CN116866921A - 5G signaling storm vulnerability analysis method based on Petri network - Google Patents


Info

Publication number: CN116866921A
Authority: CN (China)
Application number: CN202310805863.5A
Other languages: Chinese (zh)
Inventors: 王一川, 魏伟, 张彤, 肖叶秋, 刘小雪, 黑新宏
Current assignee: Xian University of Technology
Original assignee: Xian University of Technology
Application filed by Xian University of Technology; priority to CN202310805863.5A; publication of CN116866921A
Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)


Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04W: WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00: Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/12: Detection or prevention of fraud
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00: Network architectures or network communication protocols for network security
    • H04L 63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1416: Event detection, e.g. attack signature detection
    • H04L 63/1441: Countermeasures against malicious traffic
    • H04L 63/1458: Denial of Service
    • Y: GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02: TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D: CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D 30/00: Reducing energy consumption in communication networks
    • Y02D 30/70: Reducing energy consumption in communication networks in wireless communication networks


Abstract

The invention discloses a 5G signaling storm vulnerability analysis method based on a Petri net, implemented according to the following steps: step 1, set up a Free5GC simulation environment based on the 3rd Generation Partnership Project (3GPP) standard; step 2, realize the network functions in virtualized form, run the standard services of a 5G core network, and simulate a 5G signaling storm attack; step 3, capture the data stream during the network attack with packet capture software, and store and analyze the signaling interaction information in the data stream; step 4, organize the data flow analysis result of step 3 and from it construct a Petri-net-based 5G signaling storm attack model; step 5, on the basis of the attack model of step 4, analyze the weak points of the attack, design a defense scheme against it, and carry out modeling analysis on the defense scheme. The weak points existing in the 5G signaling network can be intuitively reflected by the attack model, and the attack principle is analyzed through the attack model.

Description

5G signaling storm vulnerability analysis method based on Petri network
Technical Field
The invention relates to the technical field of network security, in particular to a 5G signaling storm vulnerability analysis method based on a Petri net.
Background
With the continuous development of the economy, science and technology, mobile communication networks are gradually transitioning from the 4G era to the 5G era. The rapid development and wide application of 5G has become a hotspot of global communication, science and technology; it not only brings a better mobile communication experience but also drives fields such as smart cities, smart factories and autonomous driving. The 5G network is an important engine of global economic and social development and its security is a focus of attention; the signaling network is the foundation of 5G network communication, so the security of the 5G signaling network is a very important issue at present.
The vulnerability of the 5G signaling network refers to weak points or vulnerabilities in the signaling network of a 5G network that may be attacked or exploited. Hackers or malicious users access the 5G network through these weak points and cause signaling plane services to behave abnormally, thereby compromising the network and its communications or threatening the privacy and security of users. Weak points may stem from security flaws in source code design or implementation, misconfigurations, software vulnerabilities, unsafe protocols and so on, and corresponding security measures and safeguards need to be taken to mitigate the risks and protect the security of the signaling network.
Traditional network vulnerabilities are weak points in the concrete implementation of hardware, software and protocols, or in system security policies, which an attacker can use to execute malicious code without authorization and so intrude into the system. 5G signaling network vulnerabilities, by contrast, are typically related to the design and implementation of communication protocols; an attacker attacks by tampering with signaling messages, spoofing the communication system, exploiting protocol vulnerabilities and so on. The vulnerability of the 5G signaling network includes the following aspects: (1) security vulnerabilities: the 5G signaling network has security holes, and hackers or malicious users use these weak points for unauthorized access, data tampering, denial of service attacks and the like; (2) pseudo base station attack: an attacker sets up a pseudo base station, tricks user equipment into connecting, and steals personal information of the user or performs other malicious activities through signaling communication; (3) malware and malicious applications: malware or malicious applications propagate through the 5G signaling network and affect the normal operation of devices; (4) access denial of service attack: hackers overload the 5G signaling network by sending large numbers of requests or malicious data packets, resulting in network unavailability or degraded quality of service, thereby affecting users' normal communications; (5) network topology exposure: after obtaining the topology information of the signaling network, an attacker better understands the network structure and the relationships between its components, and can carry out targeted attacks.
Attacks on the 5G signaling network cause relatively large damage; in particular, a signaling storm attack can paralyze the 5G signaling network and interrupt service, bringing great loss and risk to communication operators and users. Therefore, the security technology of the 5G signaling network needs to be comprehensively analyzed, the potential security risks of the 5G signaling network mined, the anti-attack capability of the 5G signaling network enhanced, and the security of the 5G signaling network improved.
However, in the field of 5G signaling network security there is still a great shortage of vulnerability discovery and anti-attack capability for 5G signaling storm attacks, and there are few methods for vulnerability analysis and effective response and mitigation for 5G signaling storm attacks. Studying vulnerability discovery for 5G signaling storm attacks and proposing effective response and mitigation schemes is therefore of great significance.
Disclosure of Invention
The invention aims to provide a Petri-net-based weak point analysis method for the signaling storm, a form of DoS attack, which maps the states in the attack process to the places of a Petri net and establishes a Petri net model, thereby solving the problems that signaling resource consumption in the signaling network is difficult to describe and that the weak points lack defensive measures.
In order to achieve the above purpose, the present invention provides the following technical solution: a 5G signaling storm vulnerability analysis method based on a Petri net, implemented according to the following steps:
step 1, based on the 3GPP (3rd Generation Partnership Project) standard and following the SBA (service-based architecture) framework, build a Free5GC simulation environment;
step 2, realize the network functions in virtualized form, run the standard services of a 5G core network, and simulate a 5G signaling storm attack;
step 3, capture the data stream during the network attack with packet capture software, and store and analyze the signaling interaction information in the data stream;
step 4, organize the data flow analysis result of step 3 and from it construct a Petri-net-based 5G signaling storm attack model;
step 5, on the basis of the 5G signaling storm attack model of step 4, analyze the weak points of the attack, design a scheme that effectively responds to and mitigates the attack, take this scheme as the defense scheme, and carry out modeling analysis on the defense scheme;
step 1 is specifically implemented according to the following steps:
step 1.1, install virtual machine software and create two different Linux virtual machine instances, namely a 5GC virtual machine and a UERANSIM virtual machine;
step 1.2, build a Free5GC core network module on the virtual machine named 5GC, and build an Ng base station module and a UE (user equipment) module on the virtual machine named UERANSIM;
step 1.3, register the UE information on the virtual machine named 5GC, and configure the access information of the Ng base station and UE modules on the virtual machine named UERANSIM;
step 1.4, test the connectivity of the Free5GC environment after configuration is completed;
step 2 is specifically implemented according to the following steps:
step 2.1, run the main start-up file of the Free5GC core network module on the 5GC virtual machine; the main start-up file calls each network function module of the core network in sequence so that together they form the standardized, service-based services of the 5G core network;
step 2.2, start the configuration file of the Ng base station on the virtual machine named UERANSIM and connect the Ng base station to the core network;
step 2.3, start the UE configuration file on the UERANSIM virtual machine, whereby the UE module connects locally to the Ng base station and remotely, through the Ng base station, to the core network;
step 2.4, simulate a large number of UE accesses on the UERANSIM virtual machine and launch a 5G signaling storm attack against the core network on the 5GC virtual machine;
step 3 is specifically implemented according to the following steps:
step 3.1, capture the data stream during the network attack with packet capture software and store it as a traffic data file of pcap type;
step 3.2, using the filtering function of the packet capture software of step 3.1, filter out the signaling flow whose packets are carried over the SCTP protocol, and compile statistics on and analyze the connection process between the UE module and the Ng base station, the NG interface establishment process, the NAS registration process and the session establishment process in the signaling flow;
step 3.3, from the statistics of the signaling interaction process in step 3.2, analyze how the signaling storm attack occupies the signaling resources of each network element of the core network;
step 4 is specifically implemented according to the following steps:
step 4.1, analyze the signaling interaction process compiled in step 3 so as to sort out the attack flow, and determine the entities, behaviors and states involved in the attack flow and the triggering conditions of each state;
step 4.2, map the states and behaviors of the entities to the places and transitions of the Petri net;
step 4.3, analyze the places and transitions of step 4.2, determine the causal relationships between places and transitions, and construct a Petri net model;
step 4.4, check and abstract the Petri net model of step 4.3, delete unnecessary processes, and refine the key links;
step 4.5, sort out and abstract the signaling resource consumption process in the Petri net model obtained in step 4.4;
step 4.6, check the attack process of the Petri net model obtained in step 4.5, and determine the Petri net attack model;
step 4.7, set the number of tokens to x, representing the upper limit of system resources, run the model on a Petri net construction tool, and verify the correctness and effectiveness of the model;
step 4.8, iterate steps 4.1 to 4.7 and determine the final effective Petri net attack model.
Preferably, step 5 is specifically implemented according to the following steps:
step 5.1, analyze the Petri net attack model constructed in step 4 and determine the weak points, so as to obtain the key points of the attack;
step 5.2, analyze the key points of the attack and design a repair scheme for the weak points: a short-time-window IP filtering and flow control mechanism is added to the message processing that follows UE access to the base station, so as to respond to and mitigate the attack;
step 5.3, analyze the states and behaviors newly added by the response scheme, determine their positions in the Petri net attack model, determine the relationships between each place, transition and the other elements, and describe the Petri net defense model;
step 5.4, verify the Petri net defense model of step 5.3: set the weight of the arc leading to the unsafe state to x, indicating that the upper limit of resources the system can grant is x;
step 5.5, set the number of tokens to x, representing the number of malicious requests, and set the number of run steps and the time delay;
step 5.6, run the attack model and the defense model on the Petri net construction tool; when all tokens reach the unsafe state at the same time, all system resources are occupied by malicious requests and normal connection requests cannot be answered, which means the attack has succeeded;
step 5.7, record the running time of the models, and compare them to verify the correctness and effectiveness of the defense model;
step 5.8, iterate steps 5.1 to 5.7 and determine the final effective Petri net defense model.
Preferably, step 2.1 specifically includes:
(1) the AMF network element, responsible for UE identity verification, authentication, registration, mobility management, connection management and similar functions;
(2) the authentication server function (AUSF) network element, which receives the AMF network element's request to verify the identity of the UE, requests a key from the unified data management (UDM) network element, and forwards the key issued by the UDM network element to the AMF network element for authentication processing;
(3) the NSSF network element, which determines the network slice instance the UE is allowed to access according to the UE's slice selection assistance information, subscription information and the like;
(4) the network function registration function (NRF) network element, which enables network functions (NFs) to discover each other and communicate through an API interface;
(5) the session management function (SMF) network element, responsible for tunnel maintenance, IP address allocation and management, UP function selection, policy enforcement, charging data collection and roaming;
(6) the policy control function (PCF) network element, which provides the policy rules of the control plane functions;
(7) the unified data repository (UDR) network element, which stores the subscription data and policy data of the UDM network element and the PCF network element;
(8) the user plane function (UPF) network element, responsible for packet routing and forwarding, policy enforcement and traffic reporting;
step 2.2 specifically comprises the following steps:
(1) enter the UERANSIM home directory on the UERANSIM virtual machine, run the free5gc-gnb.yaml configuration file under the config folder, and start the base station;
(2) the base station initiates a connection request to the core network using its configuration information;
(3) the NG interface is established and the base station is successfully connected to the core network;
step 2.3 specifically comprises the following steps:
(1) with administrator privileges, run the free5gc-ue.yaml configuration file under the config folder and start the UE, which initiates a local connection request to the base station;
(2) after the UE module and the Ng base station are successfully connected, a connection request is initiated to the AMF network element of the core network through the Ng base station;
(3) after the connection succeeds, the registration process is initiated;
(4) after registration is completed, a protocol data unit (PDU) session is established.
Preferably, the Petri net is used to model and analyze the 5G signaling storm attack process, the resource consumption during the 5G signaling storm attack is simulated faster than real time, and the weak points of the attack are analyzed according to the Petri net attack model.
Compared with the prior art, the invention has the following beneficial effects:
(1) The Petri-net-based 5G signaling storm vulnerability analysis method can simulate the resource consumption during a 5G signaling storm attack faster than real time, objectively analyze the weak points of the attack according to the Petri net attack model, and provide a reliable solution for the mechanism analysis of 5G signaling storm attack vulnerabilities.
(2) The invention models and analyzes the 5G signaling storm attack process with a Petri net and can intuitively reflect the weak points of the 5G signaling network through the attack model. The attack principle is analyzed through the attack model, an effective response and mitigation scheme based on IP filtering and flow control is provided for the weak points according to that principle, and an approach is thus offered for repairing the weak points exploited by the 5G signaling storm attack.
Drawings
FIG. 1 is a flow chart of the 5G signaling storm vulnerability analysis method based on a Petri net;
FIG. 2 is a schematic diagram of the 5G core virtual network environment conforming to the 3GPP standard, built with Free5GC according to the present invention;
FIG. 3 is a signaling interaction flow diagram of UE access to the 5G core network according to the present invention;
FIG. 4 is the Petri net attack model constructed for the 5G signaling storm attack according to the present invention;
FIG. 5 is the Petri net defense model designed for the weak points of the 5G signaling storm attack according to the present invention;
FIG. 6 is a comparison of the running times of the attack and defense models for the 5G signaling storm attack according to the present invention;
FIG. 7 is a graph comparing the defending ability of the defense model of the present invention against 5G signaling storm attacks of different intensity.
Detailed Description
The technical solutions of the present invention in the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings of the present invention, and it is apparent that the described embodiments are only some embodiments of the present invention, not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
As shown in FIGS. 1-7, the Petri-net-based 5G signaling storm vulnerability analysis method of the present invention comprises:
step 1, based on the 3GPP standard and following the SBA framework, build a Free5GC simulation environment. This is implemented according to the following steps:
step 1.1, install virtual machine software and create two different Linux virtual machine instances, named 5GC and UERANSIM respectively;
step 1.2, build a Free5GC core network module on the virtual machine named 5GC, and build an Ng (base station) module and a UE (user equipment) module on the virtual machine named UERANSIM;
step 1.3, register the UE information on the virtual machine named 5GC, and configure the access information of the Ng base station and UE modules on the virtual machine named UERANSIM;
step 1.4, test the connectivity of the Free5GC environment after configuration is completed.
Step 2, realize the network functions in virtualized form, run the standard services of the 5G core network and simulate a 5G signaling storm attack. This is implemented according to the following steps:
step 2.1, run the main start-up file of the Free5GC core network module on the 5GC virtual machine; the main start-up file calls each network function module of the core network in sequence so that together they form the standardized, service-based services of the 5G core network, as shown in FIG. 2;
step 2.1 specifically comprises:
(1) the AMF network element, responsible for UE identity verification, authentication, registration, mobility management, connection management and similar functions;
(2) the AUSF network element, which receives the AMF network element's request to verify the identity of the UE, requests a key from the UDM network element, and forwards the key issued by the UDM network element to the AMF network element for authentication processing;
(3) the NSSF network element, which determines the network slice instance the UE is allowed to access according to the UE's slice selection assistance information, subscription information and the like;
(4) the NRF network element, which enables network functions to discover each other and communicate through an API interface;
(5) the SMF network element, responsible for tunnel maintenance, IP address allocation and management, policy enforcement and control of QoS, charging data collection, roaming and the like;
(6) the PCF network element, which provides the policy rules of the control plane functions;
(7) the UDR network element, which stores the subscription data and policy data of the UDM network element and the PCF network element;
(8) the UPF network element, responsible for packet routing and forwarding, policy enforcement, traffic reporting and the like.
Step 2.2, start the configuration file of the Ng base station on the virtual machine named UERANSIM and connect the Ng base station to the core network;
step 2.2 is specifically:
(1) enter the UERANSIM home directory on the UERANSIM virtual machine, run the free5gc-gnb.yaml configuration file under the config folder, and start the base station;
(2) the base station initiates a connection request to the core network using its configuration information;
(3) the NG interface is established and the base station is successfully connected to the core network;
step 2.3, start the UE configuration file on the UERANSIM virtual machine, whereby the UE module connects locally to the Ng base station and remotely, through the Ng base station, to the core network;
step 2.3 is specifically as follows:
(1) with administrator privileges, run the free5gc-ue.yaml configuration file under the config folder and start the UE, which initiates a local connection request to the base station;
(2) after the UE and the base station are successfully connected, a connection request is initiated to the AMF network element of the core network through the Ng base station;
(3) after the connection succeeds, the registration process is initiated;
(4) after registration is completed, a PDU session is established;
step 2.4, simulate a large number of UE accesses on the virtual machine named UERANSIM and launch a 5G signaling storm attack against the core network on the virtual machine named 5GC.
Step 3, capture the data stream during the network attack with packet capture software, and store and analyze the signaling interaction information in the data stream. This is implemented according to the following steps:
step 3.1, capture the data stream during the network attack with packet capture software and store it as a traffic data file of pcap type;
step 3.2, using the filtering function of the packet capture software of step 3.1, filter out the signaling flow whose packets are carried over the SCTP protocol, and compile statistics on and analyze the connection process between the Ng base station and the UE module, the NG interface establishment process, the NAS registration process and the session establishment process in the signaling flow, as shown in FIG. 3;
step 3.3, from the statistics of the signaling interaction process in step 3.2, analyze how the signaling storm attack occupies the signaling resources of each network element of the core network.
Step 4, organize the data flow analysis result of step 3 and from it construct a Petri-net-based 5G signaling storm attack model. This is implemented according to the following steps:
step 4.1, analyze the signaling interaction process compiled in step 3 so as to sort out the attack flow, and determine the entities, behaviors and states involved in the attack flow and the triggering conditions of each state;
step 4.2, map the states and behaviors of the entities to the places and transitions of the Petri net, as shown in Tables 1 and 2;
step 4.3, analyze the places and transitions of step 4.2, determine the causal relationships between places and transitions, and construct a Petri net model;
step 4.4, check and abstract the Petri net model of step 4.3, delete unnecessary processes, and refine the key links;
step 4.5, sort out and abstract the signaling resource consumption process in the Petri net model obtained in step 4.4;
step 4.6, check the attack process of the Petri net model obtained in step 4.5, and determine the Petri net attack model;
step 4.7, set the number of tokens to x, representing the upper limit of system resources, run the model on a Petri net construction tool, and verify the correctness and effectiveness of the model;
step 4.8, iterate steps 4.1 to 4.7 and determine the final effective Petri net attack model, as shown in FIG. 4.
Step 5, on the basis of the attack model of step 4, analyze the weak points of the attack, design a scheme that effectively responds to and mitigates the attack, and carry out modeling analysis on the defense scheme. This is implemented according to the following steps:
step 5.1, analyze the Petri net attack model constructed in step 4 and determine the weak points, so as to obtain the key points of the attack;
step 5.2, analyze the key points of the attack and design a repair scheme for the weak points: a short-time-window IP filtering and flow control mechanism is added to the message processing that follows UE access to the base station, so as to respond to and mitigate the attack;
step 5.3, analyze the states and behaviors newly added by the response scheme, determine their positions in the Petri net attack model, determine the relationships between each place, transition and the other elements, and describe the Petri net defense model;
step 5.4, verify the Petri net defense model of step 5.3: set the weight of the arc leading to the unsafe state to x, indicating that the upper limit of resources the system can grant is x;
step 5.5, set the number of tokens to x, representing the number of malicious requests, and set the number of run steps and the time delay;
step 5.6, run the attack model and the defense model on the Petri net construction tool; when all tokens reach the unsafe state at the same time, all system resources are occupied by malicious requests and normal connection requests cannot be answered, which means the attack has succeeded;
step 5.7, record the running time of the models, and compare them to verify the correctness and effectiveness of the defense model;
step 5.8, iterate steps 5.1 to 5.7 and determine the final effective Petri net defense model; the places and transitions that represent the patching mechanism are shown inside the dotted frame in FIG. 5.
Table 1 Meanings of the places
Table 2 Meanings of the transitions
Examples
First, corresponding to step 1, two virtual machines are built from Linux images and named 5GC and UERANSIM. A Free5GC core network environment is set up on the 5GC virtual machine; after setup, the function of each network element is tested and the core network access configuration is filled in. An Ng base station (gNB) and UE user equipment module simulation environment is built on the UERANSIM virtual machine; after the build, the configuration of the Ng base station and UE modules is changed to match the core network information. The UE information to be admitted is registered on the 5GC virtual machine, the core network is started, the configuration files of the Ng base station and the UE module are started in turn on the UERANSIM virtual machine, and whether the connection succeeds is tested.
Second, corresponding to step 2, the run.sh file in the Free5GC main directory is run on the 5GC virtual machine, which starts each network service function of the core network in turn and builds the 5G core network service. 1000 UE configuration files are created, and 1000 UEs are started on the UERANSIM virtual machine to initiate connection requests to the core network on the 5GC virtual machine, simulating abnormal access requests.
Third, corresponding to step 3, packet capture software is used to capture the traffic during the attack and store it as a pcap data file; the filter of the capture software is used to isolate the signaling traffic, and statistics and analysis are carried out on the UE-to-Ng-base-station connection process, the NG interface establishment process, the NAS registration process and the session establishment process in the signaling flow.
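The statistics of this step, as an added example in Python that is not part of the patent and not the output of its capture software: it parses a pcap file down to the SCTP DATA chunks, keeps only NGAP (payload protocol identifier 60 on the N2 port 38412), reads the PDU type and procedure code from the first two octets of the APER-encoded NGAP-PDU, counts procedures per source address and flags sources that send more InitialUEMessages than a threshold. The capture is constructed inline (the addresses, ports and the threshold are made up), so it runs offline; the parser handles Ethernet/IPv4 frames only and does not decode the NAS payload.

```python
import struct
from collections import Counter

NGAP_PPID = 60      # SCTP payload protocol identifier assigned to NGAP
NGAP_PORT = 38412   # SCTP port of the N2 interface (gNB <-> AMF)
PDU_TYPES = {0: "initiatingMessage", 1: "successfulOutcome", 2: "unsuccessfulOutcome"}
PROCEDURES = {4: "DownlinkNASTransport", 14: "InitialContextSetup", 15: "InitialUEMessage",
              21: "NGSetup", 29: "PDUSessionResourceSetup", 46: "UplinkNASTransport"}

def ngap_header(pdu_type, procedure_code):
    """First two octets of an APER-encoded NGAP-PDU: extension bit and 2-bit CHOICE index
    in octet 0 (rest of the octet is padding), then the octet-aligned procedureCode."""
    return bytes([pdu_type << 5, procedure_code])

def build_frame(src_ip, dst_ip, sport, dport, ppid, payload):
    """Ethernet II + IPv4 + SCTP common header + one DATA chunk. Checksums stay zero:
    this is constructed sample input, not traffic captured from the testbed."""
    chunk = struct.pack("!BBHIHHI", 0, 0x03, 16 + len(payload), 1, 0, 0, ppid) + payload
    chunk += b"\x00" * (-len(chunk) % 4)               # chunks are padded to 4 octets
    sctp = struct.pack("!HHII", sport, dport, 0, 0) + chunk
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(sctp), 0, 0x4000, 64, 132, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    return b"\x00" * 12 + b"\x08\x00" + ip + sctp

def build_pcap(frames):
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)   # link type 1 = Ethernet
    return hdr + b"".join(struct.pack("<IIII", i, 0, len(f), len(f)) + f for i, f in enumerate(frames))

def iter_frames(pcap):
    end = "<" if pcap[:4] == b"\xd4\xc3\xb2\xa1" else ">"
    off = 24
    while off + 16 <= len(pcap):
        caplen = struct.unpack(end + "IIII", pcap[off:off + 16])[2]
        yield pcap[off + 16:off + 16 + caplen]
        off += 16 + caplen

def sctp_data_chunks(frame):
    """Yield (src_ip, sport, dport, ppid, user_data) for every SCTP DATA chunk in a frame."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return
    ip = frame[14:]
    if ip[9] != 132:                                   # IP protocol 132 = SCTP
        return
    ihl, total_len = (ip[0] & 0x0F) * 4, struct.unpack("!H", ip[2:4])[0]
    src_ip, sctp = ".".join(map(str, ip[12:16])), ip[ihl:total_len]
    sport, dport = struct.unpack("!HH", sctp[:4])
    off = 12                                           # skip the SCTP common header
    while off + 4 <= len(sctp):
        ctype, _, clen = struct.unpack("!BBH", sctp[off:off + 4])
        if clen < 4:
            break
        if ctype == 0 and clen >= 16:                  # DATA chunk: PPID at offset 12
            ppid = struct.unpack("!I", sctp[off + 12:off + 16])[0]
            yield src_ip, sport, dport, ppid, sctp[off + 16:off + clen]
        off += clen + (-clen % 4)

def ngap_procedure_counts(pcap):
    """The statistics of step 3: keep only NGAP on N2 and count procedures per source."""
    counts = Counter()
    for frame in iter_frames(pcap):
        for src_ip, sport, dport, ppid, data in sctp_data_chunks(frame):
            if ppid != NGAP_PPID or NGAP_PORT not in (sport, dport) or len(data) < 2 or data[0] & 0x80:
                continue
            proc = PROCEDURES.get(data[1], f"procedureCode-{data[1]}")
            counts[(src_ip, PDU_TYPES.get(data[0] >> 5), proc)] += 1
    return counts

def storm_sources(counts, threshold):
    """Sources whose InitialUEMessage count exceeds `threshold` (an assumed per-capture limit)."""
    per_src = Counter()
    for (src, pdu_type, proc), n in counts.items():
        if pdu_type == "initiatingMessage" and proc == "InitialUEMessage":
            per_src[src] += n
    return sorted(src for src, n in per_src.items() if n > threshold)

def sample_capture():
    """Constructed sample: NG setup, one legitimate UE, one non-NGAP chunk that must be ignored,
    and a second gNB address bursting 50 InitialUEMessages (all addresses are made up)."""
    amf, gnb, rogue = "10.0.0.10", "10.0.0.20", "10.0.0.21"
    frames = [build_frame(gnb, amf, 9487, NGAP_PORT, NGAP_PPID, ngap_header(0, 21)),
              build_frame(amf, gnb, NGAP_PORT, 9487, NGAP_PPID, ngap_header(1, 21)),
              build_frame(gnb, amf, 9487, NGAP_PORT, NGAP_PPID, ngap_header(0, 15)),
              build_frame(amf, gnb, NGAP_PORT, 9487, NGAP_PPID, ngap_header(0, 4)),
              build_frame(gnb, amf, 9487, NGAP_PORT, 0, b"not ngap")]
    frames += [build_frame(rogue, amf, 9488, NGAP_PORT, NGAP_PPID, ngap_header(0, 15))
               for _ in range(50)]
    return build_pcap(frames)

if __name__ == "__main__":
    counts = ngap_procedure_counts(sample_capture())
    for (src, pdu_type, proc), n in sorted(counts.items()):
        print(f"{src:<12} {pdu_type:<20} {proc:<24} {n}")
    print("storm sources:", storm_sources(counts, 10))
```

Run as a script it prints the per-source procedure table and the flagged source. In the testbed above all 1000 UEs sit behind the single UERANSIM gNB, so at the N2 level every InitialUEMessage carries the gNB's own address; per-UE attribution needs the RAN-UE-NGAP-ID or the NAS identity inside the message, which this example leaves undecoded.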
Corresponding to step 4, according to the analysis result of step 3, the entity states and behaviors in the attack flow and the causal relationships between them are determined. States and behaviors are mapped to the places and transitions of the Petri net respectively, an initial Petri net model is constructed, the initial model is checked, abstracted and simplified, and the Petri net attack model is described. The model is run on a Petri net construction tool to verify its correctness and effectiveness, iterating until the final correct attack model is obtained.
Finally, for step 5, the attack model obtained in step 4 is analyzed to find its weak points, and a defense scheme based on a short-time IP filtering and flow control mechanism is designed. The scheme is modeled and analyzed, the correctness and effectiveness of the model are verified, and the iteration continues until the final effective defense model is obtained. The upper limit of requestable system resources is set to 3. The number of tokens is set to 3, representing the number of malicious requests, the number of running steps is set to 2000, and the delay is set to 50 ms. The model is run on the Petri net construction tool; when all 3 tokens reach the unsafe state, all system resources are occupied by malicious requests, normal connection requests cannot be responded to, and the attack succeeds. The correctness and effectiveness of the defense model are verified in this way, and the comparison of the final model running times is shown in figure 6. To test the strength of the defense model, the upper limit of system resources is kept at 3 and the attack effect is tested within 5 seconds for 6, 9, 12, 15 and 18 malicious requests; 10 experiments are run for each group and the probability of successful defense is counted, with the result shown in figure 7. The defense effect of the model is clear: in particular, when the number of malicious requests is within 3 times the upper limit of signaling resources, the defense model achieves complete defense, and it retains good defense capability against a large number of malicious requests.
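The attack model of step 4 and the defense model of step 5, as an added example in Python; this is not the patent's model file or the output of its Petri net construction tool. The net is a discrete-time Petri net with timed arcs and one inhibitor arc: the unsafe state is detected when a legitimate request finds the resource place empty, instead of the patent's weighted arc into the unsafe place. The capacity of 3 and the 2000 running steps follow the example above; the hold time of a registration, the filter window, the per-source quota and the number of attacker addresses are assumed values, not the patent's.

```python
from dataclasses import dataclass


@dataclass
class Transition:
    name: str
    inputs: dict            # place -> tokens consumed per firing
    outputs: dict           # place -> (tokens produced, delay in steps before they arrive)
    inhibitors: tuple = ()  # inhibitor arcs: enabled only while these places are empty


class TimedPetriNet:
    """Each step delivers due tokens, then fires every transition in declared order
    as often as it is enabled, so a burst of requests is consumed within one step."""

    def __init__(self, marking):
        self.m, self.transitions, self.pending, self.step = dict(marking), [], [], 0

    def add(self, *transitions):
        self.transitions.extend(transitions)

    def enabled(self, t):
        return (all(self.m.get(p, 0) >= w for p, w in t.inputs.items())
                and all(self.m.get(p, 0) == 0 for p in t.inhibitors))

    def fire(self, t):
        for p, w in t.inputs.items():
            self.m[p] -= w
        for p, (w, delay) in t.outputs.items():
            if delay == 0:
                self.m[p] = self.m.get(p, 0) + w
            else:
                self.pending.append((self.step + delay, p, w))   # timed arc

    def run(self, steps, stop_when=lambda m: False):
        for _ in range(steps):
            self.step += 1
            due = [x for x in self.pending if x[0] <= self.step]
            self.pending = [x for x in self.pending if x[0] > self.step]
            for _, p, w in due:
                self.m[p] = self.m.get(p, 0) + w
            for t in self.transitions:
                fired = 0
                while self.enabled(t) and fired < 10_000:   # guard against a runaway loop
                    self.fire(t)
                    fired += 1
            if stop_when(self.m):
                break
        return dict(self.m)


def _add_legitimate_side(net, hold, normal_period):
    """A legitimate UE registers every `normal_period` steps and holds one resource for
    `hold` steps. The inhibitor arc on `resource` makes `starve` fire exactly when a
    legitimate request finds the pool empty: that marking is the unsafe state."""
    net.add(
        Transition("normal_arrive", {"normal_clock": 1},
                   {"normal_clock": (1, normal_period), "normal_req": (1, 0)}),
        Transition("normal_register", {"normal_req": 1, "resource": 1},
                   {"normal_served": (1, 1), "resource": (1, hold)}),
        Transition("starve", {"normal_req": 1}, {"unsafe": (1, 0)}, inhibitors=("resource",)))


def attack_model(n_malicious, capacity, hold=4, normal_period=4):
    """Attack model: every malicious request takes a resource as soon as one is free."""
    net = TimedPetriNet({"mal_req": n_malicious, "resource": capacity, "normal_clock": 1})
    net.add(Transition("mal_register", {"mal_req": 1, "resource": 1},
                       {"mal_held": (1, 1), "resource": (1, hold)}))
    _add_legitimate_side(net, hold, normal_period)
    return net


def defense_model(n_malicious, capacity, hold=4, normal_period=4,
                  quota_per_source=1, window=3, attacker_sources=1):
    """Defense model: the short-time filter admits at most `quota_per_source` requests per
    source address per `window` steps and drops the rest; `attacker_sources` spreads the
    burst over several addresses. All parameter values here are assumptions."""
    quota = quota_per_source * attacker_sources
    net = TimedPetriNet({"mal_req": n_malicious, "resource": capacity, "normal_clock": 1,
                         "filter_clock": 1, "quota": quota})
    net.add(
        Transition("quota_refill", {"filter_clock": 1},
                   {"filter_clock": (1, window), "quota": (quota, window)}),
        Transition("mal_admit", {"mal_req": 1, "quota": 1}, {"mal_admitted": (1, 0)}),
        Transition("mal_filter", {"mal_req": 1}, {"dropped": (1, 0)}, inhibitors=("quota",)),
        Transition("mal_register", {"mal_admitted": 1, "resource": 1},
                   {"mal_held": (1, 1), "resource": (1, hold)}))
    _add_legitimate_side(net, hold, normal_period)
    return net


def evaluate(net, steps=2000):
    """Run until the unsafe marking is reached or `steps` elapse (2000 as in the patent)."""
    m = net.run(steps, stop_when=lambda m: m.get("unsafe", 0) > 0)
    unsafe = m.get("unsafe", 0) > 0
    return {"unsafe": unsafe, "unsafe_step": net.step if unsafe else None,
            "normal_served": m.get("normal_served", 0), "dropped": m.get("dropped", 0)}


if __name__ == "__main__":
    print("attack  :", evaluate(attack_model(3, 3)))
    print("defense :", evaluate(defense_model(9, 3)))
    print("defense, burst spread over 3 source addresses:",
          evaluate(defense_model(9, 3, attacker_sources=3)))
    print("defense sweep:", {n: evaluate(defense_model(n, 3))["unsafe"] for n in (6, 9, 12, 15, 18)})
```

The runs in the main block mirror the patent's verification: the attack model reaches the unsafe marking in its first step, the defense model does not reach it for 6 to 18 malicious requests, and the dropped count shows what the filter discarded. Spreading the same burst over at least as many source addresses as there are resources (attacker_sources=3) defeats the per-source quota in the first step, which is the limitation a practitioner should check before relying on IP filtering alone.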
With this method, a fine-grained model description of the attack effect points can be produced for 5G signaling storm attack behavior, which makes it easier to observe the attack effect process of a 5G signaling network vulnerability, so that effective coping strategies for signaling storm attacks can be devised more systematically and comprehensively; the method therefore has research value for mining and analyzing 5G signaling network security vulnerabilities.
The Petri net based 5G signaling storm attack vulnerability analysis method provided by the invention formally models and analyzes the relevant signaling processes, allows the attack effect mechanism and the vulnerabilities present in the attack process to be observed more accurately, provides effective response and mitigation schemes for those vulnerabilities, and has research significance for repairing 5G signaling network vulnerabilities.
Although embodiments of the present invention have been shown and described, it will be understood by those skilled in the art that various changes, modifications, substitutions and alterations can be made therein without departing from the principles and spirit of the invention, the scope of which is defined in the appended claims and their equivalents.

Claims (4)

1. A Petri net based 5G signaling storm vulnerability analysis method, characterized by comprising the following steps:
step 1, based on the 3GPP (third generation partnership project) standard and following the service-based architecture (SBA) framework, building a Free5GC simulation environment;
step 2, realizing the network functions in a virtualized manner, running the standard services of the 5G core network, and simulating a 5G signaling storm attack;
step 3, capturing the data stream during the network attack with packet capture software, and storing and analyzing the signaling interaction information in the data stream;
step 4, sorting out the data flow analysis result of step 3 so as to construct a Petri net based 5G signaling storm attack model;
step 5, analyzing the vulnerable points of the attack on the basis of the 5G signaling storm attack model of step 4, designing a scheme that effectively targets and mitigates the attack, taking that scheme as the defense scheme, and carrying out modeling analysis on the defense scheme;
step 1 is specifically implemented according to the following steps:
step 1.1, installing virtual machine software and creating two different Linux virtual machine instances, namely a 5GC virtual machine and a UERANSIM virtual machine;
step 1.2, building the Free5GC core network module on the virtual machine named 5GC, and building the Ng base station and the UE user equipment module on the virtual machine named UERANSIM;
step 1.3, registering the UE information on the virtual machine named 5GC, and configuring the access information of the Ng base station and the UE user equipment module on the virtual machine named UERANSIM;
step 1.4, testing the connectivity of the Free5GC environment after the configuration is completed;
step 2 is specifically implemented according to the following steps:
step 2.1, running the main start-up file of the Free5GC core network module on the 5GC virtual machine, the main start-up file calling each network function module of the core network in turn so that together they constitute the standardized service-based-architecture services of the 5G core network;
step 2.2, starting the configuration file of the Ng base station on the virtual machine named UERANSIM, and connecting the Ng base station to the core network;
step 2.3, starting the UE configuration file on the UERANSIM virtual machine, the UE user equipment module connecting locally to the Ng base station and, through the Ng base station, remotely to the core network;
step 2.4, simulating a large number of UE accesses on the UERANSIM virtual machine and initiating a 5G signaling storm attack against the core network on the 5GC virtual machine;
step 3 is specifically implemented according to the following steps:
step 3.1, capturing the data stream during the network attack with packet capture software and storing it as a pcap traffic data file;
step 3.2, using the filtering function of the packet capture software of step 3.1 to filter out the signaling traffic whose packets are carried over the SCTP protocol, and carrying out statistics and analysis on the UE-to-Ng-base-station connection process, the NG interface establishment process, the NAS registration process and the session establishment process in the signaling flow;
step 3.3, analyzing, from the signaling interaction statistics of step 3.2, how the signaling storm attack occupies the signaling resources of each network element of the core network;
step 4 is specifically implemented according to the following steps:
step 4.1, analyzing the signaling interaction process counted in step 3 so as to sort out the attack flow, and determining the entities, behaviors, states and the triggering conditions of each state involved in the attack flow;
step 4.2, mapping the states and behaviors of the entities to the places and transitions of the Petri net;
step 4.3, analyzing the places and transitions of step 4.2, determining the causal relationships between the places and transitions, and constructing a Petri net model;
step 4.4, checking and abstracting the Petri net model of step 4.3, deleting unnecessary processes and refining the key links;
step 4.5, sorting out and abstracting the signaling resource consumption process in the Petri net model obtained in step 4.4;
step 4.6, checking the attack process of the Petri net model obtained in step 4.5 and determining the Petri net attack model;
step 4.7, setting the number of tokens as x, representing the upper limit of system resources, running the model on a Petri net construction tool, and verifying the correctness and effectiveness of the model;
step 4.8, iterating steps 4.1 to 4.7 and determining the final effective Petri net attack model.
2. The Petri net based 5G signaling storm vulnerability analysis method according to claim 1, characterized in that step 5 is specifically implemented according to the following steps:
step 5.1, analyzing the Petri net attack model constructed in step 4 and determining the weak points, so as to obtain the attack effect points;
step 5.2, analyzing the attack effect points and designing a repair scheme for the vulnerable points: a short-time IP filtering and flow control mechanism is added to the message processing that follows the access of the UE user equipment module to the base station, so that the attack is handled and mitigated;
step 5.3, analyzing the states and behaviors newly added by the response scheme, determining their positions in the Petri net attack model, determining the relation between each place, each transition and the other elements, and describing the Petri net defense model;
step 5.4, verifying the Petri net defense model of step 5.3, setting the arc weight into the unsafe place as x, which indicates that the upper limit of the system's requestable resources is x;
step 5.5, setting the number of tokens as x, representing the number of malicious requests, and setting the number of running steps and the time delay;
step 5.6, running the attack model and the defense model on the Petri net construction tool; when all tokens reach the unsafe state at the same time, all system resources are occupied by malicious requests and normal connection requests cannot be responded to, so the attack succeeds;
step 5.7, counting the running time of the models and comparing them to verify the correctness and effectiveness of the defense model;
step 5.8, iterating steps 5.1 to 5.7 and determining the final effective Petri net defense model.
3. The Petri net based 5G signaling storm vulnerability analysis method according to claim 1, characterized in that step 2.1 specifically comprises:
(1) the AMF network element is responsible for UE identity verification, authentication, registration, mobility management, connection management and similar functions;
(2) the authentication server function AUSF network element receives the AMF network element's request to verify the identity of the UE, requests a key from the unified data management UDM network element, and forwards the key issued by the UDM network element to the AMF network element for authentication processing;
(3) the network slice selection function NSSF network element determines the network slice instances the UE is allowed to access according to the UE's slice selection assistance information, subscription information and the like;
(4) the network repository function NRF network element enables the network functions (NF) to discover each other and communicate through API interfaces;
(5) the session management function SMF network element is responsible for tunnel maintenance, IP address allocation and management, UP function selection, policy enforcement, charging data collection and roaming;
(6) the policy control function PCF network element provides the policy rules for the control plane functions;
(7) the unified data repository UDR network element stores the subscription data and policy data of the UDM network element and the PCF network element;
(8) the user plane function UPF network element is responsible for packet routing and forwarding, policy enforcement and traffic reporting;
step 2.2 specifically comprises the following steps:
(1) entering the home directory of the virtual machine named UERANSIM and running the free5gc-gnb.yaml configuration file under the config folder to start the base station;
(2) the base station initiates a connection request to the core network according to the configuration information;
(3) the NG interface is established and the base station is successfully connected to the core network;
step 2.3 specifically comprises the following steps:
(1) with administrator privileges, running the free5gc-ue.yaml configuration file under the config folder to start the UE, which initiates a local connection request to the base station;
(2) after the UE user equipment module and the Ng base station are successfully connected, a connection request is initiated through the Ng base station to the AMF network element of the core network;
(3) after the connection succeeds, the registration procedure is initiated;
(4) after registration is completed, a protocol data unit (PDU) session is established.
4. The Petri net based 5G signaling storm vulnerability analysis method according to claim 1, characterized in that the Petri net is used to model and analyze the 5G signaling storm attack process, the resource consumption during the 5G signaling storm attack is simulated faster than real time, and the vulnerability of the attack implementation is analyzed according to the Petri net attack model.
CN202310805863.5A, priority date 2023-07-03, filing date 2023-07-03: 5G signaling storm vulnerability analysis method based on Petri network, pending, published as CN116866921A (en)


Publication: CN116866921A (en), published 2023-10-10

Family ID: 88228078



Legal Events

PB01: Publication
SE01: Entry into force of request for substantive examination