CN116546545A - Method and device for detecting signaling storm, electronic equipment and storage medium


Publication number: CN116546545A
Application number: CN202310527986.7A
Authority: CN (China)
Legal status: Pending
Other languages: Chinese (zh)
Inventors: 余志峰, 张添, 郭志龙, 陈涛, 韩波, 雷彦章
Current Assignee: Dawning Network Technology Co ltd
Original Assignee: Dawning Network Technology Co ltd
Prior art keywords: interface, flow, decoding, nas, pdu

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04W: WIRELESS COMMUNICATION NETWORKS
    • H04W24/00: Supervisory, monitoring or testing arrangements
    • H04W24/08: Testing, supervising or monitoring using real traffic
    • H04W24/10: Scheduling measurement reports; Arrangements for measurement reports


Abstract

The invention discloses a signaling storm detection method, a device, electronic equipment and a storage medium, comprising the following steps: acquiring a plurality of flow messages corresponding to N1, N2 and N12 interfaces in a 5G core network respectively; analyzing the flow messages corresponding to the N1 interface and the N12 interface to obtain decoding parameters corresponding to NAS-PDU in the N1 interface, analyzing the flow messages corresponding to the N2 interface, and generating XDR logs of the N2 interface according to analysis results; decoding the load content of the NAS-PDU in the N1 interface according to the decoding parameters, and generating an XDR log of the N1 interface according to the decoding result; and according to XDR logs corresponding to the N1 interface and the N2 interface respectively, counting interaction information corresponding to the target transaction flow in the core network, and determining a signaling storm detection result corresponding to the core network according to the interaction information. The technical scheme of the embodiment of the invention can ensure the accuracy of the signaling storm detection result.

Description

Method and device for detecting signaling storm, electronic equipment and storage medium
Technical Field
The present invention relates to the field of communications technologies, and in particular, to a method and apparatus for detecting a signaling storm, an electronic device, and a storage medium.
Background
With the development of communication technology, the fifth generation mobile communication technology (5th Generation Mobile Communication Technology, 5G) has seen initial development and application. More and more intelligent devices are now beginning to access 5G networks.
In this scenario, if devices are maliciously hijacked by hackers or equipment fails, a large amount of abnormal signaling is exchanged in the core network, which challenges the security and stability of the 5G network environment.
Therefore, it is necessary to analyze and manage the signaling interactive traffic of the 5G core network and identify signaling storms in the core network. The prior art lacks an efficient way to accurately identify signaling storms within a 5G core network.
Disclosure of Invention
The invention provides a method, a device, electronic equipment and a storage medium for detecting a signaling storm, which can ensure the accuracy of a signaling storm detection result.
According to an aspect of the present invention, there is provided a signaling storm detection method, including:
acquiring a plurality of flow messages corresponding to N1, N2 and N12 interfaces in a 5G core network respectively;
analyzing each flow message corresponding to the N1 interface and the N12 interface to obtain decoding parameters corresponding to a non-access stratum protocol data unit NAS-PDU in the N1 interface, analyzing each flow message corresponding to the N2 interface, and generating an XDR log corresponding to the N2 interface according to analysis results;
decoding the load content of the NAS-PDU in the N1 interface according to the decoding parameters, and generating an XDR log corresponding to the N1 interface according to the decoding result;
and according to XDR logs corresponding to the N1 interface and the N2 interface respectively, counting interaction information corresponding to a target transaction flow in a core network, and determining a signaling storm detection result corresponding to the core network according to the interaction information.
Optionally, obtaining a plurality of flow messages corresponding to N1 and N2 interfaces in the 5G core network respectively includes:
screening the flow messages meeting the next generation application protocol NGAP from all the original flow messages corresponding to the core network;
judging whether the flow message comprises the load content of NAS-PDU in the N1 interface;
if yes, the flow message is used as a flow message corresponding to an N1 interface;
if not, the flow message is used as the flow message corresponding to the N2 interface.
Optionally, parsing each flow message corresponding to the N1 interface and the N12 interface to obtain decoding parameters corresponding to NAS-PDU in the N1 interface, including:
analyzing the load content of the NAS-PDU in the N1 interface according to each flow message corresponding to the N1 interface to obtain a first decoding deduction parameter and a first authentication verification parameter;
analyzing the load content of the HTTPv2 protocol data unit in the N12 interface according to each flow message corresponding to the N12 interface to obtain a second decoding deduction parameter and a second authentication verification parameter;
and processing the first decoding deduction parameter and the second decoding deduction parameter according to the first authentication verification parameter and the second authentication verification parameter to obtain decoding parameters corresponding to the NAS-PDU in the N1 interface.
Optionally, analyzing each flow message corresponding to the N2 interface, and generating an XDR log corresponding to the N2 interface according to the analysis result, including:
acquiring a transaction flow dictionary table corresponding to an N2 interface, wherein a plurality of transaction flows monitored by the N2 interface are prestored in the transaction flow dictionary table;
analyzing each flow message corresponding to the N2 interface, and determining a plurality of target flow fields corresponding to the N2 interface in an analysis result according to the transaction flow dictionary table corresponding to the N2 interface;
and generating an XDR log corresponding to the N2 interface according to the target flow fields corresponding to the N2 interface.
Optionally, decoding the payload content of the NAS-PDU in the N1 interface according to the decoding parameter includes:
judging whether a plurality of flow messages corresponding to the N2 interface comprise load contents of NAS-PDU in the N1 interface or not;
if yes, extracting the load content of the NAS-PDU from a plurality of flow messages corresponding to the N2 interface, and decoding the load content according to the decoding parameters.
Optionally, generating the XDR log corresponding to the N1 interface according to the decoding result includes:
acquiring a transaction flow dictionary table corresponding to an N1 interface, wherein a plurality of transaction flows monitored by the N1 interface are prestored in the transaction flow dictionary table;
analyzing the decoding result, and determining a plurality of target flow fields corresponding to the N1 interface in the analysis result according to the transaction flow dictionary table corresponding to the N1 interface;
and generating an XDR log corresponding to the N1 interface according to the target flow fields corresponding to the N1 interface.
According to another aspect of the present invention, there is provided a signaling storm detection apparatus, the apparatus comprising:
the message acquisition module is used for acquiring a plurality of flow messages corresponding to the N1, N2 and N12 interfaces in the 5G core network respectively;
the first log generation module is used for analyzing each flow message corresponding to the N1 interface and the N12 interface to obtain decoding parameters corresponding to a non-access stratum protocol data unit NAS-PDU in the N1 interface, analyzing each flow message corresponding to the N2 interface, and generating an XDR log corresponding to the N2 interface according to analysis results;
the second log generating module is used for decoding the load content of the NAS-PDU in the N1 interface according to the decoding parameters and generating an XDR log corresponding to the N1 interface according to the decoding result;
and the signaling detection module is used for counting interaction information corresponding to the target transaction flow in the core network according to the XDR logs respectively corresponding to the N1 interface and the N2 interface, and determining a signaling storm detection result corresponding to the core network according to the interaction information.
According to another aspect of the present invention, there is provided an electronic apparatus including:
at least one processor; and
a memory communicatively coupled to the at least one processor; wherein
the memory stores a computer program executable by the at least one processor to enable the at least one processor to perform the signaling storm detection method of any of the embodiments of the invention.
According to another aspect of the present invention, there is provided a computer readable storage medium storing computer instructions for causing a processor to implement the signaling storm detection method according to any of the embodiments of the present invention when executed.
According to another aspect of the present invention, there is provided a computer program product comprising a computer program which, when executed by a processor, implements the signaling storm detection method according to any of the embodiments of the present invention.
According to the technical scheme provided by the embodiment of the invention, a plurality of flow messages respectively corresponding to the N1, N2 and N12 interfaces in the 5G core network are obtained; analyzing each flow message corresponding to the N1 interface and the N12 interface to obtain decoding parameters corresponding to a non-access stratum protocol data unit NAS-PDU in the N1 interface, analyzing each flow message corresponding to the N2 interface, and generating an XDR log corresponding to the N2 interface according to analysis results; decoding the load content of the NAS-PDU in the N1 interface according to the decoding parameters, and generating an XDR log corresponding to the N1 interface according to the decoding result; according to the XDR logs corresponding to the N1 interface and the N2 interface respectively, the interactive information corresponding to the target transaction flow in the core network is counted, and the signaling storm detection result corresponding to the core network is determined according to the interactive information.
It should be understood that the description in this section is not intended to identify key or critical features of the embodiments of the invention or to delineate the scope of the invention. Other features of the present invention will become apparent from the description that follows.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings required for the description of the embodiments will be briefly described below, and it is apparent that the drawings in the following description are only some embodiments of the present invention, and other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
Fig. 1 is a flowchart of a signaling storm detection method according to an embodiment of the present invention;
Fig. 2 is a flowchart of another signaling storm detection method according to an embodiment of the invention;
Fig. 3 is a flowchart of another signaling storm detection method according to an embodiment of the invention;
Fig. 4 is a schematic structural diagram of a signaling storm detecting device according to an embodiment of the invention;
Fig. 5 is a schematic structural diagram of an electronic device implementing a signaling storm detection method according to an embodiment of the present invention.
Detailed Description
In order that those skilled in the art will better understand the present invention, a technical solution in the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings in which it is apparent that the described embodiments are only some embodiments of the present invention, not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the present invention without making any inventive effort, shall fall within the scope of the present invention.
It should be noted that the terms "first," "second," and the like in the description and the claims of the present invention and the above figures are used for distinguishing between similar objects and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used may be interchanged where appropriate such that the embodiments of the invention described herein may be implemented in sequences other than those illustrated or otherwise described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
Fig. 1 is a flowchart of a signaling storm detection method provided in an embodiment of the present invention, where the embodiment is applicable to a case of performing signaling storm detection on a 5G core network, the method may be performed by a signaling storm detection device, and the signaling storm detection device may be implemented in a form of hardware and/or software, and the signaling storm detection device may be configured in an electronic device (for example, a terminal or a server) having a data processing function. As shown in fig. 1, the method includes:
Step 110, a plurality of flow messages corresponding to the N1, N2 and N12 interfaces in the 5G core network are obtained.
In this embodiment, the N1 interface may be an interface between a User Equipment (UE) in the 5G core network and an access and mobility management function (Access and Mobility Management Function, AMF) unit. The N2 interface may be an interface between a next generation base station (the next Generation Node B, gNB) and an AMF unit within the 5G core network. The N12 interface may be an interface between an AMF within the 5G core network and an authentication server function (Authentication Server Function, AUSF) unit.
In this step, optionally, all the traffic messages generated in the 5G core network in the specific time period may be acquired, and then, according to the message information of each traffic message, the traffic messages corresponding to the N1, N2 and N12 interfaces respectively are determined. Each traffic packet may include a source internet protocol (Internet Protocol, IP) address, a destination IP address, a source media access control (Media Access Control, MAC) address, a destination MAC address, and data content, among others.
In a specific embodiment, before acquiring a plurality of flow messages corresponding to N1, N2, and N12 interfaces, optical splitter devices may be deployed on the N1, N2, and N12 interface links, respectively, so as to acquire flow messages matched with the corresponding interfaces through each optical splitter device.
Step 120, analyzing each flow message corresponding to the N1 interface and the N12 interface to obtain decoding parameters corresponding to a Non-access stratum protocol data unit (Non-access stratum Protocol Data Unit, NAS-PDU) in the N1 interface, analyzing each flow message corresponding to the N2 interface, and generating an XDR log corresponding to the N2 interface according to an analysis result.
In this embodiment, optionally, each flow packet corresponding to the N1 interface and the N12 interface may be parsed to obtain a user permanent identifier (Subscription Permanent Identifier, SUPI) included in the core network, and NAS-PDU decoding parameters corresponding to the SUPI identifier. And meanwhile, analyzing each flow message corresponding to the N2 interface to obtain fields related to signaling storm detection in each flow message, and generating a threat detection and response (Extended Detection and Response, XDR) log corresponding to the N2 interface according to each field.
Step 130, decoding the load content of the NAS-PDU in the N1 interface according to the decoding parameters, and generating an XDR log corresponding to the N1 interface according to the decoding result.
In this step, optionally, according to the decoding parameters and an encryption algorithm corresponding to the NAS-PDU payload content in the N1 interface, the payload content of the NAS-PDU may be decoded, and according to a decoding result, a field corresponding to the N1 interface and related to signaling storm detection may be obtained, and then an XDR log corresponding to the N1 interface may be generated according to each field.
Step 140, counting interaction information corresponding to the target transaction flow in the core network according to XDR logs corresponding to the N1 interface and the N2 interface respectively, and determining a signaling storm detection result corresponding to the core network according to the interaction information.
In this embodiment, optionally, according to the XDR logs corresponding to the N1 interface and the N2 interface respectively, a target transaction flow matched with the XDR log may be determined in each flow packet, then interaction information (such as interaction time, interaction object, interaction success number, and interaction failure number) of each target transaction flow is counted, the interaction information is compared with preset standard information, and a signaling storm detection result corresponding to the core network is determined according to the comparison result. The standard information may be preset normal interaction information corresponding to the target transaction flow.
In a specific embodiment, the number of successful interactions and the number of failed interactions corresponding to the target transaction flow may be compared with a threshold set in the standard information, and a signaling storm detection result corresponding to the core network may be determined according to the comparison result.
In another specific embodiment, after the XDR logs corresponding to the N1 interface and the N2 interface are obtained, interaction information corresponding to the target transaction flow under a specific index in a specific time can be counted, and the interaction information is compared with preset standard information. Optionally, the index may include a specific SUPI identifier, a gNB network element, an AMF network element, a location of a region, and so on.
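One way to carry out the counting and comparison described above, as an added Python illustration that is not part of the patent text. The XDR record layout, the flow name "Registration", the window length and the thresholds are assumptions; the sample records are constructed.

```python
"""Added example: window and threshold counting over XDR-style records."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class XdrRecord:
    """One transaction-flow record; the field layout is assumed."""
    ts: int          # interaction time, epoch seconds
    interface: str   # "N1" or "N2"
    flow: str        # target transaction flow name
    supi: str
    gnb: str
    amf: str
    success: bool


@dataclass(frozen=True)
class Standard:
    """Preset normal limits for one flow within one window."""
    max_total: int
    max_failures: int


@dataclass(frozen=True)
class Finding:
    window_start: int
    flow: str
    index_value: str
    total: int
    failures: int
    reasons: tuple


def detect_storms(records, standards, index="supi", window=60):
    """Count each monitored flow per (window, flow, index value) and
    return the buckets that exceed the preset standard information."""
    if index not in ("supi", "gnb", "amf"):
        raise ValueError(f"unsupported index: {index}")
    counts = defaultdict(lambda: [0, 0])          # key -> [total, failures]
    for rec in records:
        if rec.flow not in standards:             # flow is not monitored
            continue
        start = rec.ts - rec.ts % window          # tumbling window
        bucket = counts[(start, rec.flow, getattr(rec, index))]
        bucket[0] += 1
        bucket[1] += 0 if rec.success else 1
    findings = []
    for (start, flow, value), (total, failures) in sorted(counts.items()):
        std = standards[flow]
        reasons = []
        if total > std.max_total:
            reasons.append("total")
        if failures > std.max_failures:
            reasons.append("failures")
        if reasons:
            findings.append(Finding(start, flow, value, total, failures,
                                    tuple(reasons)))
    return findings


def sample_records(base=6000):
    """Constructed records: one UE retrying registration through gnb-1,
    plus twelve well-behaved UEs registering once each through gnb-2."""
    noisy = [XdrRecord(base + i, "N1", "Registration",
                       "imsi-001010000000001", "gnb-1", "amf-1",
                       success=(i % 15 == 0))
             for i in range(30)]
    quiet = [XdrRecord(base + i, "N1", "Registration",
                       f"imsi-0010100000001{i:02d}", "gnb-2", "amf-1",
                       success=True)
             for i in range(12)]
    return noisy + quiet


# Assumed standard information; the limits are illustrative only.
STANDARDS = {"Registration": Standard(max_total=10, max_failures=5)}

if __name__ == "__main__":
    for dim in ("supi", "gnb"):
        for f in detect_storms(sample_records(), STANDARDS, index=dim):
            print(dim, f)
```

Counting by SUPI isolates the single retrying UE, while counting by gNB also flags gnb-2, where no individual UE is abnormal but the aggregate exceeds the limit.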
In this embodiment, by analyzing the flow messages corresponding to the N1 interface and the N12 interface, decoding parameters corresponding to NAS-PDU in the N1 interface are obtained, so that the time consumption of the NAS-PDU load content decoding process can be saved, and the reliability of the decoding result can be improved; and secondly, through generating XDR logs respectively matched with the N1 interface and the N2 interface, the interactive information of the target transaction flow in the core network under a plurality of different dimensions is conveniently counted, so that the signaling storm existing in the core network can be accurately identified according to the interactive information, and the effectiveness of the signaling storm detection result is improved.
According to the technical scheme provided by the embodiment of the invention, a plurality of flow messages respectively corresponding to the N1, N2 and N12 interfaces in the 5G core network are obtained; analyzing each flow message corresponding to the N1 interface and the N12 interface to obtain decoding parameters corresponding to a non-access stratum protocol data unit NAS-PDU in the N1 interface, analyzing each flow message corresponding to the N2 interface, and generating an XDR log corresponding to the N2 interface according to analysis results; decoding the load content of the NAS-PDU in the N1 interface according to the decoding parameters, and generating an XDR log corresponding to the N1 interface according to the decoding result; according to the XDR logs corresponding to the N1 interface and the N2 interface respectively, the interactive information corresponding to the target transaction flow in the core network is counted, and the technical means of determining the signaling storm detection result corresponding to the core network according to the interactive information is provided, so that an effective mode for identifying the signaling storm in the 5G core network is provided, and the accuracy of the signaling storm detection result can be ensured.
Fig. 2 is a flowchart of another signaling storm detection method according to an embodiment of the present invention, as shown in fig. 2, including:
Step 210, a plurality of flow messages corresponding to the N1, N2 and N12 interfaces in the 5G core network are obtained.
In one implementation manner of the embodiment of the present invention, obtaining a plurality of flow packets corresponding to N1 and N2 interfaces in a 5G core network includes: screening the flow messages meeting the next generation application protocol (Next Generation Application Protocol, NGAP) from all the original flow messages corresponding to the core network; judging whether the flow message comprises the load content of NAS-PDU in the N1 interface; if yes, the flow message is used as a flow message corresponding to an N1 interface; if not, the flow message is used as the flow message corresponding to the N2 interface.
In this embodiment, optionally, after all original traffic messages corresponding to the 5G core network are obtained, whether each original traffic message meets the NGAP protocol may be judged through a preset port (for example, port 38412), if yes, the original traffic message is parsed, and whether the parsing result includes the load content of the NAS-PDU of the N1 interface is judged; if yes, the original flow message is used as the flow message corresponding to the N1 interface, and if not, the original flow message is used as the flow message corresponding to the N2 interface.
In a specific embodiment, after all the original traffic messages corresponding to the 5G core network are obtained, it may be further determined whether each original traffic message meets an HTTPv2 protocol, if yes, the original traffic message is parsed according to the HTTPv2 protocol, and then it is determined whether the parsing result meets the ue-authentication procedure of the N12 interface, if yes, the original traffic message is used as the traffic message corresponding to the N12 interface.
The advantage of the arrangement is that the flow messages corresponding to the N1, N2 and N12 interfaces can be accurately screened out by judging the protocol supported by each original flow message, so that the accuracy of the follow-up signaling storm detection result can be improved.
Step 220, analyzing the load content of the NAS-PDU in the N1 interface according to each flow message corresponding to the N1 interface to obtain a first decoding deduction parameter and a first authentication verification parameter.
In this step, optionally, the load content of the NAS-PDU in the N1 interface may be parsed according to the Authentication procedure in the protocol specification set by the third generation partnership project (3rd Generation Partnership Project, 3GPP), to obtain a first decoding deduction parameter and a first authentication verification parameter.
In particular, the first decoding deduction parameters may include a plurality of authentication and key agreement challenge (Authentication and Key Agreement challenge, ABBA) parameters and the length (abba_len) of the ABBA parameters. The ABBA parameter may be used for authentication of the traffic message. The first authentication verification parameter may comprise a plurality of verification parameters resStar1. Each parameter in the first decoding deduction parameters corresponds one-to-one to a parameter in the first authentication verification parameters.
Step 230, analyzing the load content of the HTTPv2 protocol data unit in the N12 interface according to each flow message corresponding to the N12 interface to obtain a second decoding deduction parameter and a second authentication verification parameter.
In this step, optionally, the second decoding deduction parameters may include a plurality of SUPI identifiers and the security anchor key Kseaf. The second authentication verification parameter may comprise a plurality of verification parameters resStar2. Each parameter in the second decoding deduction parameters corresponds one-to-one to a parameter in the second authentication verification parameters.
Step 240, processing the first decoding deduction parameter and the second decoding deduction parameter according to the first authentication verification parameter and the second authentication verification parameter to obtain decoding parameters corresponding to the NAS-PDU in the N1 interface.
In this step, optionally, the same verification parameters may be obtained from the first authentication verification parameter and the second authentication verification parameter, and according to the verification parameters, the matched target decoding deduction parameters are obtained from the first decoding deduction parameters and the second decoding deduction parameters, then the multiple target decoding deduction parameters are combined to obtain a decoding parameter set, and finally, a deduction function defined by the 3GPP protocol specification is adopted to process the decoding parameter set to obtain the decoding parameters corresponding to the NAS-PDU in the N1 interface.
In a specific embodiment, assuming that the same verification parameter resStar exists in the first authentication verification parameter and the second authentication verification parameter, the matched target decoding deduction parameters "abba and abba_len" can be obtained in the first decoding deduction parameters according to the resStar, and the matched target decoding deduction parameters "SUPI identifier and Kseaf" are obtained in the second decoding deduction parameters, and then decoding parameter groups "abba, abba_len, SUPI identifier and Kseaf" can be generated.
The advantage of the arrangement is that the decoding parameters corresponding to the NAS-PDU in the N1 interface can be accurately calculated by respectively analyzing the load content of the NAS-PDU in the N1 interface and the load content of the HTTPv2 protocol data unit in the N12 interface, so that the reliability of the NAS-PDU decoding result in the N1 interface is improved.
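The resStar matching described in step 240, as an added illustration in Python that is not part of the patent text: records from the N1 and N12 parsers are paired on their verification parameter to form the "abba, abba_len, SUPI identifier and Kseaf" groups. The record classes, field names and sample values are assumptions constructed for the example, and the 3GPP derivation function applied to each group afterwards is not shown.

```python
"""Added example: pair N1 and N12 authentication records on resStar."""
from dataclasses import astuple, dataclass


@dataclass(frozen=True)
class N1Auth:
    """Fields parsed from the NAS-PDU authentication procedure on N1."""
    res_star: str   # resStar1, hex string
    abba: bytes
    abba_len: int


@dataclass(frozen=True)
class N12Auth:
    """Fields parsed from the HTTPv2 ue-authentication exchange on N12."""
    res_star: str   # resStar2, hex string
    supi: str
    kseaf: bytes


@dataclass(frozen=True)
class ParameterGroup:
    """The group "abba, abba_len, SUPI identifier and Kseaf" for one UE."""
    supi: str
    kseaf: bytes
    abba: bytes
    abba_len: int


def _index(records):
    """Map normalised resStar -> record; set aside conflicting duplicates."""
    seen, conflicts = {}, set()
    for rec in records:
        key = rec.res_star.strip().lower()
        prev = seen.get(key)
        # A retransmission repeats the same fields; anything else is a clash.
        if prev is not None and astuple(prev)[1:] != astuple(rec)[1:]:
            conflicts.add(key)
        seen[key] = rec
    for key in conflicts:
        del seen[key]
    return seen, conflicts


def build_parameter_groups(n1_records, n12_records):
    """Return (groups, unmatched resStar values, rejected pairs)."""
    n1, n1_conflicts = _index(n1_records)
    n12, n12_conflicts = _index(n12_records)
    groups, rejected = [], []
    for key in sorted(n1.keys() & n12.keys()):
        a, b = n1[key], n12[key]
        if a.abba_len != len(a.abba):
            rejected.append((key, "abba_len does not match ABBA"))
            continue
        groups.append(ParameterGroup(b.supi, b.kseaf, a.abba, a.abba_len))
    unmatched = sorted((n1.keys() ^ n12.keys()) | n1_conflicts | n12_conflicts)
    return groups, unmatched, rejected


# Constructed sample values; none are taken from real traffic.
N1_SAMPLE = [
    N1Auth("A1B2C3D4", bytes.fromhex("0000"), 2),
    N1Auth("deadbeef", bytes.fromhex("0000"), 2),   # no N12 partner captured
    N1Auth("0badf00d", bytes.fromhex("0000"), 3),   # inconsistent length
]
N12_SAMPLE = [
    N12Auth("a1b2c3d4", "imsi-001010000000001", bytes(32)),
    N12Auth("0badf00d", "imsi-001010000000002", bytes(32)),
    N12Auth("cafebabe", "imsi-001010000000003", bytes(32)),   # no N1 partner
]

if __name__ == "__main__":
    groups, unmatched, rejected = build_parameter_groups(N1_SAMPLE, N12_SAMPLE)
    print("groups:", groups)
    print("unmatched:", unmatched)
    print("rejected:", rejected)
```

Unmatched and rejected values are returned rather than dropped, since a capture gap on either interface leaves the corresponding NAS-PDUs undecodable and therefore invisible to the later counting step.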
Step 250, analyzing each flow message corresponding to the N2 interface, and generating an XDR log corresponding to the N2 interface according to the analysis result.
Step 260, decoding the load content of the NAS-PDU in the N1 interface according to the decoding parameters, and generating an XDR log corresponding to the N1 interface according to the decoding result.
In one implementation manner of the embodiment of the present invention, decoding the payload content of the NAS-PDU in the N1 interface according to the decoding parameter includes: judging whether a plurality of flow messages corresponding to the N2 interface comprise load contents of NAS-PDU in the N1 interface or not; if yes, extracting the load content of the NAS-PDU from a plurality of flow messages corresponding to the N2 interface, and decoding the load content according to the decoding parameters.
In practical application, the load content of NAS-PDU in the N1 interface is usually included in the flow information of the N2 interface, and by judging whether the load content of NAS-PDU in the N1 interface exists in the flow message of the N2 interface, the extraction time of the load content of NAS-PDU can be saved, so that the decoding efficiency of NAS-PDU and the detection efficiency of signaling storm in the core network are improved.
In a specific embodiment, optionally, whether the flow message corresponding to the N2 interface includes the load content of the NAS-PDU of the N1 interface may be determined according to a preset identifier, and if yes, the NAS-PDU load content is extracted by using a preset separator; if not, analyzing the flow message corresponding to the N1 interface, and acquiring the load content of the NAS-PDU in the N1 interface according to the analysis result.
Step 270, counting interaction information corresponding to the target transaction flow in the core network according to XDR logs corresponding to the N1 interface and the N2 interface respectively, and determining a signaling storm detection result corresponding to the core network according to the interaction information.
According to the technical scheme provided by the embodiment of the invention, a plurality of flow messages respectively corresponding to the N1, N2 and N12 interfaces in the 5G core network are obtained; the load content of the NAS-PDU in the N1 interface is analyzed according to each flow message corresponding to the N1 interface to obtain a first decoding deduction parameter and a first authentication verification parameter; the load content of the HTTPv2 protocol data unit in the N12 interface is analyzed according to each flow message corresponding to the N12 interface to obtain a second decoding deduction parameter and a second authentication verification parameter; the first and second decoding deduction parameters are processed according to the first and second authentication verification parameters to obtain decoding parameters corresponding to the NAS-PDU in the N1 interface; each flow message corresponding to the N2 interface is analyzed and an XDR log corresponding to the N2 interface is generated according to the analysis result; the load content of the NAS-PDU in the N1 interface is decoded according to the decoding parameters and an XDR log corresponding to the N1 interface is generated according to the decoding result; interaction information corresponding to the target transaction flow in the core network is counted according to the XDR logs corresponding to the N1 interface and the N2 interface respectively, and the signaling storm detection result corresponding to the core network is determined according to the interaction information. In this way, the accuracy of the signaling storm detection result can be ensured.
Fig. 3 is a flowchart of another signaling storm detection method according to an embodiment of the present invention, as shown in fig. 3, including:
Step 310, a plurality of flow messages corresponding to the N1, N2 and N12 interfaces in the 5G core network are obtained.
Step 320, analyzing each flow message corresponding to the N1 interface and the N12 interface to obtain decoding parameters corresponding to the NAS-PDU in the N1 interface.
Step 330, a transaction flow dictionary table corresponding to the N2 interface is obtained, and a plurality of transaction flows monitored by the N2 interface are stored in the transaction flow dictionary table in advance.
In a specific embodiment, the transaction flow dictionary table corresponding to the N2 interface may be as shown in table 1. The transaction flow dictionary table stores a plurality of transaction flows monitored by the N2 interface, and a user can add, modify or delete the transaction flows in the transaction flow dictionary table according to the actual signaling storm detection direction.
TABLE 1
Step 340, analyzing each flow message corresponding to the N2 interface, determining a plurality of target flow fields corresponding to the N2 interface in an analysis result according to the transaction flow dictionary table corresponding to the N2 interface, and generating an XDR log corresponding to the N2 interface according to the plurality of target flow fields corresponding to the N2 interface.
In this step, optionally, each flow message corresponding to the N2 interface may be parsed, and according to a plurality of transaction flows stored in the transaction flow dictionary table, a field matched with each transaction flow (i.e., a target flow field) is obtained in the parsing result, and each target flow field is stored in a preset data table, and then an XDR log corresponding to the N2 interface is generated according to the data table and each flow message corresponding to the N2 interface.
In a specific embodiment, the target flow field corresponding to the N2 interface may be as shown in table 2.
TABLE 2
Step 350, decoding the load content of the NAS-PDU in the N1 interface according to the decoding parameters.
Step 360, a transaction flow dictionary table corresponding to the N1 interface is obtained, and a plurality of transaction flows monitored by the N1 interface are stored in the transaction flow dictionary table in advance.
In a specific embodiment, the transaction flow dictionary table corresponding to the N1 interface may be as shown in table 3. The transaction flow dictionary table stores a plurality of transaction flows monitored by the N1 interface, and a user can add, modify or delete the transaction flows in the transaction flow dictionary table according to the actual signaling storm detection direction.
TABLE 3
Step 370, analyzing the decoding result, determining a plurality of target flow fields corresponding to the N1 interface in the analysis result according to the transaction flow dictionary table corresponding to the N1 interface, and generating an XDR log corresponding to the N1 interface according to the plurality of target flow fields corresponding to the N1 interface.
In this step, optionally, according to the transaction flow dictionary table corresponding to the N1 interface, a field (i.e., a target flow field) matched with each transaction flow is obtained from the analysis result, each target flow field is stored in a preset data table, and then an XDR log corresponding to the N1 interface is generated according to the data table and each flow message corresponding to the N1 interface.
The advantage of this arrangement is that, by pre-constructing the transaction flow dictionary tables corresponding to the N1 interface and the N2 interface respectively, the target flow fields corresponding to the N1 interface and the N2 interface can be determined rapidly, which improves the generation efficiency of the XDR logs; secondly, by constructing the transaction flow dictionary tables, richer signaling interaction flows can be identified, which improves the extensibility of the signaling storm detection method; and if the detection direction of the signaling storm changes, only the transaction flow dictionary table and the XDR log need to be updated correspondingly, which improves the universality of the signaling storm detection method.
Step 380, counting interaction information corresponding to the target transaction flow in the core network according to XDR logs corresponding to the N1 interface and the N2 interface respectively, and determining a signaling storm detection result corresponding to the core network according to the interaction information.
According to the technical scheme provided by the embodiment of the invention, a plurality of flow messages respectively corresponding to the N1, N2 and N12 interfaces in the 5G core network are acquired; the flow messages of the N1 interface and the N12 interface are analyzed to obtain the decoding parameters corresponding to the NAS-PDU in the N1 interface; the transaction flow dictionary table of the N2 interface is acquired, the flow messages of the N2 interface are analyzed, the target flow fields corresponding to the N2 interface are determined in the analysis result, and an XDR log corresponding to the N2 interface is generated; the load content of the NAS-PDU in the N1 interface is decoded according to the decoding parameters; the transaction flow dictionary table of the N1 interface is acquired, the decoding result is analyzed, the target flow fields corresponding to the N1 interface are determined in the analysis result, and an XDR log corresponding to the N1 interface is generated; and the interaction information corresponding to the target transaction flow in the core network is counted according to the XDR logs respectively corresponding to the N1 interface and the N2 interface, and the signaling storm detection result corresponding to the core network is determined according to the interaction information. By these technical means, the accuracy of the signaling storm detection result can be ensured.
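The flow of steps 310 to 380 above, as an added example that is not the patent's own code: constructed, already-parsed NGAP messages are split into N1 and N2 traffic, reduced to XDR records through transaction flow dictionary tables, counted per time window, and compared against a per-flow threshold. Tables 1 to 3 are not reproduced on this page, so the dictionary entries, field names, window length and threshold rule are assumptions, as is the premise that each NAS-PDU has already been decoded with the derived decoding parameters.

```python
from collections import Counter

# Constructed transaction flow dictionary tables: monitored flow -> target
# flow fields. Entries and field names are assumptions, not the page's tables.
N2_FLOWS = {
    "NGSetup": ["ts", "gnb_id"],
    "UEContextRelease": ["ts", "gnb_id", "ran_ue_id", "cause"],
}
N1_FLOWS = {
    "RegistrationRequest": ["ts", "gnb_id", "ran_ue_id", "reg_type"],
    "ServiceRequest": ["ts", "gnb_id", "ran_ue_id", "service_type"],
}


def classify(msg):
    """Claim 2 rule: an NGAP message carrying a NAS-PDU payload is N1 traffic,
    any other NGAP message is N2 traffic; non-NGAP traffic is screened out."""
    if msg.get("protocol") != "NGAP":
        return None
    return "N1" if msg.get("nas_pdu") else "N2"


def build_xdr(msg):
    """Keep only the target flow fields that the dictionary table lists for the
    message's interface; messages for unmonitored flows yield no XDR."""
    interface = classify(msg)
    if interface is None:
        return None
    if interface == "N1":
        nas = msg["nas_pdu"]  # assumption: already decoded NAS-PDU content
        flow, table, parsed = nas.get("message_type"), N1_FLOWS, {**msg, **nas}
    else:
        flow, table, parsed = msg.get("procedure"), N2_FLOWS, msg
    if flow not in table:
        return None
    xdr = {"interface": interface, "flow": flow}
    for field in table[flow]:
        xdr[field] = parsed.get(field)  # absent fields are recorded as None
    return xdr


def count_interactions(xdrs, window_s=10):
    """Count XDRs per (window start, interface, flow, gNB)."""
    counts = Counter()
    for x in xdrs:
        window = int(x["ts"] // window_s) * window_s
        counts[(window, x["interface"], x["flow"], x["gnb_id"])] += 1
    return counts


def detect_storm(counts, thresholds):
    """Flag buckets whose count exceeds the per-flow threshold. The threshold
    rule is an assumption; this section does not state the decision rule."""
    flagged = []
    for key, n in counts.items():
        limit = thresholds.get(key[2])
        if limit is not None and n > limit:
            flagged.append(key)
    return sorted(flagged)


def sample_messages():
    """Constructed input: one gNB relaying a burst of registrations."""
    msgs = [{"protocol": "NGAP", "procedure": "NGSetup", "ts": 0.5, "gnb_id": 7}]
    for i in range(40):
        msgs.append({"protocol": "NGAP", "procedure": "InitialUEMessage",
                     "ts": 1 + i * 0.2, "gnb_id": 7, "ran_ue_id": i,
                     "nas_pdu": {"message_type": "RegistrationRequest",
                                 "reg_type": "initial"}})
    for i in range(3):
        msgs.append({"protocol": "NGAP", "procedure": "UplinkNASTransport",
                     "ts": 12 + i, "gnb_id": 9, "ran_ue_id": 100 + i,
                     "nas_pdu": {"message_type": "ServiceRequest",
                                 "service_type": "data"}})
    msgs.append({"protocol": "SCTP", "ts": 3.0})              # not NGAP
    msgs.append({"protocol": "NGAP", "procedure": "Paging",   # not monitored
                 "ts": 4.0, "gnb_id": 7})
    return msgs


def run(window_s=10, thresholds=None):
    thresholds = thresholds or {"RegistrationRequest": 30, "ServiceRequest": 30}
    xdrs = [x for x in map(build_xdr, sample_messages()) if x]
    counts = count_interactions(xdrs, window_s)
    return xdrs, counts, detect_storm(counts, thresholds)


if __name__ == "__main__":
    for bucket in run()[2]:
        print("storm candidate (window, interface, flow, gNB):", bucket)
```

Changing what is monitored only requires editing the two dictionary tables, which is the extensibility property the description attributes to them.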
Fig. 4 is a schematic structural diagram of a signaling storm detection device according to an embodiment of the present invention, and as shown in fig. 4, the device includes: a message acquisition module 410, a first log generation module 420, a second log generation module 430, and a signaling detection module 440.
The message obtaining module 410 is configured to obtain a plurality of flow messages corresponding to the N1, N2, and N12 interfaces in the 5G core network, respectively;
the first log generating module 420 is configured to parse each flow packet corresponding to the N1 interface and the N12 interface to obtain a decoding parameter corresponding to a non-access stratum protocol data unit NAS-PDU in the N1 interface, parse each flow packet corresponding to the N2 interface, and generate an XDR log corresponding to the N2 interface according to a parsing result;
the second log generating module 430 is configured to decode the payload content of the NAS-PDU in the N1 interface according to the decoding parameter, and generate an XDR log corresponding to the N1 interface according to a decoding result;
the signaling detection module 440 is configured to count interaction information corresponding to a target transaction flow in the core network according to XDR logs corresponding to the N1 interface and the N2 interface, and determine a signaling storm detection result corresponding to the core network according to the interaction information.
According to the technical scheme provided by the embodiment of the invention, a plurality of flow messages respectively corresponding to the N1, N2 and N12 interfaces in the 5G core network are obtained; each flow message corresponding to the N1 interface and the N12 interface is analyzed to obtain decoding parameters corresponding to a non-access stratum protocol data unit NAS-PDU in the N1 interface, each flow message corresponding to the N2 interface is analyzed, and an XDR log corresponding to the N2 interface is generated according to the analysis results; the load content of the NAS-PDU in the N1 interface is decoded according to the decoding parameters, and an XDR log corresponding to the N1 interface is generated according to the decoding result; and the interaction information corresponding to the target transaction flow in the core network is counted according to the XDR logs corresponding to the N1 interface and the N2 interface respectively, and the signaling storm detection result corresponding to the core network is determined according to the interaction information. These technical means provide an effective mode for identifying the signaling storm in the 5G core network, and the accuracy of the signaling storm detection result can be ensured.
Based on the above embodiment, the message obtaining module 410 includes:
the message screening unit is used for screening the flow messages meeting the next generation application protocol NGAP from all the original flow messages corresponding to the core network;
a message judging unit, configured to judge whether the flow message includes load content of NAS-PDU in N1 interface; if yes, the flow message is used as a flow message corresponding to an N1 interface; if not, the flow message is used as the flow message corresponding to the N2 interface.
The first log generation module 420 includes:
the first parameter determining unit is used for analyzing the load content of the NAS-PDU in the N1 interface according to each flow message corresponding to the N1 interface to obtain a first decoding deduction parameter and a first authentication verification parameter;
the second parameter determining unit is used for analyzing the load content of the HTTPv2 protocol data unit in the N12 interface according to each flow message corresponding to the N12 interface to obtain a second decoding deduction parameter and a second authentication verification parameter;
the decoding parameter determining unit is used for processing the first decoding deduction parameter and the second decoding deduction parameter according to the first authentication check parameter and the second authentication check parameter to obtain decoding parameters corresponding to the NAS-PDU in the N1 interface;
the N2 dictionary table acquisition unit is used for acquiring a transaction flow dictionary table corresponding to the N2 interface, wherein a plurality of transaction flows monitored by the N2 interface are stored in the transaction flow dictionary table in advance;
the N2 field determining unit is used for analyzing each flow message corresponding to the N2 interface and determining a plurality of target flow fields corresponding to the N2 interface in an analysis result according to the transaction flow dictionary table corresponding to the N2 interface;
and the N2 log generating unit is used for generating an XDR log corresponding to the N2 interface according to the plurality of target flow fields corresponding to the N2 interface.
The second log generation module 430 includes:
the load judging unit is used for judging whether the load content of the NAS-PDU in the N1 interface is included in a plurality of flow messages corresponding to the N2 interface; if yes, extracting the load content of the NAS-PDU from a plurality of flow messages corresponding to an N2 interface, and decoding the load content according to the decoding parameters;
the N1 dictionary table acquisition unit is used for acquiring a transaction flow dictionary table corresponding to the N1 interface, wherein a plurality of transaction flows monitored by the N1 interface are stored in the transaction flow dictionary table in advance;
the N1 field determining unit is used for analyzing the decoding result and determining a plurality of target flow fields corresponding to the N1 interface in the analysis result according to the transaction flow dictionary table corresponding to the N1 interface;
and the N1 log generating unit is used for generating an XDR log corresponding to the N1 interface according to the plurality of target flow fields corresponding to the N1 interface.
The device can execute the method provided by all the embodiments of the invention, and has the corresponding functional modules and beneficial effects of executing the method. Technical details not described in detail in the embodiments of the present invention can be found in the methods provided in all the foregoing embodiments of the present invention.
Fig. 5 shows a schematic diagram of the structure of an electronic device 10 that may be used to implement an embodiment of the invention. Electronic devices are intended to represent various forms of digital computers, such as laptops, desktops, workstations, personal digital assistants, servers, blade servers, mainframes, and other appropriate computers. Electronic equipment may also represent various forms of mobile devices, such as personal digital processing, cellular telephones, smartphones, wearable devices (e.g., helmets, glasses, watches, etc.), and other similar computing devices. The components shown herein, their connections and relationships, and their functions, are meant to be exemplary only, and are not meant to limit implementations of the inventions described and/or claimed herein.
As shown in fig. 5, the electronic device 10 includes at least one processor 11, and a memory, such as a Read Only Memory (ROM) 12, a Random Access Memory (RAM) 13, etc., communicatively connected to the at least one processor 11, in which the memory stores a computer program executable by the at least one processor, and the processor 11 may perform various appropriate actions and processes according to the computer program stored in the Read Only Memory (ROM) 12 or the computer program loaded from the storage unit 18 into the Random Access Memory (RAM) 13. In the RAM 13, various programs and data required for the operation of the electronic device 10 may also be stored. The processor 11, the ROM 12 and the RAM 13 are connected to each other via a bus 14. An input/output (I/O) interface 15 is also connected to bus 14.
Various components in the electronic device 10 are connected to the I/O interface 15, including: an input unit 16 such as a keyboard, a mouse, etc.; an output unit 17 such as various types of displays, speakers, and the like; a storage unit 18 such as a magnetic disk, an optical disk, or the like; and a communication unit 19 such as a network card, modem, wireless communication transceiver, etc. The communication unit 19 allows the electronic device 10 to exchange information/data with other devices via a computer network, such as the internet, and/or various telecommunication networks.
The processor 11 may be a variety of general and/or special purpose processing components having processing and computing capabilities. Some examples of processor 11 include, but are not limited to, a Central Processing Unit (CPU), a Graphics Processing Unit (GPU), various specialized Artificial Intelligence (AI) computing chips, various processors running machine learning model algorithms, Digital Signal Processors (DSPs), and any suitable processor, controller, microcontroller, etc. The processor 11 performs the various methods and processes described above, such as the signaling storm detection method.
In some embodiments, the signaling storm detection method may be implemented as a computer program tangibly embodied on a computer-readable storage medium, such as the storage unit 18. In some embodiments, part or all of the computer program may be loaded and/or installed onto the electronic device 10 via the ROM 12 and/or the communication unit 19. When the computer program is loaded into RAM 13 and executed by processor 11, one or more steps of the signaling storm detection method described above may be performed. Alternatively, in other embodiments, the processor 11 may be configured to perform the signaling storm detection method in any other suitable way (e.g. by means of firmware).
Various implementations of the systems and techniques described above may be implemented in digital electronic circuitry, integrated circuit systems, Field Programmable Gate Arrays (FPGAs), Application Specific Integrated Circuits (ASICs), Application Specific Standard Products (ASSPs), Systems On Chip (SOCs), Complex Programmable Logic Devices (CPLDs), computer hardware, firmware, software, and/or combinations thereof. These various embodiments may include: implementation in one or more computer programs that may be executed and/or interpreted on a programmable system including at least one programmable processor, which may be a special purpose or general-purpose programmable processor, and which may receive data and instructions from, and transmit data and instructions to, a storage system, at least one input device, and at least one output device.
A computer program for carrying out methods of the present invention may be written in any combination of one or more programming languages. These computer programs may be provided to a processor of a general purpose computer, special purpose computer, or other programmable data processing apparatus, such that the computer programs, when executed by the processor, cause the functions/acts specified in the flowchart and/or block diagram block or blocks to be implemented. The computer program may execute entirely on the machine, partly on the machine, as a stand-alone software package, partly on the machine and partly on a remote machine or entirely on the remote machine or server.
In the context of the present invention, a computer-readable storage medium may be a tangible medium that can contain, or store a computer program for use by or in connection with an instruction execution system, apparatus, or device. The computer readable storage medium may include, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any suitable combination of the foregoing. Alternatively, the computer readable storage medium may be a machine readable signal medium. More specific examples of a machine-readable storage medium would include an electrical connection based on one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
To provide for interaction with a user, the systems and techniques described here can be implemented on an electronic device having: a display device (e.g., a CRT (cathode ray tube) or LCD (liquid crystal display) monitor) for displaying information to a user; and a keyboard and a pointing device (e.g., a mouse or a trackball) through which a user can provide input to the electronic device. Other kinds of devices may also be used to provide for interaction with a user; for example, feedback provided to the user may be any form of sensory feedback (e.g., visual feedback, auditory feedback, or tactile feedback); and input from the user may be received in any form, including acoustic input, speech input, or tactile input.
The systems and techniques described here can be implemented in a computing system that includes a back-end component (e.g., as a data server), or that includes a middleware component (e.g., an application server), or that includes a front-end component (e.g., a user computer having a graphical user interface or a web browser through which a user can interact with an implementation of the systems and techniques described here), or any combination of such back-end, middleware, or front-end components. The components of the system can be interconnected by any form or medium of digital data communication (e.g., a communication network). Examples of communication networks include: Local Area Networks (LANs), Wide Area Networks (WANs), blockchain networks, and the internet.
The computing system may include clients and servers. The client and server are typically remote from each other and typically interact through a communication network. The relationship of client and server arises by virtue of computer programs running on the respective computers and having a client-server relationship to each other. The server can be a cloud server, also called a cloud computing server or a cloud host, and is a host product in a cloud computing service system, so that the defects of high management difficulty and weak service expansibility in the traditional physical hosts and VPS service are overcome.
It should be appreciated that steps may be reordered, added, or deleted using the various forms of the flows shown above. For example, the steps described in the present invention may be performed in parallel, sequentially, or in a different order, so long as the desired results of the technical solution of the present invention are achieved, and the present invention is not limited herein.
The above embodiments do not limit the scope of the present invention. It will be apparent to those skilled in the art that various modifications, combinations, sub-combinations and alternatives are possible, depending on design requirements and other factors. Any modifications, equivalent substitutions and improvements made within the spirit and principles of the present invention should be included in the scope of the present invention.

Claims (10)

1. A signaling storm detection method, comprising:
acquiring a plurality of flow messages corresponding to N1, N2 and N12 interfaces in a 5G core network respectively;
analyzing each flow message corresponding to the N1 interface and the N12 interface to obtain decoding parameters corresponding to a non-access stratum protocol data unit NAS-PDU in the N1 interface, analyzing each flow message corresponding to the N2 interface, and generating an XDR log corresponding to the N2 interface according to analysis results;
decoding the load content of the NAS-PDU in the N1 interface according to the decoding parameters, and generating an XDR log corresponding to the N1 interface according to the decoding result;
and according to XDR logs corresponding to the N1 interface and the N2 interface respectively, counting interaction information corresponding to a target transaction flow in a core network, and determining a signaling storm detection result corresponding to the core network according to the interaction information.
2. The method of claim 1, wherein obtaining a plurality of traffic messages corresponding to N1 and N2 interfaces in the 5G core network respectively comprises:
screening the flow messages meeting the next generation application protocol NGAP from all the original flow messages corresponding to the core network;
judging whether the flow message comprises the load content of NAS-PDU in the N1 interface;
if yes, the flow message is used as a flow message corresponding to an N1 interface;
if not, the flow message is used as the flow message corresponding to the N2 interface.
3. The method of claim 1, wherein parsing each flow message corresponding to the N1 interface and the N12 interface to obtain decoding parameters corresponding to NAS-PDUs in the N1 interface comprises:
analyzing the load content of the NAS-PDU in the N1 interface according to each flow message corresponding to the N1 interface to obtain a first decoding deduction parameter and a first authentication verification parameter;
analyzing the load content of the HTTPv2 protocol data unit in the N12 interface according to each flow message corresponding to the N12 interface to obtain a second decoding deduction parameter and a second authentication verification parameter;
and processing the first decoding deduction parameter and the second decoding deduction parameter according to the first authentication checking parameter and the second authentication checking parameter to obtain decoding parameters corresponding to the NAS-PDU in the N1 interface.
4. The method of claim 1, wherein parsing each flow message corresponding to the N2 interface, and generating an XDR log corresponding to the N2 interface according to the parsing result, comprises:
acquiring a transaction flow dictionary table corresponding to an N2 interface, wherein a plurality of transaction flows monitored by the N2 interface are prestored in the transaction flow dictionary table;
analyzing each flow message corresponding to the N2 interface, and determining a plurality of target flow fields corresponding to the N2 interface in an analysis result according to the transaction flow dictionary table corresponding to the N2 interface;
and generating an XDR log corresponding to the N2 interface according to the target flow fields corresponding to the N2 interface.
5. The method of claim 1, wherein decoding the payload content of the NAS-PDU in the N1 interface according to the decoding parameters comprises:
judging whether a plurality of flow messages corresponding to the N2 interface comprise load contents of NAS-PDU in the N1 interface or not;
if yes, extracting the load content of the NAS-PDU from a plurality of flow messages corresponding to the N2 interface, and decoding the load content according to the decoding parameters.
6. The method of claim 1, wherein generating the XDR log corresponding to the N1 interface according to the decoding result comprises:
acquiring a transaction flow dictionary table corresponding to an N1 interface, wherein a plurality of transaction flows monitored by the N1 interface are prestored in the transaction flow dictionary table;
analyzing the decoding result, and determining a plurality of target flow fields corresponding to the N1 interface in the analysis result according to the transaction flow dictionary table corresponding to the N1 interface;
and generating an XDR log corresponding to the N1 interface according to the target flow fields corresponding to the N1 interface.
7. A signaling storm detection device, comprising:
the message acquisition module is used for acquiring a plurality of flow messages corresponding to the N1, N2 and N12 interfaces in the 5G core network respectively;
the first log generation module is used for analyzing each flow message corresponding to the N1 interface and the N12 interface to obtain decoding parameters corresponding to a non-access stratum protocol data unit NAS-PDU in the N1 interface, analyzing each flow message corresponding to the N2 interface, and generating an XDR log corresponding to the N2 interface according to analysis results;
the second log generating module is used for decoding the load content of the NAS-PDU in the N1 interface according to the decoding parameters and generating an XDR log corresponding to the N1 interface according to the decoding result;
and the signaling detection module is used for counting interaction information corresponding to the target transaction flow in the core network according to the XDR logs respectively corresponding to the N1 interface and the N2 interface, and determining a signaling storm detection result corresponding to the core network according to the interaction information.
8. An electronic device, the electronic device comprising:
at least one processor; and
a memory communicatively coupled to the at least one processor; wherein,
the memory stores a computer program executable by the at least one processor to enable the at least one processor to perform the signaling storm detection method of any of claims 1-6.
9. A computer readable storage medium, characterized in that the computer readable storage medium stores computer instructions for causing a processor to implement the signaling storm detection method of any of claims 1-6 when executed.
10. A computer program product, characterized in that the computer program product comprises a computer program which, when executed by a processor, implements the signaling storm detection method according to any of claims 1-6.
CN202310527986.7A 2023-05-10 2023-05-10 Method and device for detecting signaling storm, electronic equipment and storage medium Pending CN116546545A (en)

Publications (1)

Publication Number Publication Date
CN116546545A true CN116546545A (en) 2023-08-04

Family

ID=87457403

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination