CN115426654A - Method for constructing network element abnormity detection model facing 5G communication system - Google Patents


Info

Publication number
CN115426654A
Authority
CN
China
Prior art keywords
network element
signaling
type
sequence
sending
Prior art date
Legal status
Pending
Application number
CN202211047856.5A
Other languages
Chinese (zh)
Inventor
孙茜
田霖
路淼顺
万杰
Current Assignee
Institute of Computing Technology of CAS
Original Assignee
Institute of Computing Technology of CAS
Priority date
Filing date
Publication date

Classifications

All within section H (Electricity), class H04 (Electric communication technique): H04W Wireless communication networks and H04L Transmission of digital information, e.g. telegraphic communication.

    • H04W 12/121 Wireless intrusion detection systems [WIDS]; Wireless intrusion prevention systems [WIPS] (under H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity > H04W 12/12 Detection or prevention of fraud)
    • H04W 12/122 Counter-measures against attacks; Protection against rogue devices (under H04W 12/121)
    • H04L 63/1416 Event detection, e.g. attack signature detection (under H04L 63/00 Network architectures or network communication protocols for network security > H04L 63/14 for detecting or protecting against malicious traffic > H04L 63/1408 by monitoring network traffic)
    • H04W 60/00 Affiliation to network, e.g. registration; Terminating affiliation with the network, e.g. de-registration
    • H04W 76/27 Transitions between radio resource control [RRC] states (under H04W 76/00 Connection management > H04W 76/20 Manipulation of established connections)
    • H04L 2463/144 Detection or countermeasures against botnets (under H04L 2463/00 Additional details relating to network architectures or network communication protocols for network security covered by H04L 63/00)

Abstract

The invention provides a method for constructing a network element anomaly detection model for a 5G communication system. For any type of network element in the 5G communication system, the anomaly detection model corresponding to that type is trained as follows: A1, obtain a signaling sequence set for the network element type, comprising a plurality of samples, each sample being a send/receive sequence formed by arranging, in order of occurrence, the types of the signaling that a network element of that type sends and receives according to the 5G communication protocol during normal communication; A2, set the number of hidden states of a hidden Markov model according to the total number of signaling types that a network element of that type can send under the 5G communication protocol, giving an initial hidden Markov model; and A3, iteratively re-estimate the parameters of the initial hidden Markov model on the signaling sequence set until convergence, giving the anomaly detection model for that network element type.

Description

Method for constructing network element abnormity detection model facing 5G communication system
Technical Field
The invention relates to the field of mobile communication, in particular to attack detection in mobile communication, and more particularly to a method for constructing a network element anomaly detection model for a 5G communication system.
Background
With the development of wireless communication technology, devices connected to wireless communication networks now cover areas as varied as smart phones, smart homes, telemedicine and automatic driving. Wireless communication networks, however, face various security threats, such as illegal interception of signaling, illegal forgery of signaling, and distributed denial of service (DDoS) attacks.
To defend against attacks, wireless attack detection and defense mechanisms have become a key point in wireless network technology. A common attack detection system is shown in fig. 1 and mainly comprises an information collection module, an information analysis module, a knowledge base and a controller. The information collection module collects data on the operation of the target system and passes it to the information analysis module for analysis. The knowledge base is a behavior profile base, attack detection rule set or the like, built from the historical normal operating data of the target system, and provides the judgment basis for the information analysis module. The information analysis module compares the collected operating data with the historical normal operating data of the system in order to detect attack behavior; as soon as an attack is detected it sends alarm information to the controller, and the controller generates a control action from the alarm information and sends it to the target system so as to minimize the impact of the attack in time.
The information collection module and the information analysis module are described in detail below. Since the target system, the knowledge base and the controller differ greatly between research scenarios and are not the focus of the technical design of the present invention, their detailed description is omitted here.
The information collected by the information collection module comes mainly from log files, directory files and network service processes in the target system. Log files are checked for abnormal activity in the target system. Directory files are checked because an attacker whose activity has been recorded in the logs will often try to hide it by modifying, replacing or deleting the log files; since the directory file lists the log files, a change to a log file can be discovered through the directory file, so the directory file must be checked for abnormal operations. Both of these sources come from the device hosts in the target system, and in general the log files and directory files of the important devices in the target system are collected. Network service process data comes from the network interaction data of the target system: the packets transmitted and received between network nodes are collected and their features extracted in order to check for abnormal process characteristics.
The information analysis module mainly uses three analysis methods:
1. Pattern-matching analysis. A knowledge base built from the features of known attack behavior is matched against the features of the currently collected data; if the data matches the features of some attack, the target system is judged to be under that attack, otherwise it is regarded as safe. This method is highly accurate, but detection is limited to the attacks already in the knowledge base, and it has no capability against attacks the knowledge base does not know. The second analysis method was proposed to cope with unknown attacks.
2. Behavior-feature analysis. The attacker's intent is inferred by detecting behavioral features of the user equipment; for example, in a password guessing attack the frequency with which the user initiates authentication rises sharply. This method helps to discover abnormal user behavior, but its detection rate for more concealed attacker behavior, such as forged signaling, is not high. The third analysis method was proposed to address this.
3. Probability-statistics analysis. A model of the system's normal behavior is built from the knowledge base, and any behavior whose probability under that model is below a threshold is regarded as an attack. System behavior models include the operation model, the variance model, the Markov model and the time series model. The operation model targets exhaustive attacks such as password guessing: if the number of operations differs greatly from the normal empirical count, an attack is judged to have occurred. The variance model computes the variance of parameters such as the time, frequency and resource consumption of events, and judges that an attack has occurred when the variance exceeds a confidence threshold. The Markov model models events as a state transition process, and judges an attack when a state transition occurs whose transition probability is too small. The time series model predicts the probability of a future event from the historical normal data in the knowledge base, and judges an attack when that probability is too small.
It can be seen that the existing analysis methods of the information analysis module still do not meet practical needs: pattern-matching analysis is easy to implement but has no detection capability for attacks unknown to the knowledge base, and behavior-feature analysis improves the detection of unknown attacks but loses capability when the attack behavior is more concealed. Attack detection for the 5G wireless communication protocol could be carried out with probability-statistics analysis; however, the existing probability-statistics attack detection techniques all require modeling the state transition process of the network element, and the 5G protocol does not clearly specify the real-time state transitions of network elements, which makes it difficult to model that process for attack detection. Moreover, a 5G communication system contains multiple types of network elements (UE, AMF, SMF, RAN and so on); collecting the signaling of all of them for analysis would be more comprehensive, but it is undoubtedly complex and takes a great deal of time to collect and process, so the timeliness of anomaly detection is poor. There is therefore a need to improve the prior art.
Disclosure of Invention
Therefore, an object of the present invention is to overcome the above-mentioned drawbacks of the prior art, and to provide a method for constructing a network element anomaly detection model for a 5G communication system.
The purpose of the invention is realized by the following technical scheme:
According to a first aspect of the present invention, a method for constructing a network element anomaly detection model for a 5G communication system is provided, in which the anomaly detection model corresponding to any type of network element in the 5G communication system is trained as follows: A1, obtain a signaling sequence set for the network element type, comprising a plurality of samples, each sample being a send/receive sequence formed by arranging, in order of occurrence, the types of the signaling that a network element of that type sends and receives according to the 5G communication protocol during normal communication; A2, set the number of hidden states of a hidden Markov model according to the total number of signaling types that a network element of that type can send under the 5G communication protocol, giving an initial hidden Markov model; and A3, iteratively re-estimate the parameters of the initial hidden Markov model on the signaling sequence set until convergence, giving the anomaly detection model for that network element type.
In some embodiments of the present invention, every signaling type that a network element of the type can send or receive under the 5G communication protocol occurs in at least one sample of the signaling sequence set.
In some embodiments of the invention, all samples are set to a predetermined sample length.
In some embodiments of the present invention, step A2 further comprises mapping each type of signaling that a network element of the type can send or receive according to the 5G communication protocol to an observable state of the hidden Markov model.
According to a second aspect of the present invention, a method for detecting the state of a network element in a 5G communication system is provided, in which each type of network element in the 5G communication system has deployed in it the anomaly detection model for that type constructed by the method of the first aspect, and which comprises: acquiring a send/receive sequence to be detected, formed by arranging the types of the signaling sent and received by the current network element in order of occurrence; determining, from the parameters of the anomaly detection model deployed in the current network element, the probability that the send/receive sequence to be detected occurs; and, when that probability is smaller than a preset anomaly discrimination threshold, determining that the current network element is in an abnormal state and/or sending alarm information indicating the abnormal state of the current network element.
In some embodiments of the present invention, the anomaly discrimination threshold for each type of network element is determined from the minimum, over the samples in the signaling sequence set for that type, of the probability that the anomaly detection model for that type assigns to the sample.
According to a third aspect of the present invention, a 5G communication system capable of attack detection is provided, the system comprising multiple types of network elements, each having deployed in it the anomaly detection model for its type constructed by the method of the first aspect, wherein each network element comprises: a sequence acquisition unit, configured to acquire the send/receive sequence to be detected, in which the types of the signaling sent and received by the current network element are arranged in order of occurrence; a probability calculation unit, configured to determine, from the parameters of the anomaly detection model deployed in the current network element, the probability that the send/receive sequence to be detected occurs; and an alarm unit, configured to determine that the current network element is in an abnormal state and/or send alarm information indicating that state when that probability is smaller than a preset anomaly discrimination threshold.
In some embodiments of the invention, the system comprises a UE network element, a RAN network element, an AMF network element, a PCF network element, an SMF network element, an AUSF network element, a UDM network element, a UDR network element, a UPF network element, an NEF network element, an NRF network element, an NSSF network element, a UDSF network element, an AF network element, a 5G-EIR network element and a DN network element, or a combination thereof.
According to a fourth aspect of the present invention, there is provided an electronic apparatus comprising: one or more processors; and a memory, wherein the memory is to store executable instructions; the one or more processors are configured to implement the steps of the methods of the first and/or second aspects via execution of the executable instructions.
Compared with the prior art, the invention has the advantages that:
In order to ensure timely anomaly detection in the 5G communication system, each type of network element is treated as a unit: the send/receive sequences formed by arranging, in order of occurrence, the types of the signaling that a network element of that type sends and receives under the 5G communication protocol during normal communication are collected and used as samples to train a hidden Markov model, giving a network element anomaly detection model. This reduces the complexity of signaling processing while improving the timeliness of anomaly detection. It also solves the problem that, because the existing 5G protocol does not clearly specify the real-time state transitions of a network element, it is difficult to model the state transition process of the network element for attack detection. The invention adopts a simple substitute: the number of hidden states in the hidden Markov model is set according to the total number of signaling types that a network element of that type can send under the 5G communication protocol. Even though the real-time state transitions of the network element are not clearly specified, only that total needs to be determined from the current 5G communication protocol; it is taken as the total number of possible real-time states of the network element and used as the number of hidden states, so that a hidden Markov model for detecting the state of the network element can be configured effectively.
The inventors have also verified the feasibility of the technical scheme experimentally; compared with the prior art it achieves a better detection rate against various active attack means.
Drawings
Embodiments of the invention are further described below with reference to the accompanying drawings, in which:
FIG. 1 is a system diagram of an attack detection system in the prior art;
FIG. 2 is a schematic diagram of a Markov chain;
fig. 3 is a schematic overall implementation flow diagram of detecting the status of each type of network element according to an embodiment of the present invention;
FIG. 4 is a schematic diagram of a hidden Markov model in accordance with an embodiment of the present invention;
fig. 5 is a schematic diagram of a user registration network access protocol flow specified in the 3GPP protocol;
FIG. 6 is a diagram illustrating a hidden Markov model corresponding to a UE network element according to an embodiment of the present invention;
fig. 7 is a schematic flowchart of a method for constructing a network element anomaly detection model for a 5G communication system according to an embodiment of the present invention;
FIG. 8 is a schematic diagram of the principle of illegal interception of radio resource control by a pseudo base station;
fig. 9 is a schematic diagram illustrating a principle that a malicious UE network element illegally forges an RRC establishment request signaling;
FIG. 10 is a schematic diagram of an access network denial of service attack;
FIG. 11 is a graph comparing the detection rates of various attack detections for various prior art schemes and aspects of the present invention;
fig. 12 is a comparison of false detection rates for various attack detections with the inventive arrangements and various prior art arrangements.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention will be further described in detail by embodiments with reference to the accompanying drawings. It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention.
As mentioned in the Background, the real-time state transitions of network elements are not specified in the 5G protocol, which makes it difficult to model a network element's state transition process for attack detection; moreover, a 5G communication system contains multiple types of network elements (UE, AMF, SMF, RAN and so on), and collecting the signaling of all of them for analysis, while more comprehensive, is undoubtedly complex and costs a great deal of time in collecting and processing the data, so the timeliness of anomaly detection suffers. In researching attack detection techniques for the 5G communication protocol, the inventors found that the cause of this drawback is that, because the 5G communication protocol does not specifically specify the real-time state transitions of a network element, existing methods cannot be applied directly to attack detection for the 5G protocol; the reason this has not been considered before may be that little research has yet addressed attack detection for the 5G communication protocol.
In order to ensure timely anomaly detection in the 5G communication system, each type of network element is treated as a unit: the send/receive sequences formed by arranging, in order of occurrence, the types of the signaling that a network element of that type sends and receives under the 5G communication protocol during normal communication are collected and used as samples to train a hidden Markov model, giving a network element anomaly detection model. This reduces the complexity of signaling processing while improving the timeliness of anomaly detection. It also solves the problem that, because the existing 5G protocol does not clearly specify the real-time state transitions of a network element, it is difficult to model the state transition process of the network element for attack detection. The invention adopts a simple substitute: the number of hidden states in the hidden Markov model is set according to the total number of signaling types that a network element of that type can send under the 5G communication protocol. Even though the real-time state transitions of the network element are not clearly specified, only that total needs to be determined from the current 5G communication protocol; it is taken as the total number of possible real-time states of the network element and used to set the number of hidden states, so that a hidden Markov model for detecting the state of the network element can be configured effectively.
The inventors have also verified the feasibility of the technical scheme experimentally; compared with the prior art it achieves a better detection rate against various active attack means.
Before describing embodiments of the present invention in detail, some of the terms used therein will be explained as follows:
A hidden Markov model is a statistical model in directed-graph form: a doubly stochastic process consisting of a Markov chain and a general random process. The hidden states, which cannot be observed, form the Markov chain, whose state transition probability at any time depends only on the state at the previous time. The observable states form the sequence of observations over a period of time, which follows certain observation probabilities; this is the general random process. Hidden Markov models are widely used in recommendation algorithms, speech recognition, image recognition and other fields.
In general, a random process is one in which the value of a variable changes over time in some non-deterministic manner. Writing the value of the random variable $x$ at time $t$ as $x_t$, and taking infinitely many times in the time range $T$, one obtains the family of random variables $\{x_t, t \in T\}$, also called a general random process; that is, a random process is a set of random variables indexed by time.
A Markov chain is a special random process in which only the current value of the variable is relevant to predicting the future, while the past values and the way the variable evolved from the past to the present are irrelevant. A Markov chain (MC) is defined as follows: given a random process $\{x_t, t \in T\}$, if for any time $t \in T$ and any $x_0, x_1, \ldots, x_{t+1} \in S$ the conditional probability satisfies

$$P\{x_{t+1} \mid x_0, x_1, \ldots, x_t\} = P\{x_{t+1} \mid x_t\} \qquad (1)$$

then $\{x_t, t \in T\}$ is called a Markov chain, where $S$ is the state space. Equation (1) states that the state transition probability at any time in a Markov chain depends only on the state at the previous time; this is the Markov property, also called memorylessness. An example Markov chain is shown in FIG. 2, where $S$ is the set of states and $a_{ij} = P(x_{t+1} = s_j \mid x_t = s_i)$ is the transition probability of the chain. The state transition probability matrix $A$ formed by the $a_{ij}$ is

$$A = \begin{pmatrix} a_{11} & a_{12} & \cdots & a_{1N} \\ a_{21} & a_{22} & \cdots & a_{2N} \\ \vdots & \vdots & \ddots & \vdots \\ a_{N1} & a_{N2} & \cdots & a_{NN} \end{pmatrix} \qquad (2)$$

where $N = |S|$ is the number of states, $a_{ij}$ is the probability of being in state $s_j$ at time $t+1$ given state $s_i$ at time $t$, and $a_{ij} \ge 0$, $\sum_j a_{ij} = 1$ for all $s_i, s_j \in S$.
A hidden Markov model is mainly used for the following three tasks (the invention mainly uses the first two):
1. Observation sequence probability: given an established hidden Markov model $\lambda$ and an observation sequence $O = \{o_1, o_2, \ldots, o_T\}$ obtained over an observation period of length $T$, compute the probability $P(O \mid \lambda)$ that $O$ occurs under $\lambda$.
2. Parameter learning: given an observation sequence $O = \{o_1, o_2, \ldots, o_T\}$ obtained over an observation period of length $T$, learn a hidden Markov model $\lambda$ from it, adjusting the parameters of $\lambda$ so that the probability $P(O \mid \lambda)$ of the observation sequence is maximized.
3. Prediction (decoding): given a hidden Markov model $\lambda = (A, B, \Pi)$ and an observation sequence $O = \{o_1, o_2, \ldots, o_T\}$ obtained over an observation period of length $T$, find the hidden state sequence $I = \{i_1, i_2, \ldots, i_T\}$ that is most probable given $O$ and $\lambda$, i.e. the most likely current hidden state of the system.
For ease of understanding, the overall flow of detecting the state of each type of network element with a hidden Markov model is briefly described here with reference to fig. 3; it comprises the following two steps:
K1. Establish a hidden Markov model (HMM) representing the normal state of a given type of network element operating according to the 5G communication protocol, which comprises:
K11. With the 5G communication system operating normally, capture the interactive signaling sequences $O_{norm}$ of that type of network element (corresponding to the signaling sequence set) as training samples.
K12. Based on the captured normal signaling sequences $O_{norm}$, set the number of hidden states of the hidden Markov model according to the total number of signaling types that a network element of that type can send in the 5G communication protocol, train the hidden Markov model, and obtain the normal-state hidden Markov model $\lambda_{norm}$ for that type of network element.
K2. Deploy the hidden Markov model $\lambda_{norm}$ from step K1 in every network element of that type for attack detection, which comprises:
K21. Capture the send/receive sequence $O_{obs}$ of the current network element during the detection time.
K22. Compute the probability of the sequence to be detected under the normal-state hidden Markov model $\lambda_{norm}$ of the current network element, i.e. $P(O_{obs} \mid \lambda_{norm})$.
K23. When $P(O_{obs} \mid \lambda_{norm})$ is smaller than the attack discrimination threshold (the anomaly discrimination threshold), judge the current network element to be in an abnormal state (under attack); otherwise regard it as in a normal state.
In order to explain the technical solution of the present invention in more detail, the following description is made in terms of a hidden markov model structure, training samples, training procedures, and application scenarios.
1. Model structure
Since the 3GPP (3rd Generation Partnership Project) standard does not explicitly specify the real-time status of network elements in the 5G communication protocol, current probability-statistics-based attack detection cannot be applied directly to the 5G communication protocol. A plain Markov chain is sometimes not sufficient to describe the problem fully, because more often than not the current state of the network element is not known; only the behaviour of the network element can be observed. The hidden Markov model is therefore introduced: the possible states of each network element are determined by analysing the 5G communication protocol and mapped to the hidden states of the model, the types of all send and receive signalling involving that network element in the 5G communication protocol are mapped to the observable states, and the hidden Markov model can then be built. Through it, the probabilistic relation between the network element's send-receive signalling behaviour and its states is established, so that the unknown state of the network element is modelled from its behaviour.
According to one embodiment of the invention, the hidden Markov model λ is represented as a five-tuple λ = (N, M, A, B, Π). To establish the hidden Markov model the meaning of each parameter in λ must be clarified; the Markov model is described below with reference to fig. 4:
In the invention, the number N of hidden states in the hidden Markov model is set to the total number of signalling types that a network element of this type may send under the 5G communication protocol; this total equals the sum, over each sub-protocol of the 5G communication protocol that involves this network element type, of the number of signalling types the network element may send. All hidden states form the state space S, i.e. the set of all possible hidden states, $S = \{s_1, s_2, \ldots, s_N\}$;
M represents the number of observable states. In the invention, the number of observable states in the hidden Markov model is set to the total number of send-receive signalling types that a network element of this type may send or receive under the 5G communication protocol; this total equals the sum, over each sub-protocol that involves this network element type, of the number of signalling types the network element may send or receive. All observable states form the set of observable states V, $V = \{v_1, v_2, \ldots, v_M\}$;
A represents the state transition probability matrix of dimension N × N, defined as $A = [a_{ij}]_{N \times N}$ (see equation 2), where element $a_{ij}$ is the probability that the network element moves from hidden state i to hidden state j; since the hidden-state transitions follow a Markov chain, $a_{ij} = P(i_{t+1} = s_j \mid i_t = s_i)$, $i = 1, 2, \ldots, N$, $j = 1, 2, \ldots, N$;
B represents the observed-state generation probability matrix (also called the confusion matrix in some documents) of dimension N × M, defined as $B = [b_j(k)]_{N \times M}$ with $b_j(k) = P(o_t = v_k \mid i_t = s_j)$, $k = 1, 2, \ldots, M$, $j = 1, 2, \ldots, N$, where element $b_j(k)$ is the probability that the network element sends or receives a certain type of signalling under a given hidden state; the observed states correspond to a general stochastic process, and $b_j(k)$ is the observation probability, i.e. the probability that observable state $v_k$ (sending or receiving some type of signalling) occurs given that the network element is in hidden state $s_j$ at time t.
Π represents the 1 × N initial state probability vector (also called the initial probability vector in some documents), defined as $\Pi = [\pi_i]_{1 \times N}$, where the initial probability of each hidden state is $\pi_i = P(i_1 = s_i)$, $i = 1, 2, \ldots, N$; the initial state probability $\pi_i$ is the probability that the network element is in hidden state $s_i$ at the start of detection (the first element $i_1$ of the signalling sequence).
For a certain type of network element, N and M can be set as described above, giving a hidden Markov model with fixed N and M. For fixed N and M the parameters can be written as the triple λ = (A, B, Π), and the final A, B, Π are obtained by training. The hidden Markov model describes a double stochastic process comprising a hidden Markov chain and an observable random sequence. The hidden Markov chain is described by the initial state probability vector Π and the state transition probability matrix A; the observable random sequence is described by the observed-state generation probability matrix B. For an observation of length T, the corresponding hidden-state sequence of length T is written $I = \{i_1, i_2, \ldots, i_T\}$ and the observed-state sequence of length T is written $O = \{o_1, o_2, \ldots, o_T\}$.
The technical scheme of the embodiment can at least realize the following beneficial technical effects: the invention introduces a hidden Markov model, takes each type of network element as an analysis unit, and takes each type of signaling sending type of the network element under a 5G communication protocol as a hidden state, thereby setting the number of hidden nodes of the model according to the total number of the types of signaling sending; and each signaling receiving and sending type which can be collected by the network element of the type is used as an observable state, so that the number of observable states of the model is set according to the total number of the signaling receiving and sending types, and the establishment of a knowledge base model (namely a hidden Markov model) and the information analysis are efficiently carried out on the network element of each type, so that the attack behavior facing the 5G communication system is more accurately and efficiently detected on the network element of each type.
In order to more intuitively show how to construct a corresponding model for one type of network element, a hidden markov model corresponding to a UE network element established for a 5G communication protocol is described below by taking a 5G user registration network access protocol interaction flow specified by 3GPP as an example. The network access protocol flow of user registration (including initial registration, mobility registration update, periodic registration update, and emergency registration) specified in the 3GPP protocol is shown in fig. 5, and the network elements related to the 5G user registration network access protocol interaction flow mainly include: UE, RAN, new AMF (the new AMF is the AMF which is about to be registered by the UE or is being registered), old AMF (the old AMF is the AMF which is originally registered by the UE), PCF, SMF, AUSF and UDM network elements, wherein the interaction flow among the network elements of each type is as follows:
1. The UE sends a Registration Request to the RAN. The request mainly includes parameters such as the registration type, the SUCI or 5G-GUTI user identity information or the Permanent Equipment Identifier (PEI), security parameters, the requested Network Slice Selection Assistance Information (NSSAI), a default configured NSSAI indication, and the Protocol Data Unit (PDU) session state.
2. RAN performs AMF selection (AMF selection). If the 5G-GUTI does not indicate a valid AMF, the RAN may make AMF selection based on the requested NSSAI.
3. The RAN forwards the Registration Request (Registration Request) of the UE to the new AMF. Mainly comprising the parameters in step 1.
4. The new AMF requests the SUPI of the UE and the UE context from the old AMF (Namf_Communication_UEContextTransfer).
5. The old AMF returns the requested SUPI and UE context to the new AMF (Namf_Communication_UEContextTransfer response).
6. If the new AMF did not obtain the SUCI of the UE from the old AMF, the new AMF may send an Identity Request message to the UE to initiate an identity verification procedure (Identity Request).
7. The UE responds to the new AMF with an Identity Response message (Identity Response) including the SUCI.
8. The AMF starts UE authentication by calling AUSF (AUSF selection). The AMF may select an AUSF based on SUPI or SUCI.
9. Once the UE is authenticated, the AUSF provides relevant Security-related information (Authentication/Security) to the AMF. If the AMF provides SUCI to the AUSF, the AUSF returns SUPI to the AMF only after authentication is successful.
10. If the AMF has changed, the new AMF may inform the old AMF that the registration of the UE in the new AMF has been completed (Namf_Communication_RegistrationStatusUpdate).
11. If PEI is not provided by the UE and not retrieved from the old AMF, the new AMF initiates an identity request message to the UE to retrieve PEI. PEI should encrypt the transmission unless the UE performs emergency registration and cannot perform Identity authentication (Identity Request/Response).
12. The new AMF initiates an identity check of the Mobile Equipment (ME) towards the 5G Equipment Identity Register (5G-EIR) (N5g-eir_EquipmentIdentityCheck_Get).
13. The new AMF makes a selection of UDM based on SUPI, which is then followed by UDM to select UDR instance (UDM selection).
14a. The new AMF registers with the UDM, and the UDM records the relationship between the UE and the AMF serving it together with the ID of that AMF. The request mainly includes parameters such as the network element ID, the SUPI of the UE, and the network element type (Nudm_UECM_Registration).
14b. When the new AMF does not hold the subscription data of the UE, it requests them from the UDM, which manages the subscriber (Nudm_SDM_Get). The request mainly includes parameters such as the network element ID of the new AMF, the type of subscription data requested, and the query key (e.g., SUPI). The UDM returns the requested subscription data to the new AMF.
14c. If the subscription data need to be modified or updated, the AMF notifies the UDM side (Nudm_SDM_Subscribe). The UDM also checks whether the AMF that originated the request is entitled to the update. The request mainly includes parameters such as the subscription data type and its key.
14d. The UDM notifies the old AMF to deregister (Nudm_UECM_DeregistrationNotification). The request mainly includes parameters such as the SUPI of the UE, the access type, the PDU session ID, and the AMF deregistration reason.
14e. The old AMF unsubscribes from the subscription data of the UE at the UDM (Nudm_SDM_Unsubscribe). The request mainly includes parameters such as the subscription data type and its key.
15. The new AMF makes PCF selection to initiate PCF communication (PCF selection).
16. If the new AMF informs the UE that the mobility restriction needs to be adjusted, or the PCF needs to update the mobility restriction itself, the PCF should provide the updated mobility restriction to the AMF (AM Policy Association update/Modification).
17. The AMF sends a request to the SMF associated with the PDU session to activate the user plane connection of that PDU session (Nsmf_PDUSession_UpdateSMContext / Nsmf_PDUSession_ReleaseSMContext). If the PDU session status indicates that the session has been released at the UE, the AMF requests the SMF to release any network resources associated with that PDU session.
18. The new AMF sends a UE association message to the Non-3GPP InterWorking Function (N3IWF), Trusted Non-3GPP Gateway Function (TNGF) or Wireline Access Gateway Function (W-AGF) to indicate the connected UE (UE Context Modification Request).
19. N3IWF/TNGF/W-AGF responds to the new AMF (UE Context Modification Response).
19a. After receiving the response message from the N3IWF, W-AGF or TNGF in step 19, the new AMF registers with the UDM (Nudm_UECM_Registration).
19b. When the UDM stores the associated access type (i.e. non-3GPP) together with the serving AMF, the UDM initiates a Nudm_UECM deregistration for the same (i.e. non-3GPP) access towards the old AMF, as shown in step 19a. The old AMF deletes the UE context for non-3GPP access.
19c. The old AMF unsubscribes from the subscription data of the UE at the UDM (Nudm_SDM_Unsubscribe);
21. The new AMF generates a 5G-GUTI from the SUPI and stores the mapping for the next registration or PDU session request. The new AMF sends a Registration Accept message to the UE indicating that the registration request has been accepted (Registration Accept; the UE receives the Registration Accept response).
21b, if the UE requests the UE strategy, the AMF needs to execute UE strategy interaction (UE Policy Association Establishment) with the PCF.
22. The UE transmits a Registration Complete message (Registration Complete) to the AMF to confirm whether a new 5G-GUTI is allocated.
According to the signaling interaction process between network elements described above, determining the set of all possible hidden states and the set of observable states is the focus of this discussion. The 3GPP has made a clear specification on the interaction flow of the 5G communication protocol, where different network elements may initiate different signaling flows in various real-time states, for example, in the above 5G user registration protocol, a UE unregistered state may initiate registration signaling, a UE initialized registration state may initiate authentication signaling, a UE registered state may initiate registration completion signaling, and the like. The protocol does not specify the real-time status in each case of the network element. Therefore, the invention takes each signaling type sent by the network element as a hidden state, and takes each interactive signaling (sending signaling or receiving signaling) which is clearly specified with a time sequence relation and can be collected as an observable state. 
To show the principle of building the model briefly and intuitively, assume that the UE network element is involved only in the 5G user registration protocol. In the registration procedure the UE takes part in the send-receive signalling of step 1 (sending a registration request), step 6 (receiving an identity verification request), step 7 (sending an identity verification response), step 11 (receiving an identity verification request, sending an identity verification response), step 21 (receiving the registration accept response) and step 22 (sending registration complete). The signalling types of step 11 repeat those of steps 6 and 7, so the send-receive signalling types involved are: sending a registration request, receiving an identity verification request, sending an identity verification response, receiving the registration accept response, and sending registration complete, i.e. 5 send-receive signalling types, and the model is correspondingly configured with 5 observable states. The sending signalling types are: sending a registration request, sending an identity verification response, and sending registration complete, i.e. 3 sending signalling types, and the model is correspondingly configured with 3 hidden states. Sending the registration request signalling corresponds to the unregistered state of the UE network element, sending the identity verification response signalling corresponds to its registration-initialised state, and sending the registration complete signalling corresponds to its registered state; the type of signalling a network element sends therefore describes the state of the network element well.
Correspondingly, according to the above-mentioned 5G user registration protocol flow, the hidden markov model corresponding to the modeled UE network element is shown in fig. 6 (it should be understood that, here, for the sake of simplicity, it is assumed that the UE network element only relates to a model constructed by one protocol of the 5G user registration protocol, and actually, there are many protocols related to the UE network element in the 5G communication protocol, and the model is more complex).
2. Training sample
To establish a network element anomaly detection model, besides configuring the number of hidden states and the number of observable states of the hidden Markov model, a number of samples O for estimating the model parameters must be prepared, forming a signalling sequence set $\mathbf{O}$. Assuming there are J samples, $\mathbf{O} = \{O_1, O_2, \ldots, O_J\}$; assuming each sample has length T, any sample in the set is $O = \{o_1, o_2, \ldots, o_T\}$. A 5G communication system contains multiple types of network elements, including the UE (User Equipment), RAN (Radio Access Network), AMF (Access and Mobility Management Function), PCF (Policy Control Function), SMF (Session Management Function), AUSF (Authentication Server Function), UDM (Unified Data Management), UDR (Unified Data Repository), UPF (User Plane Function), NEF (Network Exposure Function), NRF (Network Repository Function), NSSF (Network Slice Selection Function), UDSF (Unstructured Data Storage Function), AF (Application Function), 5G-EIR (5G Equipment Identity Register) and DN (Data Network) network elements. To improve the timeliness of anomaly detection in the 5G communication system while reducing the complexity of signalling processing, a separate signalling sequence set is collected for each type of network element.
According to an embodiment of the present invention, each sample in the signalling sequence set is a sequence of the signalling types sent and received by this type of network element, arranged in order of occurrence, during normal communication according to the 5G communication protocol. To ensure the accuracy of the constructed model, attention should be paid to the diversity and comprehensiveness of the samples when collecting them; according to one embodiment of the present invention, every signalling type that this type of network element may send or receive under the 5G communication protocol appears in one or more samples of the signalling sequence set. Since the 5G communication protocol is continuously refined and revised, the invention does not limit the specific protocols it contains, and the implementer can construct samples according to the 5G communication protocol adopted in the specific scenario.
When collecting samples, the interaction of each network element during normal communication can be simulated in a simulated 5G communication system, the send-receive signalling data of each type of network element captured with a packet-capture tool, and the captured data cut according to a preset sample length into send-receive signalling sequences in which the signalling types are arranged in order of occurrence. The predetermined sample length, i.e. the length of the send-receive signalling sequence fed into the hidden Markov model, can be set and adjusted according to implementation requirements or experience, for example to the maximum length of a single protocol flow among all sub-protocols of the 5G communication protocol. Setting the sample length to this maximum lets the invention capture the statistical features of the sequence while using computing resources reasonably and preserving prediction accuracy. If computing resources are sufficient, the sample length may also be set to a multiple (2, 3, etc.) of that maximum. The sample length may also be set to a specific value such as 100, 1000 or 5000; the invention places no limit on this.
Since the process of acquiring the signaling sequence set corresponding to each type of network element is similar, for the sake of brief description, the following describes the acquisition process of the signaling sequence set corresponding to the UE network element as an example. This process requires the collection of signaling and receiving sequences that may be involved in all sub-protocols in the 5G communication protocol corresponding to the UE network element. Taking a UE network element, i.e. a user network element as an example, the involved sub-protocols include user registration and network entry, user de-registration, network de-registration, user service request, network service request, mobility-triggered user configuration update, policy change-triggered user configuration update, and the like. Since a network element may perform multiple behaviors in a time period, the transceiving signaling sequence collected may include signaling types corresponding to multiple subprotocols, but for simplicity of explanation, the case of capturing the signaling type corresponding to one subprotocol is described here as an example, for example, in the UE network element registration process, the signaling sequence of capturing the UE network element is { send registration request signaling-receive authentication request signaling-send authentication response signaling-receive response signaling of registration acceptance-send registration completion signaling }, and in the de-registration process, the signaling sequence of capturing the UE network element is { send de-registration request signaling-receive de-registration acceptance signaling-send connection release signaling }.
3. Training process
For each type of network element, based on the definitions of the hidden and observable states in part 1, the signalling sequence set $\mathbf{O} = \{O_1, O_2, \ldots, O_J\}$ for training is formed from the multiple normal-interaction send-receive signalling sequences obtained in part 2, and the values of all parameters of the hidden Markov model λ = (A, B, Π) are learned, thereby completing the establishment of the hidden Markov model of the normal communication state, which serves as the anomaly detection model of this type of network element.
According to an embodiment of the present invention, referring to fig. 7, a method for constructing a network element anomaly detection model for a 5G communication system is provided, which trains the anomaly detection model of any type of network element in the 5G communication system by the following steps:
A1, obtaining the signalling sequence set of this type of network element, which comprises a plurality of samples, each being a send-receive signalling sequence formed by the signalling types sent and received by this type of network element according to the 5G communication protocol during normal communication, arranged in order of occurrence;
A2, configuring the number of hidden states of a hidden Markov model as the total number of signalling types this type of network element may send under the 5G communication protocol, to obtain an initial hidden Markov model;
A3, iteratively estimating the parameters of the initial hidden Markov model with the signalling sequence set until convergence, to obtain the anomaly detection model of this type of network element.
Preferably, the parameters of the initial hidden Markov model are iteratively estimated with the Baum-Welch algorithm using the signalling sequence set of this type of network element until convergence, giving the anomaly detection model of this type of network element. The essence of the Baum-Welch algorithm is the Expectation Maximization (EM) algorithm, i.e. maximum likelihood estimation of the parameters of a probability model containing hidden variables. How to apply the Baum-Welch algorithm to iteratively estimate the hidden Markov model parameters until convergence is known to those skilled in the art and is not described here.
4. Application scenarios
The anomaly detection models constructed for each type of network element according to the foregoing embodiments are deployed to the network elements of the respective type, enabling attack detection (anomaly detection). Security attacks against 5G communication protocols can be divided mainly into passive attacks and active attacks. A passive attack obtains core information of the attacked party by intercepting and breaking signalling that carries its sensitive or confidential information in the 5G communication system, using techniques such as illegal eavesdropping. An attacker using a passive attack generally prefers to remain latent in the system for a long time, so the attack does not cause serious damage to the 5G communication system and does not tamper with the data transmitted in it. An active attack maliciously tampers with or forges the signalling stream exchanged by the attacked party, using techniques such as illegal tampering, message forgery and denial of service, and may even attempt to damage the attacked party's communication equipment. The effect of an active attack is rapid and conspicuous, and can directly affect the normal operation of the system or even paralyse services on a large scale. Passive attacks are generally hard to detect, so security defences against them usually encrypt and decrypt the exchanged data with advanced cryptographic techniques to guarantee confidentiality. Security research on passive attacks therefore focuses on prevention, not attack detection.
Unlike passive attacks, the effects of active attacks are easy to detect, but no technology currently exists for effective early prevention. Security research on active attacks therefore focuses more on attack detection: only rapid attack discovery and detection, combined with automatic fault recovery measures and tracing of the attack source, can effectively counter active attack behaviour in the 5G communication protocol. The invention aims to detect active attacks that may exist in a 5G communication system: when an attacker launches an active attack, the signalling flow (send-receive signalling sequence under test) of each network element of the 5G communication system is examined, and the probability of that signalling flow under the normal-operation model of the 5G communication protocol (the constructed anomaly detection model) is calculated. If the probability of the signalling flow is smaller than a certain threshold, the signalling sequence is more likely to have been generated under abnormal conditions, i.e. an attack is considered to have occurred.
In the invention, after the corresponding anomaly detection model is deployed in each type of network element, the state of each network element can be detected as follows: obtain the send-receive signalling sequence under test, formed by the signalling types sent and received by the current network element arranged in order of occurrence; determine the probability of that sequence from the parameters of the anomaly detection model deployed in the current network element; and when the probability of the sequence under test is smaller than a preset anomaly discrimination threshold, determine that the current network element is in an abnormal state and/or send an alarm about the abnormal state of the current network element. Preferably, the anomaly discrimination threshold of each type of network element is determined from the minimum, over all samples of that type's signalling sequence set, of the probability that the anomaly detection model of that type assigns to the sample. For example, with 3 samples, the threshold is the smallest of the three probabilities the anomaly detection model computes for them, say that of sample 2; alternatively, the final anomaly discrimination threshold can be obtained by subtracting a correction value from this minimum or multiplying it by a correction coefficient.
Based on the above scheme of the present invention, a 5G communication system capable of attack detection can be implemented. The system comprises multiple types of network elements, each deployed with the anomaly detection model of its type constructed by the method for constructing a 5G-communication-system-oriented network element anomaly detection model, and each network element comprises: a sequence acquisition unit, which acquires the send-receive signalling sequence under test, in which the signalling types sent and received by the current network element are arranged in order of occurrence; a probability calculation unit, which determines the probability of that sequence from the parameters of the anomaly detection model deployed in the current network element; and an alarm unit, which determines that the current network element is in an abnormal state and/or sends an alarm about it when the probability of the sequence under test is smaller than the preset anomaly discrimination threshold. According to one embodiment of the invention, the system comprises a UE network element, a RAN network element, an AMF network element, a PCF network element, an SMF network element, an AUSF network element, a UDM network element, a UDR network element, a UPF network element, a NEF network element, an NRF network element, an NSSF network element, a UDSF network element, an AF network element, a 5G-EIR network element and a DN network element, or a combination thereof. It should be understood that as 5G technology evolves, some types of network elements may be adjusted or added.
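As an added example, not code from the patent, the following Python ties together the four parts above for the UE example: the model structure of part 1 (N = 3 hidden states from the UE's sending signalling types, M = 5 observable states from its send-receive signalling types), the fixed-length sample windows of part 2, the Baum-Welch training of part 3, and the minimum-sample-probability threshold and the K23 comparison of this part. Everything concrete is an assumption made here: the observable and hidden vocabularies, the window length T = 5, the constructed normal registration traffic, and in particular the structured initial parameters (the patent does not say how the initial model is set; starting from protocol-derived zeros means transitions the protocol never performs keep probability zero after training).

```python
"""Added example, not code from the patent: a miniature of its pipeline for the
UE network element of the 5G registration flow. Hidden states = the UE's sending
signalling types (N = 3), observable states = its send/receive signalling types
(M = 5); lambda = (A, B, pi) is learned with Baum-Welch from constructed normal
windows of length T; the threshold is min P(O|lambda) over the samples."""
import math

OBS = ["send_registration_request", "recv_identity_request",        # v0, v1
       "send_identity_response", "recv_registration_accept",        # v2, v3
       "send_registration_complete"]                                 # v4
HIDDEN = ["send_registration_request", "send_identity_response",    # s0, s1
          "send_registration_complete"]                             # s2
N, M, T = len(HIDDEN), len(OBS), 5   # T = longest single flow in the constructed traffic

# Assumed structural initialisation (the patent does not say how to initialise):
# hidden state s_i is read as "the UE's next signalling to send is HIDDEN[i]", so
# s0 emits v0, s1 emits v1/v2, s2 emits v3/v4.  Transitions the protocol never
# makes start at 0 and stay exactly 0 under Baum-Welch (EM preserves zeros).
INIT_A = [[0.0, 0.5, 0.5],   # s0 -> s1 (identity round) or s2 (accept directly)
          [0.0, 0.5, 0.5],   # s1 -> s1 (another identity round) or s2
          [0.5, 0.0, 0.5]]   # s2 -> s2 (accept, then complete) or s0 (next registration)
INIT_B = [[1.0, 0, 0, 0, 0], [0, 0.5, 0.5, 0, 0], [0, 0, 0, 0.5, 0.5]]
INIT_PI = [1 / 3] * N

def forward(A, B, pi, obs):
    """Forward algorithm: alpha[t][j] = P(o_1..o_t, i_t = s_j); returns (alpha, P(O|lambda))."""
    alpha = [[pi[i] * B[i][obs[0]] for i in range(N)]]
    for t in range(1, len(obs)):
        alpha.append([B[j][obs[t]] * sum(alpha[t - 1][i] * A[i][j] for i in range(N))
                      for j in range(N)])
    return alpha, sum(alpha[-1])

def backward(A, B, obs):
    """beta[t][i] = P(o_{t+1}..o_T | i_t = s_i)."""
    beta = [[1.0] * N for _ in obs]
    for t in range(len(obs) - 2, -1, -1):
        beta[t] = [sum(A[i][j] * B[j][obs[t + 1]] * beta[t + 1][j] for j in range(N))
                   for i in range(N)]
    return beta

def baum_welch(seqs, A, B, pi, iters=30):
    """Multi-sequence Baum-Welch (EM) re-estimation of lambda = (A, B, pi)."""
    for _ in range(iters):
        pi_acc = [0.0] * N
        A_num, A_den = [[0.0] * N for _ in range(N)], [0.0] * N
        B_num, B_den = [[0.0] * M for _ in range(N)], [0.0] * N
        for obs in seqs:                       # E-step: posteriors gamma and xi
            alpha, p = forward(A, B, pi, obs)
            beta = backward(A, B, obs)
            gamma = [[alpha[t][i] * beta[t][i] / p for i in range(N)] for t in range(len(obs))]
            for i in range(N):
                pi_acc[i] += gamma[0][i]
                for t, o in enumerate(obs):
                    B_num[i][o] += gamma[t][i]
                    B_den[i] += gamma[t][i]
                for t in range(len(obs) - 1):
                    A_den[i] += gamma[t][i]
                    for j in range(N):         # xi_t(i, j)
                        A_num[i][j] += alpha[t][i] * A[i][j] * B[j][obs[t + 1]] * beta[t + 1][j] / p
        pi = [x / len(seqs) for x in pi_acc]   # M-step
        A = [[A_num[i][j] / A_den[i] for j in range(N)] for i in range(N)]
        B = [[B_num[i][k] / B_den[i] for k in range(M)] for i in range(N)]
    return A, B, pi

def log_likelihood(model, seqs):
    A, B, pi = model
    return sum(math.log(forward(A, B, pi, s)[1]) for s in seqs)

# Constructed normal UE traffic (part 2): registration with one identity round,
# with none, and with the repeated round of step 11, concatenated in two orders
# and cut into non-overlapping windows of length T.
FLOWS = {"one_id": [0, 1, 2, 3, 4], "no_id": [0, 3, 4], "two_id": [0, 1, 2, 1, 2, 3, 4]}

def make_samples():
    samples = []
    for order in (("one_id", "no_id", "two_id"), ("two_id", "one_id", "no_id")):
        trace = [o for name in order for o in FLOWS[name]]
        samples += [trace[i:i + T] for i in range(0, len(trace) - T + 1, T)]
    return samples

def train(samples):
    """Part 3 + threshold: returns (lambda_norm, min_j P(O_j | lambda_norm))."""
    A, B, pi = baum_welch(samples, INIT_A, INIT_B, INIT_PI)
    return (A, B, pi), min(forward(A, B, pi, s)[1] for s in samples)

def is_abnormal(model, threshold, obs):
    """Step K23: the window is abnormal when P(O_obs | lambda_norm) < threshold."""
    A, B, pi = model
    return forward(A, B, pi, obs)[1] < threshold

if __name__ == "__main__":
    model, thr = train(make_samples())
    for name, win in [("normal registration", [0, 1, 2, 3, 4]),
                      ("registration-request flood, no reply", [0, 0, 0, 0, 0])]:
        print(f"{name}: abnormal={is_abnormal(model, thr, win)}")
```

Two design points worth noting. First, the threshold is only comparable across windows of the same length T, which is why the samples are cut to a fixed length as part 2 describes: a shorter sequence always has a larger probability, so variable-length windows would make the minimum meaningless. Second, with only three hidden states one state must emit both "receive registration accept" and "send registration complete", so the model cannot tell those two apart in order; an anomaly that only swaps them gets a non-zero, possibly above-threshold probability, whereas a window that requires a transition the protocol never makes (the repeated registration request above) gets probability exactly 0 and is always flagged.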
In the following, three active attack means that can currently be carried out against a UE network element in a 5G communication system are taken as examples to describe how each attack on the UE network element is carried out, the effect it produces in the 5G mobile communication system, and the principle by which the present invention detects the resulting anomaly.
Active attack means 1: illegal interception of signaling (sent but not received). Illegal interception of signaling means that signaling sent by the sender network element node is intercepted, so that the receiver network element node never receives it. The information held by the network element nodes then becomes inconsistent, and the 5G mobile communication system cannot provide network service normally. Schematically, illegal interception of Radio Resource Control (RRC) release signaling by a pseudo base station is shown in Fig. 8. If a malicious RAN (pseudo base station) sits between the UE network element and the legal base station, the pseudo base station first obtains every signaling the UE network element sends to the legal base station and then decides for itself whether to forward it to the legal base station. Likewise, signaling sent by the legal base station to the UE network element is also intercepted by the pseudo base station. Most of the time the pseudo base station transparently relays signaling between the UE network element and the legal base station. At the critical moment, however, it discards the RRC release signaling sent by the legal base station to the UE network element, so the UE network element never receives it and does not perform the corresponding state transition. The UE network element therefore believes that no RRC connection has been released and remains in RRC connected mode (i.e. from the perspective of the victim UE network element, which is active, the RRC connection is not released), while the network side (base station, RAN) believes that the RRC connection with the UE network element has been released and the UE network element is in IDLE mode (i.e. from the perspective of the RAN network element, the victim UE is IDLE). Consequently, when the network side later pages the UE network element, since paging of a UE network element in idle mode differs from paging in RRC connected mode, the victim UE network element will not accept the paging from the network side and is left in a state in which it cannot be paged. When an attacker launches the attack of illegally intercepting RRC release signaling with a pseudo base station, the transceived signaling sequence acquired on the victim UE network element is set as
Figure BDA0003822815380000191
Because the pseudo base station intercepts the RRC release signaling sent by the legal base station to the UE network element, in the set O_inter acquired during the observation period of the UE network element, the element
Figure BDA0003822815380000192
will hardly be collected. At the same time, the interception leaves the UE network element unable to be paged, so the element
Figure BDA0003822815380000193
cannot be collected either. Such a situation hardly occurs in normal communication, so when the transceived signaling sequence collected on the UE network element is used as the signaling sequence to be detected and input into the corresponding anomaly detection model, a small occurrence probability is obtained and the attack can be detected.
Active attack means 2: illegal forged signaling (not sent but received). Illegal forging of signaling means that the signaling itself, purportedly sent by the sender network element node, is forged; after receiving the forged signaling, the receiver network element node performs the operation the forged signaling requires, so the receiver network element node acts wrongly and the 5G mobile communication system manages and operates abnormally for its users. Fig. 9 shows the principle by which a malicious UE network element (fake terminal, attacker) illegally forges RRC establishment request signaling. Since the attacker can easily obtain the temporary identity of the UE transmitted over the air interface and can create a new UE that imitates the victim UE network element (victim), the attacker initiates an RRC connection establishment request to the base station using the victim's temporary identity. The base station then implicitly releases the victim UE network element's connection and connects to the malicious UE network element instead, and the RRC security context of the victim UE network element may be deleted, disconnecting the victim UE network element from the network. Therefore, when an attacker launches the attack of illegally forging RRC establishment request signaling from a terminal, the transceived signaling sequence collected on the victim UE is set as
Figure BDA0003822815380000194
Figure BDA0003822815380000201
After receiving the RRC connection request signaling sent by the attacker, the base station (RAN) sends RRC connection release signaling to the victim UE network element. The victim UE network element may try to re-establish the RRC connection, but after a short time receives RRC connection release signaling again. That is, the signaling sequence on the victim UE network element may then be
Figure BDA0003822815380000202
Figure BDA0003822815380000203
where τ and σ denote time intervals,
Figure BDA0003822815380000204
Figure BDA0003822815380000205
v_{receive RRC release} denotes the signaling type corresponding to the RRC connection release signaling, and v_{send RRC re-establishment} denotes the signaling type corresponding to the RRC connection request signaling. When a transceived signaling sequence consisting of a large number of RRC connection release and RRC connection request signalings within a short time is input into the corresponding anomaly detection model as the sequence to be detected, a small occurrence probability is obtained, and the attack can be detected.
Active attack means 3: denial of service attack (sending at an abnormal frequency). A denial of service attack means that a large number of sender network element nodes are compromised by an attacker and become the attacker's zombie machines, which then send a large volume of signaling to the attacked receiver network element node at the same time. The receiver network element node is overloaded, the processing performance of the attacked equipment node in the 5G mobile communication system degrades or the node is even paralyzed, and normal users are prevented from using the network service of that node. Schematically, the principle of an access network denial of service attack is shown in Fig. 10. Because 5G mobile communication must support massive Internet of Things scenarios, a great number of terminal sensor devices that must be low-cost and low-power, and therefore lack security protection, are introduced into the 5G network. This undoubtedly provides attackers with more points of entry, and these devices become the attacker's zombies. By controlling a large-scale botnet to send a large amount of access request signaling to the base station at the same time, the attacker makes the request signaling exceed the uplink capacity of the base station, so the base station cannot process and respond to it in time. The overloaded hardware and software of the base station equipment further prevent legitimate terminals from obtaining the services the base station provides, such as processing and forwarding the signaling with which a legitimate terminal requests network access or network services.
The result of a distributed denial of service attack is a sharp increase in end-to-end delay at the attacked terminal, exhaustion of the equipment resources of the attacked base station, and even paralysis of the whole base station, which stops providing normal network service. Therefore, when an attacker launches an access network denial of service attack, the transceived signaling sequence collected on the UE is set as
Figure BDA0003822815380000206
Because the UE sends a large amount of access registration request signaling to the base station within a short time, the transceived signaling sequence collected on the UE during the attack period τ is
Figure BDA0003822815380000211
where v_{send Registration Request} denotes the signaling type corresponding to the access registration request signaling. When a transceived signaling sequence consisting of a large number of access registration request signalings within a short time is input into the corresponding anomaly detection model as the sequence to be detected, a small occurrence probability is obtained, and the attack can be detected.
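The detection procedure described above (the likelihood of a fixed-length transceived signaling window under a hidden Markov model trained on normal windows, with the anomaly threshold taken from the minimum training-sample probability) applied to the two attack sequences just described, as an added example written for this page and not code from the patent. The signaling-type alphabet, the six "normal" UE windows, the near-identity initialization of the emission matrix and the correction coefficient of 0.5 are assumptions made for the example; numpy is the only dependency.

```python
import numpy as np

# Observable states: one per UE signaling type (a constructed alphabet, not the patent's).
SIGNALING_TYPES = [
    "send RRC Setup Request",       # 0
    "receive RRC Setup",            # 1
    "send Registration Request",    # 2
    "receive Registration Accept",  # 3
    "send Service Request",         # 4
    "receive Paging",               # 5
    "receive RRC Release",          # 6
]
WINDOW = 8  # fixed sample length: P(O|lambda) shrinks with T, so only equal lengths compare

# Constructed "normal" transceived windows of one UE (indices into SIGNALING_TYPES, in
# order of occurrence); every signaling type occurs in at least one sample.
NORMAL_WINDOWS = [
    [0, 1, 2, 3, 6, 5, 0, 1],
    [5, 0, 1, 4, 6, 0, 1, 4],
    [0, 1, 4, 6, 5, 0, 1, 2],
    [6, 0, 1, 2, 3, 6, 0, 1],
    [1, 2, 3, 6, 0, 1, 4, 6],
    [4, 6, 5, 0, 1, 4, 6, 0],
]
HELD_OUT_NORMAL = [0, 1, 2, 3, 6, 0, 1, 4]      # normal window not used for training
COUNTERFEIT_WINDOW = [6, 0, 6, 0, 6, 0, 6, 0]   # release / re-request churn (attack means 2)
DDOS_WINDOW = [2] * WINDOW                       # burst of Registration Requests (attack means 3)


def _rows(m, floor):
    """Floor every entry so no transition or emission has probability 0, then renormalize rows."""
    m = np.maximum(np.asarray(m, dtype=float), floor)
    return m / m.sum(axis=-1, keepdims=True)


class SignalingHMM:
    """Discrete HMM: pi (initial), A[i, j] = a_ij (transition), B[j, k] = b_j(k) (emission)."""

    def __init__(self, n_symbols, floor=1e-3):
        # Number of hidden states = number of signaling types (step A2). Assumption: the
        # emission matrix starts near-identity, so hidden state i initially "owns" type i.
        self.n = self.m = n_symbols
        self.floor = floor
        self.pi = _rows(np.ones(self.n), floor)
        self.A = _rows(np.ones((self.n, self.n)), floor)
        self.B = _rows(0.9 * np.eye(self.n) + 0.1 / self.m, floor)

    def _forward(self, seq):
        """Scaled forward pass: alpha_hat[t, i] = alpha_t(i) / P(o_1..o_t), scale factors c[t]."""
        alpha = np.zeros((len(seq), self.n))
        c = np.zeros(len(seq))
        alpha[0] = self.pi * self.B[:, seq[0]]
        c[0] = 1.0 / alpha[0].sum()
        alpha[0] *= c[0]
        for t in range(1, len(seq)):
            alpha[t] = (alpha[t - 1] @ self.A) * self.B[:, seq[t]]
            c[t] = 1.0 / alpha[t].sum()
            alpha[t] *= c[t]
        return alpha, c

    def _backward(self, seq, c):
        """Backward pass scaled with the same c[t], so that gamma = alpha * beta / c."""
        beta = np.zeros((len(seq), self.n))
        beta[-1] = c[-1]
        for t in range(len(seq) - 2, -1, -1):
            beta[t] = c[t] * (self.A @ (self.B[:, seq[t + 1]] * beta[t + 1]))
        return beta

    def log_likelihood(self, seq):
        """log P(O | lambda) = -sum_t log c_t; this is the score compared with the threshold."""
        _, c = self._forward(seq)
        return float(-np.log(c).sum())

    def fit(self, seqs, max_iters=100, tol=1e-6):
        """Step A3: Baum-Welch re-estimation over the normal sample set until convergence."""
        prev = -np.inf
        for _ in range(max_iters):
            total, pi_acc = 0.0, np.zeros(self.n)
            A_acc, B_acc = np.zeros((self.n, self.n)), np.zeros((self.n, self.m))
            for seq in seqs:
                alpha, c = self._forward(seq)
                beta = self._backward(seq, c)
                total += -np.log(c).sum()
                gamma = alpha * beta / c[:, None]            # P(i_t = i | O, lambda)
                pi_acc += gamma[0]
                for t in range(len(seq) - 1):                 # xi_t(i, j), summed over t
                    A_acc += self.A * np.outer(alpha[t], self.B[:, seq[t + 1]] * beta[t + 1])
                for t, o in enumerate(seq):
                    B_acc[:, o] += gamma[t]
            self.pi = _rows(pi_acc, self.floor)
            self.A = _rows(A_acc, self.floor)
            self.B = _rows(B_acc, self.floor)
            if total - prev < tol:
                break
            prev = total
        return self


def anomaly_threshold(model, normal_windows, coefficient=0.5):
    """Threshold = minimum sample probability times a correction coefficient (in log space)."""
    return min(model.log_likelihood(w) for w in normal_windows) + float(np.log(coefficient))


def detect(model, window, threshold):
    """Return (log P(window | lambda), anomalous?) for one window of the training length."""
    if len(window) != WINDOW:
        raise ValueError("window length must equal the training sample length")
    score = model.log_likelihood(window)
    return score, score < threshold


if __name__ == "__main__":
    hmm = SignalingHMM(len(SIGNALING_TYPES)).fit(NORMAL_WINDOWS)
    theta = anomaly_threshold(hmm, NORMAL_WINDOWS)
    for name, w in [("held-out normal", HELD_OUT_NORMAL), ("counterfeit", COUNTERFEIT_WINDOW), ("ddos", DDOS_WINDOW)]:
        score, flagged = detect(hmm, w, theta)
        print(f"{name:16s} log P = {score:8.2f}  theta = {theta:6.2f}  anomalous = {flagged}")
```

Two practical points the patent text only implies: likelihoods are comparable only between windows of the same length (the predetermined sample length of claim 3), which is why detect() refuses other lengths; and the probability floor in _rows() is what keeps a never-seen transition such as "send Registration Request" followed by itself at a small but non-zero probability, so an attack window scores very low instead of producing log 0. A missing signaling, as in attack means 1, only lowers the score when the observation window is long enough that the normal samples always contain the expected release or paging at that point.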
To verify the feasibility of the scheme, the inventors first give a proof based on the formulas. The principle of the hidden-Markov-model-based detection of active attacks on 5G communication in the invention is as follows. Let λ_norm be the hidden Markov model of the network element under normal operation of the known protocol, and let O_obs be a transceived signaling sequence of the network element of length T. Compute the probability P(O_obs | λ_norm) that the sequence O_obs occurs under the model λ_norm. If P(O_obs | λ_norm) > θ, the situation is judged normal; otherwise an active attack is taking place. Here θ is the attack decision threshold, with P(O_norm | λ_norm) > θ > P(O_risk | λ_norm), O_risk ∈ {O_inter, O_coun, O_ddos}. To guarantee that such a θ exists, it must be ensured that P(O_norm | λ_norm) > P(O_risk | λ_norm). This is proved below.
Because the network element has various hidden states, the probability of the currently observed network element signaling sequence under the normal model is computed by enumerating all possible hidden state sequences of length T, I = i_1, i_2, ..., i_T, computing the joint probability P(O_obs, I | λ_norm) of the hidden state sequence I and the observed transceived signaling sequence O_obs, and finally summing the joint probabilities over all possible hidden state sequences to obtain P(O_obs | λ_norm), as shown in equation (3):
Figure BDA0003822815380000212
Given the normal model, the probability of the hidden state sequence I = i_1, i_2, ..., i_T of the network element is shown in equation (4):
Figure BDA0003822815380000213
where
Figure BDA0003822815380000214
denotes the initial-state probability of hidden state i_1, and
Figure BDA0003822815380000215
denotes the probability of transitioning from the hidden state at time t-1 to the hidden state at time t.
For a fixed hidden state sequence I = i_1, i_2, ..., i_T of the network element, the probability of the observed transceived signaling sequence O_obs = {o_1, o_2, ..., o_T} is shown in equation (5):
Figure BDA0003822815380000221
where
Figure BDA0003822815380000222
is the probability that hidden state i_t generates observed state o_t. For example,
Figure BDA0003822815380000223
denotes the probability that, when the network element is in hidden state i_1, the observable state o_1 occurs, i.e. that a certain type of signaling is sent or received.
The joint probability of the hidden state sequence I of the network element and the observed transceived signaling sequence O_obs occurring together is shown in equation (6):
Figure BDA0003822815380000224
Finally, summing the joint probabilities over all possible hidden state sequences of the network element gives the probability P(O_obs | λ_norm) of the observed transceived signaling sequence, as shown in equation (7):
Figure BDA0003822815380000225
Let the set of all possible hidden states of the network element be S = {s_1, s_2, ..., s_N}. For every i_t (t = 1, ..., T) all N hidden states must be traversed, so the complexity of this algorithm is O(T N^T).
To simplify the calculation, the forward algorithm for the observation sequence probability is introduced. Given the model λ_norm, the probability that the observed transceived signaling sequence of the network element up to time t is {o_1, o_2, ..., o_t} and that the hidden state at time t is s_i is defined as the forward probability, as shown in equation (8):
α_t(i) = P(o_1, o_2, ..., o_t, i_t = s_i | λ_norm),  α_1(i) = π_i b_i(o_1),  i = 1, ..., N   (8)
Then, by recursion:
Figure BDA0003822815380000226
and finally:
Figure BDA0003822815380000227
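The recursion that equations (8) to (10) express, carried through here as an added worked derivation in the notation of this section (it is not a reproduction of the patent's own figures); a_{ij}, b_j(o_t) and π_i are the transition, emission and initial-state parameters of λ_norm, N the number of hidden states and T the sequence length:

$$
\begin{aligned}
\alpha_1(i) &= \pi_i\, b_i(o_1), & i &= 1,\dots,N,\\
\alpha_{t+1}(j) &= \Big[\sum_{i=1}^{N} \alpha_t(i)\, a_{ij}\Big]\, b_j(o_{t+1}), & t &= 1,\dots,T-1,\ j = 1,\dots,N,\\
P(O_{obs}\mid\lambda_{norm}) &= \sum_{i=1}^{N} \alpha_T(i).
\end{aligned}
$$

Each step of the recursion costs N^2 multiplications, so the whole pass costs O(N^2 T) instead of the O(T N^T) enumeration behind equation (7), and it is this P(O_obs | λ_norm) that the network element compares with the threshold θ.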
From the above analysis: suppose that at time t max_i(α_t(i)) = α_t(n), n ∈ {1, ..., N}, and that at time t+1 max_j(a_ji) = a_ni,
Figure BDA0003822815380000228
Then, under normal operating conditions,
Figure BDA0003822815380000229
is as shown in equation (11):
Figure BDA0003822815380000231
where n and
Figure BDA0003822815380000232
are two state subscripts in the state set.
Suppose the attack occurs at time t. The
Figure BDA0003822815380000233
collected during the attack and the
Figure BDA0003822815380000234
collected under normal conditions must differ, so b_i(o_t) is no longer maximized at state s_n. One can therefore set
Figure BDA0003822815380000235
Correspondingly,
Figure BDA0003822815380000236
is as shown in equation (12):
Figure BDA0003822815380000237
Suppose that
Figure BDA0003822815380000238
This is because, at time t, under
Figure BDA0003822815380000239
the term
Figure BDA00038228153800002310
turns into
Figure BDA00038228153800002311
At this time the forward probability α_t(i) of the normal state becomes small, while the forward probability α_t(i) of the abnormal state may increase or decrease; but even when α_t(i) increases, every abnormal state transition has a very small transition probability a_ji, so the final
Figure BDA00038228153800002312
does not change much, and overall
Figure BDA00038228153800002313
Figure BDA00038228153800002314
This assumption is reasonable and applies to most scenarios.
Therefore, since the abnormal state transition probability min(a_ji) is much smaller than max(α_t(i)), it can be seen that
Figure BDA00038228153800002315
Figure BDA00038228153800002316
from which it can be deduced that
Figure BDA00038228153800002317
It then readily follows that P(O_norm | λ_norm) > P(O_risk | λ_norm), which proves that the invention is feasible.
To further illustrate the effectiveness of the invention, the inventors conducted experiments based on the sub-protocols contained in the 5G protocol document 3GPP TS 23.502 published in September 2020. As shown in Fig. 11, the inventors simulated the detection of five attacks: illegally intercepting the RRC Release signaling sent by the RAN to the UE (Intercept1), illegally forging the RRC Setup Request signaling sent by the UE to the RAN (Counterfeit), the UE sending Registration Request signaling to the RAN to launch a DDoS attack (DDOS1), illegally intercepting the RRC Setup Request signaling sent by the UE to the RAN (Intercept2), and the UE sending a large number of packets to the RAN to launch a DDoS attack (DDOS2). The knowledge base of the model-matching attack detection method was given signaling sequence models of only the known DDOS1, Intercept1 and Counterfeit1 attacks. It can be seen that the model-matching method has a good detection rate, above 90%, only for the attacks known to its knowledge base, and has no detection capability for unknown attack patterns. The behavior-feature-based attack detection method detects signaling DDoS attacks and illegal interception attacks well, with a detection rate above 90%, but for the more covert illegal signaling forgery attack its detection rate only reaches about 70%. The detection rate of the HMM-based Attack Detection Method (HADM) of the invention stays above 90% for every attack pattern.
In addition, the inventors constructed several groups of signaling interaction data under normal conditions for simulation tests, to obtain the false detection rate of each attack detection method. The normal conditions cover several factors, such as the influence of radio channel quality, the influence of the device's processing speed, and the influence of the user accidentally toggling the power on and off; the effect of each of these on the signaling received and sent by the network element is shown in Table 1.
Table 1 Signaling transceiving under normal conditions
Figure BDA0003822815380000241
The attack detection experiment was run 40 times for each normal case, giving the results shown in Fig. 12. Compared with the behavior-feature-based attack detection method, the false detection rate of the method of the invention for the DDOS1 and Intercept2 attack behaviors is at least 10% lower, for the Intercept1 and Counterfeit attack behaviors the two methods are equal, and for the DDOS2 attack behavior the method of the invention is 5% higher, so the average false detection rate of the method of the invention is lower than that of the behavior-feature-based method.
In general, without increasing the false detection rate, the scheme of the invention improves the detection rate by 10% to 20% compared with the prior art, and detects attack behaviors against the 5G protocol more accurately and efficiently.
It should be noted that, although the steps are described in a specific order, the steps are not necessarily executed in the specific order, and in fact, some of the steps may be executed concurrently or even in a changed order as long as the required functions are achieved.
The present invention may be a system, method and/or computer program product. The computer program product may include a computer-readable storage medium having computer-readable program instructions embodied therewith for causing a processor to implement various aspects of the present invention.
The computer readable storage medium may be a tangible device that holds and stores the instructions for use by the instruction execution device. The computer readable storage medium may include, for example, but is not limited to, an electronic memory device, a magnetic memory device, an optical memory device, an electromagnetic memory device, a semiconductor memory device, or any suitable combination of the foregoing. More specific examples (a non-exhaustive list) of the computer readable storage medium would include the following: a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), a Static Random Access Memory (SRAM), a portable compact disc read-only memory (CD-ROM), a Digital Versatile Disc (DVD), a memory stick, a floppy disk, a mechanical coding device, such as punch cards or in-groove projection structures having instructions stored thereon, and any suitable combination of the foregoing.
Having described embodiments of the present invention, the foregoing description is intended to be exemplary, not exhaustive, and not limited to the embodiments disclosed. Many modifications and variations will be apparent to those of ordinary skill in the art without departing from the scope and spirit of the described embodiments. The terminology used herein is chosen in order to best explain the principles of the embodiments, the practical application, or improvements made to the technology in the marketplace, or to enable others of ordinary skill in the art to understand the embodiments disclosed herein.

Claims (10)

1. A method for constructing a network element abnormity detection model for a 5G communication system is characterized by comprising the following steps of training an abnormity detection model corresponding to any type of network element in the 5G communication system:
a1, obtaining a signaling sequence set corresponding to the type of network element, wherein the signaling sequence set comprises a plurality of samples, and each sample is a signaling receiving and sending sequence formed by the signaling types of the signaling receiving and sending of the type of network element according to a 5G communication protocol in a normal communication process according to the occurrence time sequence;
a2, configuring the number of hidden states in a hidden Markov model according to the total number of signaling types possibly sent by the network element of the type under a 5G communication protocol to obtain an initial hidden Markov model;
and A3, carrying out repeated iterative estimation on the parameters of the initial hidden Markov model by using the signaling sequence set until convergence, and obtaining an abnormal detection model corresponding to the type of network element.
2. The method according to claim 1, wherein in step A1, any signaling type that can be sent and received by the network element of the type under the 5G communication protocol exists in one or more samples in the signaling sequence set.
3. The method according to claim 2, wherein in the step A1, the length of all samples is set to a predetermined sample length.
4. The method according to any one of claims 1 to 3, wherein the step A2 further comprises: and mapping each type of signaling which can be sent and received by the network element of the type according to the 5G communication protocol into an observable state in a hidden Markov model respectively.
5. A method for detecting the state of a network element in a 5G communication system, wherein an anomaly detection model corresponding to the type of the network element, which is constructed according to the method of any one of claims 1 to 4, is deployed in each type of the network element in the 5G communication system, and the detection method comprises:
acquiring a to-be-detected signaling receiving and sending sequence formed by arranging signaling types of a current network element signaling receiving and sending according to a generated time sequence;
determining the probability of the occurrence of the signaling receiving and sending sequence to be detected according to the parameters of the abnormal detection model deployed in the current network element;
and when the probability of the occurrence of the transceiving order sequence to be detected is smaller than a preset abnormity judgment threshold value, determining the abnormal state of the current network element and/or sending alarm information of the abnormal state of the current network element.
6. The method of claim 5, wherein the anomaly discrimination threshold corresponding to each type of network element is determined according to a minimum value of occurrence probabilities of samples in the signaling sequence set corresponding to the type of network element for the anomaly detection model corresponding to the type of network element.
7. A5G communication system capable of attack detection, the system comprising a plurality of types of network elements, each type of network element having deployed therein an anomaly detection model corresponding to the type of network element constructed according to the method of any one of claims 1 to 4, wherein each network element comprises:
a sequence acquiring unit, configured to acquire a to-be-detected signaling receiving and sending sequence, where signaling types of signaling received and sent by a current network element are arranged according to a time sequence of occurrence;
a probability calculation unit, configured to determine, according to parameters of an anomaly detection model deployed in a current network element, a probability of occurrence of the signaling receiving and sending sequence to be detected;
and the alarm unit is used for determining the abnormal state of the current network element and/or sending alarm information of the abnormal state of the current network element when the probability of the occurrence of the send-receive command sequence to be detected is smaller than a preset abnormal judgment threshold value.
8. The system of claim 7, wherein the system comprises: a UE network element, a RAN network element, an AMF network element, a PCF network element, an SMF network element, an AUSF network element, a UDM network element, a UDR network element, a UPF network element, a NEF network element, an NRF network element, an NSSF network element, an UDFS network element, an AF network element, a 5G-EIR network element, a DN network element, or a combination thereof.
9. A computer-readable storage medium, having stored thereon a computer program executable by a processor for performing the steps of the method of any one of claims 1-4 and 5-6.
10. An electronic device, comprising:
one or more processors; and
a memory, wherein the memory is to store executable instructions;
the one or more processors are configured to implement the steps of the method of any of claims 1-4 and 5-6 via execution of the executable instructions.
CN202211047856.5A 2022-08-30 2022-08-30 Method for constructing network element abnormity detection model facing 5G communication system Pending CN115426654A (en)

Publications (1)

Publication Number Publication Date
CN115426654A true CN115426654A (en) 2022-12-02

Family

ID=84199622

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116016298A (en) * 2023-01-04 2023-04-25 重庆邮电大学 5G communication protocol anomaly detection method based on hidden semi-Markov model
CN116016298B (en) * 2023-01-04 2024-04-09 重庆邮电大学 5G communication protocol anomaly detection method based on hidden semi-Markov model

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination