CN114885332A - Traffic processing method and device, storage medium and electronic equipment - Google Patents


Info

Publication number
CN114885332A
Authority
CN
China
Prior art keywords
flow data
public network
network service
service flow
network element
Prior art date
Legal status
Granted
Application number
CN202210479188.7A
Other languages
Chinese (zh)
Other versions
CN114885332B (en)
Inventor
王海燚
衡心
沈军
李韡晨
林燕飞
Current Assignee
China Telecom Corp Ltd
Original Assignee
China Telecom Corp Ltd
Priority date
Filing date
Publication date
Application filed by China Telecom Corp Ltd
Priority to CN202210479188.7A
Publication of CN114885332A
Application granted
Publication of CN114885332B
Legal status: Active (current)
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/12 Detection or prevention of fraud
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/30 Security of mobile devices; Security of mobile applications
    • H04W 12/37 Managing security policies for mobile devices or for controlling mobile applications

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The disclosure provides a traffic processing method, a traffic processing device, an electronic device and a storage medium. The method is applied to a traffic detection unit and comprises the following steps: obtaining public network service flow data from a target interface and detecting it; when the public network service flow data is detected to be abnormal flow data, acquiring ticket information and flow identification information corresponding to that flow data; and sending the ticket information and the flow identification information to the 5G core network control plane, so that the control plane generates a target offloading policy and issues it to the offloading UPF network element, which then redirects subsequent public network service flow data to the secondary anchor point user plane function (UPF) network element according to that policy. When the public network service flow data is abnormal, the method can therefore issue a new offloading policy to the offloading UPF network element so that it redirects the public network service flow data to a security gateway located in the private network.

Description

Traffic processing method and device, storage medium and electronic equipment
Technical Field
The present disclosure relates to the field of computer technologies, and in particular, to a traffic processing method and apparatus, a storage medium, and an electronic device.
Background
A 5G private network is a private communication network provided, by means of 5G technology, for a specific industry or enterprise user in a specific area. At present the application and scale of 5G private networks keep growing, and they face various security risks introduced by new technologies, new networking and new modes. For example, internal production and operation data, working condition data and the like of the private network may, once leaked, cause production and operational safety problems.
In the related art, data security protection for an intranet located in a private network is usually maintained by each enterprise according to its own individual requirements, and in a scenario where campus services (i.e., private network services) and public network services can be accessed at the same time, the data leakage prevention schemes of different enterprises usually differ, so that overall implementation is complex and costly.
It is to be noted that the information disclosed in the above background section is only for enhancement of understanding of the background of the present disclosure, and thus may include information that does not constitute prior art known to those of ordinary skill in the art.
Disclosure of Invention
The present disclosure is directed to a traffic processing method, a traffic processing apparatus, an electronic device, and a storage medium, which can ensure data security and avoid information leakage by a general and easy-to-implement method.
Additional features and advantages of the disclosure will be set forth in the detailed description which follows, or in part will be obvious from the description, or may be learned by practice of the disclosure.
According to an aspect of the present disclosure, a traffic processing method is provided, which is applied to a traffic detection unit deployed in an operator infrastructure network and includes: obtaining public network service flow data from a target interface and detecting it, where the target interface is the interface between an offloading User Plane Function (UPF) network element and a primary anchor point UPF network element, and the public network service flow data is flow data sent by a private network terminal for a target public network service; when the public network service flow data is detected to be abnormal flow data, acquiring ticket information and flow identification information corresponding to that flow data; and sending the ticket information and the flow identification information to the 5G core network control plane, so that the control plane generates a target offloading policy and issues it to the offloading UPF network element, which then redirects subsequent public network service flow data to a secondary anchor point UPF network element located in the private network according to that policy. The subsequent public network service flow data is flow data for the target public network service that the private network terminal sends after the public network service flow data; the secondary anchor point UPF network element forwards the subsequent public network service flow data to a security gateway located in the private network.
In an embodiment of the present disclosure, the traffic processing method further includes: when the public network service flow data is detected to be abnormal flow data, performing bypass blocking on the public network service flow data.
In an embodiment of the present disclosure, the method further includes detecting that the public network service flow data is abnormal flow data as follows: parsing the public network service flow data to obtain message payload information; and if the message payload information contains service data to be controlled, determining that the public network service flow data corresponding to the message payload information is abnormal flow data.
In one embodiment of the present disclosure, the service data to be controlled is data of a preset type belonging to an enterprise in the private network, and the traffic processing method further includes: inserting a preset feature character string into the service data to be controlled according to a preset rule, by means of a data management component located in the private network. Determining that the flow data is abnormal when the message payload information contains service data to be controlled then means: if the message payload information contains the feature character string, determining that the public network service flow data corresponding to the message payload information is abnormal flow data.
According to another aspect of the present disclosure, there is provided a traffic processing method applied to a 5G core network control plane, including: receiving ticket information and flow identification information sent by a traffic detection unit deployed in an operator infrastructure network, where the ticket information and the flow identification information are obtained by the traffic detection unit when public network service flow data is detected to be abnormal flow data, and the public network service flow data is flow data sent by a private network terminal for a target public network service; generating a target offloading policy according to the ticket information and the flow identification information; and issuing the target offloading policy to an offloading UPF network element so that the offloading UPF network element redirects subsequent public network service flow data to a secondary anchor point UPF network element located in the private network according to that policy. The subsequent public network service flow data is flow data for the target public network service that the private network terminal sends after the public network service flow data; the secondary anchor point UPF network element forwards the subsequent public network service flow data to a security gateway located in the private network.
In one embodiment of the present disclosure, the 5G core network control plane includes an application function (AF) network element, a policy control function (PCF) network element and a session management function (SMF) network element. Receiving the ticket information and the flow identification information sent by the traffic detection unit includes: receiving them through the AF network element. Generating the target offloading policy according to the ticket information and the flow identification information includes: generating an AF request based on the ticket information and the flow identification information through the AF network element and sending the AF request to the PCF network element; creating a PCC rule based on the AF request through the PCF network element and sending the PCC rule to the SMF network element; and generating the target offloading policy based on the PCC rule through the SMF network element. Issuing the target offloading policy to the offloading UPF network element includes: issuing it through the SMF network element.
According to another aspect of the present disclosure, a traffic processing method is provided, which is applied to an offloading UPF network element and includes: receiving a target offloading policy issued by the 5G core network control plane, where the policy is generated by the control plane according to ticket information and flow identification information obtained when a traffic detection unit deployed in an operator infrastructure network detects that public network service flow data is abnormal flow data, and the public network service flow data is flow data sent by a private network terminal for a target public network service; identifying, based on the target offloading policy, subsequent public network service flow data sent by the private network terminal, i.e., flow data for the target public network service sent after the public network service flow data; and redirecting the subsequent public network service flow data to a secondary anchor point UPF network element located in the private network according to the target offloading policy, so that the secondary anchor point UPF network element sends it to a security gateway located in the private network, which in turn performs secondary detection on it.
According to another aspect of the present disclosure, there is provided a traffic processing apparatus applied to a traffic detection unit deployed in an operator infrastructure network, including: a traffic detection module for acquiring public network service flow data from a target interface and detecting it, where the target interface is the interface between an offloading User Plane Function (UPF) network element and a primary anchor point UPF network element, and the public network service flow data is flow data sent by a private network terminal for a target public network service; an information acquisition module for acquiring ticket information and flow identification information corresponding to the public network service flow data when it is detected to be abnormal flow data; and an information sending module for sending the ticket information and the flow identification information to the 5G core network control plane, so that the control plane generates a target offloading policy and issues it to the offloading UPF network element, which then redirects subsequent public network service flow data to a secondary anchor point UPF network element located in the private network according to that policy. The subsequent public network service flow data is flow data for the target public network service that the private network terminal sends after the public network service flow data; the secondary anchor point UPF network element forwards the subsequent public network service flow data to a security gateway located in the private network.
According to another aspect of the present disclosure, there is provided a traffic processing apparatus applied to a 5G core network control plane, including: an information receiving module for receiving ticket information and flow identification information sent by a traffic detection unit deployed in an operator infrastructure network, where the ticket information and the flow identification information are obtained by the traffic detection unit when public network service flow data is detected to be abnormal flow data, and the public network service flow data is flow data sent by a private network terminal for a target public network service; a policy generation module for generating a target offloading policy according to the ticket information and the flow identification information; and a policy issuing module for issuing the target offloading policy to an offloading UPF network element so that the offloading UPF network element redirects subsequent public network service flow data to a secondary anchor point UPF network element located in the private network according to that policy. The subsequent public network service flow data is flow data for the target public network service that the private network terminal sends after the public network service flow data; the secondary anchor point UPF network element forwards the subsequent public network service flow data to a security gateway located in the private network.
According to another aspect of the present disclosure, there is provided a traffic processing apparatus applied to an offloading UPF network element, including: a policy receiving module for receiving a target offloading policy issued by the 5G core network control plane, where the policy is generated by the control plane according to ticket information and flow identification information obtained when a traffic detection unit deployed in an operator infrastructure network detects that public network service flow data is abnormal flow data, and the public network service flow data is flow data sent by a private network terminal for a target public network service; a flow identification module for identifying, based on the target offloading policy, subsequent public network service flow data sent by the private network terminal, i.e., flow data for the target public network service sent after the public network service flow data; and a redirection module for redirecting the subsequent public network service flow data to a secondary anchor point UPF network element located in the private network according to the target offloading policy, so that the secondary anchor point UPF network element sends it to a security gateway located in the private network, which performs secondary detection on it.
According to yet another aspect of the present disclosure, there is provided a computer-readable storage medium having stored thereon a computer program which, when executed by a processor, implements the traffic processing method described above.
According to still another aspect of the present disclosure, there is provided an electronic device including: a processor; and a memory for storing executable instructions of the processor; wherein the processor is configured to perform the above-described traffic processing method via execution of the executable instructions.
The traffic processing method provided by the embodiments of the disclosure can detect in real time, through a traffic detection unit deployed in the operator infrastructure network, whether public network service flow data sent by a private network terminal to the public network is abnormal flow data; after such data is detected, the 5G core network control plane generates and issues a target offloading policy to the offloading UPF network element, so that the offloading UPF network element routes the subsequent public network service flow data sent by the private network terminal to the secondary anchor point UPF network element located in the private network, which in turn forwards it to the security gateway located in the private network for secondary detection. Data security is thereby ensured and information leakage avoided by a universal and easy-to-implement method.
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the disclosure.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the present disclosure and together with the description, serve to explain the principles of the disclosure. It is to be understood that the drawings in the following description are merely exemplary of the disclosure, and that other drawings may be derived from those drawings by one of ordinary skill in the art without the exercise of inventive faculty.
Fig. 1 shows a schematic diagram of an exemplary system architecture to which the traffic processing method of the embodiments of the present disclosure may be applied;
Fig. 2 shows a flow diagram of a traffic handling method of one embodiment of the present disclosure;
Fig. 3 shows a flow chart of a traffic handling method of yet another embodiment of the present disclosure;
Fig. 4 shows an interaction diagram of generating and issuing a target offloading policy in a traffic processing method according to an embodiment of the present disclosure;
Fig. 5 shows a flow chart of a traffic handling method of yet another embodiment of the present disclosure;
Fig. 6 shows an interaction diagram of a traffic handling method according to an embodiment of the present disclosure;
Fig. 7 shows a block diagram of a traffic handling device of one embodiment of the present disclosure;
Fig. 8 shows a block diagram of a traffic handling device of yet another embodiment of the present disclosure;
Fig. 9 shows a block diagram of a traffic handling device of yet another embodiment of the present disclosure; and
Fig. 10 shows a schematic block diagram of a traffic handling communication device in an embodiment of the present disclosure.
Detailed Description
Example embodiments will now be described more fully with reference to the accompanying drawings. Example embodiments may, however, be embodied in many different forms and should not be construed as limited to the examples set forth herein; rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the concept of example embodiments to those skilled in the art. The described features, structures, or characteristics may be combined in any suitable manner in one or more embodiments.
Furthermore, the drawings are merely schematic illustrations of the present disclosure and are not necessarily drawn to scale. The same reference numerals in the drawings denote the same or similar parts, and thus their repetitive description will be omitted. Some of the block diagrams shown in the figures are functional entities and do not necessarily correspond to physically or logically separate entities. These functional entities may be implemented in the form of software, or in one or more hardware modules or integrated circuits, or in different networks and/or processor devices and/or microcontroller devices.
Furthermore, the terms "first" and "second" are used for descriptive purposes only and are not to be construed as indicating or implying relative importance or implicitly indicating the number of technical features indicated. Thus, a feature defined as "first" or "second" may explicitly or implicitly include one or more of that feature. In the description of the present disclosure, "a plurality" means at least two, e.g., two, three, etc., unless explicitly and specifically limited otherwise.
In view of the above technical problems in the related art, embodiments of the present disclosure provide a traffic processing method for solving at least one or all of the above technical problems.
Fig. 1 shows a schematic diagram of an exemplary system architecture to which the traffic processing method of the embodiments of the present disclosure may be applied.
As shown in fig. 1, the system architecture may include a traffic detection unit 101, a private network terminal 102, an offloading User Plane Function (UPF) network element 103, a primary anchor point UPF network element 104, a secondary anchor point UPF network element 105, a 5G core network control plane 106, a security gateway 107, a private network 108, and the internet 109.
In the system architecture shown in fig. 1, the traffic detection unit 101 may be a regulatory compliance system deployed in the operator infrastructure network and covering the whole country, such as a unified DPI (Deep Packet Inspection) system or a mobile malware protection system; its data acquisition function may cover the user-plane and signaling-plane traffic of the entire 5G core network, that is, it may detect all traffic. The 5G core network control plane 106 may be responsible for the transmission and bearing of control-plane messages such as data signaling, and may include at least an Application Function (AF) network element, a Policy Control Function (PCF) network element and a Session Management Function (SMF) network element.
The private network terminal 102 may be a terminal deployed in the private network 108; the private network 108 may be a 5G private network, understood as a private communication network provided, by means of 5G technology, for specific industry or enterprise users in a particular area. A UPF network element bears data traffic on the user plane of the 5G core network and is responsible for functions such as routing and forwarding of user-plane data packets; it may serve as the connection anchor between the 5G network and Multi-Access Edge Computing (MEC), providing a forwarding function for core network data so that the data can flow to an external network. As shown in fig. 1, the offloading UPF network element 103, the primary anchor point UPF network element 104 and the secondary anchor point UPF network element 105 are UPF network elements implementing different functions: the offloading UPF network element 103 may be a UPF network element with UL CL (Uplink Classifier) capability and may offload uplink traffic sent by a terminal; the primary anchor point UPF network element 104 and the secondary anchor point UPF network element 105 may be UPF network elements with PSA (Protocol Data Unit Session Anchor) capability, each having its own corresponding data network egress. The offloading UPF network element 103 and the secondary anchor point UPF network element 105 may be located in the private network.
In some practical applications, a general data network identifier and a private data network identifier that the private network terminal 102 is allowed to access may be pre-configured, with the primary anchor point UPF network element 104 corresponding to the general data network identifier and the secondary anchor point UPF network element 105 corresponding to the private data network identifier, so that the private network terminal 102 can access both the local campus services in the private network 108 and the services of the internet 109. The traffic data sent by the private network terminal 102 can be offloaded by the offloading UPF network element 103 using the private network's default flow filtering policy, so that the public network service flow data in the traffic is forwarded to the corresponding general data network (i.e., to the services of the internet 109) through the primary anchor point UPF network element 104, and the local service flow data (i.e., private network service flow data) is forwarded to the corresponding private data network (i.e., to the local campus services) through the secondary anchor point UPF network element 105. The security gateway 107 may be deployed at the edge of the private network 108 to detect (e.g., perform a content security audit on) the public network service flow data it receives, and may send that data on to the internet 109 after the detection passes.
Based on the system architecture shown in fig. 1, the traffic processing method provided by the embodiment of the present disclosure may include:
the traffic detection unit 101 may obtain the public network service flow data from the target interface and detect the public network service flow data; the target interface is an interface N9 between the shunting UPF network element 103 and the master anchor point UPF network element 104; the public network service flow data is flow data for a target public network service sent by the private network terminal 102.
The traffic detection unit 101 may also be configured to, when detecting that the public network service flow data is abnormal traffic data, obtain ticket information and traffic identification information corresponding to the public network service flow data, and send the ticket information and the traffic identification information to the 5G core network control plane 106. The abnormal traffic data may be understood as data that is not allowed to go out of the campus covered by the private network 108, such as production data, financial data, control maintenance data, operation status data, etc. of enterprises in the campus.
After receiving the ticket information and the traffic identification information, the 5G core network control plane 106 may generate a target offloading policy according to the ticket information and the traffic identification information, and issue the target offloading policy to the offloading UPF network element 103. Specifically, the AF network element may receive the ticket information and the traffic identification information sent by the traffic detection unit, and then generate an AF request based on the ticket information and the traffic identification information and send the AF request to the PCF network element; after receiving the AF request, the PCF network element may create a PCC rule based on the AF request, and send the PCC rule to the SMF network element; and the SMF network element generates a target distribution strategy based on the PCC rule sent by the PCF network element, and the SMF network element sends the target distribution strategy to the distribution UPF network element.
The offloading UPF network element 103 may be configured to redirect subsequent public network traffic flow data to the auxiliary anchor UPF network element 105 according to the received target offloading policy; the subsequent public network service flow data may be flow data for the target public network service, which is sent by the private network terminal 102 after the public network service flow data is sent.
The auxiliary anchor UPF network element 105 may be configured to send subsequent public network traffic stream data sent by the offload UPF network element 103 to the security gateway 107.
The security gateway 107 may be configured to perform secondary detection on the subsequent public network service flow data, and forward the subsequent public network service flow data to the internet 109 if a result of the secondary detection is that the subsequent public network service flow data passes.
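A worked simulation of the detect-and-redirect loop of fig. 1, covering both the feature-string detection of the embodiment above and the AF/PCF/SMF chain: the detection unit scans packets mirrored from N9, the control plane turns a hit into a target offloading policy, the UL CL UPF steers subsequent packets of that flow to the secondary anchor, and the security gateway performs secondary detection. This is an added example, not code from the patent or its assignee; the feature string, address ranges, subscriber identifier and the field names of the ticket, AF request and PCC rule are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed watermark assumed to be inserted by the private network's data
# management component (the patent's "preset characteristic character string").
FEATURE_STRING = b"ENT-CONFIDENTIAL-7f3a"
CAMPUS_NET = ipaddress.ip_network("10.20.0.0/16")  # constructed private-DN range
FlowKey = Tuple[str, int, str, int, str]  # src_ip, src_port, dst_ip, dst_port, proto

@dataclass
class Packet:
    supi: str            # subscriber id carried into the ticket (assumed field)
    pdu_session: int
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    payload: bytes

    def flow_key(self) -> FlowKey:
        return (self.src_ip, self.src_port, self.dst_ip, self.dst_port, self.proto)

@dataclass
class OffloadPolicy:
    """Target offloading policy the SMF installs on the offloading (UL CL) UPF."""
    flow_key: FlowKey
    pdu_session: int
    target: str = "secondary_anchor"

def detect_abnormal(pkt: Packet) -> Optional[dict]:
    """Traffic detection unit: inspect a packet mirrored from N9; if the payload
    carries the feature string, return ticket + flow identification information."""
    if FEATURE_STRING in pkt.payload:
        return {"ticket": {"supi": pkt.supi, "pdu_session": pkt.pdu_session},
                "flow_id": pkt.flow_key()}
    return None

def control_plane_policy(report: dict) -> OffloadPolicy:
    """AF -> PCF -> SMF chain collapsed into one function: the AF request and the
    PCC rule are plain dicts; the SMF step turns the PCC rule into the policy."""
    af_request = {"supi": report["ticket"]["supi"],
                  "pdu_session": report["ticket"]["pdu_session"],
                  "flow": report["flow_id"], "action": "steer_to_private_dn"}
    pcc_rule = {"flow_description": af_request["flow"],
                "traffic_steering": af_request["action"],
                "session": af_request["pdu_session"]}
    return OffloadPolicy(pcc_rule["flow_description"], pcc_rule["session"])

class UlClUpf:
    """Offloading UPF: default filtering policy plus per-flow target policies."""
    def __init__(self) -> None:
        self.policies: Dict[FlowKey, OffloadPolicy] = {}

    def install(self, policy: OffloadPolicy) -> None:
        self.policies[policy.flow_key] = policy

    def route(self, pkt: Packet) -> str:
        if pkt.flow_key() in self.policies:
            return self.policies[pkt.flow_key()].target  # redirected public flow
        if ipaddress.ip_address(pkt.dst_ip) in CAMPUS_NET:
            return "secondary_anchor"                     # local campus service
        return "primary_anchor"                           # default public path

def security_gateway(pkt: Packet) -> str:
    """Secondary detection at the private-network edge."""
    return "blocked" if FEATURE_STRING in pkt.payload else "forwarded_to_internet"

def run_scenario(packets: List[Packet]) -> List[str]:
    """Drive the loop packet by packet; return where each packet ended up."""
    upf = UlClUpf()
    outcome: List[str] = []
    for pkt in packets:
        path = upf.route(pkt)
        if path == "primary_anchor":
            # N9 is mirrored to the detection unit; a hit reaches the control
            # plane, which installs a policy for *subsequent* packets of the flow.
            report = detect_abnormal(pkt)
            if report:
                upf.install(control_plane_policy(report))
                path += ":abnormal_reported"
        elif pkt.flow_key() in upf.policies:
            path += ":" + security_gateway(pkt)
        outcome.append(path)
    return outcome

def _pkt(sport: int, dst: str, dport: int, payload: bytes) -> Packet:
    """Constructed traffic from one private-network terminal (10.20.1.7)."""
    return Packet("imsi-460010000000001", 5, "10.20.1.7", sport, dst, dport, "tcp", payload)

SAMPLE = [
    _pkt(40001, "203.0.113.10", 443, b"POST /upload " + FEATURE_STRING + b" plc=RUN"),
    _pkt(40001, "203.0.113.10", 443, b"chunk2 " + FEATURE_STRING + b" batch=17"),
    _pkt(40001, "203.0.113.10", 443, b"chunk3 harmless trailer"),
    _pkt(40002, "10.20.5.9", 502, b"modbus read"),            # local campus service
    _pkt(40003, "198.51.100.4", 80, b"GET /news"),            # ordinary public flow
]
```

Note that the first watermarked packet still reaches the primary anchor; only the flow's later packets are steered, which is why the patent pairs this with bypass blocking at the detection unit.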
In an exemplary embodiment, the private network terminal 102 may include, but is not limited to, a smart phone, a desktop computer, a tablet computer, a notebook computer, a smart speaker, a digital assistant, an AR (Augmented Reality) device, a VR (Virtual Reality) device, a smart wearable device, and the like, or it may be a personal computer such as a laptop or desktop computer. Optionally, the operating system running on the electronic device may include, but is not limited to, Android, iOS, Linux, Windows, and the like.
In addition, it should be noted that fig. 1 shows only one application environment of the traffic processing method provided by the present disclosure. The number of private network terminals, networks (including private networks and the internet), network elements (including UPF network elements and network elements in the 5G core network control plane 106), traffic detection units, and security gateways in fig. 1 are merely illustrative and may be any number according to actual needs.
In order to make those skilled in the art better understand the technical solution of the present disclosure, the following describes each step of the flow processing method in the exemplary embodiment of the present disclosure in more detail with reference to the drawings and the embodiment.
Fig. 2 shows a flow chart of a traffic handling method according to an embodiment of the present disclosure.
As shown in fig. 2, the traffic processing method provided by the embodiment of the present disclosure may be applied to a traffic detection unit deployed in an operator infrastructure network, and may include the following steps.
Step S201, obtaining public network service flow data from a target interface, and detecting the public network service flow data; the target interface is an interface N9 between a shunting user plane function UPF network element and a main anchor point user plane function UPF network element; the public network service flow data is flow data which is sent by the private network terminal and is used for the target public network service.
Before this step, a general data network identifier and a private data network identifier that the private network terminal is allowed to access may be configured in advance. The general data network identifier may be associated with a public network service, so that the private network terminal can access an internet service (i.e., a public network service); the private data network identifier is an industry data network identifier that may be associated with a local service, so that the private network terminal can access a service inside the private network. Furthermore, a main anchor point UPF network element corresponding to the general data network identifier and an auxiliary anchor point UPF network element corresponding to the private data network identifier may be configured, so that the private network terminal can access both the internet service and the local campus service in the private network.
In some practical applications, the shunting UPF network element may adopt a default flow filtering policy (including a flow classification policy, a forwarding policy, and the like) of the private network to perform flow shunting, determine flow data for accessing an internet service (i.e., a public network service) sent by a private network terminal as public network service flow data, and determine flow data for accessing a local campus service as local service flow data (which may also be referred to as intranet service flow data or private network service flow data); further, the public network traffic flow data may be shunted to the primary anchor UPF network element to forward the public network traffic flow data to the corresponding general data network through the primary anchor UPF network element, and the local traffic flow data may be shunted to the secondary anchor UPF network element to forward the local traffic flow data to the corresponding private data network through the secondary anchor UPF network element.
The traffic detection unit can be a regulatory compliance system deployed in an operator base network and covering the whole country, such as a unified DPI system, a mobile malicious-traffic protection system, and the like. The data acquisition function of the traffic detection unit can cover the user plane and signaling plane traffic of the whole 5G core network, i.e., it can detect all the traffic. In this step, the traffic detection unit may perform data acquisition and detection at the N9 interface between the shunting UPF network element and the main anchor point UPF network element to determine whether traffic data about to be sent to the public network is abnormal traffic data. In some practical applications, the traffic detection unit may be deployed in a bypass manner: for example, the shunting UPF network element may copy the public network traffic data and send the copy to the traffic detection unit for detection, so that forwarding of the traffic itself is not affected.
Step S203, under the condition that the public network service flow data is detected to be abnormal flow data, call ticket information and flow identification information corresponding to the public network service flow data are obtained.
In some embodiments, the method further comprises detecting that the public network traffic flow data is abnormal traffic flow data as follows: analyzing the public network service flow data to obtain message load information; and if the message load information contains service data to be controlled, determining the public network service flow data corresponding to the message load information as abnormal flow data.
In this embodiment, the service data to be controlled may be understood as data that is not allowed to leave the private network; if the service data to be controlled leaks into the public network, an information leakage event may be considered to have occurred. Therefore, if it is determined that the service data to be controlled exists in the message load information, the public network service flow data corresponding to the message load information may be considered abnormal data and corresponding processing (such as interception or termination of transmission) needs to be performed. It may also be assumed that the service data to be controlled may exist in the subsequent public network flow data of the same service, so corresponding processing (such as redirection, secondary detection, termination of transmission, or the like) also needs to be performed on that subsequent data.
In some embodiments, the service data to be managed may be preset type data of an enterprise within a private network. The preset type data may be, for example, production data, maintenance data, enterprise financial data, control maintenance data, operation state data, and the like of an enterprise in the campus, or may be data of a custom type of the enterprise in the campus, and may be set based on personalized requirements of each enterprise in some practical applications.
Further, in some embodiments, the traffic processing method shown in fig. 2 may further include: inserting a preset characteristic character string into the service data to be controlled according to a preset rule, by means of a data management component located in the private network. In that case, "if the message load information contains service data to be controlled, determining the public network service flow data corresponding to the message load information as abnormal flow data" becomes: if the message load information contains the characteristic character string, determining the public network service flow data corresponding to the message load information as abnormal flow data. The preset rule may be a hierarchical classification rule for the enterprise's business data.
In some practical applications, each enterprise in the campus may provide in advance a piece of globally unique characteristic data (such as a secret password) that identifies that enterprise. Meanwhile, the data management component located in the private network may classify the private network's data according to the preset rule and determine the service data to be controlled; the provider of the traffic processing method then generates a message digest (such as an MD5 value) of the globally unique characteristic data, and this digest may be inserted into the service data to be controlled as the characteristic character string. In this process, it must be ensured that the characteristic character string does not affect the normal use of the service data. At the same time, the traffic detection unit and the AF network element in the 5G core network control plane may be configured based on the characteristic character string, so as to associate the characteristic character string with the enterprise information. For example, the characteristic character string may be configured in the traffic detection unit as a detection condition, so that traffic containing the characteristic character string is recognized.
In this way, the characteristic character string can be inserted into the service data to be controlled without affecting the use of that data: when the service data to be controlled is normally sent within the private network and used by other systems, those systems can automatically filter out the characteristic character string, so the use of the service data is not affected; when the service data to be controlled is sent to the public network, the traffic detection unit can recognize that service data to be controlled is being leaked to the public network, so that it can be handled in time and further leakage is prevented.
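The marking and detection scheme just described (message digest of an enterprise-unique secret inserted into controlled data, filtered out by private-network consumers, and treated as a detection condition by the traffic detection unit at N9) can be made concrete as follows. This is an added illustration, not code from the patent or from China Telecom; the `[[MARK:...]]` wrapper, the `CONTROLLED_CLASSES` rule, the enterprise secret and the packet contents are all constructed assumptions, and the packet parsing is a minimal IPv4/TCP payload extraction rather than a full DPI engine.

```python
import hashlib
import re
import socket
import struct
from typing import Optional

# Constructed placeholder standing in for the enterprise's globally unique
# characteristic data; a real deployment would use a value supplied by the enterprise.
ENTERPRISE_SECRET = b"enterprise-unique-secret-placeholder"

def characteristic_string(secret: bytes) -> str:
    """Message digest of the enterprise's secret, used as the characteristic string.
    MD5 is the digest the text gives as an example; here it serves only as a marker."""
    return hashlib.md5(secret).hexdigest()

# Assumed wrapper format so that private-network consumers can filter the marker out mechanically.
MARK_RE = re.compile(r"\[\[MARK:([0-9a-f]{32})\]\]")

# Assumed classification rule: which data classes count as service data to be controlled.
CONTROLLED_CLASSES = {"production", "maintenance", "finance"}

def tag_controlled(data_class: str, payload: str, marker: str) -> str:
    """Data management component (private network side): insert the marker into controlled data only."""
    if data_class in CONTROLLED_CLASSES:
        return f"[[MARK:{marker}]]{payload}"
    return payload

def strip_marker(payload: str) -> str:
    """A consuming system inside the private network removes the marker, so normal use is unaffected."""
    return MARK_RE.sub("", payload)

def build_ipv4_tcp(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Constructed IPv4/TCP packet (checksums left at zero) standing in for a copy taken at N9."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x18, 65535, 0, 0)
    return ip_hdr + tcp_hdr + payload

def tcp_payload(packet: bytes) -> Optional[bytes]:
    """Parse the packet to obtain the message load (TCP payload); None if it is not IPv4/TCP."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != 6 or len(packet) < ihl + 20:
        return None
    data_offset = (packet[ihl + 12] >> 4) * 4
    return packet[ihl + data_offset:]

class TrafficDetectionUnit:
    """Bypass detector at N9: flags a public-network flow as abnormal when its payload carries a
    configured characteristic string, and maps that string back to the enterprise it belongs to."""

    def __init__(self, marker_to_enterprise: dict):
        self.marker_to_enterprise = marker_to_enterprise

    def inspect(self, packet: bytes) -> Optional[dict]:
        payload = tcp_payload(packet)
        if payload is None:
            return None
        match = MARK_RE.search(payload.decode("utf-8", errors="replace"))
        if match is None:
            return None                      # no controlled data seen: normal public-network traffic
        marker = match.group(1)
        return {"abnormal": True,
                "enterprise": self.marker_to_enterprise.get(marker, "unknown"),
                "marker": marker}

if __name__ == "__main__":
    marker = characteristic_string(ENTERPRISE_SECRET)
    tdu = TrafficDetectionUnit({marker: "example-campus-enterprise"})
    record = tag_controlled("production", "line3 output 1200 units", marker)
    leaked = build_ipv4_tcp("10.45.0.7", "203.0.113.10", 40000, 443, record.encode())
    print(tdu.inspect(leaked))      # abnormal: controlled data heading for the public network
    print(strip_marker(record))     # what a private-network consumer sees after filtering
```

The detection condition is an exact match on a fixed-format marker, which is what makes it cheap enough to run in a bypass DPI system over all N9 traffic; the same marker table is what the AF network element uses to associate a hit with the enterprise whose data is leaking.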
In some embodiments, the step S203 of obtaining the ticket information and the traffic identification information corresponding to the public network service flow data may further include:
firstly, acquiring signaling data corresponding to the abnormal traffic data from the interface N4 between the SMF network element and the UPF network element and from the interface N11 between the SMF network element and the AMF (Access and Mobility Management Function) network element. The signaling data may include information such as the protocol type, the mobile station international subscriber identity (MSISDN, i.e., the user's mobile phone number), the International Mobile Subscriber Identity (IMSI), the Mobile Equipment Identity (MEID), the Data Network Name (DNN), the source IP, the destination IP, the source port and the destination port; the signaling data may then be summarized and analyzed to generate the call ticket information. The traffic identification information may be determined from the public network traffic flow data obtained from the interface N9. The call ticket information may be understood as an access log record, and the traffic identification information may include the source and destination IP and the source and destination port in the signaling data, so that the PCC rule can be generated in the subsequent steps.
Step S205, the ticket information and the flow identification information are sent to a 5G core network control plane, so that the 5G core network control plane generates a target distribution strategy and issues the target distribution strategy to a distribution UPF network element, and the distribution UPF network element redirects the subsequent public network service flow data to an auxiliary anchor point user plane function UPF network element located in a private network according to the target distribution strategy; the subsequent public network service flow data is flow data which is sent by the private network terminal after the public network service flow data is sent and is used for the target public network service; and the auxiliary anchor point UPF network element is used for forwarding the subsequent public network service flow data to the security gateway positioned in the private network.
By the method, after determining that the service data to be controlled leaks to the public network, the traffic detection unit can timely acquire necessary information (including call ticket information and traffic identification information) and send the necessary information to the 5G core network control plane, so that the 5G core network control plane generates a new target distribution strategy and sends the new target distribution strategy to the distribution UPF network element, the flow direction of subsequent public network service flow data is changed, the subsequent public network service flow data possibly carrying the service data to be controlled flows to the security gateway located in the private network through the auxiliary anchor point UPF network element, and the subsequent public network service flow data possibly carrying the service data to be controlled is prevented from being continuously leaked to the public network.
In some embodiments, the traffic processing method as shown in fig. 2 may further include: and under the condition that the public network service flow data is detected to be abnormal flow data, performing bypass blocking processing on the public network service flow data.
In this embodiment, while performing redirection processing on the subsequent public network traffic flow data, bypass blocking (blocking may be performed by disconnecting the connection or by redirection) may also be performed on the public network traffic flow data that is about to flow to the public network, so as to reduce the risk of data leakage.
In some practical applications, the bypass blocking process may be: by sending TCP Reset packets (TCP abnormal termination messages), forged TCP Reset packets are sent to both ends of a TCP connection, so that each end interprets the packet as a response from its peer and actively tears down the connection. Alternatively, the bypass blocking process may be: bypass blocking is achieved through HTTP redirection based on the URL of the request; for example, when a user accesses an illegal website, the access address may be redirected to an alarm page by means of HTTP redirection.
Through the embodiment shown in fig. 2, it is possible to detect in real time, through the traffic detection unit deployed in the operator base network, whether the public network service flow data sent by the private network terminal to the public network is abnormal flow data; after detecting that the public network service flow data is abnormal flow data, the 5G core network control plane generates a target distribution policy and issues it to the distribution UPF network element, so that the distribution UPF network element routes the subsequent public network service flow data sent by the private network terminal to the auxiliary anchor point UPF network element located in the private network, and the auxiliary anchor point UPF network element in turn forwards the subsequent public network service flow data to the security gateway located in the private network for secondary detection, thereby ensuring data security in a general and easy-to-implement way and avoiding information leakage.
Fig. 3 shows a flow chart of a traffic handling method according to yet another embodiment of the present disclosure.
As shown in fig. 3, the method provided by the embodiment of the present disclosure may be applied to a 5G core network control plane, and may include the following steps.
Step S301, receiving call ticket information and flow identification information sent by a flow detection unit; the traffic detection unit is deployed in an operator basic network; the call ticket information and the flow identification information are obtained by the flow detection unit under the condition that the public network service flow data is detected to be abnormal flow data; the public network service flow data is flow data which is sent by the private network terminal and is used for the target public network service.
Step S303, generating a target distribution strategy according to the ticket information and the flow identification information.
Step S305, the target distribution strategy is issued to a distribution UPF network element so that the distribution UPF network element redirects the subsequent public network service flow data to an auxiliary anchor point UPF network element positioned in a private network according to the target distribution strategy; the subsequent public network service flow data is flow data which is sent by the private network terminal after the public network service flow data is sent and is used for the target public network service; and the auxiliary anchor point UPF network element is used for forwarding the subsequent public network service flow data to the security gateway positioned in the private network.
In some embodiments, the 5G core network control plane may include: an application function AF network element, a policy control function PCF network element and a session management function SMF network element.
Based on this, step S301 may further include: receiving call ticket information and flow identification information sent by a flow detection unit through an AF network element;
step S303 may further include: generating an AF request based on the ticket information and the flow identification information through the AF network element, and sending the AF request to the PCF network element; creating a PCC rule based on the AF request through the PCF network element, and sending the PCC rule to the SMF network element; and generating a target shunting strategy by the SMF network element based on the PCC rule.
Step S305 may further include: and issuing the target distribution strategy to a distribution UPF network element through the SMF network element.
In the embodiment shown in fig. 3, the AF network element may generate an AF request based on the ticket information and the traffic identification information sent by the traffic detection unit, where the AF request may provide a traffic description, a terminal identifier, traffic routing information, and the like. When the PCF network element receives the AF request, the flow information parameters of the PCC rule may be determined based on the traffic-related information (i.e., the traffic description, terminal identifier, traffic routing information, etc.), and a PCC rule containing that traffic-related information may then be created and provided to the SMF network element.
In this embodiment, the PCC rule may be understood as a parameter set (that is, description information of the service data flow) for one service data flow and a related policy control parameter, so that the service flow data may be detected and classified, and the classified service flow data may be subjected to targeted management and control. In some implementations, the PCC rules may be dynamically created or pre-configured; if the PCC rule is preconfigured in the SMF network element, the PCF only needs to activate the identification information (e.g., ID) of the corresponding PCC rule.
In this embodiment, after receiving the PCC Rule, the SMF network element may generate a specific PDR (Packet Detection Rule) and a specific FAR (Forwarding Action Rule), and generate a target offloading policy according to the PDR and the FAR, and send the target offloading policy to the offloading UPF network element, so that the offloading UPF network element detects, classifies, and forwards the data Packet according to the PDR and the FAR in the target offloading policy (that is, forwards the data Packet to the auxiliary anchor UPF network element). That is, with the traffic processing method in this embodiment, the shunting UPF network element can redirect subsequent public network traffic flow data sent by the private network terminal to the auxiliary anchor UPF network element, and then send the subsequent public network traffic flow data to the security gateway in the private network through the auxiliary anchor UPF network element for secondary detection, thereby avoiding forwarding the subsequent public network traffic flow data that may contain traffic data to be controlled to the main anchor UPF network element, and directly leaking to the public network.
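The chain described in step S203 and in the fig. 3 embodiment (signaling summarised into ticket information, the N9 five-tuple as traffic identification, AF request, PCC rule with flow information, and the SMF's PDR/FAR that the offloading UPF applies) can be traced end to end with the following added example. It is an illustration written for this page, not the patent's or any vendor's implementation: the signaling records, identifiers and UPF labels are constructed placeholders, the field names of the AF request and PCC rule are assumed (simplified), and the flow description grammar is a reduced IPFilterRule-style form chosen for readability.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# --- Step S203 (traffic detection unit): ticket information and traffic identification ---

# Constructed N4/N11 signaling records with placeholder identifiers; field names follow the text.
SIGNALING_RECORDS: List[Dict[str, str]] = [
    {"interface": "N11", "imsi": "PLACEHOLDER-IMSI", "msisdn": "PLACEHOLDER-MSISDN",
     "meid": "PLACEHOLDER-MEID", "dnn": "internet", "protocol": "TCP"},
    {"interface": "N4", "imsi": "PLACEHOLDER-IMSI", "ue_ip": "10.45.0.7"},
]

@dataclass
class Ticket:
    """Call ticket information: an access-log style record summarised from signaling data."""
    imsi: str
    msisdn: str
    meid: str
    dnn: str
    protocol: str
    ue_ip: str

@dataclass(frozen=True)
class FlowId:
    """Traffic identification information: source/destination IP and ports of the abnormal flow."""
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int

def build_ticket(records: List[Dict[str, str]], imsi: str) -> Ticket:
    """Summarise the N4 and N11 records of one subscriber into a ticket (join key assumed to be IMSI)."""
    merged: Dict[str, str] = {}
    for rec in records:
        if rec.get("imsi") == imsi:
            merged.update(rec)
    return Ticket(imsi, merged["msisdn"], merged["meid"], merged["dnn"],
                  merged["protocol"], merged["ue_ip"])

# --- Step S303 (control plane): AF request -> PCC rule -> PDR/FAR ---

def af_request(ticket: Ticket, flow: FlowId) -> dict:
    """AF request: traffic description, terminal identifier and routing target (field names assumed)."""
    desc = (f"permit out {ticket.protocol.lower()} from {flow.src_ip} {flow.src_port} "
            f"to {flow.dst_ip} {flow.dst_port}")
    return {"ueId": ticket.msisdn, "dnn": ticket.dnn,
            "flowDescription": desc, "trafficRoute": "aux-anchor-upf"}

def pcf_pcc_rule(req: dict, rule_id: str = "redirect-to-aux-anchor") -> dict:
    """PCF derives the flow information of a PCC rule from the AF request (structure simplified)."""
    return {"pccRuleId": rule_id,
            "flowInfos": [{"flowDescription": req["flowDescription"]}],
            "trafficRoute": req["trafficRoute"]}

def parse_flow_description(desc: str) -> tuple:
    """Assumed simplified grammar: 'permit out <proto> from <ip> <port> to <ip> <port>'."""
    t = desc.split()
    if len(t) != 9 or t[:2] != ["permit", "out"] or t[3] != "from" or t[6] != "to":
        raise ValueError(f"unsupported flow description: {desc!r}")
    return t[2], t[4], int(t[5]), t[7], int(t[8])

def smf_offloading_policy(rule: dict) -> dict:
    """SMF turns the PCC rule into a PDR (what to match) and a FAR (where to forward)."""
    proto, sip, sport, dip, dport = parse_flow_description(rule["flowInfos"][0]["flowDescription"])
    pdr = {"pdrId": 1, "precedence": 10,        # lower precedence value is matched first
           "pdi": {"proto": proto, "src": sip, "sport": sport, "dst": dip, "dport": dport},
           "farId": 1}
    far = {"farId": 1, "applyAction": "FORWARD", "nextHop": rule["trafficRoute"]}
    return {"pdrs": [pdr], "fars": [far]}

# Default behaviour of the offloading UPF before the target policy arrives: public-network
# traffic goes to the main anchor UPF (label assumed).
DEFAULT_NEXT_HOP = "main-anchor-upf"

def offloading_upf_next_hop(policy: Optional[dict], pkt: dict) -> str:
    """Offloading UPF: classify the packet with the PDRs and apply the matching FAR."""
    if policy is None:
        return DEFAULT_NEXT_HOP
    key = (pkt["proto"], pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
    for pdr in sorted(policy["pdrs"], key=lambda p: p["precedence"]):
        pdi = pdr["pdi"]
        if key == (pdi["proto"], pdi["src"], pdi["sport"], pdi["dst"], pdi["dport"]):
            far = next(f for f in policy["fars"] if f["farId"] == pdr["farId"])
            return far["nextHop"]
    return DEFAULT_NEXT_HOP

def end_to_end(flow: FlowId) -> dict:
    """Whole chain for one abnormal flow; returns the policy installed on the offloading UPF."""
    ticket = build_ticket(SIGNALING_RECORDS, "PLACEHOLDER-IMSI")
    return smf_offloading_policy(pcf_pcc_rule(af_request(ticket, flow)))

if __name__ == "__main__":
    flow = FlowId("10.45.0.7", "203.0.113.10", 40000, 443)
    policy = end_to_end(flow)
    subsequent = {"proto": "tcp", "src": "10.45.0.7", "sport": 40000,
                  "dst": "203.0.113.10", "dport": 443}
    print(offloading_upf_next_hop(policy, subsequent))                      # aux-anchor-upf
    print(offloading_upf_next_hop(policy, dict(subsequent, dst="198.51.100.5")))  # main-anchor-upf
```

The point worth noticing is how narrow the installed PDR is: only the five-tuple of the flow that tripped the detector is redirected, so other public-network traffic from the same terminal keeps its default path to the main anchor UPF until the detector reports another hit. Widening the match (for example to the whole terminal) is a policy choice the AF request would have to express in its traffic description.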
Other aspects of the embodiment of fig. 3 may be found in reference to the description of the other embodiments described above.
Fig. 4 shows an interaction diagram of generating and issuing a target offloading policy in a traffic processing method according to an embodiment of the present disclosure, where fig. 4 includes: a traffic detection unit 401, an AF network element 402, a PCF network element 403, an SMF network element 404, and an offloading UPF network element 405. As shown in fig. 4, the method for generating and issuing the target offloading policy in the traffic processing method provided in the embodiment of the present disclosure may include the following steps.
Step S401, the traffic detection unit 401 sends the ticket information and the traffic identification information to the AF network element 402.
In step S403, the AF network element 402 generates an AF request based on the ticket information and the traffic identification information.
At step S405, AF network element 402 sends an AF request to PCF network element 403.
In step S407, PCF network element 403 generates a PCC rule based on the AF request.
At step S409, PCF network element 403 sends the PCC rule to SMF network element 404.
In step S411, SMF network element 404 generates a target offloading policy according to the PCC rule.
In step S413, the SMF network element 404 issues the target offloading policy to the offloading UPF network element 405.
Other aspects of the embodiment of fig. 4 may be found in the description of the other embodiments described above.
Fig. 5 shows a flow chart of a traffic handling method according to yet another embodiment of the present disclosure.
As shown in fig. 5, the method provided by the embodiment of the present disclosure may be applied to a forking UPF network element, and may include the following steps.
Step S501, receives a target offloading policy issued by the 5G core network control plane.
The target distribution strategy is generated by a 5G core network control plane according to the ticket information and the flow identification information; the call ticket information and the flow identification information are obtained when a flow detection unit deployed in an operator basic network detects that the public network service flow data is abnormal flow data; the public network service flow data is flow data which is sent by the private network terminal and is used for the target public network service.
Step S503, the subsequent public network service flow data sent by the private network terminal is identified based on the target distribution strategy. The subsequent public network service flow data is flow data which is sent by the private network terminal after the public network service flow data is sent and is used for the target public network service;
step S505, the follow-up public network service flow data is redirected to an auxiliary anchor point UPF network element positioned in the private network according to the target distribution strategy, so that the auxiliary anchor point UPF network element transmits the follow-up public network service flow data to a security gateway positioned in the private network, and the security gateway performs secondary detection on the follow-up public network service flow data.
The auxiliary anchor point UPF network element has a local shunting function and can send subsequent public network service flow data sent by the private network terminal to the security gateway according to a preset routing strategy.
In some embodiments, the security gateway may perform secondary detection (e.g., a comprehensive content security audit) on traffic data entering and leaving the network according to the corresponding enterprise-defined rules, recognize the transmission of violating data (e.g., data carrying service data to be managed) in real time, block it when a violation occurs, and trace the problem terminal corresponding to the violating data. Specifically, the audit may perform detailed protocol analysis and content identification, and can accurately identify whether the traffic contains the service data to be controlled through rich custom policies. Because its rules are highly customizable, it is suitable for implementation by the security gateway deployed in the private network in this scheme, and it may also be dedicated equipment deployed inside the enterprises in the private network.
Further, in some embodiments, if the security gateway detects that the subsequent public network traffic flow data passes (for example, it is determined that there is no service data to be managed and controlled in the subsequent public network traffic flow data), the security gateway may forward the subsequent public network traffic flow data to the corresponding public network using its own proxy forwarding function. In still other embodiments, if the subsequent public network traffic flow data fails the security gateway's detection (e.g., it is confirmed that there is service data to be managed and controlled in the subsequent public network traffic flow data), the security gateway may perform preset processing on the subsequent public network traffic flow data, for example blocking it; it may further locate the corresponding problem terminal according to the detailed information obtained, and record the problem terminal in the auditing system for subsequent operations such as forensics. In this way, the security gateway can perform a comprehensive content security audit according to enterprise-defined rules on the traffic entering and leaving the network, recognize illegal data transmission in real-time monitoring, block illegal data transmission while it is in progress, and trace the problem terminal.
Other aspects of the embodiment of fig. 5 may be found in the description of other embodiments described above.
Fig. 6 shows an interaction diagram of a traffic processing method according to an embodiment of the present disclosure, where fig. 6 includes: a traffic detection unit 601, a 5G core network control plane 602, an offloading UPF network element 603, an auxiliary anchor UPF network element 604, and a security gateway 605. As shown in fig. 6, a traffic processing method provided by the embodiment of the present disclosure may include the following steps.
Step S601, when the traffic detection unit 601 detects that the public network service flow data is the abnormal traffic data, the traffic detection unit 601 obtains the ticket information and the traffic identification information corresponding to the public network service flow data.
In step S603, the traffic detection unit 601 sends the ticket information and the traffic identification information to the 5G core network control plane 602.
Step S605, the 5G core network control plane 602 generates a target offloading policy based on the ticket information and the traffic identification information.
In step S607, the 5G core network control plane 602 issues the target offloading policy to the offloading UPF network element 603.
In step S609, the offloading UPF network element 603 redirects the subsequent public network traffic flow data to the auxiliary anchor UPF network element 604 located in the private network according to the target offloading policy.
In step S611, the auxiliary anchor point UPF network element 604 forwards the subsequent public network traffic flow data to the security gateway 605 located in the private network.
In step S613, the security gateway 605 performs secondary detection on the subsequent public network service flow data.
Other aspects of the embodiment of fig. 6 may be found in the description of the other embodiments described above.
The traffic processing method provided by the embodiment of the disclosure can detect in real time, through a traffic detection unit deployed in the operator's large network (i.e., the operator's basic network), whether the public network traffic flow data sent by the private network terminal to the public network is abnormal traffic data (for example, whether service data to be controlled and associated with an enterprise exists in the public network traffic flow data). After detecting that the public network traffic flow data is abnormal traffic data, the traffic processing method is linked with an AF network element, and a target distribution policy is issued to the distribution UPF network element by the PCF network element through the SMF network element, so that the distribution UPF network element routes the subsequent public network traffic flow data sent by the private network terminal to the auxiliary anchor point UPF network element located in the private network, and the auxiliary anchor point UPF network element in turn forwards the subsequent public network traffic flow data to the security gateway located in the private network for secondary detection, thereby ensuring data security in a universal and easy-to-implement way and avoiding information leakage.
It is to be noted that the above-mentioned figures are only schematic illustrations of the processes involved in the method according to an exemplary embodiment of the invention, and are not intended to be limiting. It will be readily understood that the processes shown in the above figures are not intended to indicate or limit the chronological order of these processes; in addition, it is also readily understood that these processes may be performed, for example, synchronously or asynchronously in multiple modules; for example, certain steps of the above-described methods may not be necessary, or certain steps may be newly added, etc., or a combination of any two or any of the various embodiments described above may be possible. Such modifications, variations, or combinations are also within the scope of the embodiments of the present disclosure.
It should also be understood that the foregoing descriptions of the embodiments of the present disclosure have been provided with an emphasis on differences between the various embodiments, and the same or similar components that are not mentioned may be referenced with each other and will not be repeated here for the sake of brevity.
It should also be understood that the sequence numbers of the above-mentioned processes do not mean the execution sequence, and the execution sequence of each process should be determined by its function and inherent logic, and should not constitute any limitation on the implementation process of the embodiment of the present disclosure.
It should also be understood that, in the embodiment of the present disclosure, the "preset" or "predefined" may be implemented by pre-saving a corresponding code, table, or other manner that may be used to indicate the relevant information in the device (for example, including a terminal and a network element device), and the present disclosure is not limited to the specific implementation manner thereof.
It is also to be understood that the terminology and/or the description of the various embodiments are consistent and mutually exclusive, and that the technical features of the various embodiments may be combined to form a new embodiment according to their inherent logical relationships, unless otherwise specified or logically conflicting, in the various embodiments of the present disclosure.
Examples of traffic handling methods provided by the present disclosure are described in detail above. It is understood that, in order to implement the above functions, the traffic detection unit, the 5G core network control plane and the offload UPF network element include hardware structures and/or software modules corresponding to the respective functions. Those of skill in the art will readily appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as hardware or combinations of hardware and computer software. Whether a function is performed as hardware or computer software drives hardware depends upon the particular application and design constraints imposed on the solution. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present disclosure.
Fig. 7 shows a block diagram of a traffic processing apparatus 700 according to an embodiment of the present disclosure, which can be applied to a traffic detection unit deployed in an operator base network; as shown in fig. 7, the apparatus includes:
a traffic detection module 701, configured to obtain public network service flow data from a target interface and detect the public network service flow data; the target interface is an interface between an offload User Plane Function (UPF) network element and a main anchor point UPF network element; the public network service flow data is flow data sent by a private network terminal for a target public network service;
an information obtaining module 702, configured to obtain ticket information and flow identification information corresponding to the public network service flow data when the public network service flow data is detected to be abnormal flow data;
an information sending module 703, configured to send the ticket information and the flow identification information to the 5G core network control plane, so that the 5G core network control plane generates a target offloading policy and issues it to the offload UPF network element, and the offload UPF network element then redirects subsequent public network service flow data to an auxiliary anchor point UPF network element located in the private network according to the target offloading policy; the subsequent public network service flow data is flow data for the target public network service sent by the private network terminal after the public network service flow data is sent; and the auxiliary anchor point UPF network element is used for forwarding the subsequent public network service flow data to the security gateway located in the private network.
Through the above embodiment, a traffic detection unit deployed in the operator base network can detect in real time whether public network service flow data sent by a private network terminal to the public network is abnormal flow data. Once the public network service flow data is detected to be abnormal flow data, a target offloading policy is generated by the 5G core network control plane and issued to the offload UPF network element, so that the offload UPF network element routes subsequent public network service flow data sent by the private network terminal to an auxiliary anchor point UPF network element located in the private network, and the auxiliary anchor point UPF network element forwards that data to a security gateway located in the private network for secondary detection. Data security is thereby ensured, and information leakage avoided, by a general and easy-to-implement method.
Other aspects of the embodiment of fig. 7 may be found in relation to other embodiments described above.
Fig. 8 shows a block diagram of a traffic processing apparatus 800 according to yet another embodiment of the present disclosure, which can be applied to a 5G core network control plane; as shown in fig. 8, the apparatus includes:
an information receiving module 801, configured to receive ticket information and flow identification information sent by a traffic detection unit; the traffic detection unit is deployed in an operator base network; the ticket information and the flow identification information are obtained by the traffic detection unit when public network service flow data is detected to be abnormal flow data; the public network service flow data is flow data sent by a private network terminal for a target public network service;
a policy generation module 802, configured to generate a target offloading policy according to the ticket information and the flow identification information;
a policy issuing module 803, configured to issue the target offloading policy to an offload UPF network element, so that the offload UPF network element redirects subsequent public network service flow data to an auxiliary anchor point UPF network element located in the private network according to the target offloading policy; the subsequent public network service flow data is flow data for the target public network service sent by the private network terminal after the public network service flow data is sent; and the auxiliary anchor point UPF network element is used for forwarding the subsequent public network service flow data to the security gateway located in the private network.
Other aspects of the embodiment of fig. 8 may be found in relation to other embodiments described above.
Fig. 9 shows a block diagram of a traffic processing apparatus 900 according to still another embodiment of the present disclosure, which can be applied to an offload UPF network element; as shown in fig. 9, the apparatus includes:
a policy receiving module 901, configured to receive a target offloading policy issued by a 5G core network control plane; the target offloading policy is generated by the 5G core network control plane according to ticket information and flow identification information; the ticket information and the flow identification information are obtained when a traffic detection unit deployed in an operator base network detects that public network service flow data is abnormal flow data; the public network service flow data is flow data sent by a private network terminal for a target public network service;
a flow identification module 902, configured to identify subsequent public network service flow data sent by the private network terminal based on the target offloading policy; the subsequent public network service flow data is flow data for the target public network service sent by the private network terminal after the public network service flow data is sent;
and a redirection module 903, configured to redirect the subsequent public network service flow data to an auxiliary anchor point UPF network element located in the private network according to the target offloading policy, so that the auxiliary anchor point UPF network element sends the subsequent public network service flow data to a security gateway located in the private network, and the security gateway then performs secondary detection on the subsequent public network service flow data.
Other aspects of the embodiment of fig. 9 may be found in relation to other embodiments described above.
As will be appreciated by one skilled in the art, aspects of the present invention may be embodied as a system, method or program product. Thus, various aspects of the invention may be embodied in the form of: an entirely hardware embodiment, an entirely software embodiment (including firmware, microcode, etc.) or an embodiment combining hardware and software aspects that may all generally be referred to herein as a "circuit," "module," or "system."
Fig. 10 shows a block diagram of a flow processing computer device in an embodiment of the present disclosure. It should be noted that the illustrated electronic device is only an example, and should not bring any limitation to the functions and the scope of the embodiments of the present invention.
An electronic device 1000 according to this embodiment of the invention is described below with reference to fig. 10. The electronic device 1000 shown in fig. 10 is only an example, and should not bring any limitation to the functions and the scope of use of the embodiments of the present invention.
As shown in fig. 10, the electronic device 1000 is embodied in the form of a general purpose computing device. The components of the electronic device 1000 may include, but are not limited to: at least one processing unit 1010, at least one storage unit 1020, and a bus 1030 that couples various system components including the storage unit 1020 and the processing unit 1010.
The storage unit 1020 stores program code that is executable by the processing unit 1010 to cause the processing unit 1010 to perform the steps according to the various exemplary embodiments of the present invention described in the "exemplary methods" section above in this specification. For example, the processing unit 1010 may perform the methods shown in figs. 2, 3 and 5.
The storage unit 1020 may include readable media in the form of volatile memory units, such as a random access memory unit (RAM) 10201 and/or a cache memory unit 10202, and may further include a read-only memory unit (ROM) 10203.
The storage unit 1020 may also include a program/utility 10204 having a set (at least one) of program modules 10205; such program modules 10205 include, but are not limited to: an operating system, one or more application programs, other program modules, and program data, each of which, or some combination thereof, may comprise an implementation of a network environment.
Bus 1030 may be any one or more of several types of bus structures including a memory unit bus or memory unit controller, a peripheral bus, an accelerated graphics port, a processing unit, and a local bus using any of a variety of bus architectures.
The electronic device 1000 may also communicate with one or more external devices 1100 (e.g., keyboard, pointing device, bluetooth device, etc.), with one or more devices that enable a user to interact with the electronic device 1000, and/or with any devices (e.g., router, modem, etc.) that enable the electronic device 1000 to communicate with one or more other computing devices. Such communication may occur through input/output (I/O) interfaces 1050. Also, the electronic device 1000 may communicate with one or more networks (e.g., a Local Area Network (LAN), a Wide Area Network (WAN), and/or a public network such as the internet) via the network adapter 1060. As shown, the network adapter 1060 communicates with the other modules of the electronic device 1000 over the bus 1030. It should be understood that although not shown in the figures, other hardware and/or software modules may be used in conjunction with the electronic device 1000, including but not limited to: microcode, device drivers, redundant processing units, external disk drive arrays, RAID systems, tape drives, and data backup storage systems, among others.
In an exemplary embodiment of the present disclosure, there is also provided a computer-readable storage medium having stored thereon a program product capable of implementing the above-described method of the present specification. In some possible embodiments, aspects of the invention may also be implemented in the form of a program product comprising program code means for causing a terminal device to carry out the steps according to various exemplary embodiments of the invention described in the above section "exemplary methods" of the present description, when said program product is run on the terminal device.
The program product for implementing the above method may employ a portable compact disc read-only memory (CD-ROM), include the program code, and be run on a terminal device such as a personal computer. However, the program product of the present invention is not limited in this regard and, in the present document, a readable storage medium may be any tangible medium that can contain or store a program for use by or in connection with an instruction execution system, apparatus, or device.
The program product may employ any combination of one or more readable media. The readable medium may be a readable signal medium or a readable storage medium. A readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the foregoing. More specific examples (a non-exhaustive list) of the readable storage medium include: an electrical connection having one or more wires, a portable disk, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
A computer readable signal medium may include a propagated data signal with readable program code embodied therein, for example, in baseband or as part of a carrier wave. Such a propagated data signal may take many forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof. A readable signal medium may also be any readable medium that is not a readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device.
Program code embodied on a readable medium may be transmitted using any appropriate medium, including but not limited to wireless, wireline, optical fiber cable, RF, etc., or any suitable combination of the foregoing.
Program code for carrying out operations for aspects of the present invention may be written in any combination of one or more programming languages, including an object oriented programming language such as Java, C++ or the like and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computing device, partly on the user's device, as a stand-alone software package, partly on the user's computing device and partly on a remote computing device, or entirely on the remote computing device or server. In the case of a remote computing device, the remote computing device may be connected to the user computing device through any kind of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or may be connected to an external computing device (e.g., through the internet using an internet service provider).
It should be noted that although in the above detailed description several modules or units of the device for action execution are mentioned, such a division is not mandatory. Indeed, the features and functionality of two or more modules or units described above may be embodied in one module or unit, according to embodiments of the present disclosure. Conversely, the features and functions of one module or unit described above may be further divided so as to be embodied by a plurality of modules or units.
Moreover, although the steps of the methods of the present disclosure are depicted in the drawings in a particular order, this does not require or imply that the steps must be performed in this particular order, or that all of the depicted steps must be performed, to achieve desirable results. Additionally or alternatively, certain steps may be omitted, multiple steps combined into one step execution, and/or one step broken down into multiple step executions, etc.
Through the above description of the embodiments, those skilled in the art will readily understand that the exemplary embodiments described herein may be implemented by software, or by software in combination with necessary hardware. Therefore, the technical solution according to the embodiments of the present disclosure may be embodied in the form of a software product, which may be stored in a non-volatile storage medium (which may be a CD-ROM, a usb disk, a removable hard disk, etc.) or on a network, and includes several instructions to enable a computing device (which may be a personal computer, a server, a mobile terminal, or a network device, etc.) to execute the method according to the embodiments of the present disclosure.
Other embodiments of the disclosure will be apparent to those skilled in the art from consideration of the specification and practice of the disclosure disclosed herein. This application is intended to cover any variations, uses, or adaptations of the disclosure following, in general, the principles of the disclosure and including such departures from the present disclosure as come within known or customary practice within the art to which the disclosure pertains. It is intended that the specification and examples be considered as exemplary only, with a true scope and spirit of the disclosure being indicated by the following claims.

Claims (12)

1. A traffic processing method, applied to a traffic detection unit deployed in an operator base network, comprising the following steps:
obtaining public network service flow data from a target interface, and detecting the public network service flow data; wherein the target interface is an interface between an offload User Plane Function (UPF) network element and a main anchor point UPF network element; and the public network service flow data is flow data sent by a private network terminal for a target public network service;
in the case that the public network service flow data is detected to be abnormal flow data, acquiring ticket information and flow identification information corresponding to the public network service flow data; and
sending the ticket information and the flow identification information to a 5G core network control plane, so that the 5G core network control plane generates a target offloading policy and issues the target offloading policy to the offload UPF network element, and the offload UPF network element redirects subsequent public network service flow data to an auxiliary anchor point UPF network element located in a private network according to the target offloading policy; wherein the subsequent public network service flow data is flow data for the target public network service sent by the private network terminal after the public network service flow data is sent; and the auxiliary anchor point UPF network element is used for forwarding the subsequent public network service flow data to a security gateway located in the private network.
2. The method according to claim 1, further comprising: in the case that the public network service flow data is detected to be abnormal flow data, performing bypass blocking processing on the public network service flow data.
3. The method according to claim 1 or 2, wherein the public network service flow data is detected to be abnormal flow data according to the following method:
parsing the public network service flow data to obtain message payload information; and
if the message payload information contains service data to be controlled, determining the public network service flow data corresponding to the message payload information as the abnormal flow data.
4. The method according to claim 3, wherein the service data to be controlled is data of a preset type belonging to an enterprise in the private network;
the traffic processing method further comprises: inserting a preset feature string into the service data to be controlled according to a preset rule by means of a data management component located in the private network; and
if the message payload information contains service data to be controlled, determining the public network service flow data corresponding to the message payload information as the abnormal flow data comprises: if the feature string exists in the message payload information, determining the public network service flow data corresponding to the message payload information as the abnormal flow data.
5. A traffic processing method, applied to a 5G core network control plane, comprising the following steps:
receiving ticket information and flow identification information sent by a traffic detection unit; wherein the traffic detection unit is deployed in an operator base network; the ticket information and the flow identification information are obtained by the traffic detection unit in the case that public network service flow data is detected to be abnormal flow data; and the public network service flow data is flow data sent by a private network terminal for a target public network service;
generating a target offloading policy according to the ticket information and the flow identification information; and
issuing the target offloading policy to an offload UPF network element, so that the offload UPF network element redirects subsequent public network service flow data to an auxiliary anchor point UPF network element located in a private network according to the target offloading policy; wherein the subsequent public network service flow data is flow data for the target public network service sent by the private network terminal after the public network service flow data is sent; and the auxiliary anchor point UPF network element is used for forwarding the subsequent public network service flow data to a security gateway located in the private network.
6. The method according to claim 5, wherein the 5G core network control plane comprises an application function (AF) network element, a policy control function (PCF) network element and a session management function (SMF) network element;
receiving the ticket information and the flow identification information sent by the traffic detection unit comprises: receiving, by the AF network element, the ticket information and the flow identification information sent by the traffic detection unit;
generating the target offloading policy according to the ticket information and the flow identification information comprises: generating, by the AF network element, an AF request based on the ticket information and the flow identification information, and sending the AF request to the PCF network element; creating, by the PCF network element, a PCC rule based on the AF request, and sending the PCC rule to the SMF network element; and generating, by the SMF network element, the target offloading policy based on the PCC rule; and
issuing the target offloading policy to the offload UPF network element comprises: issuing, by the SMF network element, the target offloading policy to the offload UPF network element.
7. A traffic processing method, applied to an offload UPF network element, comprising the following steps:
receiving a target offloading policy issued by a 5G core network control plane; wherein the target offloading policy is generated by the 5G core network control plane according to ticket information and flow identification information; the ticket information and the flow identification information are obtained when a traffic detection unit deployed in an operator base network detects that public network service flow data is abnormal flow data; and the public network service flow data is flow data sent by a private network terminal for a target public network service;
identifying subsequent public network service flow data sent by the private network terminal based on the target offloading policy; wherein the subsequent public network service flow data is flow data for the target public network service sent by the private network terminal after the public network service flow data is sent; and
redirecting the subsequent public network service flow data to an auxiliary anchor point UPF network element located in a private network according to the target offloading policy, so that the auxiliary anchor point UPF network element sends the subsequent public network service flow data to a security gateway located in the private network, and the security gateway then performs secondary detection on the subsequent public network service flow data.
8. A traffic processing device, applied to a traffic detection unit deployed in an operator base network, comprising:
a traffic detection module, configured to obtain public network service flow data from a target interface and detect the public network service flow data; wherein the target interface is an interface between an offload User Plane Function (UPF) network element and a main anchor point UPF network element; and the public network service flow data is flow data sent by a private network terminal for a target public network service;
an information acquisition module, configured to acquire ticket information and flow identification information corresponding to the public network service flow data in the case that the public network service flow data is detected to be abnormal flow data; and
an information sending module, configured to send the ticket information and the flow identification information to a 5G core network control plane, so that the 5G core network control plane generates a target offloading policy and issues the target offloading policy to the offload UPF network element, and the offload UPF network element redirects subsequent public network service flow data to an auxiliary anchor point UPF network element located in a private network according to the target offloading policy; wherein the subsequent public network service flow data is flow data for the target public network service sent by the private network terminal after the public network service flow data is sent; and the auxiliary anchor point UPF network element is used for forwarding the subsequent public network service flow data to a security gateway located in the private network.
9. A traffic processing device, applied to a 5G core network control plane, comprising:
an information receiving module, configured to receive ticket information and flow identification information sent by a traffic detection unit; wherein the traffic detection unit is deployed in an operator base network; the ticket information and the flow identification information are obtained by the traffic detection unit in the case that public network service flow data is detected to be abnormal flow data; and the public network service flow data is flow data sent by a private network terminal for a target public network service;
a policy generation module, configured to generate a target offloading policy according to the ticket information and the flow identification information; and
a policy issuing module, configured to issue the target offloading policy to an offload UPF network element, so that the offload UPF network element redirects subsequent public network service flow data to an auxiliary anchor point UPF network element located in a private network according to the target offloading policy; wherein the subsequent public network service flow data is flow data for the target public network service sent by the private network terminal after the public network service flow data is sent; and the auxiliary anchor point UPF network element is used for forwarding the subsequent public network service flow data to a security gateway located in the private network.
10. A traffic processing device, applied to an offload UPF network element, comprising:
a policy receiving module, configured to receive a target offloading policy issued by a 5G core network control plane; wherein the target offloading policy is generated by the 5G core network control plane according to ticket information and flow identification information; the ticket information and the flow identification information are obtained when a traffic detection unit deployed in an operator base network detects that public network service flow data is abnormal flow data; and the public network service flow data is flow data sent by a private network terminal for a target public network service;
a flow identification module, configured to identify subsequent public network service flow data sent by the private network terminal based on the target offloading policy; wherein the subsequent public network service flow data is flow data for the target public network service sent by the private network terminal after the public network service flow data is sent; and
a redirection module, configured to redirect the subsequent public network service flow data to an auxiliary anchor point UPF network element located in a private network according to the target offloading policy, so that the auxiliary anchor point UPF network element sends the subsequent public network service flow data to a security gateway located in the private network, and the security gateway performs secondary detection on the subsequent public network service flow data.
11. A computer-readable storage medium, on which a computer program is stored which, when being executed by a processor, carries out a traffic processing method according to any one of claims 1 to 7.
12. An electronic device, comprising:
one or more processors;
storage means for storing one or more programs which, when executed by the one or more processors, cause the one or more processors to implement the traffic processing method according to any one of claims 1 to 7.
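As an added example that is not part of the patent, the following Python simulation walks the method of claims 1 to 7 (and the modules of Figs. 7 to 9) end to end: a detection unit tapping the interface between the offload UPF and the main anchor UPF finds the feature string of claim 4 in a payload, reports ticket and flow identification information to a collapsed AF/PCF/SMF control plane, which installs a target offloading policy on the offload UPF so that subsequent packets of that terminal to that public service are redirected to the auxiliary anchor and on to the security gateway. The feature string, the 5-tuple fields, the terminal id, the class and function names and the addresses are all assumptions chosen for illustration.

```python
"""Simplified simulation of the detect -> policy -> redirect loop of claims 1 to 7.
Added example, not part of the patent. The feature string, the 5-tuple fields used as
flow identification information, the terminal id used as ticket information and the
policy format are all assumptions chosen for illustration."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed watermark that the private-network data management component
# inserts into controlled enterprise data (claim 4).
FEATURE_STRING = b"ENT-CTRL-7f3a"
MAIN_ANCHOR, AUX_ANCHOR = "main-anchor-upf", "auxiliary-anchor-upf"
PUBLIC_NET, SEC_GATEWAY = "public-internet", "security-gateway.private"


@dataclass(frozen=True)
class Packet:
    ue_id: str      # private-network terminal identity (stands in for ticket information)
    src_ip: str
    dst_ip: str     # dst_ip/dst_port identify the target public service
    dst_port: int
    payload: bytes


@dataclass(frozen=True)
class SteeringPolicy:
    """Target offloading policy: later packets of ue_id to this service go to the auxiliary anchor."""
    ue_id: str
    dst_ip: str
    dst_port: int


def tag_controlled_data(data: bytes) -> bytes:
    """Data management component (claim 4): prepend the preset feature string."""
    return FEATURE_STRING + b"|" + data


class OffloadUPF:
    """Offload UPF: applies installed policies, otherwise forwards via the main anchor."""
    def __init__(self) -> None:
        self.policies: List[SteeringPolicy] = []
        self.detector: Optional["TrafficDetectionUnit"] = None

    def install(self, policy: SteeringPolicy) -> None:
        self.policies.append(policy)

    def forward(self, pkt: Packet) -> str:
        key = (pkt.ue_id, pkt.dst_ip, pkt.dst_port)
        if any((p.ue_id, p.dst_ip, p.dst_port) == key for p in self.policies):
            # Redirected to the auxiliary anchor, which hands the flow to the
            # private-network security gateway for secondary detection (claim 7).
            return f"{AUX_ANCHOR} -> {SEC_GATEWAY}"
        if self.detector is not None:
            self.detector.inspect(pkt)   # mirrored copy; the packet itself goes on
        return f"{MAIN_ANCHOR} -> {PUBLIC_NET}"


class ControlPlane:
    """5G core control plane; the AF -> PCF -> SMF chain of claim 6 collapsed into one step."""
    def __init__(self, offload_upf: OffloadUPF) -> None:
        self.offload_upf = offload_upf

    def on_abnormal(self, ticket: Dict, flow_id: Dict) -> SteeringPolicy:
        policy = SteeringPolicy(ticket["ue_id"], flow_id["dst_ip"], flow_id["dst_port"])
        self.offload_upf.install(policy)   # SMF issues the policy to the offload UPF
        return policy


class TrafficDetectionUnit:
    """Taps the interface between the offload UPF and the main anchor UPF (claim 1)."""
    def __init__(self, control_plane: ControlPlane) -> None:
        self.cp = control_plane
        self.blocked: List[Dict] = []

    def inspect(self, pkt: Packet) -> bool:
        # Claims 3 and 4: parse the payload; the feature string marks controlled data.
        if FEATURE_STRING not in pkt.payload:
            return False
        ticket = {"ue_id": pkt.ue_id}
        flow_id = {"src_ip": pkt.src_ip, "dst_ip": pkt.dst_ip, "dst_port": pkt.dst_port}
        self.blocked.append(flow_id)       # claim 2: bypass blocking of the offending flow
        self.cp.on_abnormal(ticket, flow_id)
        return True


def build_system() -> Tuple[OffloadUPF, TrafficDetectionUnit]:
    upf = OffloadUPF()
    detector = TrafficDetectionUnit(ControlPlane(upf))
    upf.detector = detector
    return upf, detector


def run_scenario() -> List[str]:
    """Constructed traffic: one leak of tagged data, then follow-up packets."""
    upf, _ = build_system()
    svc = ("203.0.113.10", 443)   # documentation-range address for the public service
    pkts = [
        Packet("ue-A", "10.1.0.5", *svc, b"GET /index HTTP/1.1"),              # benign
        Packet("ue-A", "10.1.0.5", *svc, tag_controlled_data(b"design.pdf")),  # leak detected here
        Packet("ue-A", "10.1.0.5", *svc, b"POST /upload chunk 2"),             # subsequent flow
        Packet("ue-A", "10.1.0.5", "198.51.100.7", 80, b"GET /news"),          # other service
        Packet("ue-B", "10.1.0.6", *svc, b"GET /index HTTP/1.1"),              # other terminal
    ]
    return [upf.forward(p) for p in pkts]
```

The tagged packet itself still reaches the main anchor because the detection unit only sees a mirrored copy; only the terminal's subsequent packets to the same public service are steered to the auxiliary anchor, while its traffic to other services and other terminals' traffic are unaffected.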

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210479188.7A CN114885332B (en) 2022-05-05 2022-05-05 Flow processing method and device, storage medium and electronic equipment

Publications (2)

Publication Number Publication Date
CN114885332A true CN114885332A (en) 2022-08-09
CN114885332B CN114885332B (en) 2023-08-08

Family

ID=82674570

Country Status (1)

Country Link
CN (1) CN114885332B (en)

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115379505A (en) * 2022-10-26 2022-11-22 中国铁建电气化局集团有限公司 Public and private network converged data distribution method, system, device, equipment and medium
CN115842734A (en) * 2023-01-30 2023-03-24 阿里巴巴(中国)有限公司 Network management method, controller and SDN (software defined network)
CN117440444A (en) * 2023-12-20 2024-01-23 之江实验室 Flow control method and device based on multi-mode network element and electronic equipment
WO2024060472A1 (en) * 2022-09-20 2024-03-28 中国移动通信集团设计院有限公司 Data distributing method, double-domain private network system, device, storage medium, and program product
CN118590934A (en) * 2024-08-05 2024-09-03 天翼物联科技有限公司 Uplink and downlink control method, device, equipment and medium for Internet of things platform data

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20210195408A1 (en) * 2018-09-05 2021-06-24 Huawei Technologies Co., Ltd. Method and Device for Accessing a Network
CN113873453A (en) * 2020-06-29 2021-12-31 华为技术有限公司 Communication method, device and system
CN113873455A (en) * 2021-11-02 2021-12-31 中国电信股份有限公司 Flow statistical method and system, computer readable storage medium
CN113993118A (en) * 2021-10-15 2022-01-28 中国联合网络通信集团有限公司 Data distribution method, device, equipment, functional entity and storage medium
CN114338599A (en) * 2021-12-27 2022-04-12 中国电信股份有限公司 Data processing method, device and equipment

Also Published As

Publication number Publication date
CN114885332B (en) 2023-08-08

Similar Documents

Publication Publication Date Title
CN114885332B (en) Traffic processing method and device, storage medium and electronic equipment
CN109639652B (en) Method and system for accessing internetwork data based on security isolation
US9479450B2 (en) Resolving communication collisions in a heterogeneous network
CN106412024B (en) Page acquisition method and device
CN112187491B (en) Management method, device and equipment of server
TW201505411A (en) Method of interpreting a rule and a rule-interpreting apparatus for rule-based security apparatus
CN113726789B (en) Sensitive data interception method and device
CN110505248B (en) Method and system for positioning intranet NAT flow
JP2022094938A (en) Method for monitoring and controlling data access, computer program, and security system agent equipment
CN117596252A (en) Flow mirroring method and device
US10785147B2 (en) Device and method for controlling route of traffic flow
KR101087291B1 (en) A method for identifying whole terminals using internet and a system thereof
KR101088084B1 (en) Method and system for monitoring and cutting off illegal electronic-commerce transaction
CN112350939B (en) Bypass blocking method, system, device, computer equipment and storage medium
CN108229180B (en) Screenshot data processing method and device and electronic equipment
US11611584B2 (en) Smart bits
KR101160219B1 (en) Tracking system and method of connecting route for the network security
CN111262782B (en) Message processing method, device and equipment
CN109379378B (en) Method, device, server, system and storage medium for sending internet short messages
CN104717316B (en) Client access method and system in a cross-NAT environment
CN115314257B (en) File system authentication method and device, electronic equipment and computer storage medium
CN116112384A (en) Application flow integrated management method and device and electronic equipment
CN113472545B (en) Equipment network access method, device, equipment, storage medium and communication system
CN112839049B (en) Web application firewall protection method and device, storage medium and electronic equipment
CN112565217B (en) Protocol-based confusion communication method, client terminal, server and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant