KR20180046894A - NFV based messaging service security providing method and system for the same - Google Patents

Abstract

A network function virtualization (NFV)-based messaging service security provision system comprises: a messaging service manager (MSM) which sets and manages a security policy with respect to a messaging service; a messaging security controller which generates a predetermined data model from the security policy received through the messaging service manager, and delivers the predetermined data model to a network security function (NSF); and at least one network security function which provides security with respect to the messaging service based on the data model received from the messaging security controller.

Description

[0001] NFV-based messaging service security providing method and system therefor [0002]

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to a method and system for securing a messaging service (e.g. SMS / MMS / messenger service) in 4G / 5G communication and Voice over IP The prevention of malicious malware and APK (Andriod Application Package) installation of IP-based messaging service in a network functional virtualization (NFV) environment, and prevention of spam message transmission.

In recent years, the standardization of technology for efficiently operating the communication system by separating the traffic forwarding function of the switch and the control function of the switch has been carried out by the ONF (Open Networking Foundation), IETF (Internet Engineering Task Force), ETSI ISG NFV ) And ITU-T.

SDN (Software Defined Network) refers to a user-oriented network in which a user has control authority regardless of basic network equipment such as a router or a switch, and a separate software controller controls traffic flow. Of the SDN standardization organizations that are promoting OpenFlow technology standardization, ONF defines the interface between hardware (switch) and controller (network OS). This is a protocol for interacting with the data transfer function (Data Plane) by separating the control plane from the physical network in order to control how to transmit data packets through the network. The IETF defines a working group that defines and implements a standard interface for providing network security services in a network environment using Network Functions Virtualization (NFV) as a basic infrastructure, and reduces the cost of establishing and operating a network service infrastructure NFV research and standardization, which is a virtualization of network functions, is actively underway.

On the other hand, the flexible and centralized security processing method in the SDN / NFV-based environment and the structure of the security service system for the IP-based messaging service have not been specified yet.

In order to solve the above problems, the present invention provides a method for providing security for a messaging service in an NFV environment.

Another object of the present invention is to provide a system for providing security for a messaging service in an NFV environment.

Yet another object of the present invention is to provide a method of operating a messaging security controller that provides security for a messaging service in an NFV environment.

According to an aspect of the present invention, a network functional virtualization (NFV) -based messaging service security system includes a messaging service for setting and managing a security policy for a messaging service, MSM (Messaging Service Manager); A messaging security controller (MSC) for generating a security policy received through the messaging service manager in a predetermined data model and transmitting the security policy to a network security function (NSF); And at least one network security function that provides security for the messaging service based on a data model received from the messaging security controller.

The data model may include an event to determine whether the condition is satisfied and an operation to be performed; A condition for determining whether a specific action is applied to a packet transmitted or received through a network device or a packet belonging to a specific flow; And information defining an action to be performed when the condition is satisfied.

The event may include a time event related to the occurrence time of a predetermined situation and a user action related to a situation caused by the user's action.

The condition may include a packet value condition that can be determined from the contents of a single packet, and a context condition that can be determined through a session or a flow.

The operation may include at least one of a traffic ingress control operation, a traffic output (egress) control operation, a profile or signature based advanced operation, and a statistics operation.

Wherein the network security function is coupled to at least one SDN controller that manages at least one SDN switch and is operable to transmit a data model received from the messaging security controller to at least one SDN controller, To the at least one SDN controller.

Wherein the messaging security controller comprises: a policy manager for generating a security policy received from the messaging service manager in the predetermined data model and delivering the security policy to the network security function; And an event manager for managing events and statistical information to be notified from the network security function based on event related information received from the policy management unit.

The network security function performs an operation on an incoming message based on a data model received from the messaging security controller and transmits a received message to the messaging security controller when a further analysis of the incoming message is required Policy enforcer; An event notifier for performing event monitoring based on event related information received from the policy execution unit and notifying the policy execution unit of the occurrence of an event; And a statistics processor for performing statistics generation / management / notification functions for events that satisfy the conditions requested by the event notification unit.

The network security function may be implemented as an independent hardware server, or may be implemented in a virtual machine (VM) or a virtual machine in a cloud environment.

According to another aspect of the present invention, there is provided a network functional virtualization (NFV) -based messaging service security processing method, which includes a messaging service manager (MSM) Creating a security policy for the messaging service and delivering it to the Messaging Security Controller (MSC); Receiving, by the messaging security controller, the security policy, generating the security policy as a predetermined data model and transmitting the security policy to at least one network security function (NSF); And providing at least one network security function to the messaging service based on the delivered data model.

The data model may include an event to determine whether the condition is satisfied and an operation to be performed; A condition for determining whether a specific action is applied to a packet transmitted or received through a network device or a packet belonging to a specific flow; And information defining an action to be performed when the condition is satisfied.

The event may include a time event related to the occurrence time of a predetermined situation and a user action related to a situation caused by the user's action.

The condition may include a packet value condition that can be determined from the contents of a single packet, and a context condition that can be determined through a session or a flow.

The operation may include at least one of a traffic ingress control operation, a traffic output (egress) control operation, a profile or signature based advanced operation, and a statistics operation.

Wherein the network security function is coupled to at least one SDN controller that manages at least one SDN switch and is operable to transmit a data model received from the messaging security controller to at least one SDN controller, To the at least one SDN controller.

According to another aspect of the present invention, there is provided a network functional virtualization (NFV) -based messaging service security system, comprising: a messaging service manager (MSM) And a method of operating a messaging security controller (MSC) interworking with at least one network security function (NSF) comprises receiving from the messaging service manager establishing and managing a security policy for a messaging service, ; Generating the security policy in a predetermined data model and transmitting the security policy to the at least one network security function; And notifying completion of an operation based on the predetermined data model from the at least one network security function.

The data model may include an event to determine whether the condition is satisfied and an operation to be performed; A condition for determining whether a specific action is applied to a packet transmitted or received through a network device or a packet belonging to a specific flow; And information defining an action to be performed when the condition is satisfied.

The event may include a time event related to the occurrence time of a predetermined situation and a user action related to a situation caused by the user's action.

The condition may include a packet value condition that can be determined from the contents of a single packet, and a context condition that can be determined through a session or a flow.

The operation may include at least one of a traffic ingress control operation, a traffic output (egress) control operation, a profile or signature based advanced operation, and a statistics operation.

The above method and system for providing messaging service security according to the present invention defines an information / data model based on SDN / NFV, and the IP-based messaging service in the 4G / 5G evolved packet network (EPC) / Detects and blocks malicious use.

In addition, the method and system for providing messaging service security according to the present invention provides a service through a data model dynamically configured in a software-based NFV environment rather than existing hardware-based security equipment, It can have the effect of providing a centralized and flexible service.

1 is a block diagram illustrating a configuration of a NFV-based messaging service security system according to an embodiment of the present invention.
2 is a block diagram illustrating a specific configuration of an NFV-based messaging security controller according to an embodiment of the present invention.
3 is a block diagram illustrating a specific configuration of an NFV-based network security function according to an exemplary embodiment of the present invention.
4 is a conceptual diagram illustrating an NFV-based messaging service security policy data model according to an embodiment of the present invention.
FIG. 5 is a conceptual diagram illustrating an example of detailed elements of a data model according to an embodiment of the present invention illustrated in FIG.
6 is a flowchart illustrating a procedure for applying an initial messaging security policy in a messaging service security system according to an exemplary embodiment of the present invention.
7 is a flowchart illustrating a procedure for setting a spam message blocking policy in a messaging service security system according to an embodiment of the present invention.
FIG. 8 is a flow chart for explaining an embodiment of a spam message blocking policy execution procedure in a messaging service security system according to an embodiment of the present invention.
9 is a flowchart for explaining another embodiment of a spam message blocking policy execution procedure in a messaging service security system according to an embodiment of the present invention.

While the invention is susceptible to various modifications and alternative forms, specific embodiments thereof are shown by way of example in the drawings and will herein be described in detail. It should be understood, however, that the invention is not intended to be limited to the particular embodiments, but includes all modifications, equivalents, and alternatives falling within the spirit and scope of the invention. Like reference numerals are used for like elements in describing each drawing.

The terms first, second, A, B, etc. may be used to describe various elements, but the elements should not be limited by the terms. The terms are used only for the purpose of distinguishing one component from another. For example, without departing from the scope of the present invention, the first component may be referred to as a second component, and similarly, the second component may also be referred to as a first component. And / or < / RTI > includes any combination of a plurality of related listed items or any of a plurality of related listed items.

It is to be understood that when an element is referred to as being "connected" or "connected" to another element, it may be directly connected or connected to the other element, . On the other hand, when an element is referred to as being "directly connected" or "directly connected" to another element, it should be understood that there are no other elements in between.

The terminology used in this application is used only to describe a specific embodiment and is not intended to limit the invention. The singular expressions include plural expressions unless the context clearly dictates otherwise. In the present application, the terms "comprises" or "having" and the like are used to specify that there is a feature, a number, a step, an operation, an element, a component or a combination thereof described in the specification, But do not preclude the presence or addition of one or more other features, integers, steps, operations, elements, components, or combinations thereof.

The term 'controller' as used herein refers to a functional entity that controls related components (eg, switches, routers, etc.) to control the flow of traffic. And the like. For example, a controller may refer to a controller functional entity defined by ONF, IETF, ETSI, and / or ITU-T.

The 'switch' described in the specification means a functional element for substantially forwarding, switching, or routing traffic (or packet). The switch may be a switch, a router, a router, or the like defined by ONF, IETF, ETSI and / or ITU- A switch element, a router element, a forwarding element, and the like.

In addition, the VoIP service described in the specification collectively refers to voice / video call services based on various IP networks such as wired / Wi-Fi / VoLTE.

Unless defined otherwise, all terms used herein, including technical or scientific terms, have the same meaning as commonly understood by one of ordinary skill in the art to which this invention belongs. Terms such as those defined in commonly used dictionaries are to be interpreted as having a meaning consistent with the contextual meaning of the related art and are to be interpreted as either ideal or overly formal in the sense of the present application Do not.

Hereinafter, embodiments of the present invention will be described in detail with reference to the drawings.

1 is a block diagram illustrating a configuration of a NFV-based messaging service security system according to an embodiment of the present invention.

1, a messaging service security system 100 according to an embodiment of the present invention includes a messaging service manager (MSM) 110, a messaging security controller (MSC) 120 ), And at least one network security function (NSF, 130).

1, N (N is a natural number) network security functions 130-1, ..., 130-N are illustrated in FIG. 1, since the messaging service security system 100 includes at least one network security function (NSF) Respectively. A messaging security controller can interact with at least one network security function that is physically, locally, or logically distributed.

At this time, the messaging service security system 100 can be applied to all of the wired / WiFi VoIP service network 210, the core network 220, and the wireless VoLTE service network 230. In addition, each service network may include a plurality of network devices. Also, the wired / Wi-Fi VoIP service network 210 and the wireless VoLTE service network 230 are connected to the core network 220, respectively.

Meanwhile, the 'messaging service' of the present invention includes MME (Mobility Management Entity), PGW (Packet Data Network) -gateway) existing in a 4G / 5G evolved packet core (EPC) or vEPC (virtualized EPC) wired and wireless Short Message Service (SMS), Multimedia Message Service (MMS), and messenger service, all of which are provided through a home gateway (HSS) and a home subscriber server (HSS).

First, the messaging service manager 110 is an operator management program that sets a security policy for a messaging service as a component that provides an operation management function.

For example, the messaging service manager 110 may include a message phrase to be detected and blocked to secure the messaging service, URL information to block access, such as a URL to install malware, a blacklist spam origination number, Messaging security profile information, statistical-related policy information (e.g., designated periodic time and character delivery thresholds, cumulative number of destination numbers sent a message from a specific call number, etc.) for extracting a new blacklisted spam origination number and a suspicious URL, To the controller (120).

The messaging service manager 110 may serve as an application gateway for a user or an administrator to set and manage security service policies and / or control conditions required for a messaging service. For example, a user or an administrator can set a security policy for a messaging service to be used through a user interface screen or a command-line interface (CLI) through the messaging service manager 110 .

Next, the messaging security controller 120 sends a security policy received via the messaging service manager 110 to at least one network security functions 130-1, ..., 130-N via SDN controllers 140 -1, ..., 140-M and SDN controllers and transmits them to at least one network security function .

In this data model, a comparison condition for applying a specific operation to a packet transmitted and received through a network device (a switch or the like) and a packet belonging to the specific flow, and an operation procedure for how to perform the operation when the condition is satisfied Is defined. The data model will be described later with reference to Figs. 4 and 5.

Finally, at least one network security function 130 is a component that provides practical security functionality for 4G / 5G EPC or vEPC messaging services.

That is, the network security function interprets the data model received from the messaging security controller 120 and provides a practical messaging security service. Each of the network security functions transmits a data model received from the messaging security controller 120 to an application programming interface (API) call of the SDN controllers 140-1, ..., 140-M or a message format To the SDN controllers 140-1, ..., 140-M by a method such as conversion to the SDN controller 140-1.

Meanwhile, the network security function 130 may be implemented in an independent hardware server, or may be implemented in a virtual machine (VM) in a cloud environment or on a virtual machine. As illustrated in FIG. 1, one network security function may be coupled to one or more SDN controllers.

The SDN controllers 140-1 to 140-M are functional elements that control related components (e.g., switches, routers, etc.) to control the flow of traffic. A controller functional element defined by ONF, IETF, ETSI and / or ITU-T, and the like.

A network device is a functional element that substantially forwards, switches, or routes traffic (or packet or flow). It may be a switch, router, or switch defined by the ONF, IETF, ETSI and / or ITU- An element, a router element, a forwarding element, and the like.

2 is a block diagram illustrating a specific configuration of an NFV-based messaging security controller according to an embodiment of the present invention.

Referring to FIG. 2, the messaging security controller 120 may include a policy manager 121 and an event manager 122.

The policy management unit 121 divides the policy information received from the messaging service manager 110 into an event, a condition and an action that can be understood by the network security function 130, And transmits the information to the event management unit 122.

In addition, the policy management unit 121 delivers a messaging security policy defined by the operator (i.e., received from the messaging service manager) to the policy execution unit 131 of the network security function, which will be described later, in the form of a data model.

According to the event related information received from the policy management unit 121, the event management unit 122 manages information on the event to be notified from the network security function and statistical information when the set condition is satisfied.

3 is a block diagram illustrating a specific configuration of an NFV-based network security function according to an exemplary embodiment of the present invention.

Referring to FIG. 3, the network security function 130 may include a policy enforcer 131, an event notifier 132, and a statistics processor 133.

The policy execution unit 131 may block an incoming message based on a policy (for example, spam detection, notification, blocking, etc.) received from the messaging security controller 120 in the form of a data model, And delivers the messaging packet to the messaging security controller 120.

Also. (Such as a URL to be blocked, an APK, or a signature to be detected) transmitted from the policy management unit 121 of the messaging security controller 110.

The event notification unit 132 monitors the event according to the event related information received from the policy execution unit 131. If the event condition is satisfied (i.e., an event is generated), the event notification unit 132 performs a policy (132).

Lastly, the statistical processing unit 133 performs a statistical creation / management and notification function for an event that satisfies the condition requested by the event notification unit 132.

4 is a conceptual diagram illustrating an NFV-based messaging service security policy data model according to an embodiment of the present invention.

Referring to FIG. 4, the messaging service security policy data model includes a policy 310, a rule 320, an event 330, a condition 340, and an action 350 And may include branch information.

Basically, the data model can be constructed by including the above five pieces of information, but some information may be omitted depending on the necessity.

Policy 310 defines security functions at the service level. Generally, policies are unit security services such as Intrusion Prevention System (IPS), Intrusion Detection System (IDS), Web filter, IP call security, and messaging security. In one embodiment of the present invention, this is the security policy for wired / wireless messaging services.

The rule 320 defines a processing operation for the corresponding traffic and flow when a target event, comparison / judgment condition and condition for detecting and applying a specific policy are satisfied. In one embodiment of the present invention, the detection and blocking of access to suspicious URLs that cause characters to be sent from a remote place, the downloading of an APK (Android application package) which is highly dangerous to install malware or ransomware, , And message spammer terminal detection and blocking. One policy can define one or more rules.

The rule 320 may consist of an event 330, a condition 340, and an action 350.

The event (330) indicates whether or not the condition is satisfied and the object or situation of performing the operation. For example, it may mean the occurrence of a situation such as sending and receiving a message, downloading an APK, and the like. A specific example of the event 330 according to an embodiment of the present invention will be described later with reference to FIG.

Condition 340 is one or more comparison sets for determining whether to perform an action when a specific event occurs. That is, the condition may mean a criterion for determining whether or not a specific action is applied to a packet transmitted or received through a network device managed by the network security function 130 or a packet belonging to a specific flow. The condition may be classified into a packet value condition, a context condition, and a statistical condition, and a specific example of the condition 340 according to an embodiment of the present invention will be described later with reference to FIG.

Operation 350 may include, as a control operation, a traffic ingress control operation, a traffic output (egress) control operation, an advanced operation other than traffic input / output control, and a statistics operation . A specific example of the operation 350 according to an embodiment of the present invention will also be described later with reference to FIG.

5 is a conceptual diagram illustrating an example of detailed information elements of the data model according to an embodiment of the present invention illustrated in FIG.

5, event 330 may include a time event 331 related to the time of occurrence of a given situation and a user action 332 associated with a situation caused by the user's actions . Examples of the time event 331 include a message origination / termination time. Examples of the user action 332 include an operation for sending / receiving a message at a wired / wireless terminal, access to a specific URL, downloading an APK .

In addition, condition 340 may include packet content values 341 and context values 342. In addition, the condition 340 may further include statistical conditions 343.

The packet value condition 341 indicates a condition that can be determined from the contents of a single packet. For example, the packet value condition 341 includes a Medium Access Control (MAC) address, a VLAN information, a source and a destination ) The conditions from Layer 2 to Layer 7 of TCP / IP that can be extracted and compared in packets such as IP address, source and destination port information, packet header / payload value, . In an embodiment of the present invention, a packet value condition includes a message origination / destination terminal number, an access URL, a downloaded APK name, and a specific phrase in a message.

The context condition 342 is a condition related to an authentication state, a session state, and the like that can be determined in a session or a flow.

The statistical condition 343 is a condition for monitoring a repeated event and controlling an action for an over-threshold occurrence event. In the embodiment of the present invention, statistical conditions such as a message sending or receiving cumulative number statistics, an access attempt to a specific URL, and a specific APK downloading count are used.

Finally, operation 350 includes a traffic ingress control operation 351, a traffic output (egress) control operation 352, an advanced action 353, and statistics (statistics ≪ / RTI > operation 354).

The traffic pull-in control operation 351 may include an operation of allowing, blocking, and mirroring the packet when the condition is satisfied.

The traffic output control operation 352 may include outputting a corresponding packet when the condition is satisfied, copying the packet to the messaging security controller 120, or detouring to a destination other than the original destination have.

The application operation 353 is a policy operation for controlling security services other than traffic input / output control. Messaging security profiles, signatures, and anti-virus files. In the embodiment of the present invention, the policy set in the messaging security profile is a policy that is applied first to all traffic that enters the network security function. Therefore, when attempting to access the access blocking URL registered in the messaging security profile, or downloading the download prohibited APK, the network security function blocks the corresponding function. In addition, when a packet or a flow satisfying the conditions specified in the signature profile is generated, the corresponding packet and the flow are blocked. The messaging security controller 120 and the messaging service manager 110 are notified of events controlled by the profile.

Lastly, the statistics operation 354 is a statistical management function for threshold setting and monitoring for applying a control policy when a specific event occurs repeatedly.

Hereinafter, in the above-described messaging service security system, a general procedure (FIG. 6) for setting an initial messaging service security policy, an embodiment for setting a spam message blocking policy as a specific example (FIG. 7) Thus, two embodiments (Figs. 8 and 9) in which the spam message blocking policy is executed are described.

6 is a flowchart illustrating a procedure for applying an initial messaging security policy in a messaging service security system according to an exemplary embodiment of the present invention.

Referring to FIG. 6, a procedure for applying a security policy for a messaging service may be performed according to the following procedure.

First, the messaging service manager 110 delivers the messaging security policy set by the operator to the messaging security controller 120 (S610). The messaging security policy may include profile information to be blocked or notified and information related to the creation and monitoring of statistics for future addition of new profiles. Table 1 below is an example of a security profile for a messaging service, and is an example of an information profile for a URL to be blocked and a file name of the APK.

division value Remarks URL http://mmsget.org/9560.html hxxp: //mmsrus.ru/9560.html hxxp: //mmscom.ru/9560.html Download APK APK1 APK2 APK3 APK4 ...

Table 2 below is an example of a signature profile for a messaging service, an example of an initial signature profile, such as a message in a message to be blocked, a blocked originator number.

division value Position within a packet In message Adult product name 1 70byte ~ 100byte Adult product name 2 100 byte ~ Gambling site name 1 ~ 100byte Gambling site name 2 100byte ~ 150byte Blocked caller ID 010-1234-5678 From or Calling Party No. 010-2345-6789 From or Calling Party No. ...

Table 3 below is an example of the statistical policy for the messaging service, and is an example of policy information for setting a statistical condition for monitoring the number of times of message transmission by calling number in minutes, hours, and units.

division Threshold Number of messages sent per minute by calling number 30 Number of messages per hour per caller 1000 Number of daily messages sent by calling number 20000

The policy management unit 121 of the messaging security controller 120 generates a messaging security policy received from the messaging service manager 110 in the form of a data model in operation S620 and, if event monitoring is required for policy execution, And sends event information for management to the event management unit 122 to request generation of event information (S630).

The policy management unit 121 of the messaging security controller 120 may transmit the generated data model to the policy execution unit 131 of the network security function 130 so that the established messaging security policy can be actually performed by the network security function 130. [ (S640).

Meanwhile, the event management unit 122 of the messaging security controller 120 generates an event for applying the data model received from the policy management unit 121 of the messaging security controller 120 (S650).

Here, steps S640 and S650 have no priority of execution, and step S650 may be performed concurrently, regardless of step S640, at the request of step S630.

The policy execution unit 131 of the network security function 130 extracts an event condition to be notified from the data model received from the policy management unit 121 of the messaging security controller 120 and transmits the extracted event condition to the event notification unit 132 The corresponding condition is transmitted (S660). In the embodiment of the present invention, conditions such as a message origination / destination IP / port, a terminal telephone number, an access URL, an APK name, a message phrase, and a call /

The event notification unit 132 of the network security function 130 notifies the event management unit 122 of the messaging security controller 120 of the ingress / egress packets and flow in the network security function 130, (S670). When a packet and a flow satisfying a specific condition occur, the policy execution unit 131 is notified of the occurrence of a packet and a flow (S671).

In operation S680, the event notification unit 132 of the network security function 130 requests the statistical processing unit 133 to generate a statistical condition among the event conditions received from the policy execution unit 131. The statistical processing unit 133 generates the statistical information transmitted from the event notification unit 132 at step S690 and makes the statistical information current at every cycle time and informs the event notification unit 132 when the specified condition is satisfied ).

7 is a flowchart illustrating a procedure for setting a spam message blocking policy in a messaging service security system according to an embodiment of the present invention.

As described above, FIG. 7 is a flowchart for explaining a specific procedure for setting a policy for blocking spam messages using the general policy setting procedure described in FIG. That is, the embodiment described with reference to FIG. 7 is a policy that detects a spammer terminal that sends a spam message to an arbitrary terminal, or detects and blocks a text message including a specific phrase (or a phrase combination) As shown in FIG.

Referring to FIG. 7, the messaging service manager 110 sets a spammer control policy including a spammer detection blocking rule set by the operator (S705), and transmits the spammer control policy to the messaging security controller 120 (S710). Here, the spammer detection blocking rule includes (or includes) a specific string that can be determined as a spammer, detects and blocks a terminal that transmits a text message of a threshold value or more during a cycle time (minute / hour / day) And notifies the service manager 110 of the notification. Table 4 below is an example of a security profile included in a spammer control policy, and is an example of an information profile of a URL to be blocked and a file name of APK.

division value Remarks URL http://mmsget.org/9560.html hxxp: //mmsrus.ru/9560.html hxxp: //mmscom.ru/9560.html Download APK APK1 APK2 APK3 APK4 ...

Table 5 below is a signature profile included in the spammer control policy, which is an example of an initial signature profile, such as a message in a message to be blocked, a blocked originator number.

division value In-Pack Inspection Location In message Adult product name 1 && business name && other condition 70byte ~ 100byte Adult Product Name 2 && Quantity && Other Condition 100 byte ~ Gambling site name 1 && Amount && Other conditions ~ 100byte Gambling site name 2 && prize && other terms 100byte ~ 150byte Blocked caller ID 010-1234-5678 From or Calling Party No. 010-2345-6789 From or Calling Party No. ...

Table 6 is an example of the statistical policy included in the spammer control policy, and is an example of policy information for setting a statistical condition for monitoring the number of messages sent by calling number and the number of called numbers by calling number in minutes, to be.

division Threshold Number of messages sent per minute by calling number 30 Number of messages per hour per caller 1000 Number of daily messages sent by calling number 20000 Number of messages per minute by calling number 20 Number of message number per hour per caller 500 Number of daily message call numbers by calling number 10000

The policy management unit 121 of the messaging security controller 120 generates the received spammer detection blocking rule in the form of a data model (S720). If it is necessary to generate an event for policy execution determination, (122) and requests the event generation (S730). The data model for this rule can be generated as follows.

1) Case: User action to send a text message (user action)

2) Condition

   ㅇ Packet value condition: Specific malicious spam phrase (eg, gambling site name, adult product name, illegal loan product name, pornographic name, etc.)

   O Number of sending text messages (eg, more than 30 times per minute, more than 1,000 times per day, more than 20,000 per day, etc.) during the cycle time of each calling terminal, the number of called numbers that receive text messages sent from one calling number More than 500, more than 10,000 per day, etc.)

3) Operation

  Output traffic control: Forwarding the corresponding text sending packet to the messaging security controller 120 (for spammer judgment and for adding a new messaging security profile and signature value in the corresponding packet when judged as a spammer)

  ㅇ Application behavior

- Apply profile: Add URL and APK name to the messaging security profile if the messaging security profile contains the URL and APK name in the dispatch character that is determined to be a spammer

- Signature application: Add a new phrase (or combination of phrases) and a spammer's originator number to the existing Signature file for the spammers to determine the spammers, and then send the text (or combination of phrases) Block messages

ㅇ Statistical operation: Generate the number of outgoing SMS messages per call time and notify when exceeding threshold

The policy management unit 121 of the messaging security controller 120 transmits the data model generated so that the set rule can be actually performed by the network security function 130 to the policy execution unit 131 of the network security function 130 S740).

The event management unit 122 of the network security function 130 generates an event for application of the data model received from the policy management unit 121 of the messaging security controller 120 in operation S750.

Here, steps S740 and S750 have no priority of execution, and step S750 can be performed independently of step S740 according to the request of step S730.

The policy execution unit 131 of the network security function 130 extracts an event condition to be notified from the data model received from the policy management unit 121 of the messaging security controller 120 and transmits the event condition to the event notification unit 132 (S760). In the embodiment of the present invention, the conditions described in the above '2) Condition' are transmitted.

The event notification unit 132 of the network security function 130 notifies the policy execution unit 131 of the event management unit 122 of the messaging security controller 120 of packets and flows flowing in and out of the network security function 130. [ (S770). If a packet or a flow satisfying a specific condition occurs, the policy execution unit 131 is notified (S771).

In step S780, the event notification unit 132 of the network security function 130 requests the statistical processing unit 133 to generate a statistical condition among the event conditions received from the policy execution unit 131. The statistical processing unit 133 generates the statistical information transmitted from the event notification unit 132 in step S790, and updates the statistical information on a periodic basis to notify the event notification unit 132 when the specified condition is satisfied (S791 ).

In the case of the spammer detection blocking rule, the number of times the text message is sent during the cycle time of each calling terminal, the number of the receiving number that receives the text message sent from one calling number (for example, 20 or more per minute, more than 500 per hour, ).

FIG. 8 is a flow chart for explaining an embodiment of a spam message blocking policy execution procedure in a messaging service security system according to an embodiment of the present invention.

8 corresponds to an embodiment of detecting and blocking a text message including a spammer judgment specific phrase (or phrase combination) based on a spam message blocking policy applied according to the procedure described in Fig. 7 .

8, the event notification unit 132 of the network security function 130 detects whether or not the text message origination / incoming packet and the flow of incoming and outgoing texts from the network security function 130 are received from the event management unit 122 (S810). In step S810, it is determined whether a packet or a flow satisfying the condition is generated or not and a packet including a character (or character combination) specified in the condition is transmitted. That is, the step S810 of FIG. 8 corresponds to the step S770 of FIG. For example, a text message containing the phrase " adult product name 1 && business name && other condition " may be detected as a packet for which " 010-1111-2222 " is transmitted as " 010-3333-4444 ".

The event notification unit 132 of the network security function 130 notifies the policy execution unit 131 of the satisfied condition and the packet / flow information (S811). That is, the step S811 of FIG. 8 corresponds to the step S771 of FIG.

The policy executing unit 131 of the network security function 130 refers to the data model and performs an operation to be performed when the condition is satisfied (S820). In an embodiment of this rule, the policy enforcement unit 131 may block the packet / flow and forward the packet / flow information to the MSF. Also. The policy execution unit 131 of the network security function 130 may notify the policy management unit 121 of the messaging security controller 120 of the completion of the event generation and the operation that satisfies the data model condition in operation S821. The policy management unit 121 of the messaging security controller 120 may forward the generated and processed event information to the event management unit 122 (S822). In addition, the policy management unit 121 of the messaging security controller 120 may transmit the generated and processed event information to the messaging service manager 110 (S823).

The messaging service manager 110 notifies the operator (management system) of the event information generated and processed and notifies it (S830).

On the other hand, if the operator confirms that there is information to be added to the messaging security profile and the signature profile based on the notified event information, the information to be newly added to the profile can be extracted if there is a value not existing in the existing profile (S840). For example, in order to change the profile, the information-blocking calling number "010-1111-2222" - to be added as shown in Table 7 below can be extracted.

division value In-Pack Inspection Location In message Adult product name 1 && business name && other condition 70byte ~ 100byte Adult Product Name 2 && Quantity && Other Condition 100 byte ~ Gambling site name 1 && Amount && Other conditions ~ 100byte Gambling site name 2 && prize && other terms 100byte ~ 150byte Blocked caller ID 010-1234-5678 From or Calling Party No. 010-2345-6789 From or Calling Party No. 010-1111-2222 From or Calling Party ...

The messaging service manager 110 may re-deliver the policy including the changed messaging security profile and the signature profile to the policy management unit 121 of the messaging security controller 120 (S850). The policy management unit 121 of the messaging security controller 120 may apply the changed policy through the same procedures as the steps S720 to S740 of FIG.

9 is a flowchart for explaining another embodiment of a spam message blocking policy execution procedure in a messaging service security system according to an embodiment of the present invention.

The embodiment illustrated in FIG. 9 corresponds to an embodiment of detecting and blocking a spammer terminal that spam a spam message to an arbitrary terminal based on a spam message blocking policy set according to the procedure described in FIG.

9, the statistical processing unit 133 of the network security function 130 generates and manages statistics about the information requested by the event notification unit 132 (for example, step S780 of FIG. 7) The occurrence of the statistical event exceeding the threshold value can be detected (S910). For example, if the terminal number of "010-5555-5555" contains the phrase "adult product name 11 && business name 11 && price 11" more than 30 times per minute and the same text message containing "URL11" Events that transmit text messages to more than 20 different called numbers per minute may be detected.

The statistical processing unit 133 of the network security function 130 notifies the event notification unit 132 of the statistical information on the packet / flow satisfying the condition (S911), and the event notification unit 132 transmits the statistical information to the policy execution unit 131) (S912).

The policy execution unit 131 of the network security function 130 may perform an operation to be performed when the condition is satisfied by referring to the data model (S920). In an embodiment of this rule, the policy enforcement unit 131 may block the packet / flow and forward the packet / flow information to the MSF.

The policy execution unit 131 of the network security function 130 may notify the policy management unit 121 of the messaging security controller 120 of the event generation and the completion of the operation that satisfies the data model condition (S921) . In addition, the policy management unit 121 of the messaging security controller 120 may transmit the generated and processed event information to the event management unit 122. [ In addition, the policy management unit 121 may transmit the generated and processed event information to the messaging service manager 110 (S923).

The messaging service manager 110 notifies the operator (management system) of the event information generated and processed and notifies it (S930).

On the other hand, if the operator has information to add to the messaging security profile and signature profile based on the notified event information, the information to be newly added to the profile can be extracted (S940). For example, in order to change the profile, the blocking information of the information-signature file to be added as shown in Table 8 below: "Adult Name 11 && Business Name 11 && Price 11", Block Outgoing Number: "010-5555-5555" Can be extracted.

division value In-Pack Inspection Location In message Adult product name 1 && business name && other condition 70byte ~ 100byte Adult Product Name 2 && Quantity && Other Condition 100 byte ~ Gambling site name 1 && Amount && Other conditions ~ 100byte Gambling site name 2 && prize && other terms 100byte ~ 150byte Adult product name 11 && business name 11 && price 11 100 byte ~ Blocked caller ID 010-1234-5678 From or Calling Party No. 010-2345-6789 From or Calling Party No. 010-1111-2222 From or Calling Party 010-5555-5555 From or Calling Party ...

For example, to change the profile, it is possible to derive "URL11" to be added to the messaging security profile, as shown in Table 9 below.

division value Remarks URL http://mmsget.org/9560.html hxxp: //mmsrus.ru/9560.html hxxp: //mmscom.ru/9560.html URL11 Download APK APK1 APK2 APK3 APK4 ...

The messaging service manager 110 may retransmit the policy including the changed messaging security profile and the signature file to the policy management unit 121 of the messaging security controller 120 in operation S950. The policy management unit 121 of the messaging security controller 120 may apply the changed policy through the same procedures as the steps S720 to S740 of FIG.

The methods according to the present invention can be implemented in the form of program instructions that can be executed through various computer means and recorded on a computer readable medium. The computer readable medium may include program instructions, data files, data structures, and the like, alone or in combination. The program instructions recorded on the computer readable medium may be those specially designed and constructed for the present invention or may be available to those skilled in the computer software.

Examples of computer readable media include hardware devices that are specially configured to store and execute program instructions, such as ROM, RAM, flash memory, and the like. Examples of program instructions include machine language code such as those generated by a compiler, as well as high-level language code that can be executed by a computer using an interpreter or the like. The hardware devices described above may be configured to operate with at least one software module to perform the operations of the present invention, and vice versa.

It will be understood by those skilled in the art that various changes in form and details may be made therein without departing from the spirit and scope of the invention as defined in the appended claims. It will be possible.

100: NFV-based messaging service security system
110: Messaging Service Manager
120: Messaging Security Controller
121: Policy Management Department
122: Event management unit
130-1, ..., 130-N: Network security function
131:
132: Event notification unit
133:
140-1, ..., 140-M: SDN controller

Claims (20)

As a network functional virtualization (NFV) -based messaging service security system,
A Messaging Service Manager (MSM) to set up and manage security policies for messaging services;
A messaging security controller (MSC) for generating a security policy received through the messaging service manager in a predetermined data model and transmitting the security policy to a network security function (NSF); And
And at least one network security function for providing security for the messaging service based on a data model received from the messaging security controller.
Messaging service security system. The method according to claim 1,
The data model includes:
An event to judge whether the condition is satisfied and to perform the operation;
A condition for determining whether a specific action is applied to a packet transmitted or received through a network device or a packet belonging to a specific flow; And
And information defining an action to be performed when the condition is satisfied.
Messaging service security system. The method of claim 2,
Wherein the event is a time event related to the occurrence time of the predetermined situation; And
Comprising a user action associated with a situation triggered by a user action,
Messaging service security system. The method of claim 2,
Said condition being a packet value condition that can be determined from the contents of a single packet; And
Including a context condition that can be determined through a session or a flow,
Messaging service security system. The method of claim 2,
The operation
Traffic ingress control operation;
A traffic output (egress) control operation;
Advanced action based on profile or signature; And
And at least one of a statistics operation,
Messaging service security system. The method according to claim 1,
Wherein the network security function is coupled to at least one SDN controller that manages at least one SDN switch and is operable to transmit a data model received from the messaging security controller to at least one SDN controller, To the at least one SDN controller,
Messaging service security system. The method according to claim 1,
The messaging security controller comprising:
A policy manager for generating a security policy received from the messaging service manager in the predetermined data model and transmitting the generated security policy to the network security function; And
And an event manager for managing events and statistical information to be notified from the network security function based on event related information received from the policy management unit,
Messaging service security system. The method according to claim 1,
The network security function comprises:
A policy enforcer for performing an operation on an incoming message based on a data model received from the messaging security controller, and for forwarding an incoming message to the messaging security controller when an additional analysis of the incoming message is required;
An event notifier for performing event monitoring based on event related information received from the policy execution unit and notifying the policy execution unit of the occurrence of an event; And
And a statistics processor for performing a statistical generation / management / notification function for an event satisfying a condition requested by the event notification unit.
Messaging service security system. The method according to claim 1,
The network security function may be implemented as an independent hardware server, or may be implemented in a virtual machine (VM) or virtual machine in a cloud environment,
Messaging service security system. A network functional virtualization (NFV) -based messaging service security processing method,
Creating a security policy for the messaging service and forwarding it to the Messaging Security Controller (MSC);
Receiving, by the messaging security controller, the security policy, generating the security policy as a predetermined data model and transmitting the security policy to at least one network security function (NSF); And
Wherein the at least one network security function comprises providing security for the messaging service based on the delivered data model.
How messaging services are handled securely. The method of claim 10,
The data model includes:
An event to judge whether the condition is satisfied and to perform the operation;
A condition for determining whether a specific action is applied to a packet transmitted or received through a network device or a packet belonging to a specific flow; And
And information defining an action to be performed when the condition is satisfied.
How messaging services are handled securely. The method of claim 11,
Wherein the event is a time event related to the occurrence time of the predetermined situation; And
Comprising a user action associated with a situation triggered by a user action,
How messaging services are handled securely. The method of claim 11,
Said condition being a packet value condition that can be determined from the contents of a single packet; And
Including a context condition that can be determined through a session or a flow,
How messaging services are handled securely. The method of claim 11,
The operation
Traffic ingress control operation;
A traffic output (egress) control operation;
Advanced action based on profile or signature; And
And at least one of a statistics operation,
How messaging services are handled securely. The method of claim 10,
Wherein the network security function is coupled to at least one SDN controller that manages at least one SDN switch and is operable to transmit a data model received from the messaging security controller to at least one SDN controller, To the at least one SDN controller,
How messaging services are handled securely. In a network functional virtualization (NFV) -based messaging service security system, messaging security (MSM) interworking with Messaging Service Manager (MSM) and at least one Network Security Function (NSF) A method of operating a Messaging Security Controller (MSC)
Receiving the security policy from the messaging service manager that establishes and manages a security policy for the messaging service;
Generating the security policy in a predetermined data model and transmitting the security policy to the at least one network security function; And
Comprising: receiving from the at least one network security function notification of completion of an operation based on the predetermined data model;
How the messaging security controller works. 18. The method of claim 16,
The data model includes:
An event to judge whether the condition is satisfied and to perform the operation;
A condition for determining whether a specific action is applied to a packet transmitted or received through a network device or a packet belonging to a specific flow; And
And information defining an action to be performed when the condition is satisfied.
How the messaging security controller works. 18. The method of claim 16,
Wherein the event is a time event related to the occurrence time of the predetermined situation; And
Comprising a user action associated with a situation triggered by a user action,
How the messaging security controller works. 18. The method of claim 16,
The condition
A packet value condition that can be determined from the contents of a single packet; And
Including a context condition that can be determined through a session or a flow,
How the messaging security controller works. 18. The method of claim 16,
The operation
Traffic ingress control operation;
A traffic output (egress) control operation;
Advanced action based on profile or signature; And
And at least one of a statistics operation,
How the messaging security controller works.

Images