KR101499022B1 - Apparatus and method for detecting abnormal MMS message in 4G mobile network - Google Patents

Abstract

The present invention relates to an abnormal Multimedia Messaging Service (MMS) message detecting apparatus and method. The abnormal message detecting apparatus includes: a session information storage unit storing a first GTP-U TEID and session information including a first user equipment identification number; a packet information extracting unit extracting a second GTP-U TEID from a header of a GTP-U packet, extracting an MMS message from a payload of the GTP-U packet, and extracting a second user equipment identification number from the MMS message; and a packet processing unit blocking the GTP-U packet when the first and second GTP-U TEIDS are identical but the first and second user equipment identification numbers are not identical, and transmitting the GTP-U packet when there is not the first GTP-U TEID that is identical to the second GTP-U TEID in the session information.

Description

[0001] Apparatus and method for detecting abnormal MMS message in 4G mobile network [0002]

The present invention relates to an apparatus and method for detecting an abnormal MMS message, and more particularly, to an apparatus and method for detecting an abnormal MMS message based on session information in a 4G mobile environment using GTP (GPRS Tunneling Protocol).

The 4G network (or LTE network) includes a 4G Enterprise Radio Access Network (E-RAN) for managing radio resources and a 4G Evolved Packet Core (EPC) for performing data processing / authentication / billing.

The 4G E-RAN includes components such as a user equipment (UE) and an evolved Node B (eNB), and the 4G EPC includes a Mobility Management Entity (MME), a Serving Gateway (S-GW) PDN Gateway), Home Subscriber Server (HSS), Policy & Charging Rule Function (PCRF), and the like.

In the 4G network, data packets can be transmitted / received through the S1-U GTP (GPRS Tunneling Protocol) tunnel generated between the eNB and the S-GW and the generated S5 GTP tunnel generated between the S-GW and the P-GW. The data packet includes a Multimedia Messaging Service (MMS) message attaching various types of data such as still image, music, voice, or moving picture, and the data packet can be encapsulated in the payload of the GTP packet and transmitted and received.

The P-GW conveys the data packet to the external network without considering the values contained in the MMS message. Therefore, even when the manipulated value is included in the MMS message, the data packet can be transmitted to the inside of the external network without restriction.

An object of the present invention is to provide an apparatus for detecting an abnormal MMS message, which can detect an abnormal MMS message manipulated by a user terminal identification number included in an MMS message.

Another problem to be solved by the present invention is to provide an abnormal MMS message detection method capable of detecting an abnormal MMS message manipulating a user terminal identification number included in an MMS message.

The problems to be solved by the present invention are not limited to the above-mentioned problems, and other matters not mentioned can be clearly understood by those skilled in the art from the following description.

According to another aspect of the present invention, there is provided an apparatus for detecting abnormal MMS messages comprising: a session information storage unit for storing session information including a first GTP-U TEID and a first user terminal identification number; Extracting a second GTP-U TEID from the header of the GTP-U packet, extracting a multimedia messaging service (MMS) message from the payload of the GTP-U packet, and extracting a second user terminal identification number from the MMS message , And blocks the GTP-U packet if the first and second GTP-U TEIDs are identical and the first and second user terminal identification numbers are not the same, and wherein the second GTP-U And a packet processor for transmitting the GTP-U packet when the first GTP-U TEID equal to the TEID does not exist.

According to another aspect of the present invention, there is provided an apparatus for detecting abnormal MMS messages, comprising: a GTP-C packet information extracting unit for extracting a first GTP-U TEID and a first user terminal identification number from a GTP-C packet; A session information storage unit for storing session information including the first GTP-U TEID and the first user terminal identification number, a second GTP-U TEID from the header of the GTP-U packet, A GTP-U packet information extractor for extracting an MMS message from the payload and extracting a second user terminal identification number from the MMS message, and a second GTP-U packet information extractor for extracting the first and second GTP-U TEIDs, And a packet processor for blocking or transmitting the GTP-U packet according to the comparison result of the terminal identification number.

According to another aspect of the present invention, there is provided an abnormal MMS message detection system including a GTP-C packet information extracting unit for extracting a first GTP-U TEID and a first user terminal identification number from a GTP-C packet, A session information collecting unit configured to generate session information including the first GTP-U TEID and the first user terminal identification number, and a session information collecting unit configured to extract a second GTP-U TEID from the header of the GTP-U packet A GTP-U packet information extractor for extracting an MMS message from a payload of the GTP-U packet and extracting a second user terminal identification number from the MMS message; And a packet processing unit for blocking or transmitting the GTP-U packet according to a result of the comparison between the first and second GTP-U TEIDs and the first and second user terminal identification numbers using the abnormal MMS message Detection device.

According to another aspect of the present invention, there is provided an abnormal MMS message detection method, comprising: receiving a GTP-U packet; extracting a second GTP-U TEID from a header of the GTP-U packet; Extracting an MMS message from a payload of the U packet and extracting a second user terminal identification number from the MMS message; determining whether the first GTP-U TEID of the session information is identical to the second GTP-U TEID, Comparing the first user terminal identification number of the information with the second user terminal identification number, and determining whether the first and second GTP-U TEIDs are the same and the first and second user terminal identification numbers are the same And blocking the GTP-U packet if not.

Other specific details of the invention are included in the detailed description and drawings.

According to the above apparatus and method for detecting abnormal MMS message according to the present invention, a GTP-U TEID is extracted from the header of a GTP-U packet, an MMS message is extracted from the GTP-U packet, And compares the GTP-U TEID and the user terminal identification number recorded in the session information with each other, thereby detecting an abnormal MMS message manipulated by the user terminal identification number included in the MMS message and blocking the abnormal MMS message.

1 is a block diagram illustrating an apparatus for detecting an abnormal MMS message according to an exemplary embodiment of the present invention.
2 schematically shows an MMS environment including different networks.
Figure 3 schematically shows an MMS interworking protocol.
4 is a table showing interlocking intervals and protocols according to reference points.
5 is a table showing the types of call processing messages of the MMSm reference point.
6 to 10 are views schematically showing the flow of an MMS message for message call processing between different carriers.
11 is a table showing a header field of the M-Send.req message.
12 is a table showing header fields of the M-Send.conf message.
13 is a diagram for explaining a process of transmitting an abnormal MMS message using a 4G network.
14 is a diagram for schematically explaining values included in an MMS message.
15 is a table for explaining session information stored in the session information storage unit of FIG.
16 is a flowchart illustrating an abnormal MMS message detection method according to an embodiment of the present invention.
17 is a table showing a structure of a forgery-and-falsification MMS message detection information.
18 is a block diagram illustrating an apparatus for detecting an abnormal MMS message according to another embodiment of the present invention.
19 is a diagram for explaining a process of generating a GTP tunnel in a 4G network.
20 is a view for schematically explaining values included in a session creation request message.
FIG. 21 is a view for schematically explaining the values included in the session creation response message.
22 is a block diagram illustrating an abnormal MMS message detection system according to an embodiment of the present invention.
23 is a flowchart illustrating a method of collecting session information according to an embodiment of the present invention.
24 is a view for explaining the structure of a 4G network to which an apparatus or system for detecting abnormal MMS messages according to some embodiments of the present invention is applied.

BRIEF DESCRIPTION OF THE DRAWINGS The advantages and features of the present invention and the manner of achieving them will become apparent with reference to the embodiments described in detail below with reference to the accompanying drawings. The present invention may, however, be embodied in many different forms and should not be construed as being limited to the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the invention to those skilled in the art. Is provided to fully convey the scope of the invention to those skilled in the art, and the invention is only defined by the scope of the claims. Like reference numerals refer to like elements throughout the specification.

Each block may represent a portion of a module, segment, or code that includes one or more executable instructions for executing the specified logical function (s). It should also be noted that in some alternative implementations the functions mentioned in the blocks may occur out of order. For example, two blocks that are shown one after the other may actually be executed substantially concurrently, or the blocks may sometimes be performed in reverse order according to the corresponding function.

Although the first, second, etc. are used to describe various elements, components and / or sections, it is needless to say that these elements, components and / or sections are not limited by these terms. These terms are only used to distinguish one element, element or section from another element, element or section. Therefore, it goes without saying that the first element, the first element or the first section mentioned below may be the second element, the second element or the second section within the technical spirit of the present invention.

The terminology used herein is for the purpose of illustrating embodiments and is not intended to be limiting of the present invention. In the present specification, the singular form includes plural forms unless otherwise specified in the specification. It is noted that the terms "comprises" and / or "comprising" used in the specification are intended to be inclusive in a manner similar to the components, steps, operations, and / Or additions.

Unless defined otherwise, all terms (including technical and scientific terms) used herein may be used in a sense commonly understood by one of ordinary skill in the art to which this invention belongs. Also, commonly used predefined terms are not ideally or excessively interpreted unless explicitly defined otherwise.

1 is a block diagram illustrating an apparatus for detecting an abnormal MMS message according to an exemplary embodiment of the present invention.

1, an apparatus 100 for detecting abnormal MMS messages according to an exemplary embodiment of the present invention includes a network interface card (NIC) 110a and 110b, a packet information extractor 120, a packet analyzer 130, An information storage unit 140, a packet processing unit 150, a log storage unit 160, and the like.

The NIC 110a receives the GTP-U packet and transmits it to the packet information extracting unit 120. The NIC 110b transmits the GTP-U packet according to the control signal of the packet processing unit 150, drop. NICs 110a and 110b may be conventional network interface cards or hardware accelerated network interface cards. The GTP-U packet is used to transmit the user's data packet within the 4G network.

The packet information extracting unit 120 can extract various packet information from the GTP-U packet. The packet information extracting unit 120 may extract a TEIN (Tunnel Endpoint Identifier) from the header of the GTP-U packet. The TEID extracted from the header of the GTP-U packet may be an uplink (UL) GTP-U TEID. Here, the uplink (UL) indicates a case where a data packet is transmitted from a user terminal to a foreign network, and the downlink (DL) indicates a case where a data packet is transmitted from an external network to a user terminal.

The packet information extracting unit 120 may extract a multimedia messaging service (MMS) message from a payload of the GTP-U packet. The packet information extracting unit 120 may extract the user terminal identification number from the MMS message. For example, the user terminal identification number may be an MSISDN (Mobile Station International ISDN Number), but is not limited thereto.

The packet analyzing unit 130 can analyze whether the GTP-U packet is related to an abnormal MMS message based on the uplink (UL) GTP-U TEID and the user terminal identification number extracted by the packet information extracting unit 120 have. Here, the abnormal MMS message may indicate a GTP-U packet manipulating the user terminal identification number included in the MMS message. The packet analyzer 130 may use the stored session information to analyze the GTP-U packet.

The session information storage unit 140 may previously store session information including an uplink (UL) GTP-U TEID and a user terminal identification number. The uplink (UL) GTP-U TEID and the user terminal identification number may be pre-extracted from the GTP-C packet. The GTP-C packet is used to create / update / delete the GTP tunnel in the 4G network. The GTP-U packet can be transmitted through a GTP tunnel.

Hereinafter, in order to distinguish the uplink (UL) GTP-U TEID and the user terminal identification number from each other, an uplink (UL) GTP-U TEID stored in the session information storage unit 140 and a user terminal identification number (UL) GTP-U TEID and the first user terminal identification number, and outputs the uplink (UL) GTP-U TEID and the user terminal identification number extracted by the packet information extracting unit 120 to the second up Link (UL) GTP-U TEID and a second user terminal identification number.

The packet analyzer 130 may detect an abnormal MMS message by comparing whether the first and second uplink (UL) GTP-U TEIDs are the same and whether the first and second user terminal identification numbers are the same. First, the packet analyzer 130 may determine whether a first uplink (UL) GTP-U TEID equal to the second uplink (UL) GTP-U TEID exists in the session information. If the first and second uplink (UL) GTP-U TEIDs are the same and the first and second user terminal identification numbers are not the same, It can be determined that the GTP-U packet is related to the abnormal MMS message.

The packet processor 150 may control the NIC 110b to transmit or block the GTP-U packet according to the detection result of the abnormal MMS message of the packet analyzer 130. [ The transmission of the GTP-U packet indicates that the GTP-U packet is transmitted to the destination IP address, and the blocking of the GTP-U packet may indicate that the GTP-U packet is not transmitted to the destination IP address.

The log storage unit 160 may record the detection log when the GTP-U packet is blocked according to the detection result of the abnormal MMS message. The detection log may include at least one of a second uplink (UL) GTP-U TEID and a second user terminal identification number extracted from the GTP-U packet. In addition, the detection log may further include information such as a detection time of an abnormal MMS message, whether or not the GTP-U packet is blocked, a destination IP address, and a destination port.

In the abnormal MMS message detection apparatus 100 of FIG. 1, the NICs 110a and 110b, the packet information extraction unit 120, the packet analysis unit 130, the session information storage unit 140, the packet processing unit 150, The packet analyzing unit 130 and the packet processing unit 150 may be integrally configured or the session information storing unit 160 may be configured as a separate storage unit, 140, and the log storage unit 160 may be integrally configured.

2 schematically shows an MMS environment including different networks.

Referring to FIG. 2, a Multimedia Messaging Service Environment (MMSE) includes MMS relays 510a and 510b, an MMS server 520, an MMS user database 530, an MMS user agent 540, a MMS VAS Service application 550, an external server 560, and the like.

The MMS relays 510a and 510b and the MMS server 520 generally refer to a Multimedia Messaging Service Center (MMSC). The MMS relays / servers 510a, 510b, and 520 store and process the transmitted and received messages, and transmit messages between the various messaging systems. It should be able to generate billing data when receiving multimedia messages from other elements of Multimedia Messaging Service Network Architecture (MMSNA) or transmitting them to other elements, and be able to generate billing data for VASP (Value Added Service Provider) related operations do. Depending on the business model, the MMS relays / servers 510a, 510b, and 520 may be one logical element or may be divided into MMS relays 510a and 510b and MMS server 520 elements. Also, the MMS relays 510a and 510b and the MMS server 520 may be distributed in different domains.

The MMS user database 530 may be comprised of one or more entities including subscriber information or configuration, e.g., user profile, user related information such as a Home Location Register (HLR). The MMS user database 530 is slightly different for each service provider. In some cases, the MMS user database 530 directly accesses the entire subscriber database for the service, or may have a dedicated user database only for the MMS service.

The MMS user agent 540 is provided to a UE (User Equipmemt), an MS (Mobile Station), or an external device connected to the UE / MS. Generally, the MMS user agent 540 provides a function of sending, receiving, and deleting a multimedia message to a user using an MMS client in a mobile station such as a terminal or a PDA.

The MMS VAS application 550 means an MMS external application for providing value-added services to MMS users. In order to provide various functions related to this, active development activities of SO (Service Operator) or CP (Contents Provider) are required as well as business operators. The MMS VAS application 550 may be included directly in the MMSE and interworked. The MMS VAS application 550 may also generate billing data (CDR) itself.

The external server 560 refers to service servers having different network environments and server types such as an e-mail server, an SMS server (SMSC), a facsimile server, and an UMS server. They may be interlocked or included within the MMSC. The integration functions of different services can be provided through interworking with the external servers 560.

Figure 3 schematically shows an MMS interworking protocol. 4 is a table showing interlocking intervals and protocols according to reference points. 5 is a table showing the types of call processing messages of the MMSm reference point.

Referring to FIG. 3, the interworking of the multimedia messages between the elements constituting the MMSE can be known. FIG. 3 shows reference points between the respective components in order to conceptually show the interworking specifications between the elements constituting the MMSE. The interworking interval and the protocol for each reference point are shown in FIG. 4, and the call processing message type of the MMSm reference point is shown in FIG.

6 to 10 are views schematically showing the flow of an MMS message for message call processing between different carriers. 11 is a table showing a header field of the M-Send.req message. 12 is a table showing header fields of the M-Send.conf message.

Referring to FIGS. 6 to 10, a message flow required for exchanging messages between end-to-end is shown. Hereinafter, the MMS WAP (Wireless Application Protocol) standard will be described.

In WAP, all protocols between terminal and MMSC use HTTP, and MMS message (MM and MMS header) are transmitted in the data area of HTTP. The message used to send the message is M-Send.req, and the message used to download the message is M-Retrieve.conf. The M-Send.req message uses the HTTP Post, but the M-Rerieve.conf message uses the HTTP Get. The header fields of the M-Send.req message sent and the M-Send.conf sent as a response in the MMSC are shown in FIGS. 11 and 12, respectively. A more detailed description thereof will be omitted because it can be easily understood by those skilled in the art.

13 is a diagram for explaining a process of transmitting an abnormal MMS message using a 4G network.

13, a user equipment (UE) 1100 transmits a data packet to an S-GW (Serving Gateway) 1400, and the S-GW 1400 transmits a data packet transmitted from the user equipment to a P- Gateway 1500). 13, when the user terminal 1100 transmits a data packet to the evolved Node B (eNB) and the eNB transmits the data packet to the S-GW 1400, the S-GW 1400 transmits the data packet to the E- To the P-GW 1500, a data packet transmitted by the user terminal. For example, the data packet transmitted by the user terminal 1100 may be an IP packet.

GTP tunnels are generated between the eNB and the S-GW 1400 and between the S-GW 1400 and the P-GW 1500. The data packets transmitted by the user terminal 1100 are transmitted to the respective GTP tunnels To the P-GW 1500 via the Internet. The data packet transmitted by the user terminal 1100 may be transmitted using the GTP protocol within the 4G network. As such, the GTP-U packet transmitted by the user terminal 1100 and transmitted to the P-GW 1500 may be referred to as an outbound GTP-U packet. The IP header for the GTP tunnel, the UDP header and the GTP-U header are added to the header of the GTP-U packet, and the data packet transmitted by the user terminal 1100 can be encapsulated in the payload of the GTP-U packet. The GTP-U header may include a TEID. The data packet transmitted by the user terminal 1100 may be transmitted from the P-GW 1500 to the MMS server 2100 in the core network.

The data packet transmitted by the user terminal 1100 may include an MMS message for setting up a message call. The user terminal identification number may be included in the MMS message.

Here, the P-GW 1500 in the 4G network transmits the data packet transmitted by the user terminal 1100 to the MMS server 2100 in the core network without considering the values included in the MMS message. Therefore, even if the MMS message includes an operated value other than the uplink (UL) GTP-U TEID and the user terminal identification number allocated in the GTP tunnel creation / update, the data packet transmitted by the user terminal 1100 May be transmitted to the P-GW 1500 without restriction, and may be transmitted to the MMS server 2100 in the Core network. In FIG. 13, reference numerals 10 and 30 denote cases where a normal MMS message is transmitted, and reference numerals 20 and 40 denote cases where an abnormal MMS message is transmitted.

The apparatus 100 for detecting an abnormal MMS message according to an embodiment of the present invention stores the first uplink (UL) GTP-U TEID and the first user terminal identification number assigned in the generation / update of the GTP tunnel in advance as session information And compares the session information with the second uplink (UL) GTP-U TEID and the second user terminal identification number extracted from the GTP-U packet, so that the abnormal MMS message can be detected.

14 is a diagram for schematically explaining values included in an MMS message.

Referring to FIG. 14, a message header of an MMS message may include a Type field, an ID field, a From field, a To field, and the like. When the message type is m-send-req, referring to FIG. 11, a field name and a field value are described. The From field may contain the terminal identification number of the sender (for example, MSISDN), and the To field may include the terminal identification number of the receiver.

The packet information extracting unit 120 may extract the second user terminal identification number from the From field of the MMS message.

14, other fields in which the user terminal identification number is recorded may be further included in a message header or a message body of the MMS message.

According to an embodiment, the packet information extractor 120 may be modified to extract a second user terminal identification number from these fields.

15 is a table for explaining session information stored in the session information storage unit of FIG.

15, the session information storage unit 140 stores the uplink UL GTP-C TEID, the uplink UL GTP-U TEID, the user terminal identification number (e.g., MSISDN) ) GTP-C TEID, and a response flag.

The uplink (UL) GTP-C TEID is the TEID of the GTP-C packet transmitted from the MME (Mobility Management Entity) to the S-GW 1400 in the S11 GTP tunnel or the TEID of the GTP- -The TEID of the GTP-C packet transmitted to the GW 1500. The downlink (DL) GTP-C TEID is the TEID of the GTP-C packet transmitted from the S-GW 1400 to the MME 1400 in the S11 GTP tunnel, or the TEID of the G- And the TEID of the GTP-C packet transmitted to the BS 1400.

The session information storage unit 140 manages the GTP tunnel information (e.g., TEID) together with the session information, while the GTP-C packet transmits a Modify Bearer Request message or a Modify Bearer Response message The session information corresponding to the TEID of the GTP-C packet can be updated and stored. Alternatively, if the GTP-C packet includes a Delete Session Request message or a Delete Session Response message, the session information storage unit 140 stores the session corresponding to the TEID of the GTP-C packet Information may also be deleted.

16 is a flowchart illustrating an abnormal MMS message detection method according to an embodiment of the present invention. 17 is a table showing a structure of a forgery-and-falsification MMS message detection information. For the sake of convenience of description, the description overlapping with the above description will be omitted.

Referring to FIG. 16, an abnormal MMS message detection method according to an embodiment of the present invention receives a GTP-U packet (S201).

Next, the packet information extracting unit 120 extracts the GTP-U packet information (S202) and determines whether there is an MMS message in the payload of the GTP-U packet (S203).

If there is an MMS message in the payload of the GTP-U packet, the packet information extractor 120 determines whether the MMS message existing in the payload of the GTP-U packet is an m-send-req message (S204) .

Then, if the MMS message existing in the payload of the GTP-U packet is an m-send-req message, the packet information extractor 120 extracts the second uplink (UL) GTP-U TEID And extracts a second user terminal identification number from the MMS message (S205). For example, the user terminal identification number may be MSISDN, but the present invention is not limited thereto.

Next, the packet analyzer 130 determines whether the session information (e.g., MSISDN) corresponding to the second uplink (UL) GTP-U TEID exists in the session information storage unit 140 (S207). The packet analyzer 130 may determine whether a first uplink (UL) GTP-U TEID equal to the second uplink (UL) GTP-U TEID exists in the session information. Then, if the session information (e.g., MSISDN) exists, the extracted second uplink (UL) GTP-U TEID and the second user terminal identification number are stored in the packet analyzer 130 as the session information (MSISDN)) (S208). The packet analyzer 130 can compare whether the first and second uplink (UL) GTP-U TEIDs are the same and the first and second user terminal identification numbers are the same.

Subsequently, if it matches the session information (for example, MSISDN), the packet processing unit 150 transfers the GTP-U packet (S209). Also, even if the MMS message does not exist in the GTP-U packet, the MMS message existing in the GTP-U packet is not the m-send-req message, or the session information does not exist, And processes the GTP-U packet.

If it does not match the session information (for example, MSISDN), the abnormal MMS message detection information is generated (S210), the abnormal MMS message is processed (S211), and the process ends. FIG. 17 shows the structure of the forgery-and-falsification MMS message detection information.

18 is a block diagram illustrating an apparatus for detecting an abnormal MMS message according to another embodiment of the present invention. For convenience of explanation, the differences from FIG. 1 will be mainly described.

Referring to FIG. 18, an apparatus 300 for detecting abnormal MMS messages according to another exemplary embodiment of the present invention includes NICs 310a and 310b, a GTP-U packet information extractor 320, a packet analyzer 330, A GTP-C packet information extraction unit 380, and a session information generation unit 390. The storage unit 340, the packet processing unit 350, the log storage unit 360, the packet classification unit 370, the GTP-C packet information extraction unit 380,

The NIC 310a receives the GTP packet and transmits it to the packet classifying unit 370 and the NIC 310b may forward or drop the GTP packet according to the control signal of the packet processing unit 350 .

The GTP-U packet information extracting unit 120 may extract the second uplink (UL) GTP-U TEID from the header of the GTP-U packet. The GTP-U packet information extracting unit 120 extracts the MMS message from the payload of the GTP-U packet and extracts the second user terminal identification number from the MMS message.

The packet analyzer 330 can detect an abnormal MMS message by comparing whether the first and second uplink (UL) GTP-U TEIDs are the same and whether the first and second user terminal identification numbers are the same.

The session information storage unit 340 may previously store the session information including the first uplink (UL) GTP-U TEID and the first user terminal identification number.

The packet processor 350 may control the NIC 310b to transmit or block the GTP packet according to the detection result of the abnormal MMS message of the packet analyzer 330. [

The log storage unit 360 can record a detection log when the GTP-U packet is blocked according to the detection result of the abnormal MMS message

The packet classifier 370 classifies GTP packets. The packet classifier 370 can classify GTP packets into GTP-C packets and GTP-U packets. The packet classifying unit 370 may transmit the GTP-C packet to the GTP-C packet information extracting unit 380 and the GTP-U packet to the GTP-U packet information extracting unit 320 according to the classification result.

The GTP-C packet information extracting unit 380 may extract the first uplink (UL) GTP-U TEID and the first user terminal identification number from the GTP-C packet. The GTP-C packet information extractor 380 may further extract an uplink (UL) GTP-C TEID and a downlink (DL) GTP-C TEID from the GTP-C packet.

The session information generating unit 390 can generate session information including the first uplink (UL) GTP-U TEID and the first user terminal identification number extracted by the GTP-C packet information extracting unit 380 .

19 is a diagram for explaining a process of generating a GTP tunnel in a 4G network.

Referring to FIG. 19, a session creation request message (Create Session Request) and a session creation response message (Create Session Response) may be transmitted to create a GTP tunnel in the 4G network. The session creation request message and the session creation response message are transmitted in the GTP-C packet.

The MME 1300 may send a session creation request message to the S-GW 1400 and the S-GW 1400 may send a session creation request message to the P-GW 1500. In response, the P-GW 1500 can generate a S5 GTP tunnel between the S-GW 1400 and the P-GW 1500 by sending a session creation response message to the S-GW 1400. The S-GW 1400 transmits a session creation response message to the MMME 1300 to create an S11 GTP tunnel between the MME 1300 and the S-GW 1400, 1400) S1-U GTP tunnel. Subsequent session update messages or session deletion messages may be transmitted via the S11 GTP tunnel or the S5 GTP tunnel.

19, additional messages may be further transmitted and received between the eNB 1200 and the MME 1300, the MME 1300, and the S-GW 1400 before the creation of the S1-U GTP tunnel .

In the process of generating the GTP tunnel, the GTP-C packet information extracting unit 380 can extract the first user terminal identification number and the first uplink (UL) GTP-U TEID from the session creation request message and the session creation response message have.

FIG. 20 is a view for schematically explaining values included in a session creation request message, and FIG. 21 is a view for schematically explaining values included in a session creation response message.

20 and 21, the header of the session creation request message includes a sequence number field, an MSISDN field, an F-TEID field, and the like. The header of the session creation response message includes a Tunnel Endpoint Identifier field, a Sequence Number field, A TEID field, a Bearer Context field, and the like. A user terminal identification number may be recorded in the MSISDN field of the session creation request message and an uplink (UL) GTP-U TEID may be recorded in the Bearer Context field of the session creation response message. The value recorded in the Sequence Number field can be used for matching the request message and the response message.

The GTP-C packet information extracting unit 380 extracts the user terminal identification number from the MSISDN field of the session creation request message and extracts the uplink (UL) GTP-U TEID from the Bearer Context field of the session creation response message . The GTP-C packet information extractor 380 extracts the downlink (DL) GTP-C TEID from the F-TEID field of the session creation request message and extracts the uplink (UL) GTP- -C You can also extract more TEIDs. The uplink (UL) GTP-C TEID and the downlink (DL) GTP-C TEID may be used for updating and deleting session information.

22 is a block diagram illustrating an abnormal MMS message detection system according to an embodiment of the present invention. For convenience of description, differences from FIG. 18 will be mainly described.

Referring to FIG. 22, an abnormal MMS message detection system 400 according to an exemplary embodiment of the present invention includes a session information collection apparatus 410 and an abnormal MMS message detection apparatus 420.

The session information collection device 410 may include NICs 411a and 411b, a GTP-C packet information extraction unit 408, a session information generation unit 409, and a packet processing unit 405. [

The abnormal MMS message detection apparatus 420 includes NICs 421a and 421b, a GTP-U packet information extraction unit 422, a packet analysis unit 423, a session information storage unit 424, a packet processing unit 425, (426). ≪ / RTI >

The abnormal MMS message detection system 400 of FIG. 22 includes a component for extracting a first uplink (UL) GTP-U TEID and a first user terminal identification number from a GTP-C packet and generating session information including the first uplink , Extracts the second uplink (UL) GTP-U TEID and the second user terminal identification number from the GTP-U packet, and if the component that detects the abnormal MMS message is physically separated according to the result of the comparison with the session information FIG.

The GTP-C packet information extracting unit 408 can extract the first uplink (UL) GTP-U TEID and the first user terminal identification number from the GTP-C packet.

The session information generation unit 409 can generate session information including the first uplink (UL) GTP-U TEID and the first user terminal identification number extracted by the GTP-C packet information extraction unit 408 .

The GTP-U packet information extracting unit 422 extracts the uplink (UL) GTP-U TEID from the header of the GTP-U packet, extracts the MMS message from the payload of the GTP-U packet, The user terminal identification number can be extracted.

The packet analyzing unit 423 analyzes the first and second uplink (UL) GTP-U TEIDs and the comparison results of the first and second user terminal identification numbers using the session information stored in the session information storage unit 424 Lt; RTI ID = 0.0 > MMS < / RTI >

The session information storage unit 424 may store the session information received from the session information collection device 410. [

The packet processing unit 425 may control the NIC 421b to transmit or block the GTP-U packet according to the detection result of the abnormal MMS message of the packet analysis unit 423. [

23 is a flowchart illustrating a method of collecting session information according to an embodiment of the present invention.

Referring to FIG. 23, a session information collection method according to an embodiment of the present invention first receives a GTP-C packet (S501).

Next, the GTP-C packet information extracting units 380 and 408 extract information of the GTP-C packet (S502) and determine whether the GTP-C packet includes a session creation message (S503).

If the GTP-C packet includes a session creation message, the GTP-C packet information extraction units 380 and 408 determine whether the session creation message included in the GTP-C packet is a session creation request message (S504).

Then, if the session creation message included in the GTP-C packet is a session creation request message, the GTP-C packet information extraction units 380 and 408 extract the downlink (DL) GTP-C TEID and the user terminal identification number , And sets the response flag to " 0 " (S505). For example, the user terminal identification number may be MSISDN, but the present invention is not limited thereto.

If the session creation message is not a session creation request message, i.e., the session creation message is a session creation response message, the GTP-C packet information extraction units 380 and 408 extract the uplink (UL) GTP-C TEID and uplink (UL) GTP-U TEID, and sets the response flag to "1" (S506).

On the other hand, if the GTP-C packet does not include a session creation message, upon receiving the Modify Bearer Req / Res message, the uplink (UL) and downlink (DL) GTP-U TEIDs are changed (S507). Subsequently, an uplink (UL) GTP-U TEID is extracted (S508). Then, the packet processing units 350 and 405 transfer the GTP-C packet (S509).

24 is a view for explaining the structure of a 4G network to which an apparatus or system for detecting abnormal MMS messages according to some embodiments of the present invention is applied.

Referring to FIG. 24, the 4G network 1000 includes a 4G Enterprise Radio Access Network (E-RAN) for managing radio resources and a 4G Evolved Packet Core (EPC) for performing data processing / authentication / billing .

The 4G E-RAN may include a user terminal 1100 and an eNB 1200. For example, the user terminal 1100 may be a mobile terminal subscribed to a 4G network. The eNB 1200 may provide a wireless connection between the user terminal 1100 and the 4G network as a base station.

The 4G EPC may include an MME 1300, an S-GW 1400, a P-GW 1500, a Home Subscriber Server 1600, and a Policy & Charging Rule Function 1700. The MME 1300 can send and receive GTP packets through the S1-MME GTP tunnel with the eNB 1200. [ The S-GW 1400 can send and receive GTP packets through the S1-U GTP tunnel with the eNB 1200. [ The MME 1300 can transmit and receive GTP packets through the S-GW 1400 and the S11 GTP tunnel. The P-GW 1500 can be connected to the MMS server 2100 of the Core network and the Internet.

In a 4G network, the S1-U GTP tunnel is a path for data traffic, the S11 GTP tunnel is a path for signaling, and the S5 GTP tunnel is a path for data traffic and signaling.

The abnormal MMS message detection apparatuses 100 and 300 described with reference to FIGS. 1 and 18 are connected to the eNB 1200 and between the MME 1300 and the S-GW 1400 (P1 and P2) or the S-GW 1400, And the P-GW 1500 (P3). In addition, the abnormal MMS message detection apparatuses 100 and 300 described with reference to FIGS. 1 and 18 may be provided as an internal component of the S-GW 1400 or the P-GW 1500. The session information collection apparatus 410 of the abnormal MMS message detection system 400 described with reference to FIG. 22 is provided between the MME 1300 and the S-GW 1400 and is connected to the abnormal MMS message detection apparatus 420, May be provided between the eNB 1200 and the S-GW 1400 (P1).

24, the 4G network can be interworked with the 3G network, the femtocell network, and the like through the S-GW 1400. [

The steps of a method or algorithm described in connection with the embodiments of the invention may be embodied directly in hardware, software modules, or a combination of the two, executed by a processor. A software module may reside in RAM memory, flash memory, ROM memory, EPROM memory, EEPROM memory, registers, a hard disk, a removable disk, a CD-ROM, or any form of computer readable recording medium known in the art Lt; / RTI > An exemplary recording medium is coupled to a processor, which is capable of reading information from, and writing information to, the recording medium. Alternatively, the recording medium may be integral with the processor. The processor and the recording medium may reside in an application specific integrated circuit (ASIC). The ASIC may reside within the user terminal. Alternatively, the processor and the recording medium may reside as discrete components in a user terminal.

While the present invention has been described in connection with what is presently considered to be practical exemplary embodiments, it is to be understood that the invention is not limited to the disclosed embodiments, but, on the contrary, You will understand. It is therefore to be understood that the above-described embodiments are illustrative in all aspects and not restrictive.

100: abnormal MMS message detection device 110a, 110b: NIC
120: Packet information extracting unit 130: Packet analyzing unit
140: a session information storage unit 150; The packet processor
160: log storage unit

Claims (29)

A session information storage for storing session information including a first GTP-U TEID and a first user terminal identification number;
Extracts a second GTP-U TEID from the header of the GTP-U packet, extracts a Multimedia Messaging Service (MMS) message from the payload of the GTP-U packet, and extracts a second user terminal identification number from the MMS message A packet information extracting unit; And
Wherein the GTP-U packet is blocked if the first and second GTP-U TEIDs are the same and the first and second user terminal identification numbers are not the same, And a packet processor for transmitting the GTP-U packet when the same first GTP-U TEID does not exist,
Wherein the MMS message comprises an m-send-req message. delete The method according to claim 1,
Wherein the packet processing unit transmits the GTP-U packet without blocking if the MMS message is not the m-send-req message. The method according to claim 1,
Wherein the packet information extractor extracts the second user terminal identification number from the From field of the MMS message. The method according to claim 1,
Further comprising a packet analyzer for comparing the first and second GTP-U TEIDs to determine whether the first and second user terminal identification numbers are the same. The method according to claim 1,
And a log storage unit for recording at least one of the second GTP-U TEID and the second user terminal identification number when the GTP-U packet is blocked. The method according to claim 1,
Wherein the first and second user terminal identification numbers comprise Mobile Station International Subscriber Directory Numbers (MSISDN). The method according to claim 1,
Wherein the GTP-U packet comprises an outbound GTP-U packet. The method according to claim 1,
Wherein the GTP-U packet is transmitted in at least one of an S1-U GTP tunnel generated between the eNB and the S-GW, or an S5 GTP tunnel generated between the S-GW and the P-GW. A GTP-C packet information extracting unit for extracting a first GTP-U TEID and a first user terminal identification number from a GTP-C packet;
A session information storage unit for storing session information including the first GTP-U TEID and the first user terminal identification number;
Extracting a second GTP-U TEID from the header of the GTP-U packet, extracting an MMS message from the payload of the GTP-U packet, extracting a second user terminal identification number from the MMS message, An extraction unit; And
And a packet processor for blocking or transmitting the GTP-U packet according to a result of the comparison between the first and second GTP-U TEIDs and the first and second user terminal identification numbers,
The GTP-C packet information extracting unit extracts the first user terminal identification number from the first GTP-C packet, extracts the first GTP-C TE packet from the second GTP-C packet different from the first GTP- And extracting the abnormal MMS message. delete 11. The method of claim 10,
Wherein the first GTP-C packet includes a Create Session Request message and the second GTP-C packet includes a Create Session Response message. 11. The method of claim 10,
The GTP-C packet information extracting unit further extracts a GTP-C TEID from the GTP-C packet,
The session information storage unit updates the session information corresponding to the GTP-C TEID when the GTP-C packet includes a Modify Bearer Request message or a Modify Bearer Response message Storing an abnormal MMS message detection device. 11. The method of claim 10,
The GTP-C packet information extracting unit further extracts a GTP-C TEID from the GTP-C packet,
The session information storage unit deletes the session information corresponding to the GTP-C TEID when the GTP-C packet includes a Delete Session Request message or a Delete Session Response message Abnormal MMS message detection device. 11. The method of claim 10,
Further comprising a packet analyzer for comparing the first and second GTP-U TEIDs to determine whether the first and second user terminal identification numbers are the same. 11. The method of claim 10,
Wherein the GTP-U packet information extracting unit extracts the second user terminal identification number from the From field of the MMS message. 11. The method of claim 10,
Wherein the first and second user terminal identification numbers comprise an MSISDN. 11. The method of claim 10,
Wherein the GTP-U packet comprises an outbound GTP-U packet. 11. The method of claim 10,
Wherein the GTP-U packet is transmitted in at least one of an S1-U GTP tunnel generated between the eNB and the S-GW, or an S5 GTP tunnel generated between the S-GW and the P-GW. A GTP-C packet information extracting unit for extracting a first GTP-U TEID and a first user terminal identification number from a GTP-C packet;
A session information collecting unit configured to generate session information including the first GTP-U TEID and the first user terminal identification number; And
Extracting a second GTP-U TEID from the header of the GTP-U packet, extracting an MMS message from the payload of the GTP-U packet, extracting a second user terminal identification number from the MMS message, An extracting unit,
Using the session information received from the session information collection device, blocks the GTP-U packet according to the comparison result of the first and second GTP-U TEIDs and the first and second user terminal identification numbers And an abnormal MMS message detection unit configured to transmit the packet to the mobile station,
Wherein the GTP-C packet is transmitted in an S11 tunnel generated between an MME and an S-GW, and the GTP-U packet is transmitted in an S1-U tunnel generated between an eNB and the S-GW. delete Receiving a GTP-U packet;
Extracting a second GTP-U TEID from the header of the GTP-U packet, extracting an MMS message from the payload of the GTP-U packet, and extracting a second user terminal identification number from the MMS message;
Comparing whether the first GTP-U TEID of the session information is identical to the second GTP-U TEID, whether the first user terminal identification number of the session information is the same as the second user terminal identification number; And
Blocking the GTP-U packet if the first and second GTP-U TEIDs are the same and the first and second user terminal identification numbers are not the same,
Transmitting the GTP-U packet when the first GTP-U TEID equal to the second GTP-U TEID does not exist in the session information. delete 23. The method of claim 22,
Wherein the MMS message includes an m-send-req message. 25. The method of claim 24,
And transmitting the GTP-U packet without blocking if the MMS message is not the m-send-req message. 23. The method of claim 22,
Wherein the extracting of the second user terminal identification number extracts the second user terminal identification number from the From field of the MMS message. 23. The method of claim 22,
Wherein the first and second user terminal identification numbers comprise an MSISDN. 23. The method of claim 22,
Wherein the GTP-U packet comprises an outbound GTP-U packet. 23. The method of claim 22,
Wherein the GTP-U packet is transmitted in at least one of the S1-U GTP tunnel generated between the eNB and the S-GW or the S5 GTP tunnel generated between the S-GW and the P-GW.

Images