identification service; according to that subscription it collects information such as a user's session messages and charging messages from the corresponding network elements, for example the access and mobility management function (AMF) network element and the session management function (SMF) network element, and then determines from the collected session messages and charging messages whether an abnormal user exists. When it determines that an abnormal user exists, the NWDAF network element sends an abnormal-user notification message to the first network element that subscribed, and the first network element processes the abnormal user according to the notification message.
However, the above method can only analyze the event that a user is abnormal, and the abnormal-user notification is delivered only to the network element that subscribed to it. The existing scheme for processing network abnormal events is therefore limited, and network security is poor.
Disclosure of Invention
The embodiment of the application provides a network event processing method and device, and a readable storage medium, which are used to determine, when a network abnormal event occurs in a second network element, N third network elements related to the second network element, so that the N third network elements isolate the services corresponding to the second network element. In this way all network elements related to the network abnormal event can be processed, potential security hazards of the network can be handled more comprehensively, and the security of the network can be improved.
In this application, the first network element may be a core network element, the second network element may include a second core network element, the third network element may include a third core network element, and the fourth network element may include a fourth core network element.
In a first aspect, an embodiment of the present application provides a network event processing method, including: a security event processing function network element receives first indication information sent by a network data analysis function network element, wherein the first indication information is used for indicating that the second network element has generated a network security abnormal event; the security event processing function network element determines, according to the first indication information, N third network elements which have an association relation with the second network element; for a third network element of the N third network elements, the third network element has a capability of processing a service of the second network element; and for a third network element of the N third network elements, the security event processing function network element sends, to the third network element, a first security policy corresponding to the third network element, where the first security policy corresponding to the third network element includes indication information used for indicating the third network element to isolate a service corresponding to the second network element.
By this method, the security event processing function network element obtains the network security abnormal event sent by the network data analysis function network element, confirms that the second network element has generated the security abnormal event, and then determines, from the second network element, the third network elements that have an association relation with it; for example, a third network element may be a network element that has signaling interaction with the second network element, or a network element that provides a service to the second network element.
In a possible implementation manner, the sending, by the security event processing function network element, of the first security policy corresponding to the third network element to the third network element includes sending, by the security event processing function network element, the first security policy corresponding to the access and mobility management function (AMF) network element to the AMF network element, where the first security policy corresponding to the AMF network element includes indication information used to indicate that the AMF network element isolates a service corresponding to the second network element. Specifically, the AMF network element isolating the service corresponding to the second network element may mean that the AMF network element no longer processes messages sent by the second network element, so that a network security event caused by the AMF network element processing messages of the second network element in which the network security abnormal event occurred can be avoided, and network security can be further improved.
In a possible implementation manner, the sending, by the security event processing function network element, the first security policy corresponding to the third network element includes sending, by the security event processing function network element, the first security policy corresponding to the message forwarding network element to a message forwarding network element, where the first security policy corresponding to the message forwarding network element includes indication information used for indicating that the message forwarding network element stops message forwarding to the second network element. Furthermore, the message forwarding network element can not forward the message of the second network element any more, so that the diffusion of the network security event of the second network element caused by the message forwarding network element forwarding the message of the second network element with the network security abnormal event can be avoided, and the network security can be further improved.
In a possible implementation manner, the sending, by the security event processing function network element, the first security policy corresponding to the third network element includes sending, by the security event processing function network element, the first security policy corresponding to the NRF network element to a network repository function (NRF) network element, where the first security policy corresponding to the NRF network element includes indication information used for indicating that the NRF network element no longer authorizes the second network element and/or revokes the authorization of a user of the second network element; furthermore, the NRF network element can stop or revoke the user authorization for the second network element, thereby avoiding the occurrence of a network security event of the second network element caused by the user of the second network element, and further improving the network security.
In a possible implementation manner, the sending, by the security event processing function network element, the first security policy corresponding to the third network element includes sending, by the security event processing function network element, the first security policy corresponding to the routing transmission controller, where the first security policy corresponding to the routing transmission controller includes indication information used for indicating that the routing transmission controller network element ignores a routing forwarding request for a message of a network segment of the second network element; furthermore, the routing transmission controller can stop the routing forwarding of the message of the network segment of the second network element, thereby avoiding the occurrence of the network security event of the second network element caused by the routing forwarding of the message of the second network element with the network security event by the routing transmission controller, and further improving the network security.
In a possible implementation manner, the sending, by the security event processing function network element, the first security policy corresponding to the third network element includes sending, by the security event processing function network element, the first security policy corresponding to the virtualized resource management network element, where the first security policy corresponding to the virtualized resource management network element includes indication information used for indicating the virtualized resource management network element to release the virtual machine corresponding to the second network element. Furthermore, the virtualized resource management network element can release the virtual machine corresponding to the second network element, so that the operation of the virtual machine of the second network element can be stopped, thereby avoiding the occurrence of the network security event of the second network element, and further improving the network security.
In a possible implementation manner, the sending, by the security event processing function network element, the first security policy corresponding to the third network element includes sending, by the security event processing function network element, the first security policy corresponding to the access and mobility management function network element, where the first security policy corresponding to the access and mobility management function network element includes indication information used for indicating that the access and mobility management function network element releases the user bound to the second network element. Furthermore, the network element with the access and mobility management function can release the user of the second network element, thereby avoiding the occurrence of the network security event of the second network element caused by the user of the second network element and further improving the network security.
In a possible design, the first indication information is further used to indicate an abnormal service corresponding to the network security abnormal event; the security event processing function network element determines, according to the first indication information, M fourth network elements which have an association relation with the second network element; for a fourth network element in the M fourth network elements, the fourth network element has a capability of processing the abnormal service; and the security event processing function network element sends a second security policy corresponding to the fourth network element, where the second security policy corresponding to the fourth network element includes indication information for indicating the fourth network element to stop or cancel processing of the abnormal service.
In the method, the fourth network element related to the abnormal service is determined through the abnormal service corresponding to the network security abnormal event, and then the corresponding second security policy is sent to the fourth network element, so that the fourth network element effectively isolates the abnormal service related to the second network element, and the influence of the abnormal service generated by the abnormal network element on the network performance is reduced.
In a possible implementation manner, the sending, by the security event processing function network element, the second security policy corresponding to the fourth network element includes sending, by the security event processing function network element, the second security policy corresponding to the access and mobility management function network element, where the second security policy corresponding to the access and mobility management function network element includes indication information used for indicating the fourth network element to isolate an abnormal service of the second network element; therefore, the access and mobility management function network element can not process the abnormal service of the second network element any more, thereby avoiding the occurrence of the network security event caused by the processing of the abnormal service of the second network element with the network security abnormal event by the access and mobility management function network element and further improving the network security.
In a possible implementation manner, the sending, by the security event processing function network element, the second security policy corresponding to the fourth network element includes sending, by the security event processing function network element, the second security policy corresponding to the access and mobility management function network element, where the second security policy corresponding to the access and mobility management function network element includes indication information used for indicating the access and mobility management function network element to release the user corresponding to the abnormal service; therefore, the access and mobility management function network element can release the user corresponding to the abnormal service of the second network element, thereby avoiding the occurrence of network security events caused by the user corresponding to the abnormal service of the second network element and further improving the network security.
In a possible implementation manner, the sending, by the security event processing function network element, the second security policy corresponding to the fourth network element includes sending, by the security event processing function network element, the second security policy corresponding to the PCF network element to a Policy Control Function (PCF) network element, where the second security policy corresponding to the PCF network element includes indication information used for indicating the PCF network element to release a user corresponding to the abnormal service; therefore, the PCF network element can release the user corresponding to the abnormal service of the second network element, thereby avoiding the occurrence of network security events caused by the user corresponding to the abnormal service of the second network element and further improving the network security.
In a possible implementation manner, the sending, by the security event processing function network element, the second security policy corresponding to the fourth network element includes sending, by the security event processing function network element, the second security policy corresponding to the message forwarding network element, where the second security policy corresponding to the message forwarding network element includes indication information used for indicating that the message forwarding network element ignores message forwarding requests for the abnormal service of the second network element; furthermore, the message forwarding network element can ignore message forwarding requests for the abnormal service of the second network element, so that a network security event of the abnormal service caused by the message forwarding network element forwarding messages of the abnormal service of the second network element, in which the network security event occurred, can be avoided, and the network security can be further improved.
In a possible implementation manner, the sending, by the security event processing function network element, the second security policy corresponding to the fourth network element includes sending, by the security event processing function network element, the second security policy corresponding to the NRF network element, where the second security policy corresponding to the NRF network element includes indication information used for indicating that the NRF network element stops or revokes user authorization for an abnormal service of the second network element; therefore, the NRF network element can stop or release the authorization of the user corresponding to the abnormal service of the second network element, thereby avoiding the occurrence of network security events caused by the user corresponding to the abnormal service of the second network element and further improving the network security.
In a possible implementation manner, the sending, by the security event processing function network element, the second security policy corresponding to the fourth network element includes sending, by the security event processing function network element, the second security policy corresponding to the routing transmission controller, where the second security policy corresponding to the routing transmission controller includes indication information used for indicating that the routing transmission controller ignores routing forwarding requests for messages of the network segment of the second network element. Furthermore, the routing transmission controller can ignore routing forwarding requests for messages of the abnormal service of the second network element, thereby avoiding a network security event of the abnormal service caused by the routing transmission controller forwarding messages of the abnormal service of the second network element in which the network security event occurred, and further improving the network security.
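The following is an added example, not code from the patent or from Huawei, that models the first-aspect procedure end to end: from a first indication naming the second network element (and optionally its abnormal service), the security event processing function derives the N third network elements (signaling peers plus service providers), filters them by the capability each network element type has, and emits the first security policies from the implementation manners above (AMF isolate/release users, message forwarding stop, NRF revoke authorization, routing controller ignore the segment, virtualized resource manager release the VM) and, when an abnormal service is indicated, the second security policies for the M fourth network elements. The topology, network element identifiers, type names such as FWD/RTC/VIM, segment addresses and action names are all constructed assumptions for illustration.

```python
"""SPF-side policy dispatch for a network security abnormal event (constructed example)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Policy:
    target: str   # third or fourth network element that receives the policy
    kind: str     # "first": about the second NE's services; "second": about the abnormal service
    action: str   # what the target is told to do
    scope: str    # what the action applies to (NE, NE/service, or network segment)


# Constructed topology (assumption): network element identifier -> network element type.
NE_TYPES: Dict[str, str] = {
    "SMF-1": "SMF", "AMF-1": "AMF", "PCF-1": "PCF", "FWD-1": "FWD",
    "UPF-1": "UPF", "NRF-1": "NRF", "RTC-1": "RTC", "VIM-1": "VIM",
}
# Signaling interactions observed between network elements (constructed).
INTERACTIONS: List[Tuple[str, str]] = [
    ("SMF-1", "AMF-1"), ("SMF-1", "PCF-1"), ("SMF-1", "FWD-1"),
    ("SMF-1", "UPF-1"), ("AMF-1", "PCF-1"),
]
# Network elements that provide a service to every other network element (assumption):
# the NRF, the routing transmission controller (RTC) and the virtualized resource manager (VIM).
PROVIDERS: Set[str] = {"NRF-1", "RTC-1", "VIM-1"}
# Network segment of each network element, needed by the routing controller policy (constructed).
SEGMENTS: Dict[str, str] = {"SMF-1": "10.1.2.0/24", "AMF-1": "10.1.3.0/24"}

# Capability tables: which types can act on the second NE's services (first policy) and on a
# specific abnormal service (second policy), with the actions the patent text assigns to each.
FIRST_ACTIONS: Dict[str, List[str]] = {
    "AMF": ["isolate_service", "release_bound_users"],
    "FWD": ["stop_forwarding"],
    "NRF": ["revoke_authorization"],
    "RTC": ["ignore_route_requests"],
    "VIM": ["release_vm"],
}
SECOND_ACTIONS: Dict[str, List[str]] = {
    "AMF": ["isolate_abnormal_service", "release_service_users"],
    "PCF": ["release_service_users"],
    "FWD": ["ignore_forwarding_requests"],
    "NRF": ["revoke_service_authorization"],
    "RTC": ["ignore_route_requests"],
}


def related_elements(ne_id: str) -> List[str]:
    """The N third network elements: signaling peers of ne_id plus its service providers."""
    peers = {b if a == ne_id else a for a, b in INTERACTIONS if ne_id in (a, b)}
    return sorted((peers | PROVIDERS) - {ne_id})


def _scope(action: str, ne_id: str, service: Optional[str]) -> str:
    """Routing policies are scoped to the NE's segment; everything else to the NE or NE/service."""
    if action == "ignore_route_requests":
        return SEGMENTS.get(ne_id, "unknown-segment")
    return f"{ne_id}/{service}" if service else ne_id


def first_policies(ne_id: str) -> List[Policy]:
    """First security policies: one per capability of each related third network element."""
    return [Policy(t, "first", a, _scope(a, ne_id, None))
            for t in related_elements(ne_id)
            for a in FIRST_ACTIONS.get(NE_TYPES[t], [])]


def second_policies(ne_id: str, service: str) -> List[Policy]:
    """Second security policies for the M fourth network elements able to handle the service."""
    return [Policy(t, "second", a, _scope(a, ne_id, service))
            for t in related_elements(ne_id)
            for a in SECOND_ACTIONS.get(NE_TYPES[t], [])]


def dispatch(ne_id: str, service: Optional[str] = None) -> List[Policy]:
    """Process one first indication: the second NE and, optionally, its abnormal service."""
    policies = first_policies(ne_id)
    if service:
        policies += second_policies(ne_id, service)
    return policies


if __name__ == "__main__":
    for p in dispatch("SMF-1", "pdu_session"):
        print(f"{p.kind:6} -> {p.target}: {p.action} [{p.scope}]")
```

Network elements that interact with the second network element but have no listed capability (here the PCF for first policies, and the UPF for both) receive nothing, which is the "has the capability of processing the service" filter from the claims; the routing controller appears in both policy sets because the text assigns the same segment-level instruction to it in each.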
In a second aspect, the present application provides a method for processing a network event, where a network element having a network data analysis function acquires message interaction behavior information of K first network elements, and for a first network element of the K first network elements, the message interaction behavior information of the first network element includes attribute information used for indicating a message transmitted by the first network element; k is a positive integer; the network data analysis function network element determines that a second network element has a network security abnormal event according to the message interaction behavior information of the K first network elements; and the network data analysis function network element sends first indication information to a security event processing function network element, wherein the first indication information is used for indicating the second network element to generate the network security abnormal event.
Compared with the prior art, the NWDAF network element can acquire the message interaction behavior information of each network element by adding a collection service for the message interaction behavior information of the K first network elements, and then determines that the second network element has a network security abnormal event by analyzing the attribute information of the messages transmitted by the first network elements.
In a possible design, for one of the K first network elements, the attribute information of the message transmitted by the first network element includes one or more of the following: the type of the message, the message content of the message, the interface on the first network element through which the message is transmitted, and the interface through which the opposite end corresponding to the message transmits the message. Furthermore, the attribute information of the message transmitted by the first network element to the network data analysis function network element may include the related information corresponding to messages generated during the interaction between network elements, so the network data analysis function network element may determine, according to that related information, whether a network security abnormal event has occurred between the network elements, and thus effectively identify whether a network security abnormal event occurs.
In one possible design, if it is determined that the number of messages received by the first network element from the second network element is greater than a first threshold, the network data analysis function network element determines that a distributed denial of service (DDoS) attack event by the second network element against the first network element exists; the first threshold is determined based on the historical message frequency.
By this method, the network data analysis function network element determines the occurrence of the anomaly according to the number of messages of the second network element received by the first network element, and can further determine that the second network element is the abnormal network element and identify that a DDoS attack event occurred at the second network element, so that the SPF (the security event processing function network element) can be instructed to perform corresponding processing on the network security abnormal event of the DDoS attack occurring at the second network element, and the network security is improved.
In one possible design, the message interaction behavior information of the K first network elements includes: a first message and a second message; and if the data analysis network element determines that the first identity identifier of the second network element in the first message is inconsistent with the second identity identifier of the second network element in the second message, determining that a network security abnormal event exists in the second network element. Furthermore, the network data analysis function network element can determine that the second network element has the network security abnormal event according to the inconsistency of the identity identifiers of the second network element carried in the different messages, so that the SPF can be instructed to perform corresponding processing on the network security abnormal event with the inconsistency of the identity identifiers of the second network element carried by the second network element, and thus, the network security is improved.
In one possible design, the message interaction behavior information of the K first network elements includes: interactive behavior messages of a first terminal device (UE) from the K first network elements; and if the data analysis network element determines that the interactive behavior messages of the first UE from the second network element are inconsistent, it determines that a network security abnormal event exists for the first UE from the second network element. Furthermore, the network data analysis function network element can determine that the first UE has a network security abnormal event because, among the interactive behavior messages related to the first UE in different messages, there is a message that cannot be matched to a counterpart; and since the interactive behavior messages of the first UE come from the second network element, it can determine that the second network element has the network security abnormal event, so that the SPF can be instructed to perform corresponding processing on the network security abnormal event of the second network element in which the interactive behavior messages of the first UE are inconsistent, thereby improving the network security.
In one possible design, the message interaction behavior information of the K first network elements includes: interactive behavior messages of a second UE from the K first network elements and user information query requests of the second UE from the second network elements; and if the data analysis network element determines that the network element identifiers carried in the user information query requests of the second UE from the second network elements are inconsistent, it determines that network security abnormal events occur in at least two network elements corresponding to the inconsistent network element identifiers. The network data analysis function network element determines that the network security abnormal event exists in the related network elements according to the inconsistency of the network element identifiers, in different messages, of the network elements related to the same UE, so that the SPF can be instructed to perform corresponding processing on the network security abnormal event in which the network element identifiers of the related network elements are inconsistent, and the network security is improved.
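The four second-aspect detection designs above (message count above a history-derived threshold, inconsistent identity identifiers of the same network element across messages, a UE interaction message that has no counterpart, and inconsistent network element identifiers for the same UE in user information query requests) are shown together below, as an added example that is not part of the patent or of any NWDAF implementation, run over constructed message interaction records. The record fields, the message type names, the rule that "the first threshold is determined based on historical message frequency" being implemented as a multiple of the historical per-window mean with a floor, and the request/response matching by transaction id are all assumptions made for illustration.

```python
"""NWDAF-style anomaly rules over constructed message interaction behavior records."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from statistics import mean
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Message:
    """Attribute information of one message, as reported by a first network element (assumed schema)."""
    reporter: str                   # first network element that reported the message
    src: str                        # network element that sent the message
    dst: str                        # network element that received it
    msg_type: str                   # e.g. "sm_create_req", "sm_create_resp", "user_info_query"
    ue: Optional[str] = None        # UE the message concerns, if any
    claimed_id: Optional[str] = None  # identity identifier the sender carried for itself
    serving_ne: Optional[str] = None  # network element identifier carried in a UE query
    txn: Optional[str] = None       # transaction id linking a request to its response


def ddos_threshold(history: List[int], factor: float = 5.0, floor: int = 20) -> int:
    """First threshold from historical per-window message counts (assumed: factor * mean, floored)."""
    if not history:
        return floor
    return max(floor, int(factor * mean(history)))


def detect_ddos(msgs: List[Message], history: List[int]) -> List[Tuple[str, str, int]]:
    """(sender, receiver, count) pairs whose message count in this window exceeds the threshold."""
    thr = ddos_threshold(history)
    counts = Counter((m.src, m.dst) for m in msgs)
    return sorted((s, d, n) for (s, d), n in counts.items() if n > thr)


def detect_identity_inconsistency(msgs: List[Message]) -> Dict[str, List[str]]:
    """Network elements that carried different identity identifiers in different messages."""
    seen = defaultdict(set)
    for m in msgs:
        if m.claimed_id:
            seen[m.src].add(m.claimed_id)
    return {ne: sorted(ids) for ne, ids in seen.items() if len(ids) > 1}


def detect_unmatched_ue_responses(msgs: List[Message]) -> List[Tuple[str, str, str]]:
    """UE responses from a network element that no request can be matched to: (sender, ue, txn)."""
    requests = {(m.ue, m.txn) for m in msgs if m.msg_type.endswith("_req")}
    return sorted((m.src, m.ue, m.txn) for m in msgs
                  if m.msg_type.endswith("_resp") and m.ue and (m.ue, m.txn) not in requests)


def detect_ne_id_inconsistency(msgs: List[Message]) -> Dict[str, List[str]]:
    """UEs whose user information query requests carry different serving network element ids."""
    seen = defaultdict(set)
    for m in msgs:
        if m.msg_type == "user_info_query" and m.ue and m.serving_ne:
            seen[m.ue].add(m.serving_ne)
    return {ue: sorted(nes) for ue, nes in seen.items() if len(nes) > 1}


def analyze(msgs: List[Message], history: List[int]) -> List[dict]:
    """Build first-indication records: which second network element has which abnormal event."""
    out: List[dict] = []
    for src, dst, n in detect_ddos(msgs, history):
        out.append({"ne": src, "event": "ddos", "service": dst, "count": n})
    for ne, ids in detect_identity_inconsistency(msgs).items():
        out.append({"ne": ne, "event": "identity_inconsistent", "ids": ids})
    for ne, ue, txn in detect_unmatched_ue_responses(msgs):
        out.append({"ne": ne, "event": "ue_interaction_inconsistent", "ue": ue, "txn": txn})
    for ue, nes in detect_ne_id_inconsistency(msgs).items():
        for ne in nes:   # at least two network elements are flagged, as the design states
            out.append({"ne": ne, "event": "ne_id_inconsistent", "ue": ue})
    return out


# Constructed sample window: a burst of 25 session requests, one UPF changing its identity,
# one response without a request, and one UE queried under two different serving AMFs.
def sample_messages() -> List[Message]:
    msgs = [Message("SMF-1", "AMF-2", "SMF-1", "sm_create_req", ue=f"imsi-{i:03d}", txn=f"t{i}")
            for i in range(25)]
    msgs += [
        Message("SMF-1", "UPF-3", "SMF-1", "n4_report", claimed_id="upf-3"),
        Message("SMF-1", "UPF-3", "SMF-1", "n4_report", claimed_id="upf-9"),
        Message("AMF-1", "SMF-1", "AMF-1", "sm_create_resp", ue="imsi-900", txn="t-unknown"),
        Message("UDM-1", "AMF-1", "UDM-1", "user_info_query", ue="imsi-200", serving_ne="AMF-1"),
        Message("UDM-1", "AMF-7", "UDM-1", "user_info_query", ue="imsi-200", serving_ne="AMF-7"),
    ]
    return msgs


HISTORY = [3, 4, 5, 4]   # constructed historical per-window counts for the AMF-2 -> SMF-1 pair

if __name__ == "__main__":
    for event in analyze(sample_messages(), HISTORY):
        print(event)
```

Each rule flags the network element that originated the suspicious messages, which is what the security event processing function needs as the "second network element" in the first indication; the threshold derivation is deliberately kept separate so that the historical-frequency baseline can be maintained per sender/receiver pair rather than globally.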
In a third aspect, a communication apparatus is provided for implementing the various methods described above. The communication device may be the security event handling function network element in the first aspect, or a device including the security event handling function network element; alternatively, the communication device may be the network data analysis function network element in the second aspect, or a device including the network data analysis function network element. The communication device comprises corresponding modules, units or means for implementing the above method, and the modules, units or means can be implemented by hardware, by software, or by hardware executing corresponding software. The hardware or software includes one or more modules or units corresponding to the above functions.
In a sixth aspect, a communication apparatus is provided, including: a processor and a memory; the memory is configured to store computer instructions that, when executed by the processor, cause the communication device to perform the method of any of the above aspects. The communication device may be the security event handling function network element in the first aspect, or a device including the security event handling function network element; alternatively, the communication device may be the network data analysis function network element in the second aspect, or a device including the network data analysis function network element.
In a seventh aspect, a communication apparatus is provided, including: a processor; the processor is configured to be coupled to a memory, and to execute the method according to any one of the above aspects after reading the instructions in the memory. The communication device may be the security event handling function network element in the first aspect, or a device including the security event handling function network element; alternatively, the communication device may be the network data analysis function network element in the second aspect, or a device including the network data analysis function network element.
In an eighth aspect, a computer-readable storage medium is provided, having stored therein instructions, which when run on a computer, cause the computer to perform the method of any of the above aspects.
In a ninth aspect, there is provided a computer program product comprising instructions which, when run on a computer, cause the computer to perform the method of any of the above aspects.
In a tenth aspect, there is provided a communication device (which may be a chip or a system of chips, for example) comprising a processor for implementing the functionality referred to in any of the above aspects. In one possible design, the communication device further includes a memory for storing necessary program instructions and data. When the communication device is a chip system, the communication device may be constituted by a chip, or may include a chip and other discrete devices.
For the technical effects brought by any one of the designs in the fifth aspect to the tenth aspect, reference may be made to the technical effects brought by the different designs in the first aspect or the second aspect, and details are not described here.
In an eleventh aspect, there is provided a communication system comprising: a security event processing function network element receives first indication information sent by a network data analysis function network element, wherein the first indication information is used for indicating that a network security abnormal event occurs in the second network element; the security event processing function network element determines N third network elements which are in an association relation with the second network element according to the first indication information; for a third network element of the N third network elements, the third network element has the capability of processing a service of the second network element; for a third network element of the N third network elements, the security event processing function network element sends, to the third network element, a first security policy corresponding to the third network element, where the first security policy corresponding to the third network element includes indication information used for indicating the third network element to isolate a service corresponding to the second network element.
A network data analysis function network element acquires message interaction behavior information of K first network elements, and for one first network element in the K first network elements, the message interaction behavior information of the first network element comprises attribute information used for indicating a message transmitted by the first network element; K is a positive integer; the network data analysis function network element determines that a second network element has a network security abnormal event according to the message interaction behavior information of the K first network elements; and the network data analysis function network element sends first indication information to a security event processing function network element, wherein the first indication information is used for indicating that the network security abnormal event occurs in the second network element. For the technical effects of the eleventh aspect, reference may be made to the technical effects of the first aspect or the second aspect, which are not described herein again.
Drawings
Fig. 1 is a schematic diagram of a network architecture provided in the present application;
Fig. 2 is a schematic diagram of a 5G network architecture based on a service-oriented architecture;
Fig. 3 is a schematic diagram of a 5G network architecture based on a point-to-point interface;
Fig. 4 is a schematic flow chart of a network event processing method provided in the present application;
Fig. 5 is a schematic flow chart of a network event processing method provided in the present application;
Fig. 6 is a schematic flow chart of a network event processing method provided in the present application;
Fig. 7 is a schematic flow chart of a network event processing method provided in the present application;
Fig. 8 is a schematic diagram of a network event processing apparatus according to the present application;
Fig. 9 is a schematic diagram of a network event processing apparatus according to the present application.
Detailed Description
Fig. 1 illustrates a communication system 10 provided in an embodiment of the present application. As shown in fig. 1, the communication system 10 includes a network data analysis function network element 101 and a security event processing function network element 102. The network data analysis function network element 101 and the security event processing function (SPF) network element 102 may communicate directly or may communicate through forwarding by other devices, which is not specifically limited in this embodiment of the present application.
As shown in fig. 1, the network data analysis function network element 101 is configured to obtain message interaction behavior information of K first network elements, where, for a first network element in the K first network elements, the message interaction behavior information of the first network element includes attribute information used to indicate a message transmitted by the first network element; K is a positive integer; the network data analysis function network element determines that a second network element has a network security abnormal event according to the message interaction behavior information of the K first network elements; and the network data analysis function network element sends first indication information to an SPF network element, wherein the first indication information is used for indicating that the network security abnormal event occurs in the second network element.
The security event processing function network element 102 is configured to receive first indication information sent by the network data analysis function network element, where the first indication information is used to indicate that a network security abnormal event occurs in the second network element; the SPF network element determines N third network elements which have an association relation with the second network element according to the first indication information; for a third network element of the N third network elements, the third network element has the capability of processing a service of the second network element; for a third network element of the N third network elements, the SPF network element sends, to the third network element, a first security policy corresponding to the third network element, where the first security policy corresponding to the third network element includes indication information used for indicating the third network element to isolate a service corresponding to the second network element.
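The following is an added example (not code from the patent or from Huawei) that models, in simplified form, the two detection designs described earlier (unmatched interactive behavior messages for a UE, and conflicting network element identifiers in a UE's user information query requests) together with the NWDAF-to-SPF flow just described: the NWDAF flags the second network element, and the SPF derives one first security policy per associated third network element. The message record format, the inconsistency rules, the association table and all network element identifiers are constructed assumptions.

```python
"""Toy NWDAF detection + SPF isolation-policy pipeline (constructed example,
not the patent's own implementation). Every identifier below is made up."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class BehaviorMessage:
    """One item of message interaction behavior information (assumed layout)."""
    reporter: str         # first network element that observed/transmitted the message
    ue: str               # UE the message concerns
    kind: str             # 'request' or 'response'
    txn: str              # transaction id linking a request to its response
    sender: str           # network element that sent the message
    serving_ne: str = ""  # network element id carried in a user information query request


def detect_unmatched_messages(messages):
    """Design 1 (assumed rule): a response about a UE with no matching request is a
    message that 'cannot be corresponded'; its sender is the suspect second NE.
    Returns {ue: {suspect_ne, ...}}."""
    requests = {(m.ue, m.txn) for m in messages if m.kind == "request"}
    suspects = defaultdict(set)
    for m in messages:
        if m.kind == "response" and (m.ue, m.txn) not in requests:
            suspects[m.ue].add(m.sender)
    return dict(suspects)


def detect_identifier_conflicts(queries):
    """Design 2 (assumed rule): user information query requests for the same UE that
    carry different network element identifiers implicate every NE named.
    Returns {ue: {ne, ...}} only for UEs with at least two distinct identifiers."""
    seen = defaultdict(set)
    for q in queries:
        if q.serving_ne:
            seen[q.ue].add(q.serving_ne)
    return {ue: nes for ue, nes in seen.items() if len(nes) > 1}


# Constructed association table: which third network elements have an association
# relation with, and can process the service of, a given second network element.
ASSOCIATIONS = {
    "AMF-1": ["SMF-1", "UDM-1", "AUSF-1"],
    "AMF-2": ["SMF-1", "UDM-1"],
    "SMF-1": ["UPF-1", "PCF-1", "AMF-1"],
}


def spf_isolation_policies(first_indication, associations=ASSOCIATIONS):
    """SPF side: from the first indication information (the abnormal second NE), pick
    the N third network elements and build one first security policy for each,
    instructing it to isolate the service corresponding to the second NE."""
    second_ne = first_indication["abnormal_ne"]
    return [
        {"target": third_ne, "action": "isolate_service", "isolate_service_of": second_ne}
        for third_ne in associations.get(second_ne, [])
    ]


def run_pipeline(messages, associations=ASSOCIATIONS):
    """NWDAF detection followed by SPF policy generation.
    Returns {abnormal_ne: [policy, ...]} so both halves can be inspected."""
    abnormal = set()
    for nes in detect_unmatched_messages(messages).values():
        abnormal |= nes
    queries = [m for m in messages if m.kind == "request"]
    for nes in detect_identifier_conflicts(queries).values():
        abnormal |= nes
    return {
        ne: spf_isolation_policies({"abnormal_ne": ne}, associations)
        for ne in sorted(abnormal)
    }


# Constructed sample: SMF-1 emits a response for UE-A (txn t9) that no request
# matches (design 1), and AMF-1 / AMF-2 both claim UE-B in UDM queries (design 2).
SAMPLE = [
    BehaviorMessage("AMF-1", "UE-A", "request", "t1", "AMF-1"),
    BehaviorMessage("SMF-1", "UE-A", "response", "t1", "SMF-1"),
    BehaviorMessage("SMF-1", "UE-A", "response", "t9", "SMF-1"),
    BehaviorMessage("UDM-1", "UE-B", "request", "q1", "AMF-1", serving_ne="AMF-1"),
    BehaviorMessage("UDM-1", "UE-B", "request", "q2", "AMF-2", serving_ne="AMF-2"),
]

if __name__ == "__main__":
    for ne, policies in run_pipeline(SAMPLE).items():
        print(ne, policies)
```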
The specific implementation of the above scheme will be described in detail in the following method embodiments, and will not be described herein again.
Based on the communication system provided in this embodiment of the present application, an acquisition service for the message interaction behavior information of the K first network elements is added, so that the network data analysis function network element can acquire the message interaction behavior information of each network element and, by analyzing the attribute information of the messages transmitted by the first network elements, determine that a network security abnormal event occurs in a second network element; in contrast, the prior art can only identify abnormal behavior of a user.
The system architecture of the embodiment of the present application may be applied to a 5G network architecture, and fig. 2 and fig. 3 exemplarily show schematic diagrams of the communication system 10 of the embodiment of the present application applied to the 5G network architecture. The relevant network elements in the system architecture are described below with reference to fig. 2 and 3.
The terminal device may be a device for implementing a wireless communication function, such as a terminal or a chip that can be used in a terminal. The terminal may be a user equipment (UE), an access terminal, a terminal unit, a terminal station, a mobile station, a remote station, a remote terminal, a mobile device, a wireless communication device, a terminal agent or a terminal device, etc. in a 5G network or a future evolved PLMN. The access terminal may be a cellular phone, a cordless phone, a session initiation protocol (SIP) phone, a wireless local loop (WLL) station, a personal digital assistant (PDA), a handheld device with wireless communication function, a computing device or other processing device connected to a wireless modem, a vehicle-mounted device or a wearable device, a virtual reality (VR) terminal device, an augmented reality (AR) terminal device, a wireless terminal in industrial control, a wireless terminal in self driving, a wireless terminal in remote medical, a wireless terminal in smart grid, a wireless terminal in transport security, a wireless terminal in smart city, a wireless terminal in smart home, etc. The terminal may be mobile or stationary.
The terminal device may establish a connection with the operator network through an interface (e.g., N1, etc.) provided by the operator network, and use a service such as data and/or voice provided by the operator network. The terminal device may also access the DN via an operator network, use operator services deployed on the DN, and/or services provided by a third party. The third party may be a service party other than the operator network and the terminal device, and may provide services such as data and/or voice for the terminal device. The specific expression form of the third party may be determined according to an actual application scenario, and is not limited herein.
The RAN is a sub-network of the operator network and is an implementation system between a service node of the operator network and the terminal device. To access the operator network, the terminal device first passes through the RAN and may then be connected to a service node of the operator network through the RAN. The RAN device in this application is a device that provides a wireless communication function for the terminal device, and is also referred to as an access network device. RAN equipment in this application includes, but is not limited to: a next generation base station (gNodeB, gNB) in 5G, an evolved node B (eNB), a radio network controller (RNC), a node B (NB), a base station controller (BSC), a base transceiver station (BTS), a home base station (e.g., a home evolved node B (HeNB) or a home node B (HNB)), a baseband unit (BBU), a transmission reception point (TRP), a transmission point (TP), a mobile switching center, etc. For convenience of description, the RAN device is simply referred to as RAN in this application.
Optionally, the RAN device in this embodiment refers to a device that accesses the core network, and may be, for example, a base station, a broadband network gateway (BNG), a convergence switch, a non-3rd generation partnership project (3GPP) access device, and the like. The base station may take various forms, such as a macro base station, a micro base station (also referred to as a small cell), a relay station, an access point, etc.
The AMF network element (access and mobility management function) mainly supports functions such as registration management, connectivity management and mobility management of the terminal. It is a control plane network element provided by the operator network and is responsible for access control and mobility management of terminal devices accessing the operator network, including, for example, mobility state management, allocation of user temporary identities, and authentication and authorization of users.
The SMF network element (session management function) mainly supports functions such as session establishment, modification and release, and is also responsible for session-related functions such as UE IP address allocation and management, UPF selection and control, tunnel maintenance between the UPF and the AN node, service and session continuity (SSC) mode selection, roaming, etc. It is a control plane network element provided by the operator network and is responsible for managing protocol data unit (PDU) sessions of terminal devices. A PDU session is a channel for transmitting PDUs; a terminal device needs to transfer PDUs to and from the DN through a PDU session. PDU sessions are established, maintained and deleted by the SMF network element.
The UPF network element (user plane function) is mainly responsible for packet routing and forwarding of data messages. It is a gateway provided by the operator and is the gateway through which the operator's network communicates with the DN. The UPF network element comprises user plane related functions such as data packet routing and transmission, packet detection, service usage reporting, quality of service (QoS) processing, lawful interception, uplink packet detection and downlink data packet buffering.
A DN, which may also be referred to as a Packet Data Network (PDN), is a network located outside an operator network, where the operator network may access multiple DNs, and multiple services may be deployed on the DNs, so as to provide services such as data and/or voice for a terminal device. For example, the DN is a private network of a certain intelligent factory, a sensor installed in a workshop of the intelligent factory can be a terminal device, a control server of the sensor is deployed in the DN, and the control server can provide services for the sensor. The sensor can communicate with the control server, obtain the instruction of the control server, transmit the sensor data gathered to the control server, etc. according to the instruction. For another example, the DN is an internal office network of a company, the mobile phone or computer of the employee of the company may be a terminal device, and the mobile phone or computer of the employee may access information, data resources, and the like on the internal office network of the company.
The UDM network element is a control plane network element provided by the operator, and is responsible for storing information such as the subscriber permanent identifier (SUPI), credentials, security context and subscription data of subscribed users in the operator network. The information stored by the UDM network element can be used for authentication and authorization of terminal devices accessing the operator network. A subscriber of the operator network may specifically be a user using a service provided by the operator network, for example, a user using a China Telecom mobile phone core card, or a user using a China Mobile mobile phone core card. The subscriber's permanent identifier (SUPI) may be the number of the mobile phone core card, etc. The subscriber's credentials and security context may be a small file storing the encryption key of the mobile phone core card, or information related to the encryption of the core card, used for authentication and/or authorization. The security context may be data (a cookie) or a token stored on the user's local terminal (e.g., a mobile phone), etc. The subscriber's subscription data may be services associated with the mobile phone core card, such as a traffic package or a network used by the core card. It should be noted that, for convenience of description, the information related to the permanent identifier, the credentials, the security context, the authentication data (cookie), the token, and equivalent authentication and authorization information are not distinguished or limited in this application.
Unless otherwise stated, the embodiments of the present application are described by taking the security context as an example, but they are equally applicable to authentication and/or authorization information in other forms.
The AUSF network element (authentication server function) supports user access authentication. It is a control plane network element provided by the operator and is typically used for primary authentication, i.e. authentication between the terminal device (subscriber) and the operator network. After receiving an authentication request initiated by a subscriber, the AUSF network element authenticates and/or authorizes the subscriber using the authentication information and/or authorization information stored in the UDM network element, or generates the subscriber's authentication and/or authorization information through the UDM network element. The AUSF network element may feed back authentication information and/or authorization information to the subscriber.
The NEF network element is a control plane network element provided by the operator. The NEF network element exposes the external interface of the operator network to third parties in a secure manner. When the SMF network element needs to communicate with a network element of a third party, the NEF network element may serve as a relay for the communication between the SMF network element and the third party's network element. When acting as a relay, the NEF network element can translate the identification information of the subscriber and the identification information of the third party's network element. For example, when the NEF sends the SUPI of a subscriber from the operator network to a third party, the SUPI may be translated into its corresponding external identity (ID). Conversely, when the NEF network element sends an external ID (the third party's element ID) to the operator network, it can be translated into the SUPI.
An Application Function (AF) network element mainly provides Application layer services, and also supports interaction with a 5G core network to provide services, such as influencing data routing decisions, policy control functions, or providing some services of a third party to a network side. In a specific application, the AF network element generally refers to a third party server or an application server.
The PCF network element (policy control function) supports a unified policy framework to manage network behavior. It is a control plane function provided by the operator for providing policies to network elements. As one implementation, the policies may include an access control policy, a mobility management policy, a charging related policy, a QoS related policy, an authorization related policy, and the like.
The NRF network element may be configured to provide a network element discovery function, and provide network element information corresponding to a network element type, such as address information and/or identification information, based on a request from another network element. The NRF network element also provides network element management services such as network element registration, update, de-registration, and network element status subscription and push.
The CHF network element provides a charging function and supports offline and online charging for users.
The NWDAF network element provides a network data analysis function, and is responsible for analysis of security data and identification of abnormal security events.
The SPF network element provides a security policy function, supports network-level security policy control, and is responsible for policy determination and coordination of security events.
The network element or entity corresponding to the network data analysis functional network element 101 in fig. 1 may be an NWDAF network element in the 5G network architecture, and the network element or entity corresponding to the security event processing functional network element 102 in fig. 1 may be an SPF network element in the 5G network architecture. In the embodiment of the present application, a network data analysis function network element 101 is an NWDAF network element, and a security event processing function network element 102 is an SPF network element.
The network data analysis function network element or the security event processing function network element in the embodiment of the present application may also be referred to as a communication device, which may be a general device or a special device, and this is not specifically limited in the embodiment of the present application. The related functions of the network data analysis function network element or the security event processing function network element in the embodiment of the present application may be implemented by one device, may also be implemented by multiple devices together, and may also be implemented by one or more function modules in one device, which is not specifically limited in this embodiment of the present application. It is understood that the above functions may be network elements in a hardware device, or software functions running on dedicated hardware, or a combination of hardware and software, or virtualization functions instantiated on a platform (e.g., a cloud platform). In this application, the network element with network data analysis function refers to a network element with functions of data collection and analysis and obtaining data analysis result, which may be an NWDAF network element in fig. 1 or fig. 2, or may be a Management Data Analysis Service (MDAS) network element or other network elements with similar functions. For convenience of description, the network data analysis functional network element is an NWDAF network element in 5G, and the network data analysis functional network element may be referred to as an NWDAF network element for short. In the embodiment of the present application, an NWDAF network element may also be referred to as a network analysis function or a network analysis function network element, which have the same meaning and are collectively described herein.
The embodiment of the application provides a deployment mode of the NWDAF network element. The NWDAF may be implemented in a distributed manner, and the distributed entities may be deployed on the NF side of the 5GC, on the RAN side (in the figure, a gNB is taken as an example of RAN equipment), and inside the UE. When deployed on the 5GC NF/gNB side, it can be built into the 5GC NF/gNB as a software module. Interaction interfaces exist between the distributed entities of the NWDAF. In actual deployment, the NWDAF entities on the AMF network element side and the SMF side may be independent physical devices, independent virtual devices, software modules deployed in the AMF network element/SMF, or independent software modules deployed close to the AMF network element or SMF in physical or network location. The NWDAF may interact with the 5GC NF, gNB and OAM to obtain information, obtain information from the UE, and provide analysis results to the AF, including the AF on the central side and distributed AF entities deployed at each mobile edge computing (MEC) edge. The NWDAF network element may obtain the data to be analyzed from one or more of an NF network element (such as the SMF, PCF network element, RAN or UPF shown in fig. 2 or fig. 3), an AF, a data warehouse, or OAM, and then perform analysis and obtain a data analysis result. The NWDAF network element may perform data analysis based on a data analysis request or subscription message sent by a consumer network element (for example, an NF network element, RAN equipment, terminal equipment, or the like), or the data analysis network element may be triggered by other conditions, such as periodic triggering or event triggering.
After obtaining the data analysis result, the data analysis network element may send the data analysis result to the consumer network element that requests to obtain the data analysis result, or store the data analysis result in a data warehouse, or store the data analysis result in the data analysis network element.
In addition, fig. 2 is a schematic diagram of a 5G network architecture based on a service-oriented architecture. The 5G network architecture may further include one or more of the following network elements: a network exposure function (NEF) network element, a PCF network element, a unified data management (UDM) network element, an NRF network element, an AF network element, an NWDAF network element, an authentication server function (AUSF) network element, an AMF network element, an SMF network element, a (radio) access network ((R)AN), a user plane function (UPF) network element, and the like, which are not specifically limited in this embodiment of the present application. In the above 5G network architecture, the parts other than the (radio) access network may be referred to as the core network part. For convenience of description, the (R)AN is referred to as RAN in the following description.
The terminal device communicates with the AMF network element through an N1 interface (N1 for short), the RAN device communicates with the AMF network element through an N2 interface (N2 for short), the RAN device communicates with the UPF network element through an N3 interface (N3 for short), the UPF network element communicates with the DN through an N6 interface (N6 for short), the AMF network element communicates with the SMF network element through an N11 interface (N11 for short), the AMF network element communicates with the UDM network element through an N8 interface (N8 for short), the AMF network element communicates with the AUSF network element through an N12 interface (N12 for short), the AMF network element communicates with the PCF network element through an N15 interface (N15 for short), the SMF network element communicates with the PCF network element through an N7 interface (N7 for short), the SMF network element communicates with the UPF network element through an N4 interface (N4 for short), the SMF network element communicates with the UDM network element through an N10 interface (N10 for short), the UDM network element communicates with the AUSF network element through an N13 interface (N13 for short), and the PCF network element communicates with the AF network element through an N5 interface (N5 for short).
In addition, it should be noted that the control plane network elements in the 5G network architecture shown in fig. 2, such as the AMF network element, SMF network element, UDM network element, AUSF network element, PCF network element, LSMF network element or AF network element, may also interact through service interfaces. For example, as shown in fig. 2, the service interface provided externally by the AMF network element may be Namf; that of the SMF network element may be Nsmf; that of the UDM network element may be Nudm; that of the PCF network element may be Npcf; that of the AUSF network element may be Nausf; and that of the AF network element may be Naf. For a description, reference may be made to the 5G system architecture in the 23.501 standard, which is not repeated herein. The embodiment of the application also provides a deployment mode of the SPF network element. The SPF network element may be deployed in various manners; it may be implemented in a distributed manner, and the distributed entities may be deployed on the NF side of the 5GC, on the RAN side (in the figure, a gNB is taken as an example of RAN equipment), and inside the UE. Fig. 2 shows one possible deployment manner of the newly added NF, the SPF network element: the SPF network element may serve as a standard NF of the 5G core network and interface directly with the standard-defined 5G core network NFs through an SBA interface.
Fig. 3 is a schematic diagram of a 5G network architecture based on a point-to-point interface; for an introduction of the functions of each network element, reference may be made to the introduction of the corresponding network element in fig. 2, and details are not repeated. The main difference between fig. 3 and fig. 2 is that the interfaces between the network elements in fig. 3 are point-to-point interfaces rather than service interfaces.
In the architecture shown in fig. 3, the terminal device communicates with the AMF network element through an N1 interface (referred to as N1 for short), the RAN device communicates with the AMF network element through an N2 interface (referred to as N2 for short), the RAN device communicates with the UPF network element through an N3 interface (referred to as N3 for short), the UPF network element communicates with the DN through an N6 interface (referred to as N6 for short), the AMF network element communicates with the SMF network element through an N11 interface (referred to as N11 for short), the AMF network element communicates with the UDM network element through an N8 interface (referred to as N8 for short), the AMF network element communicates with the AUSF network element through an N12 interface (referred to as N12 for short), and the AMF network element communicates with the vPCF network element through an N15 interface (referred to as N15 for short); the SMF network element communicates with the vPCF network element through an N7 interface (N7 for short), the vPCF network element communicates with the hPCF network element through an N24 interface (N24 for short), the vPCF network element communicates with the AF network element through an N5 interface (N5 for short), the SMF network element communicates with the UPF network element through an N4 interface (N4 for short), the SMF network element communicates with the UDM network element through an N10 interface (N10 for short), and the UDM network element communicates with the AUSF network element through an N13 interface (N13 for short).
The embodiment of the application further provides a deployment mode for the SPF network element: as shown in fig. 3, the SPF network element may act as a management plane function and interface indirectly with the 5G core network NFs through a management plane interface. As shown in fig. 3, the NFs interfacing with the security policy function (SPF) network element may be numerous and may grow as network functionality evolves. For example, the NFs interfacing with the SPF network element may include: the AMF/SMF network elements that handle UE signaling; the PCF/UDM network elements that handle UE policy and subscription data; and the NRF/SCF network elements that handle communication between core network NFs. The SPF may also interface with functional domains outside the core network NFs, for example virtualized resource management network elements and software-defined network (SDN) elements, so that it can respond to security events across a broader functional domain. In a specific implementation, the SPF network element may interface directly through the SBA interface in fig. 3 or indirectly through the management plane interface in fig. 3, which is not limited here. It should be noted that the figure shows only one implementation; in practice there may be other deployment modes, such as co-deploying the NWDAF and the SPF as one network element, or deploying the SPF function inside the NWDAF network element (for example, deploying the SPF in a central location).
The NF network elements in this application may be the core network elements in fig. 2 or fig. 3, i.e. 5G core network (5GC) NFs, or core network elements of future communication systems such as the sixth generation (6G), i.e. 6GC NFs. For convenience, the embodiments of the present application are described with the NFs being 5GC NFs. In the following description, an NF may be referred to as a 5GC NF and, when there are several, as 5GC NFs or simply NFs.
The NWDAF network element is a network function newly introduced in the 5G core network. It provides data analytics services to other 5G core network functions; the analytics may be statistics of past events or predictions. According to the current 3GPP TS 23.288 (version g10), the NWDAF already supports several analytics use cases, such as slice load, service experience, network performance, and user-related behavior. User-related behavior analytics includes abnormal UE behavior analytics, which identifies hijacked or misused user terminals, for example terminals that have been stolen or are being used to launch attacks on the network. A network function may subscribe to security-related analytics from the NWDAF either directly or indirectly: a trusted consumer network function (consumer NF) inside the 5G core network may subscribe directly to the abnormal-user identification analytics, for example through the NWDAF analytics subscription service (Nnwdaf_AnalyticsSubscription_Subscribe in 3GPP terms). An external application function (AF) instead sends its subscription request to the network exposure function (NEF), and the NEF forwards the request to the NWDAF, so that the AF subscribes to the user identification analytics through the NEF.
When the NWDAF, according to its analytics and operator policy, determines that a user behavior analytics result matches the user identification analytics subscribed by the AF, it sends the result to the NEF holding that subscription, and the NEF forwards it to the AF. Likewise, when the result matches the analytics subscribed by a consumer NF, the NWDAF sends it to that consumer NF. The network element that subscribed to the abnormal-user identification analytics then acts on the result, for example by releasing the corresponding terminal. However, the NWDAF only analyzes UE behavior information; it does not analyze the behavior of the core network functions themselves. With the introduction of IT technologies such as virtualization platforms and container platforms into the 5G core network, the wider use of open-source third-party IT components, and the participation of multiple suppliers in the network, the 5G core network functions themselves can be directly attacked, penetrated, hijacked, or otherwise behave abnormally from a security standpoint, and such anomalies fall outside the NWDAF's analysis.
In addition, because the result of the NWDAF's user behavior analysis can only be obtained by subscribing to the user behavior analytics service, the result is delivered only to the network element holding the subscription. In many scenarios a single security anomaly involves several network functions and can disrupt all of them, yet the other network functions actually affected by the anomaly never receive the analysis result and therefore cannot handle it. This too leaves the core network elements poorly protected.
Based on the above, an embodiment of the present application provides a network event processing method. Fig. 4 is a schematic flow chart of the method, which includes the following steps:
step 401: and the NWDAF network element acquires the message interaction behavior information of the K first network elements.
The message interaction behavior information corresponds to the functions of the core network elements; the core network element may be any of the network elements in the embodiments above. The message interaction behavior information of the K first network elements may be information about the first network elements themselves, subscribed to by the NWDAF, or information about other core network elements that a subscribed first network element has acquired. For each of the K first network elements, its message interaction behavior information includes attribute information describing the messages it transmits; K is a positive integer. The attribute information of a message transmitted by a first network element may include: the type of the message (which may be determined from the interface on which the first network element transmitted it); the content of the message (for example a UE identity, the IP address of a network element, the identity of a network element, the certificate of a network element, the content of a request, and so on); the interface on which the first network element transmits the message (determined by the first network element, e.g. the NWDAF analytics subscription service interface, the NWDAF analytics info service (Nnwdaf_AnalyticsInfo) interface, the NWDAF analytics notification interface, the AMF communication service (Namf_Communication) interface, the AMF event exposure service interface, the SMF event exposure service interface, the SPF security policy interface, the security log (Nnf_SecurityLog) interface, etc.); and the interface on which the peer of the message transmits it (determined by the peer network element, e.g. the NWDAF analytics subscription service interface, the AMF event exposure service interface, the SMF event exposure service interface, the SPF security policy interface, etc.).
In step 401, in one possible manner, the NWDAF network element sends a message interaction behavior information subscription request to the K first network elements, requesting a subscription to their message interaction behavior information. The message interaction behavior information of a first network element may be generated by the first network element itself, or may be message interaction behavior information about other core network elements that the first network element has acquired.
For example, if the first network element subscribed by the NWDAF is an AMF, the AMF may report to the NWDAF the access and mobility information of terminal devices accessing the operator network, including mobility state, the temporary identity allocated to the user, authentication information, authorized user information, and so on. The AMF may also report, as message interaction behavior information, the session-related information that the SMF sends to it, such as session establishment, modification and release, the IP address of the UE, and the selected UPF.
For another example, the NWDAF sends a user behavior subscription request to the AMF through the AMF's exposure interface, subscribing to the AMF event exposure service (Namf_EventExposure) to obtain UE behavior information such as the terminal's access and mobility. The AMF may send UE behavior messages to the NWDAF periodically; the UE behavior information may include the UE's location (a tracking area identity, TAI, or a cell identity, Cell ID), the UE's access technology type, the UE moving into or out of an area of interest, changes in the UE's registration state, and so on. The AMF may deliver the UE behavior messages to the NWDAF on a subscription basis or per event.
For another example, the NWDAF may obtain UE behavior information such as session management by subscribing to the SMF's exposure service interface, for example the SMF event exposure service (Nsmf_EventExposure). The SMF may likewise report UE session messages to the NWDAF periodically or per event. A UE session message may carry UE behavior information such as a change of the UE's IP address, release of a PDU session, a change of the user plane path, and the like, as well as call or charging information.
Step 402: and the NWDAF network element determines that a network security abnormal event occurs in the second network element according to the message interaction behavior information of the K first network elements.
The following description takes K = 1 as an example, with the message interaction behavior information including a message that the first network element received from the second network element. The message interaction behavior information may of course also be information sent directly by the first network element, or obtained by another network element sending a signaling message to the first network element, and so on; this is not limited here.
In step 402, in one possible implementation, the NWDAF determines whether a network security abnormal event exists from the message frequency recorded in the message interaction behavior information. For example, if the number of messages the first network element received from the second network element exceeds a first threshold, it determines that the second network element is mounting a DDoS attack on the first network element; the first threshold is derived from the historical message frequency. (The baseline has to be kept per pair of network elements and interface: a single global threshold either misses a slow flood against a quiet NF or raises alarms on a legitimately busy one.)
In another possible implementation, the NWDAF determines from the message interaction behavior information that a first message of the first network element is inconsistent with a second message of the second network element, and on that basis determines that a network security abnormal event may exist.
In step 402 there are many possible ways for the NWDAF to determine that a network security abnormal event has occurred at the second network element; these are described below through embodiments a1, a2 and a3.
In embodiment a1, the data analysis network element determines from a first message and a second message contained in the message interaction behavior information of the K first network elements that a network security abnormal event may exist. If the first identity of the second network element carried in the first message is inconsistent with the second identity of the second network element carried in the second message, it determines that a network security abnormal event exists at the second network element.
Take the first network elements to be a charging function (CHF) network element and a session management function (SMF) network element. The first message is a first charging request from the SMF carrying a first UE identity; the second message is the AMF's registration information for UE identities. If the data analysis network element finds that the registration information does not contain the first UE identity, the first UE identity in the charging request is not a legitimately registered identity, so the charging request may have been tampered with.
In embodiment a2, the data analysis network element determines, from the interaction messages concerning a first UE that are contained in the message interaction behavior information of the K first network elements, whether a network security abnormal event exists for the first UE. If the interaction messages concerning the first UE are inconsistent with each other, it determines that a network security abnormal event exists for the first UE.
For example, take the first network elements to be a CHF network element and an AMF network element. The first message is a first charging request carrying a first UE identity; the second message is the AMF's registration information for UE identities. If the data analysis network element finds that the registration information does not contain the first UE identity, the first UE identity in the charging request is not a legitimately registered identity, and it may determine that the first UE has a network security abnormal event of the tampering kind.
For another example, the NWDAF may perform user behavior analysis on the UE behavior messages reported by the AMF and the SMF. Specifically, the NWDAF analyzes the user behavior information reported by the AMF and the SMF with its internal data analysis algorithm to identify misused or hijacked users and their behavior; for instance, an abnormal UE location, an abnormal data flow, or abnormally frequent access may be identified, and it may then determine that a network security abnormal event exists for the first UE.
In embodiment a3, the data analysis network element determines that a network element may have a network security abnormal event from the interaction messages concerning a second UE contained in the message interaction behavior information of the K first network elements, which include a user information query request for the second UE sent by the second network element. If the data analysis network element finds that the network element identifiers associated with the second network element in that user information query request are inconsistent with each other, it determines that a network security abnormal event has occurred at the at least two network elements corresponding to the inconsistent identifiers.
Take the first network element to be SMF1 and the second network element to be SMF2, where SMF2 has illegally obtained SMF1's certificate and sends a user information query request for the second UE to the AMF in order to steal the second UE's user information. The user information query request carries the certificate of the first network element together with a network element identifier of the second network element, for example the IP address or port of the second network element. SMF1 also sends a second message to the AMF; the second message may be any message, or a set of messages, exchanged between SMF1 and the AMF, and it carries the network element identifiers of the first network element, for example the certificate of the first network element and its IP address or port. The data analysis network element then compares the user information query request with the second message: the certificate in the query request matches the certificate in the second message, but the IP address associated with the query request does not match the IP address in the second message, so it determines that the network element behind the query request and the network element behind the second message have a network security abnormal event. For this comparison to be meaningful, the IP address must be the source address observed by the receiving AMF rather than a field in the message body, since the attacker controls the latter.
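The three checks of step 402 described above (the message-frequency threshold, the certificate/address mismatch of embodiment a3, and the charging request for an unregistered UE of embodiment a1), written out as an added Python example. This is not code from the patent; the record layout, the NF names, the addresses, the certificate fingerprints and the baseline counts are constructed for illustration, and the threshold rule (historical count times a factor) is one possible reading of "determined based on historical message frequency".

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class MsgRecord:
    """One message-interaction record reported by a first network element (constructed layout)."""
    reporter: str            # the first network element that received and reported the message
    peer: str                # network element identifier claimed in the message
    peer_ip: str             # transport address the receiver actually saw the message come from
    cert: str                # fingerprint of the client certificate presented on the SBA interface
    kind: str                # message type: "registration", "charging_request", "user_info_query", ...
    ue_id: Optional[str] = None


@dataclass(frozen=True)
class SecurityEvent:
    event: str               # "ddos", "credential_misuse" or "tampering"
    subjects: tuple          # network elements (or UE) the event concerns
    detail: str


def detect_ddos(records: List[MsgRecord], baseline: Dict[Tuple[str, str], int],
                factor: int = 10) -> List[SecurityEvent]:
    """Frequency rule of step 402: more messages from peer to reporter than a threshold
    derived from the historical rate for that pair (assumed here: baseline count times a factor)."""
    counts = Counter((r.peer, r.reporter) for r in records)
    events = []
    for (peer, reporter), n in counts.items():
        threshold = baseline.get((peer, reporter), 1) * factor
        if n > threshold:
            events.append(SecurityEvent("ddos", (peer, reporter),
                                        f"{n} messages, threshold {threshold}"))
    return events


def detect_credential_misuse(records: List[MsgRecord]) -> List[SecurityEvent]:
    """Embodiment a3: one certificate presented from different observed transport addresses,
    so at least two network elements are using the same identity. peer_ip must be what the
    receiver observed, not a body field, otherwise the attacker simply aligns the two."""
    presenters = defaultdict(set)
    for r in records:
        presenters[r.cert].add((r.peer, r.peer_ip))
    events = []
    for cert, who in presenters.items():
        if len({ip for _, ip in who}) > 1:
            events.append(SecurityEvent("credential_misuse", tuple(sorted(who)),
                                        f"certificate {cert} presented from several addresses"))
    return events


def detect_tampering(records: List[MsgRecord]) -> List[SecurityEvent]:
    """Embodiment a1: a charging request names a UE that the AMF never registered."""
    registered = {r.ue_id for r in records if r.kind == "registration"}
    return [SecurityEvent("tampering", (r.peer, r.ue_id),
                          "charging request for a UE without AMF registration")
            for r in records if r.kind == "charging_request" and r.ue_id not in registered]


def analyse(records: List[MsgRecord], baseline: Dict[Tuple[str, str], int]) -> List[SecurityEvent]:
    """Step 402 as a whole: run every rule; the result is what step 403 sends to the SPF."""
    return detect_ddos(records, baseline) + detect_credential_misuse(records) + detect_tampering(records)


# Constructed sample. SMF1 (10.0.0.11) behaves normally; a second element at 10.0.0.22 presents
# SMF1's certificate (stolen credential); one charging request names an unregistered UE; and
# NF-X floods AMF1 with queries far above its historical rate.
SAMPLE = [
    MsgRecord("AMF1", "RAN1", "10.1.0.1", "cert-ran1", "registration", "imsi-001"),
    MsgRecord("AMF1", "SMF1", "10.0.0.11", "cert-smf1", "user_info_query", "imsi-001"),
    MsgRecord("AMF1", "SMF1", "10.0.0.22", "cert-smf1", "user_info_query", "imsi-002"),
    MsgRecord("CHF1", "SMF1", "10.0.0.11", "cert-smf1", "charging_request", "imsi-001"),
    MsgRecord("CHF1", "SMF1", "10.0.0.11", "cert-smf1", "charging_request", "imsi-999"),
] + [MsgRecord("AMF1", "NF-X", "10.0.0.99", "cert-x", "user_info_query", None)] * 50
BASELINE = {("NF-X", "AMF1"): 2, ("SMF1", "AMF1"): 5, ("SMF1", "CHF1"): 5}  # constructed history

if __name__ == "__main__":
    for e in analyse(SAMPLE, BASELINE):
        print(e.event, e.subjects, e.detail)
```

On the sample the analyser yields one event per rule: a DDoS event for NF-X against AMF1, a credential misuse event naming both presenters of cert-smf1, and a tampering event for the charging request carrying imsi-999.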
Step 403: the NWDAF network element sends the first indication information to the SPF network element.
The first indication information indicates that the second network element has a network security abnormal event.
Embodiment b1, one possible design: the network security abnormal event may include a DDoS attack on the first network element. For example, if the message interaction behavior information shows that the second network element is mounting a DDoS attack on the first network element, it may be determined that a network security abnormal event exists at the second network element and/or the first network element.
In embodiment b2, the network security abnormal event may include a security abnormal event of the second network element and/or the first network element, of which there are several kinds. For example, the first or second network element may be at risk of impersonation. In one possible scenario the event manifests as an inconsistency between a first message of the first network element and a second message of the second network element that carry the same identification information. The first and/or second network element may then be considered at risk of misuse, and the NWDAF may further determine, from other messages related to the first message or to the second message, why the two messages are inconsistent, identify which network element has been misused or tampered with, and thereby determine that the network security abnormal event is the misuse or tampering of the first and/or second network element.
In embodiment b3, the network security abnormal event may be that the second network element and/or the first network element is stealing user information. In one possible scenario this manifests as follows: a first identity of the first network element is inconsistent with a second identity of the first network element, and the first network element sends a user information query request to the second network element.
Embodiment b4: the network security abnormal event may also be a network security abnormal event of a user. For example, in one possible scenario, a first message sent by the first network element and a second message sent by the second network element carry the same first user identity but are inconsistent with each other; it may then also be determined that the user corresponding to the first user identity has a network security abnormal event.
Embodiment b5: the network security abnormal event may also be a network security abnormal event of an abnormal service. For example, the message interaction behavior information of the K first network elements includes the interaction messages concerning a second UE from the K first network elements together with a user information query request for the second UE from the second network element; if the data analysis network element finds that the network element identifiers in that user information query request are inconsistent, it may determine that the user information query request for the second UE is an abnormal service, and that the at least two network elements corresponding to the inconsistent identifiers have a network security abnormal event of that abnormal service.
By adding a service interface for message interaction information on each 5G core network element, the NWDAF can acquire the message interaction behavior information of each network element and, by analyzing it, improve the detection of abnormal network function behavior, which raises both the detection rate and the accuracy of identifying security intrusion events against network functions.
Step 404: the SPF network element receives the first indication information sent by the NWDAF network element.
In a specific implementation, the SPF network element may send a network security abnormal event subscription request to the NWDAF in order to obtain the first indication information of the network security abnormal event from it, or may send a query request for the network security abnormal event to the NWDAF and receive the first indication information in reply; this is not limited here.
Step 405: and the SPF network element determines N third network elements which have incidence relation with the second network element according to the first indication information.
For each of the N third network elements, the third network element is capable of processing services of the second network element.
Step 406: and aiming at one third network element in the N third network elements, the SPF network element sends a first security policy corresponding to the third network element.
The first security policy corresponding to a third network element includes indication information instructing the third network element to stop processing the services related to the second network element.
In embodiment c1, the SPF network element may determine different security policies according to the type of the network security abnormal event. For example, an isolation policy may be set for each third network element associated with the event; an isolation policy may be set for each user associated with the event; or an isolation policy may be set for the third network elements related to each user associated with the event.
For example, if the network security abnormal event is a DDoS attack by the second network element on the first network element, the third network element may be the second network element and/or a network element related to the second network element, and the isolation policy for the third network element is determined from the DDoS attack event: for instance, the SPF decides to isolate the related services of the third network element and to release the corresponding users on it.
In example c1, the third network element may be an AMF. The SPF sends the AMF a first security policy corresponding to the AMF, which includes indication information instructing the AMF to stop processing messages from the second network element, and an instruction for the AMF to release the users bound to the second network element. For another example, the SPF may instruct the AMF to stop establishing, and/or to release, the user sessions associated with the second network element. Specifically: the SPF sends a first security policy message to the AMF, and the first security policy message instructs the AMF to release the user sessions established through the second network element.
In example c2, the third network element may be a message forwarding network element, i.e. the service communication proxy (SCP), and the SPF may instruct the SCP to stop forwarding messages from the second network element. Specifically: the SPF sends a first security policy message to the SCP; the first security policy message carries the NF identifier or the IP address of the second network element and instructs the SCP to stop forwarding messages from the second network element.
In example c3, the third network element may be any network element in the network that can establish a communication connection with the second network element, so the SPF may instruct it to stop establishing communication connections with the second network element. Specifically: the SPF sends a second security policy message to the third network element; the second security policy message carries the NF identifier of the second network element and instructs the third network element to refuse to establish a connection with the second network element.
For example, if the third network element is an NRF, the SPF sends the NRF a first security policy corresponding to the NRF, which includes an instruction for the NRF to stop authorizing the second network element, i.e. to revoke its authorization.
For example, the third network element may be a routing/transport controller such as an SDN network element, and the SPF may instruct the SDN network element to block routing of messages for the network segment corresponding to the second network element. Specifically: the SPF sends a first security policy message to the SDN network element, and the first security policy message instructs the SDN network element to block routing of messages for the network segment corresponding to the second network element.
For example, if the third network element is a virtualized resource management (MANO) network element, the SPF sends it a first security policy corresponding to the MANO network element, which includes an instruction for the MANO network element to release the virtual machine of the second network element.
In embodiment d1, the first indication information may further indicate the abnormal service corresponding to the network security abnormal event, and the SPF may determine from that abnormal service the fourth network elements that need to execute a second security policy. Specifically, the SPF determines from the first indication information M fourth network elements that have an association relation with the second network element, each of which is capable of processing the abnormal service, and sends each fourth network element a second security policy corresponding to it, which includes indication information instructing the fourth network element to stop or cancel processing of the abnormal service.
Embodiment d1 has various possible application scenarios; scenarios 1 and 2 are given below as examples.
In scenario 1, the messages transmitted by the first network element include a first message and a second message, and the interaction message of the first UE in the first message is inconsistent with that in the second message. The possible cause is that the first UE's interaction message in the first message has been tampered with, or that the one in the second message has; the NWDAF can determine which message was tampered with from the other interaction messages of the first UE among the messages transmitted by the K first network elements. The description here takes tampering of the first UE identity in the first message as the example. The second security policy for the case where tampering is found in other interaction messages of the first UE can be derived from this embodiment and is not repeated.
In scenario 1, there is a tampering problem for the first UE identity in the first message, which is described below by examples d1-d 5.
In example d1, the fourth network element may be an SMF network element, and at this time, the SPF network element may isolate the service of the first UE initiated by the SMF network element, that is, may instruct the SMF network element to stop executing the operation corresponding to the first UE. For example, the execution of the service request of the first UE generated by the SMF network element is stopped, and the session between the first UE and the SMF network element is released. In the specific implementation process, the method can comprise the following steps: the SPF network element generates a second security policy request; the second security policy request is used to stop executing the service request of the first UE generated by the SMF network element; and releasing the session between the first UE and the SMF network element.
Example d2, the fourth network element is an AMF network element, and the SPF network element sends, to the AMF network element, a second security policy corresponding to the AMF network element, where the second security policy corresponding to the AMF network element includes a request for instructing the AMF network element to stop executing the abnormal service; for example, the abnormal traffic may be a session of a first UE related to the first network element, and the AMF network element may release the session of the first UE. The method specifically comprises the following steps: the SPF network element sends a security policy request of an abnormal user to the AMF network element; and the security policy request of the abnormal user is used for indicating the AMF network element to release the session of the first UE. Further, the SPF network element may further send a second security policy corresponding to the AMF network element, where the second security policy corresponding to the AMF network element includes a user, for example, a first UE, for instructing the AMF network element to release the abnormal service.
In example d3, the fourth network element is an AMF network element, and if the SPF network element determines that the SMF network element is at risk of being impersonated, the SPF network element may further isolate the service between the SMF network element and the AMF network element. For example, an AMF network element associated with the SMF network element may be instructed to release the session with the UE identified by the first UE identity in the request initiated by the SMF network element to the AMF network element. Since more than one network element may be at risk of impersonation, all or part of the service requests initiated by the SMF network element may be isolated. For example, if the SPF network element can determine which network element is the impersonating network element and which is the impersonated network element, the impersonating network element can be taken as the network element to be isolated, and the service it initiates is isolated. If the SPF network element cannot distinguish the impersonating network element from the impersonated network element, but only determines that a network element is at risk of being impersonated, the services initiated by that network element can be isolated. In a specific implementation, the method may include the following steps: the SPF network element sends a security policy request for the abnormal user to the AMF network element, where the security policy request for the abnormal user instructs the AMF network element to release the sessions of the UEs related to the SMF network element.
In example d4, the fourth network element is a PCF network element, and the SPF network element sends, to the PCF network element, the second security policy corresponding to the PCF network element, where that second security policy includes an indication that the PCF network element is to release the user of the abnormal service, so that the PCF network element isolates the user related to the first UE identity. In a specific implementation, the method may include the following steps: the SPF network element sends a security policy request for the abnormal user to the PCF network element, where the security policy request for the abnormal user instructs the PCF network element to release the session and network access of the first UE identity.
In example d5, if the SPF network element determines that the object that tampered with the first UE identity is the second network element, it may determine that the second network element is at risk of being impersonated, and may further send to the fourth network element a second security policy for isolating the abnormal service of the second network element. Specifically, the SPF network element may send a second security policy request to the fourth network element, where the second security policy request indicates isolation of the abnormal service of the second network element. For example, if the fourth network element is an SCP network element, the SPF network element sends the second security policy corresponding to the SCP network element, which includes a message instructing the SCP network element to stop forwarding the abnormal service to the second network element; or, if the fourth network element is an NRF network element, the SPF network element sends the second security policy corresponding to the NRF network element, which includes a user authorization instructing the NRF network element to stop the abnormal service to the second network element; or, if the fourth network element is an SDN network element, the SPF network element sends the second security policy corresponding to the SDN network element, which includes a message instructing the SDN network element to stop forwarding traffic of the network segment carrying the abnormal service of the second network element.
Scenario 2 is described with reference to the case in which user privacy information is stolen. Here, the NWDAF network element or the SPF network element may determine that a network security event in which user privacy information is stolen may exist from the manner in which a network element queries the user information, and may determine that the second network element is at risk of being impersonated by determining that the object stealing the user privacy information is the second network element, based on the first identity identifier of the second network element in the first message being inconsistent with the second identity identifier of the second network element in the second message. Of course, the NWDAF network element or the SPF network element may also determine that an object stealing user privacy information exists according to the inconsistency of other interaction behavior information, which is not described herein again.
In a specific scenario, take the second network element as a first SMF and the first network element as an AMF network element as an example. The first message may include a query request for information of a third UE sent by the second network element to the first network element, the query request carrying a first identity identifier of the second network element; the second message includes a second identity identifier of the second network element. The NWDAF network element may determine that the second network element corresponding to the first identity identifier is an abnormal network element according to the first identity identifier of the second network element being inconsistent with the second identity identifier of the second network element, and that a network security abnormal event exists for the first identity identifier. At this time, the security abnormal event may include an indication that the first SMF is an abnormal network element. As another example, the SPF network element may determine that the first SMF corresponding to the first identity identifier is an abnormal network element according to the first identity identifier of the second network element being inconsistent with the second identity identifier of the second network element, and that a network security abnormal event exists for the first identity identifier.
For example, the first identity identifier may be the IP address IP1 corresponding to the first SMF network element. If the second network element steals the TLS certificate of the second SMF and uses it to authenticate the query request for the third UE information sent to the first network element, the NWDAF network element may receive the first message from the AMF network element, where the first message includes IP1 of the first SMF network element, the TLS certificate of the second SMF network element, and the query request for the third UE information. The NWDAF network element may further receive a second message sent by the second SMF network element, where the second message includes IP2 of the second SMF network element and the TLS certificate of the second SMF network element.
Furthermore, the NWDAF network element may determine, according to the first message and the second message, that the query request for the third UE information sent by the first SMF network element has a network security exception. Further, the NWDAF network element may also determine that the first SMF network element is an abnormal network element according to query requests for other UE information sent by the second SMF network element that carry the TLS certificate, together with the second identity identifier of the second SMF network element (the IP address IP2 corresponding to the second SMF network element).
And then, the SPF network element determines a second security policy according to the network security abnormal event of the NWDAF network element. The second security policy may be the quarantine of the session or network for the second network element and/or the session or network of the user to which the second network element relates. Specifically, the method may include: the SPF network element generates a second security policy according to the abnormal network element, isolates the service of the abnormal network element and/or releases the corresponding user on the abnormal network element; the SPF network element sends a second security policy to a fourth network element; the second security policy is used to instruct the fourth network element to stop sending the relevant information of the user to the abnormal network element.
By the method, after the NWDAF network element detects the security abnormal event, the network security abnormal event can be informed to the SPF network element with the newly added security event processing function, and then the SPF network element is used for responding to the network security event through the newly added security policy interfaces in various fields, cooperating with and combining the multifunctional fields, so that the processing of the security abnormal event is effectively improved, and the network security performance is effectively improved. The influence of the security exception on the network can be effectively controlled.
The network event processing method provided in the embodiment of the present application is described in detail below. A specific implementation method comprises two main network functions, one is an NWDAF network element which is responsible for analyzing security data and identifying abnormal security events, and the NWDAF is used for subscribing message interaction information of the corresponding network element. One is a newly added security policy network element SPF network element, which is responsible for policy determination of network security events and handling of network security exception events. Fig. 5 is a schematic flow chart of a network performance data analysis method according to an embodiment of the present disclosure. The example that an NF (e.g., the second network element) is hijacked, DDoS attack is performed on other NFs (e.g., the first network element) maliciously, and the availability of the other network elements NF related to the first network element is affected is taken as an example for explanation. The method comprises the following steps:
step 501: and the NWDAF network element receives the message interaction behavior information of the first network element.
In a possible manner, the message interaction behavior information of the first network element may be obtained through a data exposure interface corresponding to the first network element; for example, it may be obtained from the AMF network element through an extended event exposure service (Namf_EventExposure) interface and from the SMF through an extended event exposure service (Nsmf_EventExposure) interface. In a specific implementation, the message interaction behavior information interface may also be an extended analytics service (Nnwdaf_AnalyticsInfo) interface, used to add analysis types for message interaction behavior information, such as NF behavior anomaly and user behavior anomaly. In addition, NF filter parameters may be carried to limit or filter the range of NFs to be analyzed, which reduces the volume of data the NWDAF network element analyzes and improves the efficiency of network data analysis. For example, the NF filter parameters may include at least one of: NF type, NF identifier or NF list, the slice to which the NF belongs, and the like.
In another possible manner, in step 501a, the NWDAF network element sends a subscription request for the message interaction information of the NF to the NF, so as to obtain the message interaction behavior information sent by the NF. The message interaction behavior information of the NF obtained by the NWDAF network element may be the information about the NF's signaling interaction with other NFs, or the NWDAF network element may subscribe to the NF's message interaction behavior information through newly added signaling, for example an NF security log (Nnf_SecurityLog). The subscribed message interaction behavior information of the NF may include all interface message types sent and received by the NF, all events occurring in the messages, the content of the interface messages, and the like. The content of an interface message may include the complete data, a summary, or the key information of the interface message. For the specific interfaces supported by the NF, reference may be made to the above embodiments, which are not described herein again.
If the second network element has been penetrated and is controlled by an external malicious user, it frequently sends the first message to peripheral NFs; for example, SMF1 sends a large number of first messages to AMF network element 1 within a short time through the AMF communication service (Namf_Communication) interface, which occupies the processing resources and interface bandwidth of AMF network element 1 and reduces its capacity to handle normal services. At this time, according to the NWDAF network element's collection requirement for message interaction behavior information, AMF network element 1 reports, periodically or on an event basis, the messages sent by the second network element to the first network element as the message interaction behavior information of the first network element.
Step 502: and the NWDAF network element performs classification judgment on the interaction events of the AMF network element 1 and determines network security abnormal events.
The network security abnormal event is that the first network element is attacked by the DDoS of the second network element.
In a possible implementation, the NWDAF network element determines, according to an internal algorithm, for example a rule-based judgement such as comparison with a historical traffic model of AMF network element 1, that the number of messages received from the second network element NF within a specified time rises above a preset threshold, and therefore determines that a sudden service burst has occurred in the interaction events of AMF network element 1 and that a DDoS attack may exist. Another possible implementation classifies and judges whether a DDoS attack exists in the interaction events of the first network element AMF network element 1 according to a model trained on historical abnormal or normal service signaling interaction data by a machine learning or artificial intelligence (AI) algorithm. The embodiment of the present application is not limited to a specific algorithm; the NWDAF network element may determine, according to whichever algorithm is adopted, that the first network element NF may be under DDoS attack.
Step 503: the NWDAF network element sends the first indication information to the SPF network element.
The first indication information may be an Nnwdaf_AnalyticsInfo_Notif message, which includes: the first network element AMF network element 1 may be under DDoS attack from the second network element SMF1.
In a possible implementation, the SPF network element may send a subscription request for network security abnormal events to the NWDAF network element through the analytics service (Nnwdaf_AnalyticsInfo) interface of the NWDAF network element, and then the NWDAF network element may determine, according to that subscription request, that it needs to report to the SPF network element that the first network element AMF network element 1 may be under DDoS attack from the second network element SMF1.
Step 504: the SPF network element determines a first security policy according to the first indication information.
Specifically, the security policy may be a security policy configured locally or in the background, and further, the SPF network element determines that the SMF of the second network element may be intruded according to the NF type, and determines the security policy to be executed on the second network element according to the condition judgment of the security policies corresponding to other NFs such as DDoS attack.
For example, the SPF network element determines that the second network element initiates a DDoS attack, and may determine that the second network element needs to perform service and network isolation, and in addition, because the second network element is an SMF1, it also needs to isolate a session of a user related to the SMF, and release a corresponding user on the SMF 1. Traffic and network isolation may have a variety of processing means. For example, the SPF network element may send the security policy instruction to a network element of the control center corresponding to the service or the network, so that the network element of the control center corresponding to the service or the network executes the security policy message corresponding to the second network element.
Step 505: the SPF network element sends the first security policy to a third network element.
In step 504a, the third network element is an SCP network element, and the SPF network element may send a first security policy to the SCP network element, and instruct the SCP network element to stop forwarding the message of the second network element, where the first security policy message may carry a network element identifier NF ID or an IP address of the second network element SMF 1.
In step 504b, the third network element is an NRF network element, and according to the first security policy, the SPF network element may send the first security policy to the NRF network element, indicate the NRF network element to isolate mutual discovery between the NF and SMF1, and avoid establishing a connection between the SMF1 and the NF. The message may carry an NF identifier corresponding to SMF 1.
In step 504c, the third network element is a PCF network element or an AMF network element, and the SPF network element may send the first security policy to the PCF network element or the AMF network element, so as to instruct to release the user session of the corresponding second network element.
Specifically, for a service that may exist on the second network element SMF1, the SPF network element may send a security policy message of the second network element to the PCF network element or directly to the corresponding AMF network element, so as to instruct to release the user corresponding to SMF 1. Alternatively, the SPF network element may be configured to instruct to release the subscriber corresponding to the SMF1 by directly sending the security policy message of the second network element to the corresponding AMF network element.
In step 504d, the third network element is an SDN network element, and the SPF network element may further send a first security policy to the SDN network element, where the first security policy is used to instruct the SDN network element to isolate the network segment corresponding to the SMF1 in the routing plane, so that the SPF network element implements isolation of the SMF1 by the network element outside the range of the 5G core network NF.
Step 505: and the third network element receives the first security policy and executes the first security policy.
In step 505a, the SCP network element receives the first security policy, stops forwarding the message corresponding to the SMF1 according to the indicated first security policy, and may perform packet loss processing on the received message sent by the second network element SMF 1.
In step 505b, after receiving the first security policy, the NRF network element rejects all discovery requests for other NFs initiated by SMF1 according to the indicated first security policy, and no longer returns SMF1 in the results of discovery requests for SMFs made by other NFs, thereby isolating the initiation of connections between SMF1 and other NFs.
In step 505c, after receiving the first security policy of the SPF network element, the AMF network element initiates a connection release for the user session established by the SMF 1.
In step 505d, after receiving the first security policy, the SDN network element sends configuration to the corresponding routers, rejecting route forwarding for the source address network segment or destination address network segment corresponding to SMF1.
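The following is an added example, not the patent's own code, of the rule-based judgement in step 502 and the policy selection in steps 504 to 505: the NWDAF counts messages per source NF against a historical per-window baseline, and the SPF maps the resulting event to one first security policy message per third network element (SCP, NRF, AMF, SDN). Record fields, the policy table and the sample traffic are constructed for the example.

```python
"""NWDAF burst detection (step 502) and SPF first-security-policy selection
(steps 504-505) for the DDoS flow of Fig. 5. Added example on constructed data;
not the patent's own code."""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class InteractionRecord:
    """One message interaction behavior record reported by the first network
    element (AMF1) to the NWDAF, e.g. through an event exposure or security log
    interface. Field names are assumed."""
    t: float          # receive time, seconds
    src_nf: str       # sending NF, e.g. "SMF1"
    dst_nf: str       # receiving NF, e.g. "AMF1"
    interface: str    # service interface, e.g. "Namf_Communication"
    src_ip: str       # IP address of the sender, carried in the policy later


@dataclass(frozen=True)
class SecurityEvent:
    """First indication information: the network security abnormal event the
    NWDAF reports to the SPF (step 503)."""
    event_type: str
    target_nf: str
    source_nf: str
    source_ip: str
    message_count: int
    threshold: int


def detect_burst(records, target_nf, window_s, baseline_per_window, factor=5):
    """Rule-based judgement from step 502: count the messages each source NF sends
    to target_nf per fixed window and compare with the historical traffic model
    (baseline_per_window). A source whose peak window count exceeds
    factor * baseline is reported as a DDoS candidate. Returns one event per
    offending source, sorted by source NF."""
    per_window = defaultdict(Counter)   # window index -> Counter of src_nf
    src_ip = {}
    for r in records:
        if r.dst_nf != target_nf:
            continue
        per_window[int(r.t // window_s)][r.src_nf] += 1
        src_ip[r.src_nf] = r.src_ip
    threshold = baseline_per_window * factor
    peak = Counter()
    for counts in per_window.values():
        for src, n in counts.items():
            peak[src] = max(peak[src], n)
    return [SecurityEvent("DDoS", target_nf, src, src_ip[src], n, threshold)
            for src, n in sorted(peak.items()) if n > threshold]


# Locally configured security policy of the SPF (step 504): for an event type
# and the NF type of the abnormal second network element, which third network
# elements receive a first security policy. Constructed table.
POLICY_TABLE = {
    ("DDoS", "SMF"): ["SCP", "NRF", "AMF", "SDN"],
}

# Action each third network element is instructed to take (steps 504a-504d).
ACTIONS = {
    "SCP": "stop_forwarding",          # 504a: drop messages of SMF1
    "NRF": "isolate_discovery",        # 504b: no mutual discovery with other NFs
    "AMF": "release_user_sessions",    # 504c: release sessions of users on SMF1
    "SDN": "isolate_network_segment",  # 504d: block routing for SMF1's segment
}


def nf_type_of(nf_id):
    """Derive the NF type from an identifier such as 'SMF1' (assumed naming)."""
    return nf_id.rstrip("0123456789")


def determine_first_security_policy(event):
    """Step 504/505: one first security policy message per third network element,
    carrying the NF ID and IP address of the second network element."""
    targets = POLICY_TABLE.get((event.event_type, nf_type_of(event.source_nf)), [])
    return [{"to": ne, "action": ACTIONS[ne], "nf_id": event.source_nf,
             "ip": event.source_ip} for ne in targets]


def constructed_records():
    """Constructed sample: SMF2 sends one message every 10 s (normal), while a
    hijacked SMF1 sends 40 messages to AMF1 within one second."""
    recs = [InteractionRecord(i * 10.0, "SMF2", "AMF1", "Namf_Communication", "10.0.0.2")
            for i in range(6)]
    recs += [InteractionRecord(20.0 + i * 0.02, "SMF1", "AMF1", "Namf_Communication",
                               "10.0.0.1") for i in range(40)]
    return recs


if __name__ == "__main__":
    # historical model: about 2 messages per 10 s window from any one source
    for ev in detect_burst(constructed_records(), "AMF1", window_s=10.0, baseline_per_window=2):
        print(ev)
        for msg in determine_first_security_policy(ev):
            print("  ->", msg)
```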
The following specific implementation method includes two main network functions, which may be deployed on one network element or separately, and is not limited herein. Taking the example of being deployed on one network element, that is, the first network element includes functions of an NWDAF network element, and a security policy network element SPF network element, the first network element is responsible for analyzing security data and recognizing an abnormal security event, and subscribes information interaction behavior information of the network element, and the first network element is also responsible for determining a security policy of the security event and processing cooperation of the security abnormal event. The SPF network element may not be deployed as a separate NF, but embedded as a function in the NWDAF network element.
In a possible scenario, when a message sent by the NF is maliciously tampered, for example, the second network element is an SMF, and an accounting request sent by the SMF is maliciously tampered, the UE1 in the UE ID of the pirate user is changed into a UE2, thereby resulting in a scenario of maliciously pirating and illegal profit. As shown in fig. 6, a schematic flow chart of a network event processing method provided in the embodiment of the present application is shown, where the method includes the following steps:
step 601: and the AMF network element sends the message interaction behavior information to the NWDAF network element.
The message interaction behavior information may be a message that the UE1 completes registration, or a service message of the UE1 initiated by the UE. The AMF network element may report the registered message interaction behavior information of the UE1 to the NWDAF network element through the event publishing service interface or the security log interface, indicating that the UE1 is registered.
Step 602: the second network element sends the first message to the first network element.
The second network element is the tampered network element and sends a service request to the first network element. For example, take the second network element as SMF1, in which the user identity UE1 is tampered with to become the user identity UE2. A specific tampering manner may be that the processing module of the charging message in the tampered SMF1 is tampered with; for example, the processing module of SMF1 is injected with a malicious program, so that the user identifier in the charging bill generated for the pirated user, identified by UE1, is modified to UE2. Taking the first network element as a CHF network element as an example, the first message is a charging request message (Nchf_ConvergedCharging) sent by SMF1, and the charging request carries the tampered user identifier (UE2).
Step 603: and the CHF sends the message interaction behavior information to the NWDAF network element.
For example, the CHF may send the first message sent by the second network element to the NWDAF network element as the message interaction behavior information.
Further, the CHF may generate a charging bill for the user UE2 according to the charging request sent by the second network element. At this time, the CHF may send the charging bill and the first message to the NWDAF network element as message interaction behavior information. The charging bill may also be sent to the NWDAF network element as a message interaction behavior information, which is used to indicate that the first network element SMF1 requests to generate a charging network behavior for the UE2.
Step 604: the NWDAF network element/SPF network element determines a network security abnormal event and sends first indication information to the PSF.
According to a possible implementation manner, the NWDAF network element may determine whether a network security abnormal event caused by malicious stealing occurs according to the integrity of the UE2 charging message. In a possible scenario, SMF1 may be hijacked, which may cause a problem that an NWDAF network element may not be able to determine whether malicious pirating occurs according to the integrity of a charging message, and therefore, the NWDAF network element may compare whether inconsistent messages exist according to messages related to a session of the same user involved by a plurality of network elements, and further determine a tampered object. For example, the first message may be a charging message related to SMF1 processing UE2, and the second message may be a session message related to SMF1 processing UE2, or the second message may be a session message related to other network elements processing UE2, and the NWDAF network element may determine whether a network security exception event exists according to whether the first message is inconsistent with the second message. For example, if it is determined that the first network element does not report the second message that SMF1 processes the session service of UE2, the NWDAF network element may determine that SMF1 does not process the service of UE2, that is, it may determine that a network behavior in which SMF1 requests to generate a charging request for UE2 has a network security anomaly, and the session corresponding to UE2 is not processed by the first network element, so that a wrong key module of SMF1 may be intruded when SMF1 sends a request for CHF, so that the bill data of the key service data of the first network element is tampered. Specifically, the NWDAF network element may determine an abnormal billing bill according to a rule abnormality determination or by using other AI algorithms such as big data, and further determine a network security abnormal event.
Step 605: the SPF network element determines a second security policy according to the network security event and sends the second security policy to a fourth network element.
In step 605a, the SPF network element sends a second security policy to the AMF network element, where the second security policy is used to indicate that the UE1 user of the SMF1 is abnormal, and suggests the AMF network element to stop charging for the abnormal UE1 and release the corresponding UE1.
If the SPF network element is set on the NWDAF network element, the message format of the second security policy may be the analytics service message (Nnwdaf_AnalyticsInfo) of the NWDAF network element or the security policy message (SecPolicy) of the SPF network element.
Step 605b: the SPF network element sends the security policy to the CHF, and informs the SMF1 that the charging message of the UE2 sent by the SMF1 is an abnormal charging message.
Step 605c: the SPF network element sends the security policy to the PCF network element, and notifies the UE1 of the exception, so as to instruct the user of the UE1 to stop using the network, or stop the UE1 from using the specified session.
Step 606: and the fourth network element receives the second security policy and executes the second security policy.
Step 606a: the AMF network element may initiate a release message to the UE1 according to the second security policy.
Step 606b: and the CHF stops the SMF 1-initiated charging bill generation of the UE2 according to the second security policy.
Step 606c: the PCF network element may stop the user of UE1 from using the network, or stop UE1 from using the specified session, according to the second security policy.
Step 607: the SPF network element determines a first security policy according to the network security event and sends the first security policy to a third network element.
Step 607a: the SPF network element sends a first security policy to the NRF network element.
The first security policy is used for indicating that the first network element SMF1 is abnormal and needs to isolate the first network element SMF 1.
Step 607: and the third network element executes the first security policy according to the first security policy.
Step 608a: the NRF network element may stop the mutual discovery between the SMF1 and the other network elements NF according to the security policy message.
In addition, the first security policy in the first embodiment may also be applied to this embodiment, and the specifically selected scheme may be determined according to the first security policy of the SPF network element.
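The following is an added example, not the patent's own code, of the two consistency checks the NWDAF performs between a first message and a second message: the tampered charging request of steps 604 to 606 (a charging request for a UE that no network element reports a session for) and the stolen identity of scenario 2 (a query carrying one SMF's TLS certificate but arriving from another SMF's IP address). The SPF then derives the second security policy for the fourth network elements. Message fields, policy actions and the sample data are constructed for the example.

```python
"""NWDAF consistency checks between a first message and a second message, and the
SPF's second security policy, for the tampered charging request of Fig. 6
(steps 604-606) and the stolen identity of scenario 2 / Fig. 7. Added example on
constructed data; not the patent's own code."""
from dataclasses import dataclass


@dataclass(frozen=True)
class ChargingRequest:
    """First message reported by the CHF: an Nchf_ConvergedCharging request."""
    src_nf: str   # requesting SMF
    ue_id: str    # user identifier carried in the request (possibly tampered)


@dataclass(frozen=True)
class SessionRecord:
    """Second message: a session of a UE, reported by the AMF or the SMF."""
    reporting_nf: str
    serving_smf: str
    ue_id: str


@dataclass(frozen=True)
class QueryRequest:
    """First message reported by the AMF: a UE information query, with the NF
    identity claimed by the TLS certificate and the IP address it came from."""
    claimed_nf: str
    src_ip: str
    ue_id: str


@dataclass(frozen=True)
class IdentityRecord:
    """Second message from a genuine NF: its own NF ID and IP address."""
    nf_id: str
    ip: str


def check_charging(charging_requests, sessions):
    """Step 604: a charging request for (SMF, UE) with no session record for the
    same pair from any network element is a network security abnormal event; the
    requesting SMF is the tampered object."""
    served = {(s.serving_smf, s.ue_id) for s in sessions}
    return [{"event": "tampered_charging", "abnormal_nf": c.src_nf, "ue_id": c.ue_id}
            for c in charging_requests if (c.src_nf, c.ue_id) not in served]


def check_identity(queries, identities):
    """Scenario 2: the query carries the certificate of one SMF, but its source
    IP is not the IP that SMF reported for itself (IP1 vs IP2); the element at
    the source IP is the one stealing the identity."""
    ip_of = {i.nf_id: i.ip for i in identities}
    nf_at = {i.ip: i.nf_id for i in identities}
    return [{"event": "stolen_identity",
             "abnormal_nf": nf_at.get(q.src_ip, q.src_ip),
             "impersonated_nf": q.claimed_nf, "ue_id": q.ue_id}
            for q in queries if ip_of.get(q.claimed_nf) != q.src_ip]


def second_security_policy(event, sessions):
    """Step 605: per fourth network element, stop or cancel the abnormal service
    and release the users served by the abnormal network element."""
    nf = event["abnormal_nf"]
    users = sorted({s.ue_id for s in sessions if s.serving_smf == nf})
    if event["event"] == "tampered_charging":
        return [
            {"to": "CHF", "action": "reject_charging", "nf_id": nf, "ue_id": event["ue_id"]},  # 605b
            {"to": "AMF", "action": "release_users", "nf_id": nf, "ue_ids": users},           # 605a
            {"to": "PCF", "action": "stop_sessions", "nf_id": nf, "ue_ids": users},           # 605c
        ]
    # stolen identity: stop feeding user information to the abnormal element and
    # cut its discovery of other NFs (the NRF case of example d5)
    return [
        {"to": "AMF", "action": "stop_user_info", "nf_id": nf},
        {"to": "NRF", "action": "isolate_discovery", "nf_id": nf},
    ]


# Constructed sample data for both checks.
SESSIONS = [SessionRecord("AMF1", "SMF1", "UE1")]    # AMF reported UE1 registered on SMF1
CHARGING = [ChargingRequest("SMF1", "UE2")]          # SMF1 bills UE2, which it never served
IDENTITIES = [IdentityRecord("SMF1", "10.0.0.1"), IdentityRecord("SMF2", "10.0.0.2")]
QUERIES = [QueryRequest("SMF1", "10.0.0.2", "UE2")]  # SMF1's certificate, SMF2's address


def run_checks():
    """Return every event found over the constructed data together with its policy."""
    events = check_charging(CHARGING, SESSIONS) + check_identity(QUERIES, IDENTITIES)
    return [(ev, second_security_policy(ev, SESSIONS)) for ev in events]


if __name__ == "__main__":
    for ev, policies in run_checks():
        print(ev)
        for msg in policies:
            print("  ->", msg)
```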
The following specific implementation method includes two main network functions, which may be deployed on one network element, that is, the first network element includes functions of an NWDAF network element, and a security policy network element SPF network element, and the first network element is responsible for analyzing security data and identifying an abnormal security event, and subscribes information of a network element corresponding to the first network element. The first network element is also responsible for policy determination and coordination of security events. In this example, it is assumed that identity information of the NF is stolen, so that a network element that steals the identity information may falsify the identity information, and further illegally obtain user information, thereby causing key information leakage. As shown in fig. 7, a schematic flow chart of a network event processing method provided in the embodiment of the present application is shown, where the method includes the following steps:
Step 701: SMF2 sends an information query request for UE2 to the AMF network element.
SMF2 has illegally obtained the TLS certificate of SMF1 (together with the corresponding private key, without which the certificate alone cannot complete a TLS handshake), establishes a connection to the AMF network element with it, and sends a query request for the location information of UE2 through the event exposure service interface of the AMF network element. One possible way in which SMF2 obtains SMF1's TLS credential: SMF1 is remotely controlled by an attacker through a backdoor, or the attacker penetrates SMF1's internal network by exploiting an application vulnerability, and then extracts SMF1's TLS credential. SMF2 can then impersonate SMF1, send query requests for user information to the AMF network element, and illegally obtain user information.
Step 702: the AMF network element sends message interaction behavior information to the NWDAF network element.
The AMF network element may use the location information of UE2 that it sent to SMF2 as message interaction behavior information, and may also use the received query request for UE2's location information sent by SMF2 as message interaction behavior information, and report this information to the NWDAF network element periodically or on an event basis. For example, the message interaction behavior information may include: the query request for UE2's location information sent by SMF2, the IP address IP2 from which SMF2 sent it, the TLS certificate of SMF1 that SMF2 presented, and the like.
Further, the AMF network element sends the location information of UE2 to SMF2 in response to the information query request for UE2. At this point the AMF network element may also report the location information of UE2 that it sent to SMF2 to the NWDAF network element, periodically or on an event basis, as message interaction behavior information.
Step 702a: SMF1 sends message interaction behavior information to the NWDAF network element.
The NWDAF network element may also receive message interaction behavior information reported by SMF1, which includes an identifier of SMF1, for example the IP address IP1 of SMF1, together with the requests SMF1 itself has sent.
Step 703: the NWDAF network element determines, according to the message interaction behavior information, the second network element in which a network security abnormal event has occurred.
Specifically, the NWDAF network element compares the message interaction behavior information sent by the AMF network element with that reported by SMF1. The IP address IP2 from which the information query request for UE2 was sent differs from the IP address IP1 that SMF1 reports for itself, although both present the identity of SMF1, so the NWDAF network element determines that at least one SMF is abnormal and may treat both SMF1 and SMF2 as the second network element. The NWDAF network element may further compare the query requests for the UE sent by SMF2 with those sent by SMF1 and look for inconsistencies in order to pinpoint the abnormal network element. For example, the NWDAF network element determines that SMF1 has only requested information of UE1 and never sent a query request for the location information of UE2, so the request seen at the AMF cannot have come from SMF1; it then determines that a network security abnormal event exists in SMF2. Using the message interaction behavior information reported by other NFs, the NWDAF network element may further determine that the network element SMF2 at IP2 is a forgery and that the location information of UE2 may have been leaked.
Step 704: and the NWDAF network element sends first indication information to the SPF network element, wherein the first indication information is used for indicating a network security abnormal event.
Step 705: and the SPF network element receives the first indication information and sends a second security policy to a fourth network element according to the first indication information.
In step 705a, the SPF network element may send the second security policy to the AMF network element.
The second security policy indicates that the information of UE2 has leaked and instructs the AMF network element to stop sending or receiving messages concerning UE2 (flow control). For example, the AMF network element may, according to the second security policy, stop responding to query requests for UE2's information altogether, or may stop responding only to query requests for UE2's information that come from the abnormal network element (SMF1 or SMF2), so as to avoid affecting the normal services of other network elements.
Step 706: and the fourth network element executes the second security policy according to the received second security policy.
Step 706a: the AMF network element stops sending the user information of UE2 to SMF2 according to the second security policy, or stops sending the location information of UE2 to SMF1. The specific action depends on which network element was determined to be abnormal: if only SMF2 was determined to be abnormal, sending of UE2's user information may be stopped only towards SMF2; if either SMF1 or SMF2 may be abnormal, sending of UE2's user information may be stopped towards both SMF1 and SMF2.
Step 707: and the SPF network element sends the first security policy to the third network element according to the first indication information.
Step 707a: the SPF network element may send the first security policy to the SCP network element.
The first security policy instructs the SCP network element to stop forwarding the messages of SMF1 or SMF2. The SCP network element can identify SMF2 by the IP address carried in the message: if the IP address carried in the message is IP2, the sender is determined to be SMF2, so the SMF1 certificate presented by SMF2 does not interfere with the decision.
Step 707b: the SPF network element may send the first security policy to the management and orchestration (MANO) network element that manages the virtual machine resources.
The first security policy instructs the MANO network element to release (tear down) the virtual machine of SMF2 corresponding to IP2, thereby preventing further network penetration and information theft by SMF2.
Step 708: the third network element executes the received first security policy.
Step 708a: and the SCP network element stops the message forwarding of the SMF1 or the SMF2 according to the first security policy.
Step 708b: and the MANO network element releases the virtual machine of the second SMF network element SMF2 corresponding to the IP2 according to the first security policy.
In addition, the first security policy of the first embodiment may also be applied in this embodiment; which scheme is selected may be determined by the first security policy of the SPF network element.
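The correlation of Step 703 and the policy fan-out of Steps 705 to 708, as an added example that is not part of the patent text: the network element names AMF, SMF1, SMF2, SCP, MANO and NRF, the addresses IP1 and IP2 and the identifiers UE1 and UE2 come from the embodiment above, while the report layout, the field names and the policy strings are assumptions made for this example. It flags a request as coming from an impostor only when the owner of the asserted identity both reports a different IP address and never sent that request, which is the two-step check the NWDAF performs in Step 703.

```python
"""Added example, not from the patent: a toy NWDAF correlation (Step 703)
and SPF policy derivation (Steps 705-708) over constructed reports.
AMF, SMF1, SMF2, SCP, MANO, NRF, UE1, UE2, IP1 and IP2 come from the
embodiment; every field name, the report layout and the policy strings
are assumptions made for this example."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class AmfReport:
    """One request seen by the AMF on its event exposure interface (Step 702)."""
    peer_ip: str        # transport-level source address of the request
    peer_cert_id: str   # identity asserted by the TLS certificate the peer presented
    target_ue: str
    request: str        # e.g. "location_query"


@dataclass(frozen=True)
class NfSelfReport:
    """An NF's own account of what it sent, reported to the NWDAF (Step 702a)."""
    nf_id: str
    ip: str
    requests: frozenset  # set of (target_ue, request) pairs the NF actually sent


@dataclass
class Finding:
    abnormal_ips: set = field(default_factory=set)      # hosts to isolate (SMF2 at IP2)
    impersonated_nfs: set = field(default_factory=set)  # identities that were stolen (SMF1)
    leaked_ues: set = field(default_factory=set)        # UEs whose data went to the impostor


def correlate(amf_reports, self_reports):
    """Step 703: a request is attributed to an impostor when the asserted
    identity's owner reports a different IP *and* never sent that request.
    Requiring both conditions avoids flagging a legitimate NF that is
    merely multi-homed or behind NAT."""
    by_nf = {r.nf_id: r for r in self_reports}
    finding = Finding()
    for rep in amf_reports:
        owner = by_nf.get(rep.peer_cert_id)
        if owner is None:
            continue  # no self-report to cross-check against; leave undecided
        ip_mismatch = owner.ip != rep.peer_ip
        never_sent = (rep.target_ue, rep.request) not in owner.requests
        if ip_mismatch and never_sent:
            finding.abnormal_ips.add(rep.peer_ip)
            finding.impersonated_nfs.add(rep.peer_cert_id)
            finding.leaked_ues.add(rep.target_ue)
    return finding


def derive_policies(finding):
    """Steps 705 and 707 in the SPF: one (target NF, policy kind, action) per
    affected network element. Second policies stop the abnormal service at the
    AMF; first policies isolate the impostor at SCP/MANO and, because the
    stolen identity cannot be trusted until its certificate is re-issued,
    also at the NRF (an assumption added here, not stated in the patent)."""
    policies = []
    for ue in sorted(finding.leaked_ues):
        policies.append(("AMF", "second", f"stop_ue_queries:{ue}"))
    for ip in sorted(finding.abnormal_ips):
        policies.append(("SCP", "first", f"stop_forwarding:{ip}"))
        policies.append(("MANO", "first", f"release_vm:{ip}"))
    for nf in sorted(finding.impersonated_nfs):
        policies.append(("NRF", "first", f"stop_discovery:{nf}"))
    return policies


# Constructed sample reports for the Fig. 7 scenario (not captured traffic).
AMF_REPORTS = [
    AmfReport("IP1", "SMF1", "UE1", "location_query"),  # genuine SMF1
    AmfReport("IP2", "SMF1", "UE2", "location_query"),  # SMF2 using SMF1's cert
]
SELF_REPORTS = [
    NfSelfReport("SMF1", "IP1", frozenset({("UE1", "location_query")})),
]


def run(amf_reports=AMF_REPORTS, self_reports=SELF_REPORTS):
    finding = correlate(amf_reports, self_reports)
    return finding, derive_policies(finding)


if __name__ == "__main__":
    finding, policies = run()
    print(finding)
    for target, kind, action in policies:
        print(f"{target}: {kind} security policy -> {action}")
```

Only the request from IP2 is flagged: the genuine SMF1 request from IP1 matches SMF1's own report on both address and content, so SMF1 is not itself isolated at the SCP or MANO, only its stolen identity is withdrawn at the NRF. A peer whose asserted identity has no self-report is left undecided rather than guessed at, which is the safe choice when the analytics function only sees one side of the exchange.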
The scheme provided by the embodiments of the present application has been described above mainly from the perspective of interaction between network elements. It is to be understood that, in order to implement the functions described above, each network element includes a corresponding hardware structure and/or software module for performing each function. Those skilled in the art will readily appreciate that the exemplary elements and algorithm steps described in connection with the embodiments disclosed herein can be implemented in hardware or in a combination of hardware and computer software. Whether a function is performed by hardware or by computer software driving hardware depends on the particular application and the design constraints imposed on the solution. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as a departure from the scope of the present invention.
As shown in fig. 8, which is a possible exemplary block diagram of a network event processing apparatus according to an embodiment of the present application, the apparatus 800 may exist in the form of software or hardware. The apparatus 800 may include: a processing unit 802 and a communication unit 801. As one implementation, the communication unit 801 may include a receiving unit and a transmitting unit. The processing unit 802 is used for controlling and managing the operation of the apparatus 800. The communication unit 801 is used to support communication of the apparatus 800 with other network entities.
The processing unit 802 may be a processor or a controller, for example a general-purpose central processing unit (CPU), a general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field programmable gate array (FPGA) or other programmable logic device, a transistor logic device, a hardware component, or any combination thereof. It may implement or execute the various illustrative logical blocks, modules and circuits described in connection with the disclosure of the embodiments of the application. The processor may also be a combination of computing devices, for example one or more microprocessors, or a DSP combined with a microprocessor. The communication unit 801 is an interface circuit of the apparatus for receiving signals from other apparatuses. For example, when the apparatus is implemented as a chip, the communication unit 801 is the interface circuit through which the chip receives signals from, or sends signals to, another chip or apparatus.
The apparatus 800 may be an NWDAF network element or an SPF network element in the above embodiments, and may also be a chip for the NWDAF network element or a chip for the SPF network element. For example, when the apparatus 800 is an NWDAF network element or an SPF network element, the processing unit 802 may be a processor, for example, and the communication unit 801 may be a transceiver, for example. Optionally, the transceiver may include a radio frequency circuit, and the storage unit may be, for example, a memory. For example, when the apparatus 800 is a chip for a data analysis network element or a security event processing SPF network element, the processing unit 802 may be a processor, for example, and the communication unit 801 may be an input/output interface, a pin or a circuit, for example. The processing unit 802 may execute computer-executable instructions stored in a storage unit, which may optionally be a storage unit in the chip, such as a register, a cache, and the like, and may also be a storage unit located outside the chip in the data analysis network element or the security event processing SPF network element, such as a read-only memory (ROM) or another type of static storage device, a Random Access Memory (RAM), and the like, which may store static information and instructions.
In one embodiment, the apparatus 800 is the NWDAF network element of the above embodiments. The communication unit 801 is configured to acquire message interaction behavior information of K first network elements, where, for each first network element among the K first network elements, the message interaction behavior information of that first network element includes attribute information describing the messages transmitted by that first network element; K is a positive integer; and to send first indication information to the SPF network element, where the first indication information indicates that a network security abnormal event has occurred in the second network element. The processing unit 802 is configured to determine, according to the message interaction behavior information of the K first network elements, that a network security abnormal event has occurred in the second network element.
in the case that the apparatus 800 is an NWDAF network element in the foregoing embodiment, in a possible design, for a first network element in the K first network elements, the attribute information of the message transmitted by the first network element includes one or more of the following items: the type of the message, the message content of the message, the interface for transmitting the message on the first network element, and the interface for transmitting the message by the opposite terminal corresponding to the message.
In a possible design of the apparatus 800 as the NWDAF network element of the foregoing embodiment, the processing unit 802 is configured to determine that the second network element is mounting a DDoS attack on the first network element if the number of messages the first network element receives from the second network element is greater than a first threshold, where the first threshold is determined from the historical message frequency.
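One way to derive the first threshold from historical message frequency and apply it per window, as an added example that is not part of the patent: the 60-second window, the mean-plus-three-sigma rule, the floor of 10 messages, and the constructed history and event timestamps are all assumptions made here; only the network element names SMF1, SMF2 and AMF come from the text.

```python
"""Added example, not from the patent: deriving the 'first threshold' from
historical message frequency and flagging a DDoS event when a sender exceeds
it within a window. The window length, the k-sigma rule, the floor and all
sample data are assumptions made for this example."""
from collections import Counter, defaultdict
from statistics import mean, pstdev


def baseline_threshold(history, k=3.0, floor=10):
    """history: per-window message counts for one (sender, receiver) pair
    observed during normal operation. Threshold = mean + k*sigma, but never
    below `floor`, so that a near-silent baseline does not alert on a
    handful of messages."""
    if len(history) < 2:
        raise ValueError("need at least two historical windows for a baseline")
    return max(float(floor), mean(history) + k * pstdev(history))


def bucket_counts(events, window_s):
    """events: iterable of (timestamp_s, sender, receiver).
    Returns {(sender, receiver): Counter({window_index: count})}."""
    buckets = defaultdict(Counter)
    for ts, sender, receiver in events:
        buckets[(sender, receiver)][int(ts // window_s)] += 1
    return buckets


def detect_ddos(events, history, window_s=60, k=3.0, floor=10):
    """Return (sender, receiver, window_index, count, threshold) for every
    window in which a sender exceeded its historical threshold towards a
    receiver. Pairs with no baseline are skipped rather than guessed."""
    alerts = []
    for (sender, receiver), per_window in bucket_counts(events, window_s).items():
        hist = history.get((sender, receiver))
        if hist is None:
            continue  # unknown pair: no baseline, so no threshold can be derived
        thr = baseline_threshold(hist, k, floor)
        for idx, n in sorted(per_window.items()):
            if n > thr:
                alerts.append((sender, receiver, idx, n, thr))
    return alerts


# Constructed history: messages per 60 s window from SMF1 to the AMF in normal operation.
HISTORY = {("SMF1", "AMF"): [40, 45, 38, 50, 42, 47]}


def make_events():
    """Constructed message interaction reports: a normal first window,
    then a burst of 400 messages in the second window, plus a few
    messages from a pair that has no baseline."""
    ev = [(i * 1.0, "SMF1", "AMF") for i in range(45)]            # window 0
    ev += [(60 + i * 0.1, "SMF1", "AMF") for i in range(400)]     # window 1: burst
    ev += [(30 + i, "SMF2", "AMF") for i in range(5)]             # no baseline
    return ev


if __name__ == "__main__":
    for sender, receiver, idx, n, thr in detect_ddos(make_events(), HISTORY):
        print(f"DDoS suspected: {sender}->{receiver} window {idx}: {n} msgs > {thr:.1f}")
```

With the constructed history the threshold comes out at roughly 56 messages per window, so the first window (45 messages) passes and only the 400-message burst is reported. The floor matters in practice: a pair that normally exchanges almost nothing would otherwise get a threshold of one or two messages and alert on ordinary retransmissions.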
In a possible design of the apparatus 800 for an NWDAF network element in the foregoing embodiment, the message interaction behavior information of the K first network elements includes: a first message and a second message; a processing unit 802, configured to determine that a network security exception event exists in the second network element if it is determined that the first identity identifier of the second network element in the first message is inconsistent with the second identity identifier of the second network element in the second message.
In a possible design of the apparatus 800 for an NWDAF network element in the foregoing embodiment, the message interaction behavior information of the K first network elements includes: an interactive behavior message from a first UE of the K first network elements; a processing unit 802, configured to determine that a network security exception event exists in the first UE if it is determined that the interactive behavior messages of the first UE are inconsistent.
In a possible design of the apparatus 800 as the NWDAF network element of the foregoing embodiment, the message interaction behavior information of the K first network elements includes interactive behavior messages of a second UE from the K first network elements and user information query requests for the second UE from the second network element; the processing unit 802 is configured to determine, if the network element identifiers carried in the user information query requests for the second UE from the second network element are inconsistent, that at least two network elements corresponding to the inconsistent network element identifiers have a network security exception event.
It can be understood that, when the apparatus is used in the foregoing network event processing method, specific implementation procedures and corresponding beneficial effects may refer to relevant descriptions in the foregoing method embodiments, and are not described herein again.
In another embodiment, the apparatus 800 is the SPF network element of the above embodiments. The communication unit 801 is configured to receive first indication information sent by the NWDAF network element, where the first indication information indicates that a network security exception event has occurred in the second network element; and to send, to each of the N third network elements, the first security policy corresponding to that third network element, where the first security policy corresponding to the third network element includes indication information instructing the third network element to isolate the service corresponding to the second network element. The processing unit 802 is configured to determine, according to the first indication information, the N third network elements having an association relationship with the second network element, where each of the N third network elements has the capability of processing the service of the second network element.
In a possible design of the apparatus 800 as the SPF network element of the above embodiment, the communication unit 801 is configured to perform one or more of the following:
when the third network element is an AMF network element, send the first security policy corresponding to the AMF network element, which includes indication information instructing the AMF network element to stop processing messages of the second network element;
when the third network element is an SCP network element, send the first security policy corresponding to the SCP network element, which includes indication information instructing the SCP network element to stop forwarding messages to the second network element;
when the third network element is an NRF network element, send the first security policy corresponding to the NRF network element, which includes indication information instructing the NRF network element to revoke the authorization of the second network element;
when the third network element is an SDN network element, send the first security policy corresponding to the SDN network element, which includes indication information instructing the SDN network element to stop forwarding traffic for the network segment of the second network element;
when the third network element is a MANO network element, send the first security policy corresponding to the MANO network element, which includes indication information instructing the MANO network element to release the virtual machine of the second network element;
when the third network element is an AMF network element, send the first security policy corresponding to the AMF network element, which includes indication information instructing the AMF network element to release the users bound to the second network element.
In a possible design of the apparatus 800 in the case of the SPF network element in the foregoing embodiment, the first indication information is further used to indicate an abnormal service corresponding to the network security abnormal event; a processing unit 802, configured to determine, according to the first indication information, M fourth network elements that have an association relationship with the second network element; for a fourth network element in the M fourth network elements, the fourth network element has a capability of processing the abnormal service; for a fourth network element in the M fourth network elements, the communication unit 801 is configured to send, to the fourth network element, a second security policy corresponding to the fourth network element, where the second security policy corresponding to the fourth network element includes indication information used to instruct the fourth network element to stop or cancel processing of the abnormal service.
In a possible design of the apparatus 800 as the SPF network element of the above embodiment, the communication unit 801 is configured to perform at least one of the following:
when the fourth network element is an AMF network element, send the second security policy corresponding to the AMF network element, which includes indication information instructing the AMF network element to stop executing the abnormal service;
when the fourth network element is an AMF network element or a PCF network element, the SPF network element sends the second security policy corresponding to the AMF network element, which includes indication information instructing the AMF network element to release the user of the abnormal service, or sends the second security policy corresponding to the PCF network element, which includes indication information instructing the PCF network element to release the user of the abnormal service;
when the fourth network element is an SCP network element, send the second security policy corresponding to the SCP network element, which includes indication information instructing the SCP network element to stop forwarding messages to the second network element;
when the fourth network element is an NRF network element, send the second security policy corresponding to the NRF network element, which includes indication information instructing the NRF network element to revoke the authorization of the second network element;
when the fourth network element is an SDN network element, send the second security policy corresponding to the SDN network element, which includes indication information instructing the SDN network element to stop forwarding traffic for the network segment of the second network element.
As shown in fig. 9, a schematic diagram of a network event processing apparatus provided in the embodiment of the present application is shown, where the apparatus may be an NWDAF network element and/or an SPF network element in the above embodiments. The apparatus 900 includes: a processor 902 and a communication interface 903. Optionally, the apparatus 900 may further include a memory 901. Optionally, the apparatus 900 may also include a communication line 904. Wherein the communication interface 903, the processor 902, and the memory 901 may be connected to each other through a communication line 904; the communication line 904 may be a Peripheral Component Interconnect (PCI) bus, an Extended Industry Standard Architecture (EISA) bus, or the like. The communication lines 904 may be divided into address buses, data buses, control buses, and the like. For ease of illustration, only one thick line is shown in FIG. 9, but this does not indicate only one bus or one type of bus.
The processor 902 may be a CPU, microprocessor, ASIC, or one or more integrated circuits configured to control the execution of programs according to embodiments of the present application.
The processor 902 may be configured to determine, according to the message interaction behavior information of K first network elements, that a network security abnormal event has occurred in the second network element, and to have the network data analysis function network element send first indication information to the SPF network element, where the first indication information indicates that the network security abnormal event has occurred in the second network element; and/or to determine, according to the first indication information, N third network elements having an association relationship with the second network element, where each of the N third network elements has the capability of processing the service of the second network element.
The communication interface 903 may be any device, such as a transceiver, for communicating with other devices or communication networks, such as an ethernet, a Radio Access Network (RAN), a Wireless Local Area Network (WLAN), a wired access network, and the like.
The communication interface 903 is configured to obtain message interaction behavior information of K first network elements, where, for each first network element among the K first network elements, the message interaction behavior information of that first network element includes attribute information describing the messages transmitted by that first network element, and K is a positive integer; or to receive first indication information sent by the network data analysis function network element, where the first indication information indicates that a network security abnormal event has occurred in the second network element, and to send, to each third network element, the first security policy corresponding to that third network element, where the first security policy corresponding to the third network element includes indication information instructing the third network element to isolate the service corresponding to the second network element.
The specific implementation of the above scheme is described in detail in the foregoing method embodiments and is not repeated here.
The memory 901 may be, but is not limited to, a ROM or other type of static storage device that can store static information and instructions, a RAM or other type of dynamic storage device that can store information and instructions, an electrically erasable programmable read-only memory (EEPROM), a compact disk read-only memory (CD-ROM) or other optical disk storage, optical disk storage (including compact disk, laser disk, optical disk, digital versatile disk, blu-ray disk, etc.), a magnetic disk storage medium or other magnetic storage device, or any other medium that can be used to carry or store desired program code in the form of instructions or data structures and that can be accessed by a computer. The memory may be separate and coupled to the processor via a communication line 904. The memory may also be integral to the processor.
The memory 901 is used for storing computer-executable instructions for executing the embodiments of the present application, and is controlled by the processor 902 to execute the instructions. The processor 902 is configured to execute the computer executable instructions stored in the memory 901, so as to implement the network event processing method provided by the foregoing embodiments of the present application.
Optionally, the computer-executable instructions in the embodiments of the present application may also be referred to as application program codes, which are not specifically limited in the embodiments of the present application.
In the description of the present application, "/" indicates a relationship in which the objects linked before and after are "or", for example, a/B may indicate a or B; in the present application, "and/or" is only an association relationship describing an associated object, and means that there may be three relationships, for example, a and/or B, and may mean: a exists singly, A and B exist simultaneously, and B exists singly, wherein A and B can be singular or plural. Also, in the description of the present application, "a plurality" means two or more than two unless otherwise specified. "at least one of the following" or similar expressions refer to any combination of these items, including any combination of the singular or plural items. For example, at least one (one) of a, b, or c, may represent: a, b, c, a-b, a-c, b-c, or a-b-c, wherein a, b, c may be single or multiple. In addition, in order to facilitate clear description of technical solutions of the embodiments of the present application, in the embodiments of the present application, terms such as "first" and "second" are used to distinguish the same items or similar items having substantially the same functions and actions. Those skilled in the art will appreciate that the terms "first," "second," etc. do not denote any order or quantity, nor do the terms "first," "second," etc. denote any order or importance. Also, in the embodiments of the present application, words such as "exemplary" or "for example" are used to mean serving as examples, illustrations or illustrations. Any embodiment or design described herein as "exemplary" or "e.g.," is not necessarily to be construed as preferred or advantageous over other embodiments or designs. Rather, use of the word "exemplary" or "such as" is intended to present relevant concepts in a concrete fashion for ease of understanding.
In addition, the network architecture and the service scenario described in the embodiment of the present application are for more clearly illustrating the technical solution of the embodiment of the present application, and do not constitute a limitation to the technical solution provided in the embodiment of the present application, and it can be known by a person skilled in the art that the technical solution provided in the embodiment of the present application is also applicable to similar technical problems along with the evolution of the network architecture and the appearance of a new service scenario.
In the above embodiments, the implementation may be wholly or partially realized by software, hardware, firmware, or any combination thereof. When implemented in software, it may be implemented in whole or in part in the form of a computer program product. The computer program product includes one or more computer instructions. When the computer instructions are loaded and executed on a computer, the processes or functions described in accordance with the embodiments of the application are produced in whole or in part. The computer may be a general purpose computer, a special purpose computer, a network of computers, or other programmable device. The computer instructions may be stored in a computer readable storage medium or transmitted from one computer readable storage medium to another, for example, from one website, computer, server, or data center to another website, computer, server, or data center via wired (e.g., coaxial cable, optical fiber, digital subscriber line (DSL)) or wireless (e.g., infrared, radio, microwave) means. The computer-readable storage medium can be any available medium that can be accessed by a computer, or a data storage device such as a server or data center that integrates one or more available media. The available medium may be a magnetic medium (e.g., floppy disk, hard disk, magnetic tape), an optical medium (e.g., DVD), or a semiconductor medium (e.g., solid state disk (SSD)), among others.
The various illustrative logical units and circuits described in this application may be implemented or operated upon by design of a general purpose processor, a digital signal processor, an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA) or other programmable logic device, discrete gate or transistor logic, discrete hardware components, or any combination thereof. A general-purpose processor may be a microprocessor, but, in the alternative, the processor may be any conventional processor, controller, microcontroller, or state machine. A processor may also be implemented as a combination of computing devices, e.g., a digital signal processor and a microprocessor, a plurality of microprocessors, one or more microprocessors in conjunction with a digital signal processor core, or any other similar configuration.
The steps of a method or algorithm described in the embodiments herein may be embodied directly in hardware, in a software module executed by a processor, or in a combination of the two. The software module may be stored in RAM memory, flash memory, ROM memory, EPROM memory, EEPROM memory, registers, a hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art. For example, a storage medium may be coupled to the processor such that the processor can read information from, and write information to, the storage medium. In the alternative, the storage medium may be integral to the processor. The processor and the storage medium may reside in an ASIC.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
Although the present application has been described in conjunction with specific features and embodiments thereof, it will be evident that various modifications and combinations may be made thereto without departing from the spirit and scope of the application. Accordingly, the specification and drawings are merely illustrative of the present application as defined in the appended claims and are intended to cover any and all modifications, variations, combinations, or equivalents within the scope of the application. It will be apparent to those skilled in the art that various changes and modifications may be made in the present application without departing from the scope of the application. Thus, if such modifications and variations of the present application fall within the scope of the claims of the present application and their equivalents, the present application is also intended to include such modifications and variations.

Claims (22)

1. A method for processing network events, comprising:
a security event processing function network element receives first indication information sent by a network data analysis function network element, wherein the first indication information is used for indicating that a network security abnormal event has occurred in a second core network element;
the security event processing function network element determines, according to the first indication information, N third core network elements related to the service of the second core network element, wherein the third core network element has the capability of processing the service of the second core network element, and N is a positive integer;
the security event processing function network element sends, to each of the N third core network elements, a first security policy corresponding to that third core network element, where the first security policy is used for the third core network element to isolate the service corresponding to the second core network element;
wherein the N third core network elements include one or more of:
an access and mobility management function network element, a message forwarding network element, a network element discovery function network element, a network routing management network element, a virtualized resource management network element and a policy control function network element.
2. The method of claim 1, wherein the first security policy used for isolating the service corresponding to the second core network element comprises one or more of:
the first security policy corresponding to the access and mobility management function network element is used for releasing the user session in the second core network element;
the first security policy corresponding to the message forwarding network element is used to stop message forwarding of the second core network element;
the first security policy corresponding to the network element discovery function network element is used for stopping or revoking the authorization of the user of the second core network element;
the first security policy corresponding to the network routing management network element is used for stopping routing forwarding of messages of a network segment of the second core network element;
the first security policy corresponding to the virtualized resource management network element is used to release the virtual machine corresponding to the second core network element.
3. The method of claim 1, wherein the first indication information is further used for indicating an abnormal service corresponding to the network security abnormal event;
the method further comprises the following steps:
the security event processing function network element determines, according to the first indication information, M fourth core network elements related to the second core network element, wherein the fourth core network element has the capability of processing the abnormal service, and M is a positive integer;
the security event processing function network element sends a second security policy corresponding to each of the M fourth core network elements, where the second security policy is used for the fourth core network element to stop processing the abnormal service;
wherein the M fourth core network elements include one or more of:
an access and mobility management function network element, a message forwarding network element, a network element discovery function network element, a network routing management network element, a virtualized resource management network element and a policy control function network element.
4. The method of claim 3, wherein the second security policy used for the fourth core network element to stop processing the abnormal service comprises one or more of:
the second security policy corresponding to the access and mobility management function network element is used for ignoring the request of the abnormal service or releasing the user session corresponding to the abnormal service;
the second security policy corresponding to the policy control function network element is used for releasing the user session corresponding to the abnormal service;
the second security policy corresponding to the message forwarding network element is used for ignoring message forwarding corresponding to the abnormal service;
the second security policy corresponding to the network element discovery function network element is used for stopping or revoking the authorization of the user of the abnormal service;
and the second security policy corresponding to the network routing management network element is used for ignoring routing forwarding of the message of the network segment of the abnormal service.
5. A method for processing network events, comprising:
a network data analysis function network element acquires message interaction behavior information of K first core network elements, wherein the message interaction behavior information comprises attribute information used for indicating messages transmitted by the first core network elements, and the messages transmitted by the first core network elements comprise messages transmitted between the first core network elements and a second core network element; k is a positive integer;
the network data analysis function network element determines, according to the message interaction behavior information of the K first core network elements, that a network security abnormal event has occurred in the second core network element;
the network data analysis function network element sends first indication information to a security event processing function network element, wherein the first indication information is used for indicating that the network security abnormal event has occurred in the second core network element;
the first indication information is used for instructing the security event processing function network element to send, to each of N third core network elements, a first security policy corresponding to that third core network element, where the first security policy is used for the third core network element to isolate the service corresponding to the second core network element;
wherein the N third core network elements comprise one or more of:
an access and mobility management function network element, a message forwarding network element, a network element discovery function network element, a network routing management network element, a virtualized resource management network element and a policy control function network element.
6. The method of claim 5, wherein the attribute information of the message transmitted by the first core network element comprises one or more of:
the type of the message, the message content of the message, an interface for transmitting the message on the first core network element, and an interface for transmitting the message by an opposite terminal corresponding to the message.
7. The method of claim 5, wherein the determining, by the network data analysis function network element, that the network security exception event occurs in the second core network element according to the message interaction behavior information of the K first core network elements includes:
if the network data analysis function network element determines that the number of messages received by the first core network element from the second core network element is greater than a first threshold value, determining that a distributed denial of service attack event of the second core network element to the first core network element exists; the first threshold is determined based on historical message frequency.
8. The method of claim 5, wherein the message interaction behavior information of the K first core network elements comprises: a first message and a second message;
the network data analysis function network element determines that the second core network element has a network security abnormal event according to the message interaction behavior information of the K first core network elements, and the method comprises the following steps:
if the network data analysis function network element determines that the first identity identifier of the second core network element in the first message is inconsistent with the second identity identifier of the second core network element in the second message, determining that a network security abnormal event exists in the second core network element.
9. The method of claim 5, wherein the message interaction behavior information of the K first core network elements comprises: the interactive behavior messages of the first terminal equipment from the K first core network elements;
the network data analysis function network element determines that the second core network element has a network security abnormal event according to the message interaction behavior information of the K first core network elements, and the method comprises the following steps:
if the network data analysis function network element determines that the interactive behavior messages of the first terminal equipment are inconsistent, determining that a network security abnormal event has occurred in the first terminal equipment.
10. The method of claim 5, wherein the message interaction behavior information of the K first core network elements comprises: interactive behavior messages of second terminal equipment from the K first core network elements and user information query requests of the second terminal equipment from the second core network elements;
the network data analysis function network element determines that the second core network element has a network security abnormal event according to the message interaction behavior information of the K first core network elements, and the method comprises the following steps:
if the network data analysis function network element determines that the network element identifiers of the second core network elements in the user information query request of the second terminal equipment from the second core network elements are not consistent, it is determined that network security abnormal events occur in at least two core network elements corresponding to the network element identifiers which are not consistent.
11. A network event processing apparatus, comprising:
a transceiver, configured to receive first indication information sent by a network data analysis function network element, wherein the first indication information is used for indicating that a network security abnormal event has occurred in a second core network element;
a processor, configured to determine, according to the first indication information, N third core network elements related to the service of the second core network element, wherein the third core network element has the capability of processing the service of the second core network element, and N is a positive integer;
wherein the transceiver is further configured to send, to each of the N third core network elements, a first security policy corresponding to that third core network element, where the first security policy is used for the third core network element to isolate the service of the second core network element;
wherein the N third core network elements comprise one or more of:
an access and mobility management function network element, a message forwarding network element, a network element discovery function network element, a network routing management network element, a virtualized resource management network element and a policy control function network element.
12. The apparatus of claim 11, wherein the first security policy used for isolating the service of the second core network element comprises one or more of:
the first security policy corresponding to the access and mobility management function network element is used for releasing the user session of the second core network element;
the first security policy corresponding to the message forwarding network element is used to stop message forwarding of the second core network element;
the first security policy corresponding to the network element discovery function network element is used for stopping or revoking the authorization of the user of the second core network element;
the first security policy corresponding to the network routing management network element is used for stopping routing forwarding of messages of a network segment of the second core network element;
the first security policy corresponding to the virtualized resource management network element is used to release the virtual machine corresponding to the second core network element.
13. The apparatus of claim 11, wherein the first indication information is further used for indicating an abnormal service corresponding to the network security abnormal event;
the processor is specifically configured to determine, according to the first indication information, M fourth core network elements related to the second core network element; the fourth core network element has the capability of processing the abnormal service;
the transceiver is configured to send a second security policy corresponding to each of the M fourth core network elements, where the second security policy is used to stop processing the abnormal service.
14. The apparatus of claim 13, wherein the second security policy used for the fourth core network element to stop processing the abnormal service comprises one or more of:
the second security policy corresponding to the access and mobility management function network element is used for ignoring the request of the abnormal service or releasing the user session corresponding to the abnormal service;
the second security policy corresponding to the policy control function network element is used for releasing the user session corresponding to the abnormal service;
the second security policy corresponding to the message forwarding network element is used for ignoring message forwarding corresponding to the abnormal service;
the second security policy corresponding to the network element discovery function network element is used for stopping or revoking the authorization of the user of the abnormal service;
and the second security policy corresponding to the network routing management network element is used for ignoring routing forwarding of the message of the network segment of the abnormal service.
15. A network event processing apparatus, comprising:
a transceiver, configured to acquire message interaction behavior information of K first core network elements, wherein the message interaction behavior information comprises attribute information used for indicating messages transmitted by the first core network elements, the messages transmitted by the first core network elements comprise messages transmitted between the first core network elements and a second core network element, and K is a positive integer;
a processor, configured to determine, according to the message interaction behavior information of the K first core network elements, that a network security abnormal event has occurred in the second core network element;
wherein the transceiver is further configured to send first indication information to a security event processing function network element, the first indication information being used for indicating that the network security abnormal event has occurred in the second core network element;
the first indication information is used for instructing the security event processing function network element to send, to each of N third core network elements, a first security policy corresponding to that third core network element, where the first security policy is used for the third core network element to isolate the service corresponding to the second core network element;
wherein the N third core network elements include one or more of:
an access and mobility management function network element, a message forwarding network element, a network element discovery function network element, a network routing management network element, a virtualized resource management network element and a policy control function network element.
16. The apparatus of claim 15, wherein the attribute information of the message transmitted by the first core network element comprises one or more of:
the type of the message, the message content of the message, an interface for transmitting the message on the first core network element, and an interface for transmitting the message by an opposite terminal corresponding to the message.
17. The apparatus of claim 15, wherein the processor is specifically configured to:
if the number of the messages received by the first core network element from the second core network element is larger than a first threshold value, determining that a distributed denial of service attack event of the second core network element to the first core network element exists; the first threshold is determined based on historical message frequency.
18. The apparatus of claim 15, wherein the message interaction behavior information of the K first core network elements comprises: a first message and a second message;
the processor is specifically configured to: if it is determined that the first identity identifier of the second core network element in the first message is inconsistent with the second identity identifier of the second core network element in the second message, determine that a network security abnormal event exists in the second core network element.
19. The apparatus of claim 15, wherein the message interaction behavior information for the K first core network elements comprises: the interactive behavior messages from the first terminal equipment of the K first core network elements;
the processor is specifically configured to:
if it is determined that the interactive behavior messages of the first terminal equipment are inconsistent, determine that a network security abnormal event has occurred in the first terminal equipment.
20. The apparatus of claim 15, wherein the message interaction behavior information of the K first core network elements comprises: interactive behavior messages of second terminal equipment from the K first core network elements and user information query requests of the second terminal equipment from the second core network elements;
the processor is specifically configured to:
if it is determined that the network element identifiers of the second core network elements in the user information query requests of the second terminal equipment from the second core network elements are inconsistent, determine that network security abnormal events have occurred in at least two core network elements corresponding to the inconsistent network element identifiers.
21. A communication apparatus, comprising a processor and a communication interface, wherein
the communication interface is used for inputting and/or outputting information; and
the processor is configured to execute a computer program or instructions to cause the method of any one of claims 1 to 10 to be performed.
22. A computer-readable storage medium having stored thereon computer-executable instructions which, when invoked by a computer, cause the computer to perform the method of any of claims 1 to 10.
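The detection rules of claims 7, 8 and 10 and the policy dispatch of claims 1 and 2, as an added toy illustration in Python that is not part of the patent or of any Huawei implementation; the network element names, message records, the history-based threshold rule (three times the mean of past window counts), the simplified reading of claim 10 and the RELATED capability table are all constructed assumptions.

```python
"""Toy model of the network data analysis function (NWDAF) detection rules in
claims 7, 8 and 10 and the security event processing function dispatch in
claims 1 and 2. Added illustration, not the patent's or any vendor's code;
all names, records, thresholds and tables are constructed assumptions."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from statistics import mean

# Claim 2: first security policy per type of third core network element.
FIRST_SECURITY_POLICY = {
    "AMF": "release user sessions of the suspect network element",
    "FORWARDER": "stop forwarding messages of the suspect network element",
    "NRF": "revoke the authorization of the suspect network element",
    "ROUTER": "stop routing the suspect network element's network segment",
    "VIM": "release the virtual machine of the suspect network element",
}

@dataclass(frozen=True)
class Message:
    """Attribute information of one message reported by a first core network
    element (claim 6), reduced to the fields the rules below need."""
    observer: str       # first core network element that reported the message
    peer: str           # second core network element it exchanged it with
    peer_identity: str  # identity identifier the peer presented in the message
    msg_type: str       # constructed type tag, e.g. "UE_INFO_QUERY"
    ue: str = ""        # terminal the message concerns, if any

def detect_ddos(messages, history, factor=3.0):
    """Claim 7: messages an observer received from one peer in this window
    exceed a threshold derived from historical frequency. The rule used here
    (factor x mean of past per-window counts) is an assumption."""
    counts = Counter((m.observer, m.peer) for m in messages)
    events = []
    for (observer, peer), n in counts.items():
        past = history.get((observer, peer))
        threshold = factor * mean(past) if past else float("inf")
        if n > threshold:
            events.append({"event": "DDOS", "suspect": peer, "victim": observer,
                           "count": n, "threshold": threshold})
    return events

def detect_identity_inconsistency(messages):
    """Claim 8: one second core network element presents different identity
    identifiers in different messages."""
    identities = defaultdict(set)
    for m in messages:
        identities[m.peer].add(m.peer_identity)
    return [{"event": "IDENTITY_MISMATCH", "suspect": peer, "identities": sorted(ids)}
            for peer, ids in identities.items() if len(ids) > 1]

def detect_query_source_inconsistency(messages):
    """Claim 10 (simplified): user information query requests about one
    terminal carry inconsistent network element identifiers, implicating
    at least two core network elements."""
    sources = defaultdict(set)
    for m in messages:
        if m.msg_type == "UE_INFO_QUERY" and m.ue:
            sources[m.ue].add(m.peer)
    return [{"event": "QUERY_SOURCE_MISMATCH", "suspect": sorted(peers), "ue": ue}
            for ue, peers in sources.items() if len(peers) > 1]

def first_indication_information(messages, history):
    """Claim 5: what the NWDAF hands to the security event processing function."""
    return (detect_ddos(messages, history)
            + detect_identity_inconsistency(messages)
            + detect_query_source_inconsistency(messages))

def dispatch_first_security_policy(indication, related):
    """Claim 1: for each suspect, choose the third core network elements able
    to act on its service (constructed capability table) and pair each with
    its first security policy. Returns sorted unique (element, suspect, policy)."""
    plan = set()
    for event in indication:
        suspects = event["suspect"]
        for suspect in (suspects if isinstance(suspects, list) else [suspects]):
            for ne_type, ne_name in related.get(suspect, []):
                plan.add((ne_name, suspect, FIRST_SECURITY_POLICY[ne_type]))
    return sorted(plan)

# Constructed sample window: AMF-1 normally sees about 45 messages from SMF-2
# but now sees 400; SMF-2 shows up under two identities; UE info queries about
# imsi-001 arrive from both SMF-2 and AMF-7.
HISTORY = {("AMF-1", "SMF-2"): [40, 45, 50], ("UDM-1", "SMF-2"): [10, 12, 11]}
SAMPLE = [Message("AMF-1", "SMF-2", "smf-2-id", "PDU_SESSION")] * 400 + [
    Message("UDM-1", "SMF-2", "smf-2-id", "UE_INFO_QUERY", ue="imsi-001"),
    Message("UDM-1", "SMF-2", "smf-2-fake", "UE_INFO_QUERY", ue="imsi-001"),
    Message("UDM-1", "AMF-7", "amf-7-id", "UE_INFO_QUERY", ue="imsi-001"),
]
RELATED = {"SMF-2": [("AMF", "AMF-1"), ("FORWARDER", "SCP-1"), ("NRF", "NRF-1"),
                     ("VIM", "VIM-1")], "AMF-7": [("NRF", "NRF-1")]}
```

Running `dispatch_first_security_policy(first_indication_information(SAMPLE, HISTORY), RELATED)` yields one (element, suspect, policy) triple per capable third core network element, with SMF-2 isolated by four elements and AMF-7 only by the NRF.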
CN202010077699.7A 2020-01-31 2020-01-31 Network event processing method and device and readable storage medium Active CN113206814B (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN202010077699.7A CN113206814B (en) 2020-01-31 2020-01-31 Network event processing method and device and readable storage medium
PCT/CN2020/124932 WO2021151335A1 (en) 2020-01-31 2020-10-29 Network event processing method and apparatus, and readable storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202010077699.7A CN113206814B (en) 2020-01-31 2020-01-31 Network event processing method and device and readable storage medium

Publications (2)

Publication Number Publication Date
CN113206814A CN113206814A (en) 2021-08-03
CN113206814B true CN113206814B (en) 2022-11-18

Family

ID=77024787

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010077699.7A Active CN113206814B (en) 2020-01-31 2020-01-31 Network event processing method and device and readable storage medium

Country Status (2)

Country Link
CN (1) CN113206814B (en)
WO (1) WO2021151335A1 (en)

Also Published As

Publication number Publication date
CN113206814A (en) 2021-08-03
WO2021151335A1 (en) 2021-08-05

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant