KR20210056196A - Method for determining a security threat on a radio access network and electronic device - Google Patents

Abstract

According to the present disclosure, provided are an electronic device and a control method thereof. The electronic device of the present disclosure includes: a communication interface; a processor operatively connected with the communication interface; and a memory operatively connected with the processor. The memory can store instructions which, when executed, cause the processor to: receive wireless communication data transmitted through a wireless connection network through the communication interface; enable at least one first virtualization module virtualizing the function of the wireless connection network to process the received wireless communication data based on a wireless connection network protocol; enable the at least one first virtualization module to confirm an abnormal symptom based on the received wireless communication data or a result of processing the wireless communication data; enable the at least one first virtualization module to deliver information related with the wireless communication data to a second virtualization module; and enable the second virtualization module to determine a predicted security threat on the wireless connection network based on the information related with the wireless communication data from which the abnormal symptom has been confirmed. Therefore, the present invention is capable of minimizing latency with respect to the handling of a security threat.

Description

Security threat determination method and electronic device on wireless access network {METHOD FOR DETERMINING A SECURITY THREAT ON A RADIO ACCESS NETWORK AND ELECTRONIC DEVICE}

Various embodiments of the present disclosure relate to a method and an electronic device for determining a security threat on a wireless access network.

^{Efforts are being made to develop an improved 5G (5 th} -Generation) communication system or a pre-5G communication system in order to meet the increasing demand for wireless data traffic since the commercialization of 4G (4 ^{th -Generation) communication systems.} . For this reason, the 5G communication system or the pre-5G communication system is called a communication system beyond 4G network or a system after LTE system (post LTE).

In order to achieve a high data rate, 5G communication systems are considered to be implemented in the mmWave band (for example, 6 to 60 GHz band. In order to mitigate the path loss of radio waves and increase the transmission distance of radio waves in the mmWave band, 5G In a communication system, beamforming, massive MIMO, full dimensional MIMO (FD-MIMO), array antenna, analog beam-forming, and Large scale antenna technologies are being discussed.

In addition, in order to improve the network of the system, in 5G communication systems, evolved small cells, advanced small cells, cloud radio access networks (cloud RAN), and ultra-dense networks. , Device to device communication (D2D), wireless backhaul, moving network, cooperative communication, coordinated multi-points (CoMP), and interference cancellation And other technologies are being developed.

In addition, in the 5G communication system, hybrid FSK and QAM modulation (FQAM) and sliding window superposition coding (SWSC), which are advanced coding modulation (ACM) schemes, and filter bank multi carrier (FBMC), which are advanced access technologies, Non-orthogonal multiple access (NOMA), sparse code multiple access (SCMA), and the like are being developed.

As 4G communication systems and 5G communication systems are commercialized, virtualization-based technologies are being applied to communication network systems. For example, at least some of the functions of the wireless communication protocol processed by the base station are implemented in the form of software modules in a general-purpose device by network virtualization technology.

Although the network virtualization technology has many advantages in terms of flexibility and scalability, security threats may increase and complexity of security management may increase. For example, malicious attacks that bring a security threat to a device to which the network virtualization technology is applied may be possible, and in an environment to which the network virtualization technology is applied, if a network device is abnormally operated due to the malicious attack, the ripple power may increase.

According to various embodiments, a security agent is installed in a device to which virtualization technology is applied to a radio access network (RAN), and the security agent is used to determine the security threat of the device or network virtualization module in real time. It is possible to immediately respond to threats and detect and respond to various attacks using vulnerabilities in wireless communication protocols.

According to various embodiments, an electronic device includes: a communication interface; A processor operatively connected to the communication interface; And a memory operatively connected to the processor, the memory, when executed, the processor receives wireless communication data transmitted through a wireless access network through the communication interface, and at least one first virtualization When the wireless communication data received by the module is processed based on a wireless network protocol, and security information related to the wireless communication data is generated according to an operation of the at least one first virtualization module, the second virtualization module Instructions for determining an expected security threat on a wireless access network by checking wireless communication data corresponding to the generated security information may be stored.

According to various embodiments of the present disclosure, a method of determining a security threat on a wireless access network of an electronic device may include: receiving wireless communication data transmitted through the wireless access network; Processing the received wireless communication data by at least one first virtualization module based on a wireless network protocol; Checking security information related to the wireless communication data generated according to an operation of the at least one first virtualization module; And determining an expected security threat on the wireless access network by checking wireless communication data corresponding to the generated security information by the second virtualization module.

According to various embodiments, security by installing a security agent in an electronic device having a virtualized network function (VNF) module that virtualizes wireless access network equipment, separate from the virtualized network function (VNF) module, and determining security threats in real time. Latency for threat processing can be minimized.

According to various embodiments, a virtual network function (VNF) module that virtualizes a wireless access network device and a security agent for determining security threats to a separate wireless access network are installed in the same device to minimize latency and process it in other devices. If you do, you can reduce the overhead (overhead) that may occur.

According to various embodiments, a separate security agent is installed in an electronic device having a virtualized network function (VNF) module virtualizing a wireless access network device, and a security threat is determined in real time. Immediate response to attacks (e.g., DoS, DDos, spoofing, exploits) is possible, and even if anomalies are found in the data processed by vRAN, it is possible to respond to expected attacks without the need to reboot or update the device. .

According to various embodiments, a separate security agent is installed in an electronic device having a virtualized network function (VNF) module that virtualizes wireless access network equipment, and the security server collects and analyzes the analysis results of each security agent to provide a network topology. It can cope with various types of security attacks based on (network topology) information.

1 is a block diagram of a system in a network environment according to various embodiments.
2A and 2B are diagrams illustrating an example of a configuration of a wireless access network according to various embodiments.
3 is a diagram illustrating data processing between layers of a wireless communication protocol according to various embodiments.
4 is a block diagram illustrating a detailed configuration of an electronic device according to various embodiments of the present disclosure.
5A is a block diagram illustrating a detailed configuration of a security server and an electronic device according to an embodiment of the present disclosure.
5B is a diagram illustrating a log collection operation of an electronic device according to an embodiment of the present disclosure.
5C is a diagram illustrating an operation of transmitting a security report from an electronic device to a security server according to an embodiment of the present disclosure.
5D is a diagram illustrating an operation of creating and applying a security policy in a security server according to an embodiment of the present disclosure.
6 is a diagram for describing an operation of a MAC layer to be operated in a VNF module according to an embodiment of the present disclosure.
7 is a diagram for describing an operation of a MAC layer to be operated in a VNF module according to an embodiment of the present disclosure.
8 is a diagram illustrating a configuration of MAC PDU data processed by a VNF module according to an embodiment of the present disclosure.
9 is a diagram illustrating a PDCP layer protocol processing procedure according to an embodiment of the present disclosure.
10 is a diagram illustrating a configuration of PDCP data processed by a VNF module according to an embodiment of the present disclosure.
11 is a diagram illustrating a configuration of PDCP data processed by a VNF module according to an embodiment of the present disclosure.
12 is a diagram illustrating a configuration of PDCP data processed by a VNF module according to an embodiment of the present disclosure.
13 is a diagram illustrating an embodiment in which a security policy is applied by interworking with a security server according to various embodiments.
14 is a diagram illustrating an embodiment in which a security policy is applied by interworking with a security server according to various embodiments.
15 is a flowchart illustrating an operation procedure of an electronic device according to various embodiments of the present disclosure.
16 is a signal flow diagram illustrating an operation procedure between devices according to various embodiments.

Hereinafter, preferred embodiments of the present invention will be described in detail with reference to the accompanying drawings. In addition, in describing the present invention, when it is determined that a detailed description of a related known function or configuration may unnecessarily obscure the subject matter of the present invention, the detailed description thereof will be omitted. In addition, terms to be described later are terms defined in consideration of functions in the present invention, which may vary according to the intention or custom of users or operators. Therefore, the definition should be made based on the contents throughout the present specification.

It should be noted that the technical terms used in the present specification are only used to describe specific embodiments, and are not intended to limit the present invention. In addition, the technical terms used in the present specification should be interpreted as generally understood by those of ordinary skill in the technical field to which the present invention belongs, unless otherwise defined in this specification. It should not be construed as a human meaning or an excessively reduced meaning. In addition, when a technical term used in the present specification is an incorrect technical term that does not accurately express the spirit of the present invention, it will be replaced with a technical term that can be correctly understood by those skilled in the art to be understood. In addition, general terms used in the present invention should be interpreted as defined in the dictionary or according to the context before and after, and should not be interpreted as an excessively reduced meaning.

In addition, a singular expression used in the present specification includes a plurality of expressions unless the context clearly indicates otherwise. In the present application, terms such as “consisting of” or “comprising” should not be construed as necessarily including all of the various elements or various steps described in the specification, and some of the elements or some steps It may not be included, or it should be interpreted that it may further include additional components or steps.

In addition, terms including ordinal numbers such as first and second used in the present specification may be used to describe various components, but the components should not be limited by the terms. The above terms are used only for the purpose of distinguishing one component from another component. For example, without departing from the scope of the present invention, a first element may be referred to as a second element, and similarly, a second element may be referred to as a first element.

When a component is referred to as being "connected" or "connected" to another component, it may be directly connected or connected to the other component, but other components may exist in the middle. On the other hand, when a component is referred to as being "directly connected" or "directly connected" to another component, it should be understood that there is no other component in the middle.

Hereinafter, preferred embodiments of the present invention will be described in detail with reference to the accompanying drawings, but identical or similar components are assigned the same reference numerals regardless of the reference numerals, and redundant descriptions thereof will be omitted. In addition, in describing the present invention, when it is determined that a detailed description of a related known technology may obscure the subject matter of the present invention, a detailed description thereof will be omitted. In addition, it should be noted that the accompanying drawings are only intended to facilitate understanding of the spirit of the present invention, and should not be construed as limiting the spirit of the present invention by the accompanying drawings. The spirit of the present invention should be construed as extending to all changes, equivalents, or substitutes in addition to the accompanying drawings.

1 is a diagram illustrating a system configuration according to an embodiment of the present disclosure. Referring to FIG. 1, a system 100 according to an embodiment of the present disclosure may include a security server 110 and at least one electronic device 120. The security server 110 may include a security module 111. The security module 111 may be a virtualization module installed in the security server 110 in the form of a software module. According to various embodiments, the security server 110 is replaced by a security orchestrator (SO), an element management system (EMS), or a remote security agent, or at least each It may be included in some and implemented. According to various embodiments, the security server 110 may be included in a server configured separately from the security orchestrator, the element management system, or the remote security agent. The security server 110 may be a server configured separately for a function related to security to be described later, or may be a server for other purposes or a server including a function related to security to be described later in a general-purpose server.

The electronic device 120 (or server) may include at least one virtualization module. According to various embodiments, the electronic device 120 may include at least one first virtualization module that processes wireless communication data based on a wireless network protocol. In the following description, the at least one first virtualization module For convenience of description, will be referred to as a virtual network function (VNF) module 121. According to various embodiments, the electronic device 120 may include a second virtualization module that interworks with the at least one first virtualization module to process a function related to security for the at least one first virtualization module, and In the following description, the second virtualization module will be referred to as a security module 122 or a security agent (SA) for convenience of description.

According to various embodiments, the VNF module 121 may include at least some functions of functions performed in at least one virtual radio access network (vRAN) device. The VNF module 121 may mean a software module installed in various virtual machines (VMs) to process network traffic, and each VNF module 121 is a set virtualized radio access network service or a part thereof. You can do it. For example, each of the VNF modules 121 may perform at least one radio access network function performed by a base station, and according to a configuration type of a radio network, a radio unit (RU), a digital unit (DU), At least one of a central/cloud unit (CU) and an access unit (AU) may be performed. Various embodiments of the function of the VNF module 121 will be described later in FIGS. 2A and 2B.

The VNF module 121 may provide a dynamic and generally executable network function and service on an electronic device (or server) equipped with a general-purpose processor by separating a specific network function in a network device from basic hardware. When a plurality of VNF modules 121 are disposed in the electronic device 120, the plurality of VNF modules 121 may perform the same or similar network functions, or may perform different network functions. The VNF module 121 may replace at least one of various network devices according to the network functions to be performed, and the arrangement and role thereof may be configured in various forms. Various embodiments of the VNF module 121 will be described in detail with reference to FIGS. 2A and 2B.

According to various embodiments, each electronic device 120 may include a security module 122, and the security module 122 interlocks with each VNF module 121 configured in the electronic device 120 to at least It can perform one security-related function. For example, the security module 122 is installed separately from the VNF module 121 when an abnormality is detected in the wireless communication data processed based on the set wireless network protocol as the specific VNF module 121 operates. Security threats on the wireless access network expected in relation to the wireless communication data for which the abnormality is identified by the security agent (or security module 122) (e.g., denial of service (DoS), distributed DoS (DDoS)), spoofing ( spoofing), or security vulnerability (exploit) attacks.

When it is determined that specific wireless communication data is a security threat, the security module 122 sets various security policies such as instructing to discard the wireless communication data, instructing to process non-response, or instructing to process a warning. Or you can apply. According to various embodiments, when it is determined that specific wireless communication data is data that poses a security threat or it is difficult to determine whether or not it is a security threat by itself, the security module 122 transmits to the security module 111 of the security server 110. Security-related information can be transmitted. The security module 111 of the security server 110 may receive security-related information transmitted from the security module 122 of the electronic device 120 and perform additional analysis on corresponding wireless communication data. The security module 111 of the security server 110 may establish a new security policy according to an additional analysis result of the corresponding wireless communication data, or update an existing security policy, and then provide it to each electronic device 120. have. Various embodiments performed by the security module 111 of the security server 110 and the security module 122 of each electronic device 120 will be described later with reference to FIGS. 5A to 5D.

2A is a diagram illustrating a configuration of a radio access network system according to an embodiment of the present disclosure. Referring to FIG. 2A, a radio access network (RAN) system 200 according to various embodiments is an electronic device including functions of a radio unit (RU) 220 and a digital unit (DU) 240. It may include at least one of the electronic device 120b including the function of 120a and a central/cloud unit (CU) 260. The RU 220 may communicate with the user terminal 210 through a wireless space. The user terminal 210 includes an electronic device, a terminal device, a mobile equipment (ME), a user equipment (UE), a user terminal (UT), a subscriber station (SS), and a wireless device. , May be called a handheld device, or an access terminal (AT). In addition, the user terminal 120 may be a device having a communication function such as a mobile phone, a personal digital assistant (PDA), a smart phone, a wireless modem, and a notebook.

The RU 220 may perform processing corresponding to a lower physical layer (PHY (physical)-L) on transmitted or received wireless communication data. The processing corresponding to the lower physical layer may include at least one of channel coding, antenna mapping, and data modulation. The RU 220 may include a radio frequency (RF) module or an inter frequency (IF) module, and the data processed by the lower physical layer is converted from a digital signal to an analog signal by a digital to analog converter (DAC). After that, it can be converted into an IF signal or an RF signal. The data converted into the RF signal may be transmitted to a wireless space through an antenna.

The electronic device 120a including the function of the DU 240 may communicate with the RU 220 via wired communication through a transport network 230. The distance between the RU 220 and the electronic device 120a including the function of the DU 240 may be referred to as a front haul. The DU 240 may receive data processed by the lower physical layer from the RU 220 and may perform upper physical layer (PHY-H) processing. The upper physical layer processing may be variously defined, and may include processing such as forward error correcting (FEC) or symbol mapping. The DU 240 may perform media access control (MAC) layer processing and radio link control (RLC) layer processing on the upper physical layer-processed data.

The electronic device 120b including the function of the CU 260 may communicate with the electronic device 120a including the function of the DU 240 by wire through the transmission network 250. Between the electronic device 120a including the function of the DU 240 and the electronic device 120b including the function of the CU 260 may be referred to as a mid haul. The CU 260 may receive RLC layer-processed data from the DU 240 and perform packet data convergence protocol (PDCP) layer processing and radio resource control (RRC) layer processing.

According to various embodiments, the processing corresponding to the wireless communication protocol layer processed by the DU 240 or the CU 260 is dynamic and generally executable virtualized software on an electronic device (or server) equipped with a general-purpose processor. It may be configured in the form of a module (eg, the VNF module 121).

According to various embodiments, the electronic device 120a including the function of the DU 240 or the electronic device 120b including the function of the CU 260 may include security modules 241 and 261, respectively. In addition, the security modules 241 and 261 of FIG. 2A may correspond to the security module 122 of FIG. 1. The security module 241 included in the electronic device 120a including the function of the DU 240 includes the security module 261 included in the electronic device 120b including the function of the CU 260 and security-related information Alternatively, security-related messages may be transmitted and received with each other.

The electronic device 120b including the function of the CU 260 may communicate with the security server 110 through a transmission network 270 referred to as a back haul. According to various embodiments, the security server 110 may include a security module 111. The security module 111 included in the security server 110 is the security module 241 included in the electronic device 120a including the function of the DU 240 or the electronic device including the function of the CU 260 ( Security-related information or security-related messages may be transmitted and received with the security module 261 included in 120b). Detailed functions and operations of the security modules 111, 241, and 261 will be described in detail in the description of FIGS. 5A to 5D.

2B is a diagram illustrating an example of a configuration of a wireless communication protocol of an AU and a CU according to an embodiment of the present disclosure. Referring to FIG. 2B, each layer of a wireless communication protocol may be classified into various types and processed according to various embodiments. According to various embodiments, the electronic device 280 including the function of the CU 281 may include a security module 282, and the electronic device 290 including the function of the DU 291 may include a security module ( 292). Each of the security modules 282 and 292 may correspond to the security module 122 of FIG. 1. For example, the wireless communication protocol processing of the RU 220, DU 240, and CU 260 described above in FIG. 2A is in the same form as the AU (access unit) 291 and CU 281 shown in FIG. 2B. It can be composed of. According to various embodiments, as shown in FIG. 2B, a PDCP layer, an RLC layer, a MAC layer, and a PHY layer constituting a wireless communication protocol may be distributed to the CU 281 and the AU 291, respectively.

As an example, the AU 291 may perform RF processing and PHY-L layer processing, and the CU 281 may perform PHY-H layer processing, MAC layer processing, RLC layer processing, and PDCP layer processing. Data transmitted between the CU 281 and the AU 291 may be configured in the form of a symbol or bit. As another example, the AU 291 may perform RF processing and PHY layer processing, and the CU 281 may perform MAC layer processing, RLC layer processing, and PDCP layer processing. At this time, the CU 281 and AU 291 The data transmitted between) may be configured in the form of a MAC protocol data unit (PDU). As another example, the AU 291 may perform RF processing, PHY layer processing, and MAC layer processing, and the CU 281 may perform RLC layer processing and PDCP layer processing. At this time, the CU 281 and AU ( 291) may be configured in the form of an RLC protocol data unit (PDU). As another example, the AU 291 may perform RF processing, PHY layer processing, MAC layer processing, and RLC layer processing, and the CU 281 may perform PDCP layer processing. At this time, the CU 281 and the AU ( 291) may be configured in the form of a PDCP protocol data unit (PDU).

According to various embodiments, processing of each wireless communication protocol layer included in the CU 281 or AU 291 may be processed by a virtualized network function module (eg, the VNF module 121 of FIG. 1 ). .

Hereinafter, processing of each layer constituting the wireless communication protocol will be described in detail with reference to FIG. 3.

3 is a diagram illustrating a detailed structure of a wireless communication protocol stack according to various embodiments. According to various embodiments, the wireless communication protocol stack 300 includes a packet data convergence protocol entity (PDCP entity) 301, a radio link control entity (RLC entity) 302, a medium access control entity (MAC) entity (303), and a PHY entity ( It may be composed of a physical entity; 304).

According to various embodiments, the packet data convergence protocol (PDCP) entity 301 may perform operations such as IP header compression/restore. The main functions of the PDCP entity 301 can be summarized as follows. According to various embodiments, in an E-UTRA NR dual connectivity (EN-DC) environment, NR PDCP may be included in the LTE protocol of the terminal and the base station together to support various functions of the EN-DC function.

-Header compression and decompression (ROHC only)

-Transfer of user data

-In-sequence delivery of upper layer PDUs at PDCP re-establishment procedure for RLC AM (acknowledged mode)

-Order reordering function (for split bearers in DC (only support for RLC AM): PDCP PDU routing for transmission and PDCP PDU reordering for reception)

-Duplicate detection of lower layer service data units (SDUs) at PDCP re-establishment procedure for RLC AM)

-Retransmission of PDCP SDUs at handover and, for split bearers in DC, of PDCP PDUs at PDCP data-recovery procedure, for RLC AM

-Encryption and decryption function (ciphering and deciphering)

-Timer-based SDU discard in uplink.

According to various embodiments, the radio link control (hereinafter referred to as RLC) entity 302 may perform an ARQ operation or the like by reconfiguring a PDCP packet data unit (PDU) to an appropriate size. The main functions of the RLC entity 302 can be summarized as follows.

-Data transfer function (transfer of upper layer PDUs)

-ARQ function (error correction through ARQ (only for AM (acknowledged mode) data transfer))

-Concatenation, segmentation and reassembly of RLC SDUs (only for UM (unacknowledged mode) and AM data transfer)

-Re-segmentation of RLC data PDUs (only for AM data transfer)

-Reordering of RLC data PDUs (only for UM and AM data transfer)

-Duplicate detection (only for UM and AM data transfer)

-Error detection function (protocol error detection (only for AM data transfer))

-RLC SDU discard function (RLC SDU discard (only for UM and AM data transfer))

-RLC re-establishment

According to various embodiments, the MAC entity 303 is connected to several RLC layer devices configured in one terminal, multiplexing RLC PDUs to MAC PDUs, and performing an operation of demultiplexing RLC PDUs from MAC PDUs. The main functions of the MAC entity 303 can be summarized as follows.

-Mapping between logical channels and transport channels

-Multiplexing/demultiplexing of MAC SDUs belonging to one or different logical channels into/from transport blocks (TB) delivered to/from the physical layer on transport channels

-Scheduling information reporting function

-HARQ function (error correction through HARQ)

-Priority handling between logical channels of one UE

-Priority handling between UEs by means of dynamic scheduling

-MBMS service identification

-Transport format selection function

-Padding function

According to various embodiments, the PHY entity 304 channel-codes and modulates upper layer data, converts it into an OFDM symbol, and transmits it through a wireless channel, or demodulates and channel-decodes an OFDM symbol received through a radio channel and delivers it to the upper layer. You can perform the operation that you do.

Referring to FIG. 3, a wireless communication protocol stack 300 according to various embodiments may include a PDCP entity 301, an RLC entity 302, a MAC entity 303, and a PHY entity 304. The PDCP entity 301, the RLC entity 302, the MAC entity 303, and the PHY entity 304 may be entities based on the radio protocol of the LTE system, or may be entities based on the radio protocol of the NR system. For example, when the electronic device transmits and receives data based on LTE, a PDCP entity 301, an RLC entity 302, a MAC entity 303, and a PHY entity 304 based on the radio protocol of the LTE system may be set. have. For example, when an electronic device transmits and receives data based on NR, a PDCP entity 301, an RLC entity 302, a MAC entity 303, and a PHY entity 304 based on the radio protocol of the NR system may be set. have. For example, as shown in FIG. 3, the PDCP entity 301, the RLC entity 302, the MAC entity 303, and the PHY entity 304 are in some logical areas or some physical areas of the memory 310 of the electronic device. Packet data processed based on may be stored at least temporarily. According to various embodiments, the PDCP entity 301 includes PDCP headers 321, 323, in each of the PDCP SDUs 314, 315, 316 based on data 311, 312, 313, which are Internet protocol (IP) packets. 325) may be further included to deliver the PDCP PDUs 322, 324, and 326. The PDCP header information transmitted by the LTE PDCP entity may be different from the PDCP header information transmitted by the NR PDCP entity. According to various embodiments, the PDCP buffer 320 may be implemented in a logical area or a physical area designated inside the memory 310. The PDCP buffer 320 receives the PDCP SDUs 314, 315, 316 based on the PDCP entity 301 and stores at least temporarily, and the PDCP headers 321, 323, in the PDCP SDUs 314, 315, 316, 325) may be further included to deliver the PDCP PDUs 322, 324, and 326 to the RLC layer. According to various embodiments, the RLC entity 302 adds RLC headers 331 and 334 to each of the first data 332 and second data 335 reconstructed from the RLC SDUs 322, 324, and 326. , RLC PDU (333, 336) can be delivered. RLC header information based on LTE may be different from RLC header information based on NR.

According to various embodiments, the MAC entity 302 may transmit the MAC PDU 343 by adding, for example, a MAC header 341 and padding 342 to the MAC SDU 333, which is transmitted It may be processed in the physical layer 304 as a transport block 351. The transport block 351 may be processed as slots 352, 353, 354, 355, and 356.

According to various embodiments, although not illustrated in FIG. 3, the memory 310 may include a buffer corresponding to the RLC layer and the MAC layer, respectively.

4 is a block diagram illustrating a detailed configuration of an electronic device according to an embodiment of the present disclosure. Referring to FIG. 4, the electronic device 400 (eg, the security server 110 or the electronic device 120 (or server) of FIG. 1) is a processor 410, a memory 420, or a communication interface 430. It may include.

The communication interface 430 may refer to hardware capable of transmitting and receiving various information (or data) by performing communication with at least one external electronic device. The communication interface 430 includes Transmission Control Protocol/Internet Protocol (TCP/IP), User Datagram Protocol (UDP), Hyper Text Transfer Protocol (HTTP), Secure Hyper Text Transfer Protocol (HTTPS), File Transfer Protocol (FTP), Data may be transmitted and received using a communication protocol (protocol) such as Secure File Transfer Protocol (SFTP) and Message Queuing Telemetry Transport (MQTT), but is not limited thereto.

To this end, the communication interface 430 may be connected to an external electronic device through a network through wired communication or wireless communication. In this case, the network may be a personal area network (PAN), a local area network (LAN), a wide area network (WAN), etc., depending on the area or scale, and the Intranet ), Extranet, or Internet.

Here, the wireless communication is LTE (LTE Advance), LTE-A (LTE Advance), 5G (5th Generation) mobile communication, CDMA (code division multiple access), WCDMA (wideband CDMA), UMTS (universal mobile telecommunications system). ), WiBro (Wireless Broadband), GSM (Global System for Mobile Communications), DMA (Time Division Multiple Access), WiFi (Wi-Fi), Bluetooth, NFC (near field communication), at least one of the communication methods such as Zigbee. Can include. Wired communication includes Ethernet, optical network, USB (Universal Serial Bus), ThunderBolt, HDMI (High Definition Multimedia Interface), RS-232 (Recommended Standard232), power line communication and POTS (Plain It may include at least one of communication methods such as Old Telephone Service). Here, the communication interface 430 may include a network interface or a network chip according to the wired/wireless communication method described above.

The memory 420 may refer to hardware that stores information such as data in an electrical or magnetic form so that the processor 410 or the like can access it. To this end, the memory 420 may be implemented as at least one of a non-volatile memory, a volatile memory, a flash memory, a hard disk drive (HDD) or a solid state drive (SSD), RAM, and ROM. .

At least one instruction, module, or data necessary for the operation of the electronic device 400 or the processor 410 may be stored in the memory 420. Here, the instruction is a unit of code indicating the operation of the electronic device 400 or the processor 410, and may be written in a machine language, which is a language that can be understood by a computer. A module may be a set of instructions that perform a specific task in a unit of work. The data may be information in units of bits or bytes capable of representing characters, numbers, images, and the like.

In addition, according to various embodiments, the memory 420 corresponds to at least one software module (e.g., VNF module 541, 542, 543, 544 or security agent 550, remote security agent 510) to be described later. Program information can be stored. According to various embodiments, the memory 420 may store various security-related information (eg, abnormal symptom information, security policy information, etc.) to be used in embodiments to be described later. Here, the VNF module may mean a software module installed in a virtual machine (VM) (or implemented in a container method) to perform network traffic processing as described above, and each VNF module is configured with virtualization It can perform the wireless access network service or part of it. The remote security agent 510 may be installed in a virtual machine (VM) like the above-described VNF module (or implemented in a container method) to process security-related functions of each VNF module.

The memory 420 is accessed by the processor 410, and read/write/modify/delete/update instructions, modules, artificial intelligence models, or data by the processor 410 may be performed.

The processor 410 may be composed of one or a plurality of processors, and the processor 410 is a general-purpose processor such as a central processing unit (CPU), an application processor (AP), etc., a graphic processing unit (GPU), a vision processing unit (VPU), etc. ), or the like, or a processor dedicated to artificial intelligence such as a Neural Processing Unit (NPU). The processor 410 may control the overall configuration of the electronic device 400. The processor 410 may operate based on at least one operating system (OS), and is not limited to a specific operating system. For example, in the following description, it is described that the processor 410 operates in a Unix or Linux operating system, but embodiments of the present document are not limited thereto.

According to various embodiments, the processor 410 may load and execute a program code corresponding to each VNF module stored in the memory 420. According to the execution of the VNF module, the processor 410 may perform a set virtualized radio access network service or a part thereof, and may perform at least one radio access network function performed by a base station.

The electronic device 400 performing a radio access network function according to any one of various embodiments operates with a communication interface 430, a processor 410 operatively connected to the communication interface, and the processor. Including a memory 420 that is connected to the enemy, the memory, when executed, the processor receives the wireless communication data transmitted through the wireless access network through the communication interface, and virtualizes the function of the wireless access network. Processes the received wireless communication data based on a wireless access network protocol by at least one first virtualization module, and by the at least one first virtualization module, the received wireless communication data or the wireless communication data Based on the processing result, the abnormal symptom is checked, the information related to the wireless communication data is transmitted to the second virtualization module by the at least one first virtualization module, and the abnormal symptom is displayed by the second virtualization module. Instructions for determining an expected security threat on a wireless access network based on information related to the identified wireless communication data may be stored.

According to various embodiments, the at least one first virtualization module may be a virtual network function (VNF) module that processes wireless communication data based on a wireless network protocol.

According to various embodiments, the second virtualization module is a security agent (SA) that interworks with the at least one first virtualization module to process a function related to security for the at least one first virtualization module. I can.

According to various embodiments, the instructions may be configured such that the processor generates security information related to the wireless communication data by a security monitoring (SM) module executed in the first virtualization module. have.

According to various embodiments, the first virtualization module includes packet data convergence protocol entity (PDCP) layer processing, radio link control entity (RLC) layer processing, medium access control entity (MAC) layer processing, or physical entity (PHY) layer. The received wireless communication data may be processed based on at least one of the processing.

According to various embodiments, the expected security threat on the wireless access network may include at least one of denial of service (DoS), distributed DoS (DDoS), spoofing, or security vulnerability attack. .

According to various embodiments, the second virtualization module, based on the generated security information, checks data of a layer higher than the wireless network layer processed by the at least one first virtualization module to determine a security threat. can do.

According to various embodiments of the present disclosure, when the expected security threat on the wireless access network is determined, the second virtualization module may transmit a countermeasure set to the at least one first virtualization module.

According to various embodiments, the set countermeasure may include at least one of a drop processing, a non-response processing, or an alert processing for corresponding wireless communication data.

According to various embodiments, the second virtualization module generates a security report by checking wireless communication data corresponding to the generated security information, and uses the generated security report to secure security of devices performing a wireless access network function. It can be processed to be sent to a managed security server.

According to various embodiments, the second virtualization module receives a security policy corresponding to the at least one first virtualization module from the security server, and transmits the received security policy to the one of the at least one first virtualization module. It can be applied to the first virtualization module corresponding to the security policy.

According to various embodiments, the first virtualization module receives data exceeding a specified number of bytes or a specified number of packets within a specified time, a terminal transmitting wireless communication data exceeds a specified number, or the received wireless communication If a specific wireless communication protocol is checked more than a specified number of times on the data payload, it may be determined as an abnormal symptom.

According to various embodiments, the second virtualization module checks the payload information of the received wireless communication data, and based on at least one of identification information of the terminal, the number of transmissions or receptions of the wireless communication protocol, or whether encryption or not. You can determine the security threats on the wireless access network.

A system performing a radio access network function according to any one of various embodiments, processes wireless communication data through a virtualized radio access network function, checks an anomaly, and provides security information indicating the anomaly. One or more wireless access network servers for transmitting; And one or more security devices that are electrically connected to the one or more wireless access network servers and determine an expected security threat on the wireless access network based on the security information transmitted from the one or more wireless access network servers. .

5A to 5D are block diagrams illustrating detailed configurations of a security server and an electronic device according to an embodiment of the present disclosure. Referring to FIG. 5A, the security server 110 may include a remote security agent (RSA) 510 (eg, the security module 111 of FIG. 1 ). The security server 110 may be a server configured separately for a function related to security to be described later, or may be a server for other purposes or a server including a function related to security to be described later in a general-purpose server.

According to various embodiments, the RSA 510 includes a secure storage 511, a signer 512, a policy generator 513, and a security monitoring (SM). It may be configured to include an agent 514, a packet analyzer 515, and a log collector 516.

According to various embodiments, the electronic device 120 includes a virtual network function (VNF) manager 530, at least one first virtualization module (eg, at least one VNF module (first VNF module 541), A second VNF module 542, a third VNF module 543), and a second virtualization module (eg, a security agent (SA) 550) may be included.

Each of the VNF modules 541, 542, and 543 may include a security monitoring module (SM) 541a, 542a, and 543a. In addition, according to various embodiments, each of the SM modules 541a, 542a, 543a is included in the form of software within the VNF modules 541, 542, 543 to form part of the VNF modules 541, 542, 543. I can. Therefore, when the processor 410 loads the program code corresponding to each VNF module stored in the memory 420, the SM modules 541a, 542a, and 543a may be loaded and executed as part of the program code.

When a specific wireless communication network protocol (e.g., each wireless communication protocol performed in the DU 240, AU 291, CU 260, 281) in the VNF module 541, 542, 543 is performed, The SM modules 541a, 542a, and 543a included in each VNF module 541, 542, and 543 may perform a designated function.

According to various embodiments, the SM modules 541a, 542a, and 543a may be always executed within the VNF modules 541, 542, and 543, or may be implemented as a process that is executed as needed.

According to various embodiments, when an abnormal symptom is identified in the data currently being processed by the VNF modules 541, 542, and 543, the corresponding SM module 541a, 542a, 543a is called to secure information related to the abnormal symptom. It can be delivered to the agent 550. In addition, when an abnormality symptom is identified in the data being processed by the VNF modules 541, 542, 543, information transmitted to the security agent 550 through the SM modules 541a, 542a, 543a may be variously set. I can. For example, the information related to the transmitted anomaly may include anomaly information, identification information (e.g., packet identification number) on the data (or the packet) for which the abnormality is confirmed, or the data (or packet) for which the abnormality is confirmed ) May include at least one of.

According to various embodiments, various methods of transmitting information by the SM modules 541a, 542a, and 543a to the security agent 550 may be implemented. For example, when an abnormality sign is identified for data being processed by the VNF modules 541, 542, and 543, when the SM modules 541a, 542a, 543a are called, the called corresponding SM modules 541a, 542a, 543a ) To secure the identified anomaly information, identification information (e.g., packet identification number), or the data (or packet) for which anomaly is identified according to the operation of It can be delivered to the agent 550. As another method, when the SM modules 541a, 542a, and 543a are always executed processes, the VNF modules 541, 542, and 543 are actively hooking specific wireless communication network protocols to detect abnormalities. And, according to the confirmation result, the abnormal symptom information, identification information (eg, packet identification number) about the data (or the packet) for which the abnormal symptom is confirmed, or the data (or packet) for which the abnormal symptom is confirmed. It can be delivered to the security agent 550.

According to various embodiments, a method of determining an abnormality symptom for data being processed by the VNF modules 541, 542, and 543 may be variously set. For example, the VNF module (541, 542, 543) receives data exceeding a specified number of bytes or a specified number of packets within a specified time, a terminal transmitting wireless communication data exceeds a specified number, or the received wireless communication If a specific wireless communication protocol is checked more than a specified number of times on the data payload, it may be determined as an abnormal symptom. Specific embodiments of the abnormal symptom determination method will be described in detail in the description of FIGS. 6 to 12.

According to various embodiments, the security agent 550 may receive information related to data determined to have the abnormality symptom from the VNF modules 541, 542, and 543. The security agent 550 may determine an expected security threat on the wireless access network based on information related to the wireless communication data for which the abnormality is confirmed.

According to various embodiments, the security agent 550 checks the payload information of the data determined to have the abnormality indication, and at least one of identification information of the terminal, the number of transmissions or receptions of the wireless communication protocol, or encryption. Based on this, it is possible to determine the security threat on the wireless access network. Specific embodiments of the security threat determination method will be described in detail in the description of FIGS. 6 to 12.

According to various embodiments, a method of determining an abnormality symptom for data being processed by the VNF modules 541, 542, and 543 may be variously set. According to various embodiments, when the VNF modules 541, 542, and 543 violate the mobile communication protocol standard, it may be determined as an abnormal symptom. For example, if the VNF modules 541, 542, and 543 omit the required security procedure disclosed in the mobile communication protocol standard and perform the next step, it can normally process the protocol corresponding to the next step, but the standard Since the mandatory security procedure disclosed in is omitted, it can be judged as an abnormal symptom of an attack that does not follow the mobile communication protocol standard.

According to various embodiments, even when a procedure disclosed in a mobile communication protocol standard is followed, when a specific situation occurs, it may be determined as an abnormal symptom. For example, if data conforming to the standard procedure cannot verify integrity, a message to be encrypted and transmitted is transmitted in plain text, or if the field value of the header or payload of the data is not the expected value, the VNF module ( 541, 542, 543) can be determined as data indicating abnormal symptoms even if data complying with standard procedures.

According to various embodiments, the abnormal symptom determination operation may be a preset security check for a specific wireless communication protocol packet. Table 1 below is an example of determining an abnormal symptom through a security check processed by the VNF modules 541, 542, and 543, and various embodiments of this document are not limited thereto.

Classification of abnormal signs Determination of abnormalities in the target procedure/message Anomalies in compliance with standard procedures Messages allowed to be sent in plain text Messages that are not allowed to be sent in plain text Messages with invalid integrity protection Message with invalid sequence number Abnormal signs of non-compliance with standard procedures Mutual authentication procedure Key agreement procedure

According to various embodiments, the VNF modules 541, 542, and 543 call the SM modules 541a, 542a, 543a when it is determined that the security test result for each item illustrated in Table 1 is an abnormality. Information related to the anomaly (e.g., anomaly information, identification information on data (or packets) determined to have anomaly, and corresponding data (or packet) in which anomaly is confirmed) can be delivered to the security agent 550 have. According to various embodiments, identification information (e.g., packet identification) related to information related to the anomaly (e.g., the anomaly information, the data (or the packet) for which the anomaly is confirmed) transmitted to the security agent 550 Number), or the corresponding data (or packets) for which anomalies have been identified) will be referred to as security log, error log, security data, or security information in this document. I can.

5A shows that the electronic device 120 includes three VNF modules, but according to various embodiments, one VNF module or two VNF modules may be included, and four or more VNF modules may be included. May be. Each of the VNF modules 541, 542, and 543 may correspond to the VNF module 121 of FIG. 1.

Each of the VNF modules 541, 542, 543 may mean a software module that is installed in various virtual machines (VMs) or containers to process network traffic as described above, and each VNF module (541, 542, 543) may perform a set virtualized radio access network service or a part thereof. According to various embodiments, each VNF module 541, 542, 543 may perform at least one radio access network function performed by a base station, and FIG. 2A or FIG. 2B according to the configuration type of the radio network. At least one of a radio unit (RU), a digital unit (DU), a central/cloud unit (CU), or an access unit (AU) shown in FIG.

The VNF modules 541, 542, and 543 provide network functions and services that can be dynamically and generally executed on an electronic device (or server) equipped with a general-purpose processor by separating specific network functions within a network device from basic hardware. can do. The plurality of VNF modules 541, 542, and 543 may perform the same or similar network functions, or may perform different network functions. For example, the plurality of VNF modules 541, 542, and 543 may replace various equipment (eg, network-related equipment) according to the network functions that each performs, and their arrangement and role may also be configured in various forms. have. According to various embodiments, the first VNF module 541 and the second VNF module 542 may perform the function of the AU 290, and the third VNF module 543 is the function of the CU 280. You can do it. According to another embodiment, the first VNF module 541 and the second VNF module 542 may perform the function of the DU 240, and the third VNF module 543 is the function of the CU 260. You can do it. Various embodiments of the present disclosure are not limited thereto and may be configured in various combinations.

The security agent 550 may include a security monitoring (SM) agent 551, a secure storage 552, a packet analyzer 553, and a signature module 554. , Various functions related to security may be performed according to various embodiments.

A kernel serving as a host 560 for each of the modules included in the electronic device 120 (eg, VNF manager 530, VNF modules 541, 542, 543, and security agent 550). ) Includes a shared memory 561, a linux security module (LSM) 562, a daemon verifier 563, a communicator 564, and an access controller 565. I can.

Hereinafter, security related procedures performed by each of the above-described functional blocks according to various embodiments will be described in detail with reference to FIGS. 5A to 5D.

Referring to FIG. 5A, when each VNF module 541, 542, 543 performs processing according to a specific wireless communication network protocol, SM modules 541a, 542a and 542a included in each VNF module 541, 542, 543 543a) may perform a specified function. According to various embodiments, when an abnormal symptom is identified for data being processed by a specific VNF module 541, 542, 543, the corresponding SM module 541a, 542a, 543a is called, and information related to the abnormal symptom (security information (security information)) (e.g., anomaly information, data (or packet) for which anomaly is confirmed, or identification information on data (or packet) that is determined to have anomaly) can be notified to the security agent 550 have. As another method, the SM module (541a, 542a, 543a) hooks the data being processed in the specific VNF module (541, 542, 543) (e.g., wireless communication network protocol related data) to directly detect the abnormality. You can also check. In addition, to check the abnormality of the data being processed, a security check is performed on the header or payload of the corresponding data (eg, protocol data unit (PDU)) processed by a specific VNF module (541, 542, 543). It can be confirmed by performing. For example, if an error occurs in the sequence number as a result of checking the header of the PDU of the corresponding data, the VNF module 541, 542, 543 or the SM module 541a, 542a, 543a indicates that there is an abnormality in the corresponding data. It can be determined, and various embodiments of the present disclosure are not limited thereto. Various embodiments related to the identification of abnormalities through the VNF modules 541, 542, and 543 or the SM modules 541a, 542a, and 543a will be described later in detail for each wireless communication protocol.

According to various embodiments, if it is determined that there is an abnormality in the data currently being processed in a specific VNF module 541, 542, 543, the SM module 541a, 542a, 543a is an SM agent of the security agent 550 Security information can be delivered to (551). According to various embodiments, when checking the abnormality symptom, the SM modules 541a, 542a, and 543a transmit only the abnormality symptom information or the identification information about the corresponding data (or corresponding packet) for which the abnormality is confirmed to the SM agent 550. After delivery, the security agent 550 may directly check the data or packet for which the corresponding abnormality is confirmed by using the identification information on the corresponding data or packet. According to various embodiments, when checking the abnormality symptom, the SM modules 541a, 542a, and 543a may directly transmit the data or packet for which the abnormality symptom is confirmed to the SM agent 550.

When the SM agent 551 receives the abnormal symptom information, the identification information on the data for which the abnormal symptom is confirmed, or the data for which the abnormal symptom is confirmed (or corresponding packet) from the SM modules 541a, 542a, 543a, the The security agent 550 may additionally analyze the data (or the packet) through the analysis module 553. According to various embodiments, the analysis module 553 may also analyze a communication protocol layer processed by the corresponding VNF module 541, 542, and 543 that processed the data for which the abnormality symptom was identified, and the VNF module 541 , 542, 543) can also analyze a communication protocol layer higher than the communication protocol layer. For example, when the VNF module 541, 542, 543 detects an abnormality in the corresponding data (e.g., MAC PDU) during MAC layer protocol data processing, the analysis module 553 of the security agent 550 It is also possible to additionally analyze the MAC layer for the corresponding data for which the indication is confirmed, and to analyze the data of the higher layer, the RLC layer, the PDCP layer, or the RRC layer. According to various embodiments, when analyzing data of a layer higher than that of the VNF modules 541, 542, and 543 in the analysis module 553, analyzing the data of the upper layer from an external electronic device or another VNF module. It is also possible to receive and analyze the authentication key (key) or decryption key for.

The analysis module 553 may determine a predictable attack or security threat based on the data through data analysis. For example, the predictable attack determined by the analysis module 553 may include at least one of denial of service (DoS), distributed DoS (DDoS), spoofing, or security vulnerability attack. Detailed embodiments of determining a predictable attack or security threat by the analysis module 553 will be described later in the description of FIGS. 6 to 12.

According to various embodiments, when an abnormality symptom is confirmed for data being processed by a specific VNF module 541, 542, 543, the specific VNF module 541, 542, 543 transmits a specific confirmation result of the abnormality to the security. It may be transmitted to the analysis module 553 of the agent 550. For example, if data being processed by a specific VNF module (541, 542, 543) contains an invalid sequence number, the specific VNF module (541, 542, 543) has a valid sequence number according to the result of checking the abnormality. A specific confirmation result, such as information indicating not to do so or a sequence number, may be transmitted to the analysis module 553 of the security agent 550. As the security agent 550 receives the specific confirmation result, it is possible to check not only the abnormal symptom of the corresponding data but also specific abnormal symptom related information. The analysis module 553 may quickly determine whether there is a security threat based on a specific confirmation result according to the abnormal symptom confirmation received from the specific VNF module 541, 542, 543.

According to various embodiments, when a security threat or a predictable attack is determined by the analysis module 553, a preset countermeasure or security policy may be applied based on the determination result. For example, the SM agent 551 transmits information related to the set security policy to the corresponding VNF module 541, 542, 543 so that the security policy is applied to the data (or packet) for which the abnormality is confirmed. I can. According to various embodiments, the set security policy may include at least one of a drop processing, a non-response processing, or an alert processing for corresponding wireless communication data or a corresponding packet.

According to various embodiments, the SM agent 551 determines that it is not possible to detect an attack or is suspected of an attack based on the analysis result of the analysis module 553. When it is determined that additional confirmation is necessary, the data may be transmitted to the remote security agent 510 of the security server 110 to request additional analysis.

As described above, by configuring the security agent 550 in the electronic device 120 as a virtualization module separate from at least one VNF module 541, 542, 543, the VNF module 541, 542, 543 Security-related processing for the data can be performed more efficiently. For example, the at least one VNF module 541, 542, 543 focuses only on processing according to the wireless communication protocol, and additional operations related to security are separately processed by the security agent 550, thereby processing wireless communication protocols and security related processing. The efficiency of the electronic device 120 can be increased at the same time, and resource management in the electronic device 120 can be efficiently operated. According to various embodiments, by configuring at least one VNF module 541, 542, 543 in the electronic device 120 as a separate virtualization module from the security agent 550, the function of the security agent 550 is updated. If so, it is possible to update the function of the security agent 550 while maintaining the operation of the at least one VNF module 541, 542, and 543. Hereinafter, the above-described security related procedure performed by the electronic device 120 will be described in more detail in conjunction with the kernel 560.

First, referring to FIG. 5A, the VNF manager 530 manages each VNF module 541, 542, 543 or the security agent 550. The management functions of the VNF manager 530 may include functions such as installation, deletion, and update of each VNF module 541, 542, and 543 or the security agent 550. According to various embodiments, the VNF manager 530 may set the security agent 550 to always operate to perform security-related functions (1 in FIG. 5A ).

According to various embodiments, a daemon authentication module 563, a communicator 564, and a connection control module 565 may be installed in the kernel 560 and set to operate (2 in FIG. 5A). When the respective VNF modules 541, 542, 543 are installed in the electronic device 120, the corresponding SM modules 541a, 542a, 543a are set to be included in the respective VNF modules 541, 542, 543 It can be (③ of Fig. 5a). At this time, the binary location information and hash value for the virtualized image of each of the VNF modules 541, 542, 543 including each of the SM modules 541a, 542a, 543a are daemon authentication module 563 ) Can be stored in the secure storage 552 of the security agent 550. (④ in FIG. 5A)

According to various embodiments, the access control module 565 may grant write permission to the shared memory 561 included in the kernel 560 to all VNF modules 541, 542, and 543. (5 of FIG. 5A) The communicator 564 is set to monitor the LSM 562, and it is possible to obtain necessary information by confirming that the LSM 562 is operating. (6 of FIG. 5A) According to various embodiments, a symptom of an abnormality is identified in a specific VNF module 541, 542, 543, and the corresponding SM module 541a, 542a, 543a is called, and the abnormality is in the shared memory 561. When information related to a symptom (security information) is recorded, when the LSM 562 detects a change (read/write) of the shared memory 561, the communicator 564 monitors the LSM 562 to detect the abnormality. Information related to the indication may be delivered to the security agent 550.

More specifically, referring to FIG. 5B, when each VNF module 541, 542, 543 performs processing according to a specific wireless communication network protocol, the SM module included in each VNF module 541, 542, 543 ( 541a, 542a, 543a) may perform a designated function. When the corresponding SM modules 541a, 542a, 543a installed in the VNF modules 541, 542, 543 are executed, each SM module (for example, hash verification, certificate, etc.) is executed through the daemon authentication module 563. Integrity of 541a, 542a, 543a) can be verified. (1 in FIG. 5B) When each of the VNF modules 541, 542, 543 operates, and an abnormality symptom is identified in a specific VNF module, the corresponding SM module ( Information related to an abnormality symptom may be recorded in the shared memory 561 through 541a, 542a, and 543a. (2 in FIG. 5B) The access control module 565 prevents information related to the recorded abnormality from being changed. For this purpose, the write permission for the shared memory 561 of each VNF module can be recovered. (③ in FIG. 5B) The communicator 564 monitors the LSM 562 and includes the corresponding SM modules 541a, 542a, 543a. The location information of the VNF modules 541, 542, and 543 and information related to abnormal symptoms can be transmitted to the SM agent 551. (4 in FIG. 5B) The SM agent 551 uses the LSM 562 Based on the location information of the VNF modules 541, 542, 543 including the received corresponding SM modules 541a, 542a, 543a, authentication for the corresponding VNF modules 541, 542, 543 is performed, and In this case, the information related to the abnormal symptom received together may be stored in the secure storage 552. (5 in FIG. 5B) The access control module 565 is a shared memory 561 of each VNF module 541, 542, and 543. Write permission for can be re-granted. (⑥ in Fig. 5b)

According to various embodiments, the SM agent 551 may transmit information related to the received abnormal symptom to the analysis module 553. The analysis module 553 determines a security threat based on information related to an abnormal symptom received from the SM agent 551, generates security policy information corresponding to the security threat, and generates the SM agent ( 551). (7 of FIG. 5B) The SM agent 551 may process to apply a new security policy to the corresponding VNF modules 541, 542, and 543 based on the security policy information received from the analysis module 553. (8 of FIG. 5B) According to various embodiments, the SM agent 551 uses the VNF module 541, 542 through the VNF manager 530 to apply a new security policy to the corresponding VNF module 541, 542, 543. , 543). In addition, the SM agent 551 is connected to the shared memory 561, LSM 562, or communicator 564 in the same manner as each VNF module 541, 542, 543 delivered abnormal symptom related information (security information). A new security policy may be delivered through a combination of at least one of the control modules 565.

Next, a procedure of transmitting a security report to the security server 110 from the security agent 550 of the electronic device 120 will be described in detail with reference to FIG. 5C. 5C, the SM agent 551 included in the security agent 550 of the electronic device 120 and the SM agent 514 included in the remote security agent 510 of the security server 110 are mutually authenticated. A possible certificate and a private key may be stored in the security storage 552 and 511, respectively. (1 in FIG. 5C) The SM agent 551 of the security agent 550 is the security storage 552 ) To generate a security report by classifying the information related to the abnormal symptom stored in each of the VNF modules 541, 542, and 543, and to deliver the generated security report to the signature module 554 (2 in Fig. 5C). The signature module 554 may sign the security report by using a key stored in the secure storage 552. (3 in FIG. 5C) The security agent 550 uses the SM agent 551 to sign the security report. The signed security report may be delivered to the SM agent 514 of the remote security agent 510 (4 in FIG. 5C).

Next, referring to FIG. 5D, a security policy is generated by the remote security agent 510 of the security server 110 and transmitted to the electronic device 120, and the VNF modules 541, 542, 543 The procedure applied to) will be described in detail. Referring to FIG. 5D, the SM agent 514 of the remote security agent 510 may transmit the security report transmitted from the SM agent 551 of the electronic device 120 to the log collector 516 (FIG. 5d ①) The log collector 516 may transmit the security report received from the SM agent 551 to the signature module 512. The signature module 512 may verify the signature value stored in the secure storage 511, perform authentication processing for the security report, and then transmit the authentication result to the log collector 516. (2 in FIG. 5D) According to an embodiment, when the security report is normally authenticated, the log collector 516 may transmit the authenticated security report to the SM agent 514. The SM agent 514 transmits the security report processed with the normal authentication to the policy generation module 513, and the policy generation module 513 performs an analysis on whether there is a security threat through the analysis module 515. I can. The policy generation module 513 may generate new security policy information to be applied for each VNF module 541, 542, and 543 according to the analysis result of the analysis module 515. (③ in FIG. 5D) The policy creation The module 513 may transmit the generated new security policy information to the signature module 512. The signature module 512 signs the new security policy information generated by the policy generation module 513 using a key stored in the security storage 511, and then generates the signed security policy information as a policy generation module 513. ). (4 of FIG. 5D) The policy generation module 513 may transmit the signed security policy information to the SM agent 514. The remote security agent 510 may transmit the signed new security policy information to the SM agent 551 of the electronic device 120 through the SM agent 514. (5D in FIG. 5D) The new security The SM agent 551 of the security agent 550 receiving the policy information may transmit the new security policy information to the signature module 554. The signature module 554 may authenticate by verifying the signature using a key stored in the secure storage 552 and transmit the authentication result to the SM agent 551 (6 in FIG. 5D). After classifying the normally authenticated new security policy for each VNF module 541, 542, 543, it can process to apply the new security policy to the corresponding VNF module 541, 542, 543. (⑦ of FIG. 5D) )

Specific examples of security policies generated by the remote security agent 510 of the security server 110 and applied to each VNF module 541, 542, and 543 will be described in detail with reference to FIGS. 13 and 14.

According to various embodiments, the plurality of VNF modules 541, 542, and 543 shown in FIGS. 5A to 5D may be configured to be included in different electronic devices. For example, the first VNF module 541 is composed of at least one VNF module included in a first electronic device, and the second VNF module 542 is in a second electronic device configured separately from the first electronic device. It can be configured with at least one included VNF module.

In addition, according to various embodiments, the security agent 550 illustrated in FIGS. 5A to 5D may be configured to be included in different electronic devices from the plurality of VNF modules 541, 542, and 543. For example, the plurality of VNF modules 541, 542, and 544 are composed of at least one VNF module included in a first electronic device, and the security agent 550 is a second electronic device configured separately from the first electronic device. It may be configured with at least one virtualization module included in the electronic device.

When configured in this way, the plurality of VNF modules 541, 542, and 543 included in the first electronic device (eg, wireless access network server) may process wireless communication data through a virtualized wireless access network function. I can. The plurality of VNF modules 541, 542, and 543 included in the first electronic device (for example, a wireless access network server) check for an abnormal symptom and transmit security information indicating the abnormal symptom to the first electronic device. It may be transmitted to a separately configured second electronic device (eg, a security device or a security server). The security agent included in the second electronic device receives security information from the plurality of VNF modules 541, 542, and 543 of the first electronic device, and a wireless access network expected based on the received security information You can determine the security threats on your computer.

According to various embodiments, when the first VNF module 541 in FIG. 5A is a module that performs a function of a DU (eg, a module virtualized to replace the function of a DU device), PHY-H, MAC , RLC layer protocol data processing may be performed. For example, in FIG. 5A, the first VNF module 541 of the electronic device 120 may perform at least one of the MAC layer protocol data processing described in FIG. 3.

6 to 9 are diagrams illustrating scenarios in a MAC layer according to an embodiment of the present disclosure. The MAC layer may provide a role of managing radio resource access between a base station (eg, eNB or gNB) and a terminal within a specific cell. According to various embodiments, UEs in a cell are classified through a cell radio network temporary identity (C-RNTI), and the C-RNTI may be managed at the MAC layer. For example, the C-RNTI may be a unique UE identifier used for scheduling as an identifier for RRC access.

6, a user equipment (UE) 630 in an RRC-Idle state includes cells managed by a first base station (eNB) 610 (e.g., Cell 0 610a, Cell 1 610b), It may be located in the area of Cell 0 (610a) of Cell 2 (610c)). The terminal 630 performs a cell search for the first base station 610, and a radio access procedure for the Cell 0 610a of the first base station 610 (e.g., radio resource (RRC)). control) connection procedure). After completing the radio access procedure, the terminal 630 may switch from the RRC-Idle state to the RRC-Connected state.

7 is a diagram illustrating a radio access procedure between a terminal 630 and a first base station (eNB) 610. Referring to FIG. 7, according to various embodiments, the terminal 630 transmits a signal received from the first base station 610 (eg, a primary synchronization signal (PSS) and/or a secondary synchronization signal (SSS)). In operation 710 based at least, a physical random access channel (PRACH) preamble may be transmitted to the first base station 610. For example, the terminal 630 checks the PRACH parameter corresponding to the first base station 610 from the MIB (master information block) or SIB (secondary information block) information received from the first base station 610, and the The PRACH preamble may be transmitted based on the identified PRACH parameter.

According to various embodiments, the terminal 630 may receive a PRACH response from the first base station 610 in operation 720 corresponding to transmission of the PRACH preamble. The PRACH response message may include resource block assignment information and CRNTI. In response to receiving the PRACH response, the terminal 630 may generate and transmit an RRC connection request message including the CRNTI in operation 730. According to various embodiments, the first base station 610 may transmit an RRC connection response message to the terminal 630 in response to reception of the RRC connection request message in operation 740.

According to various embodiments, the C-RNTI is a value temporarily allocated by the first base station 610 and is allocated again when a cell is moved. For example, referring to FIG. 6 again, when the terminal 630 is allocated C-RNTI 1 from Cell 0 and then moves to Cell 2 610c, C-RNTI 2 may be allocated again. By continuing to move, the terminal 630 is in the Cell 3 (620a) area among cells managed by the second base station (eNB) 620 (eg, Cell 3 (620a), Cell 4 (620b), Cell 5 (620c)). Can be located in The terminal 630 performs a cell search for the second base station 620 again, performs a radio access procedure for the Cell 3 620a of the second base station 620, and allocates C-RNTI 3 I can receive it.

According to various embodiments, the C-RNTI resource is a value for distinguishing a terminal in a cell, and the terminal 630 changes the C-RNTI to request communication from the base stations 610 and 620, thereby ) Can be attacked. For example, the attack may be referred to as a “BTS resource depletion attack” as a DoS attack against the base stations 610 and 620. According to various embodiments, a specific device may perform an attack that exhausts RRC Connection resources by performing RRC Connection while continuously changing the C-RNTI for a specific base station. Such an attack may be difficult to judge as an attack because there is no problem with the wireless communication protocol.

According to various embodiments, when the first VNF module 541 in FIG. 5A described above is a module that performs a function of a DU (eg, a module that is virtualized to replace the function of a DU device), a cell managed by itself When the number of connected terminals of is more than a preset number, it is determined that there is an abnormality symptom, and information related to the abnormality symptom (security log) (for example, to the security agent 550 of FIG. 5A through the SM agent 541a) (e.g. , Information related to anomaly or information about data or packets in which anomaly occurs) can be delivered.

According to various embodiments, the security agent 550 of FIG. 5A corresponds to a case in which there is no response (e.g., when not transmitting an RRC completion message to the base station) after a set number of terminals or more attempts RRC access within a set time. It can be judged as a DoS attack on the base station.

For example, when performing the MAC layer protocol processing of the received data according to the operation of the first VNF module 541 of FIG. 5A, the security agent 550 checks the MAC layer data frame of the received data to determine the corresponding electronic device. It is possible to determine whether or not to attack (120).

According to various embodiments, when the terminal 630 transmits a PRACH preamble to the first base station 610 as described above in FIG. 6, the first base station 610 may transmit a PRACH response to the terminal 630. have. In this case, the MAC layer data frame corresponding to the PRACH Response may be represented as shown in FIG. 8A.

8 is a diagram illustrating a MAC layer data frame of received data 800 checked by the security agent 550. Referring to FIG. 8, the MAC layer data frame of the received data 800 may include a MAC header 810 and a MAC payload 820. The MAC header 810 may include a plurality of subheaders. The MAC payload 820 may include at least one MAC Control element 821, at least one MAC SDU, or a padding area. The MAC header 810 may indicate whether C-RNTI information is included in the MAC payload 820 or a location of C-RNTI information in the MAC payload 820. The security agent 550 may check C-RNTI information at a specific location (eg, the MAC Control element 821) inside the MAC payload 820 with reference to the MAC header 810.

According to various embodiments, the security agent 550 of FIG. 5A may check C-RNTI data by analyzing the MAC layer data frame of FIG. 8. The confirmed C-RNTI data may be stored in the secure storage 552 of FIG. 5A. The security agent 550 checks the security storage 552 and, within the set time period as described above, a terminal having a different C-RNTI attempts RRC access more than a set number, or after the RRC connection is attempted, a response is returned. If there is no (e.g., when the RRC completion message is not transmitted to the base station), the terminals may be determined as terminals performing a DoS attack on the corresponding base stations 610 and 620 (e.g., electronic device 120).

According to various embodiments, the security agent 550 of FIG. 5A transmits identification information (eg, C-RNTI information) of the specific terminals to the corresponding VNF module (e.g., when it is determined that the specific terminals are DoS attacks). 1 The VNF module 541 may be provided, and the first VNF module 541 may be instructed to apply a security policy for dropping data received from the corresponding terminal.

According to various embodiments, when determining that a specific terminal is a terminal attacking through the analysis module 541, the security server 110 may generate the identification information of the terminal as policy information and transmit it to the electronic device 120. have. The security agent 550 of the electronic device 120 provides identification information of the terminal determined as the attacking terminal to at least one VNF module 541, 542, 543, and the corresponding VNF module 541, 542 , 543) may be instructed to apply a security policy for dropping data received from the corresponding terminal.

As described above, when the electronic device 120 or the security server 110 determines that a specific terminal is attacking, the corresponding VNF module (e.g., the first VNF module) performs the function of the DU in the electronic device 120. At 541), data received from the corresponding terminal can be preemptively blocked.

Hereinafter, an embodiment in which the VNF module is a module that performs a function of a CU will be described with reference to FIGS. 9 to 12.

According to various embodiments, when the third VNF module 543 in FIG. 5A described above is a module that performs a function of a CU (eg, a module that is virtualized to replace the function of a CU device), a PDCP, or an RRC layer Protocol data processing can be performed. For example, in FIG. 5A, the third VNF module 543 of the electronic device 120 may perform at least one of the PDCP layer protocol data processing described in FIG. 3.

9 to 12 are diagrams illustrating scenarios in a PDCP layer according to an embodiment of the present disclosure. According to various embodiments, the PCDP layer protocol may perform packet encryption, integrity verification, header compression, and the like. For example, the third VNF module 543 of FIG. 5A may perform PDCP layer protocol processing shown in FIG. 9 on transmission data or reception data.

According to various embodiments, the transmitting-side PDCP layer processing unit 910 may process the sequence numbering 911 on input transmission data to set an order for each packet. The transmitting side PDCP layer processing unit 910 may perform header compression 912 when the transmission data is user plane (u-plane) data. Next, the transmitting-side PDCP layer processing unit 910 may perform an integrity protection procedure 913 on control plane (c-plane) data. In addition, the transmitting-side PDCP layer processing unit 910 may perform encryption processing 914 in the case of PDCP SDU-related data. If the transmission data is non-PDCP SDU data, the PDCP layer processing unit 910 of the transmitting side may omit the integrity protection and encryption processing and add a PDCP header (915). When the PDCP header-added transmission data is user plane data, the transmitting-side PDCP layer processing unit 910 may route 916 and transmit the data to the wireless interface.

According to various embodiments, received data may be processed in a reverse direction to the transmission data. For example, the receiving side PDCP layer processing unit 920 processes the input received data by removing the PDCP header 921, and then decrypting 922, integrity verification 923, and reordering 924. ) Can be processed. According to various embodiments, the receiving PDCP layer processing unit 920 may omit an integrity verification procedure for user plane data, and a rearrangement procedure for control plane data may be omitted.

The receiving side PDCP layer processing unit 920 may decompress the header 925 on the rearranged user plane received data, and then perform an in order delivery and duplicate detection 926 procedure. . According to various embodiments, the receiving-side PDCP layer processing unit 920 may omit the decoding, integrity verification, and rearrangement procedures for non-PDCP SDU packets.

When the data processed by the PDCP layer protocol is control plane data, the PDCP payload may include an RRC message or a non-access stratum (NAS) message. For example, referring to FIG. 10, the PDCP data 1000 of the control plane includes at least one R field 1001, a PDCP sequence number (SN) field 1002, a data field 1003, and a MAC-I field 1004. It may include. The R field 1001 may indicate a reserved area, and the PDCP SN field 1002 may indicate a PDCP sequence number. As described above, the data field 1003 may include an RRC message or a NAS message. The MAC-I may include data used for the integrity verification 923 of FIG. 9.

According to various embodiments, the security agent 550 of FIG. 5A may detect or prevent attacks using the vulnerability of the RRC protocol when the third VNF 543 operates as a CU. For example, the malicious terminal sends an RRC Connection Request message spoofing the SAE Temporary Mobile Subscriber Identity (S-TMSI) value of the target terminal to the base station to perform an attack to disconnect the existing RRC connection. For example, the attack may be referred to as a "Blind DoS Attack" as a DoS attack on the terminal. According to various embodiments, since the S-TMSI value is managed by a mobility management entity (MME), it may be determined through the remote security agent 510 of the security server 110 in order to determine whether there is a security threat. According to various embodiments, in order to continuously block the attack, spoofed RRC connections must be continuously sent. In this case, the CU may also determine whether the security threat exists or whether it is an attack. For example, when the third VNF module 543 of FIG. 5A operates as a CU, the security agent 550 may check continuous reception of an RRC connection transmitted from a specific terminal and determine the connection of the corresponding terminal as a spoofing attack. have. In addition, the third VNF module 543 operating as a CU generates an RRC connection transmitted from terminals within a managed cell more than a certain number of times for a predetermined period of time, or an RRC connection reestablishment request again after an RRC connection request transmitted from a specific terminal. If received, it may be determined as an abnormal symptom and may request the security agent 550 to determine whether a security threat or attack exists. According to various embodiments, the security agent 550 may determine that the terminal is a spoofing attack terminal when the RRC Connection is received more than a set number of times from a specific terminal within a set time. For example, the security agent 550 checks the RRC message through PDCP layer protocol processing of the received data, and when the condition is satisfied, identification information of the terminal determined to be the attacking terminal (e.g., S-TMSI information ) May be provided as at least one VNF module 541, 542, and 543. According to various embodiments, when RRC Conection frequently occurs from a specific terminal and an RRC connection reestablishment request is received again after an RRC connection request transmitted from a specific terminal, the security agent 550 is used for RRC communication with a specific terminal. The RRC message can be confirmed through PDCP layer protocol processing of the received data using a key (eg, KRRCenc). The security agent 550 determines that the S-TMSI of the specific terminal is spoofed when it is determined that the key value for RRC communication (KRRCenc) is a valid key value as a result of checking the RRC message and performs the attack. The identification information of the terminal determined as may be provided to at least one VNF module 541, 542, and 543. The security agent 550 may instruct the corresponding VNF module 541, 542, and 543 to apply a security policy for dropping data received from the corresponding terminal. According to various embodiments, the security agent 550 performs a procedure for re-issuing the S-TMSI or applies a security policy for re-issuing the S-TMSI to the corresponding VNF module 541, 542, 543. You may be able to dictate.

According to various embodiments, the security agent 550 may determine a “key reinstallation attack” that decrypts an encrypted PDCP payload and prevent it. For example, if an attacker (or attacking terminal) prevents the base station from receiving a response signal transmitted by the terminal through jamming, the base station repeatedly sends a request message for the response signal, which is used to generate the terminal key. The PDCP SN of the terminal may be repeatedly reset. An attacker can perform an attack to find the key through the response signal transmitted by the terminal encrypted with the same key generated in this way. In this type of attack, it may be difficult to determine whether a specific message is anomaly or abnormal because it is impossible to identify whether a specific message does not come through jamming or a communication problem. According to various embodiments, the third VNF module 543 operating as a CU determines that a request message transmitted to UEs in a managed cell occurs more than a certain number of times for a certain period of time, and determines it as an abnormal symptom and sends it to the security agent 550. You can request a judgment about whether it is a security threat or attack. When a specific message is transmitted to a specific terminal within a set time period more than a set number of times, the security agent 550 may determine that the terminal is a terminal subject to a key reset attack. For example, the security agent 550 checks the RRC message through PDCP layer protocol processing of the received data, and when the condition is satisfied, the security agent 550 receives the identification information of the terminal determined as the attacked terminal at least one VNF module ( 541, 542, 543). According to various embodiments, the security agent 550 instructs the corresponding VNF module 541, 542, 543 to re-perform the RRC Security Mode procedure with the corresponding terminal to change the key (KRRCenc) value for RRC communication. I can. According to various embodiments, when a vulnerability in the protocol or implementation as described above is found, it is possible to quickly respond to all CUs through the security agent 550.

According to various embodiments, when the third VNF 543 operates as a CU, the security agent 550 of FIG. 5A may detect or prevent an attack at a layer higher than the IP layer. For example, when the third VNF module 543 of FIG. 5A operates as a CU, the security agent 550 receives a specific terminal and KUPenc for decoding an IP packet from the third VNF module 543 and The transmitted PDCP payload (eg, IP packet) can be decoded and checked to detect or prevent an attack at a layer higher than the IP layer.

11 is a diagram showing the structure of a PDCP PDU. The PDCP PDU may include a PDCP header 1120 and a PDCP payload, and the PDCP payload may include an IP packet 1110 as a PDCP SDU. Referring to FIG. 12, PDCP data 1200 of a user plane may include a header area 1210 and a data area 1220. The header area 1210 may include a D/C field, an R field, and a PDCP SN field. The D/C field may indicate whether the PDCP data 1200 is user data or control data. The data area 1220 may include an IP packet, and the IP packet may include an IP header and an IP payload. The IP header of the IP packet may include a source IP address and a destination IP address of the IP packet.

According to various embodiments, the security agent 550 may detect and block various attacks (eg, DNS amplification, SYN spoofing, etc.) using IP address spoofing in advance. According to various embodiments, the third VNF module 543 operating as a CU is the PDCP data 1200 transmitted by terminals within the managed cell is user data, and the amount of data is greater than a certain size or more than a certain number of times for a certain time. If received, it may be determined as an abnormal situation and may request the security agent 550 to determine whether or not to attack. For example, the security agent 550 may receive a KUPenc for decrypting a specific terminal and an IP packet from the third VNF module 543 and compare the IP address of the received data with the IP address assigned to the user terminal. If, as a result of the comparison, the IP addresses are not the same, the security agent 550 may determine that an attack using IP address spoofing is used, and apply a policy for filtering corresponding data. For example, the security agent 550 provides identification information (eg, S-TMSI information) of the terminal determined to be the attacking terminal to at least one VNF module 541, 542, 543 to filter the corresponding data. Can be instructed to apply a policy According to various embodiments, the IP address of the attacking terminal may be determined through the remote security agent 510 of the security server 110. For example, the security agent 550 checks the IP packet determined to be malicious from the security server 110, receives the IP address of the sender of the IP packet, and stores the received IP address at least one VNF module (541). , 542, 543). The security agent 550 may instruct the corresponding VNF modules 541, 542, and 543 to apply a security policy for dropping data received from the corresponding IP address.

According to various embodiments, the role of the intrusion detection system (IDS)/intrusion prevention system (IPS) for the above-described IP layer can also be played in a general network past the CU, but the security agent 550 can be used for the terminal using the RRC connection. Additional information about the information may be used, and network traffic may be reduced by blocking the electronic device 120 in advance.

According to various embodiments, the security agent 550 determines whether an attack exists through constant monitoring by setting a terminal that transmits wireless communication network protocol data that does not comply with the RRC protocol as a terminal that needs to be monitored, and protects it. I can. For example, when the third VNF 543 of FIG. 5A operates as a CU, the third VNF 543 transmits an RRC message without sending a message including a protocol related to the RRC Security Mode. It can be judged as an abnormal symptom. In the above case, in the case of the wireless communication network protocol sent by the corresponding terminal, encryption or integrity check may not be performed, and thus security may be vulnerable, so that the third VNF 543 provides information on anomalies to the security agent 550 or the specific terminal. Can be requested to communicate and monitor information. According to various embodiments, the security agent 550 registers the specific terminal as a terminal requiring constant monitoring, checks the RRC message through PDCP layer protocol processing of the data received from the specific terminal, and then checks the registered terminal. It can be determined as an attacking terminal at a lower number of times than the set number of times. According to various embodiments, the security agent 550 may confirm that the PDCP message is not encrypted and may further analyze the non-encrypted PDCP payload. For example, the security agent 550 may analyze header information of the IP packet 1110 as a preset security rule or PDCP SDU to check whether there is a malicious IP, and then determine whether an attack has occurred. According to various embodiments, when the condition is satisfied, the security agent 550 may provide identification information of the terminal determined to be the attacking terminal to at least one VNF module 541, 542, and 543. The security agent 550 may instruct the corresponding VNF module 541, 542, and 543 to apply a security policy for dropping data received from the corresponding terminal.

13 and 14 are diagrams illustrating an embodiment in which a security policy is applied in conjunction with a security server according to various embodiments. Referring to FIG. 13, security modules 122a, 122b, 122c, and 122d of each electronic device 120a, 120b, 120c, and 120d are security information generated according to the operation of the VNF modules 121a, 121b, 121c, and 121d. Based on the determination of a security threat, a security report may be generated according to the determination result and transmitted to the security module 111 of the security server 110.

For example, the security module 122a of the first electronic device 120a may analyze the corresponding data based on the security information generated according to the operation of the VNF module 121a. Alternatively, a security report including a sender IP address and a receiver IP address (Source: 10.113.109.11 to 20, Destination: 10.114.105.12) of the IP packet) may be transmitted to the security module 111 of the security server 110.

Similarly, the security module 122b of the second electronic device 120b may analyze the corresponding data based on the security information generated according to the operation of the VNF module 121b, and as a result of the analysis, the data ( Alternatively, a security report including a sender IP address and a receiver IP address (Source: 10.113.108.11 to 20, Destination: 10.114.105.12) of the IP packet) may be transmitted to the security module 111 of the security server 110.

Similarly, the security module 122c of the third electronic device 120c is the sender IP address and the receiver IP address (Source: 10.113.107.11 to 20, Destination: 10.114.105.12) of data (or IP packet) that is expected to be a security threat. A security report including a may be transmitted to the security module 111 of the security server 110, and the security module 122d of the fourth electronic device 120d is the sender IP of the data (or IP packet) expected to be a security threat. A security report including an address and a recipient IP address (Source: 10.113.106.11 to 20, Destination: 10.114.105.12) may be transmitted to the security module 111 of the security server 110.

The security server 110 receiving security reports from each of the electronic devices 120a, 120b, 120c, and 120d may generate a new security policy by analyzing information included in the security report. For example, the security module 111 of the security server 110 analyzes information included in the security reports received from each of the electronic devices 120a, 120b, 120c, and 120d. As a result, 10.113.106. If a packet transmitted from a device corresponding to an address from * to 10.113.109.* destined for 10.114.105.12, the packet is determined as a security threat (e.g., DDoS attack), and the packet is blocked. You can create security policy information. The security server 110 may transmit the generated security policy information to the security modules 122a, 122b, 122c, and 122d of each electronic device 120a, 120b, 120c, and 120d. The security modules 122a, 122b, 122c, and 122d of each of the electronic devices 120a, 120b, 120c, and 120d convert the security policy information received from the security server 110 into the respective VNF modules 121a, 121b, 121c, 121d. ) To apply.

According to the security policy newly applied to each of the VNF modules 121a, 121b, 121c, and 121d, packets transmitted from devices corresponding to addresses from 10.113.106.* to 10.113.109.* have 10.114.105.12 as their destination. If so, it can be processed to drop the packet.

Referring to FIG. 14, the security module 122 of the electronic device 120 determines a security threat based on security information generated according to an operation of the VNF module 121, and a security report according to the determination result. May be transmitted to the security module 111 of the security server 110. For example, the security module 122 of the electronic device 120 may transmit the NAS message to the security server 110 when it is determined that there is a possibility of a security threat by examining the NAS message of the received data. The security module 111 of the security server 110 analyzes the NAS message transmitted from the security module 122 of the electronic device 120 and, when it is determined that there is a security threat, generates new security policy information related thereto. I can. For example, the security module 111 of the security server 110 analyzes MAC (Message Authentication Code) information, sequence number, and NAS message included in the NAS message, and there is an error in the MAC information, If the sequence number is duplicated or the NAS message is not encrypted and is in plain text, it can be determined that the NAS message is a security threat.

The security module 111 of the security server 110 may generate security policy information to block the corresponding base station 1410 that transmitted the NAS message and provide it to the security module 122 of the corresponding electronic device 120. have.

The security module 122 of each electronic device 120 may instruct to apply the security policy information received from the security server 110 to each VNF module 121. According to the security policy newly applied to each VNF module 121, the corresponding base station 1410 may be blocked or all data transmitted from the corresponding base station 1410 may be processed to be dropped.

15 is a flowchart illustrating an operation procedure of an electronic device according to various embodiments of the present disclosure. Referring to FIG. 15, according to various embodiments, the electronic device 120 may receive wireless communication data transmitted through a wireless access network in operation 1510.

In operation 1520, the electronic device 120 may process the received wireless communication data by at least one first virtualization module (eg, the VNF module 121) based on a wireless access network protocol.

In operation 1530, the electronic device 120 may check an abnormal symptom based on the received wireless communication data or a processing result of the wireless communication data by the at least one first virtualization module.

As a result of the verification, if it is determined that there is an abnormality symptom for the data in operation 1540, the electronic device 120 transmits the security information indicating the abnormality symptom to a second virtualization module (eg, the security agent 550), In operation 1550, the electronic device 120 may determine a security threat on the wireless access network based on the security information indicating the abnormality by the second virtualization module (eg, the security agent 550).

16 is a signal flow diagram illustrating an operation procedure between devices according to various embodiments. Referring to FIG. 16, according to various embodiments, the VNF module 541 of the electronic device 120 may process data according to a wireless communication protocol in operation 1602.

In operation 1604, the VNF module 541 may check an abnormal symptom based on the received wireless communication data or a processing result of the wireless communication data.

In operation 1606, the VNF module 541 identifies abnormal symptom-related information (e.g., abnormal symptom information, corresponding data (or corresponding packet) for which the abnormal symptom is confirmed) for the identified abnormal symptom (eg, packet identification). Number), or the corresponding data (or packet) in which the abnormality is confirmed may be transmitted to the security agent 550 in the electronic device 120.

In operation 1608, the security agent 550 may further analyze the data for which the abnormality symptom is confirmed, and in operation 1610, a new security policy may be generated or a preset security policy may be checked according to the analysis result.

In operation 1612, the security agent 550 may instruct the corresponding VNF module 541 to apply the new security policy or the confirmed security policy.

In operation 1614, the VNF module 541 may receive an instruction for applying the security policy of the security agent 550 and apply the corresponding security policy.

According to various examples, the security agent 550 may transmit the analysis result to the remote security agent 510 of the security server 110 in operation 1616.

In operation 1618, the remote security agent 510 may perform additional analysis based on the analysis result received from the security agent 550 of the electronic device 120.

In operation 1620, the remote security agent 510 may generate new security policy information as a result of the additional analysis.

In operation 1622, the remote security agent 510 may transmit the generated new security policy information to the security agent 550 of the electronic device 120.

In operation 1624, the security agent 550 of the electronic device 120 may store new security policy information received from the remote agent 510 of the security server 110.

In operation 1626, the security agent 550 may instruct the corresponding VNF module 541 to apply the received new security policy.

In operation 1628, the VNF module 541 may receive an instruction for applying a new security policy from the security agent 550 and apply the corresponding security policy.

According to any one of various embodiments, a method of determining a security threat on a wireless access network of an electronic device includes: receiving wireless communication data transmitted through the wireless access network; Processing the received wireless communication data based on a wireless access network protocol by at least one first virtualization module that virtualizes a function of a wireless access network; Checking, by the at least one first virtualization module, an abnormal symptom based on the processing result of the wireless communication data or the wireless communication data; Transmitting information related to the wireless communication data to a second virtualization module by the at least one first virtualization module; And determining, by the second virtualization module, an expected security threat on the wireless access network based on information related to the wireless communication data for which the abnormality is confirmed.

According to various embodiments, the operation of generating the security information may generate security information related to the wireless communication data by a security monitoring (SM) daemon executed in the VNF module.

According to various embodiments, the VNF module is performing packet data convergence protocol entity (PDCP) layer processing, radio link control entity (RLC) layer processing, medium access control entity (MAC) layer processing, or physical entity (PHY) layer processing. The received wireless communication data may be processed based on at least one.

According to various embodiments, the expected security threat on the wireless access network may include at least one of denial of service (DoS), distributed DoS (DDoS), spoofing, or security vulnerability attack. .

According to various embodiments, the security agent may determine a security threat by checking data of a layer higher than the wireless network layer processed by the first virtualization module, based on the generated security information.

According to various embodiments, the security agent, when it is determined that the expected security threat on the wireless access network, transmits a countermeasure set to the at least one first virtualization module, and the set countermeasure is based on the corresponding wireless communication data. It may include at least one of a drop processing, a non-response processing, or an alert processing.

According to various embodiments, the first virtualization module receives data exceeding a specified number of bytes or a specified number of packets within a specified time, a terminal transmitting wireless communication data exceeds a specified number, or the received wireless communication If a specific wireless communication protocol is checked more than a specified number of times on the data payload, it may be determined as an abnormal symptom.

According to various embodiments, the second virtualization module checks the payload information of the received wireless communication data, and based on at least one of identification information of the terminal, the number of transmissions or receptions of the wireless communication protocol, or whether encryption or not. You can determine the security threats on the wireless access network.

An electronic device according to various embodiments disclosed in this document may be a device of various types. The electronic device may include, for example, a computer device, a portable communication device (eg, a smartphone), a portable multimedia device, a portable medical device, a camera, a wearable device, or a home appliance. The electronic device according to the embodiment of the present document is not limited to the above-described devices.

Various embodiments of the present document and terms used therein are not intended to limit the technical features described in this document to specific embodiments, and should be understood to include various modifications, equivalents, or substitutes of the corresponding embodiment. In connection with the description of the drawings, similar reference numerals may be used for similar or related components. The singular form of a noun corresponding to an item may include one or more of the above items unless clearly indicated otherwise in a related context. In this document, “A or B”, “at least one of A and B”, “at least one of A or B,” “A, B or C,” “at least one of A, B and C,” and “A Each of the phrases such as "at least one of, B, or C" may include any one of the items listed together in the corresponding one of the phrases, or all possible combinations thereof. Terms such as "first", "second", or "first" or "second" may be used simply to distinguish the component from other Order) is not limited. Some (eg, first) component is referred to as “coupled” or “connected” to another (eg, second) component, with or without the terms “functionally” or “communicatively”. When mentioned, it means that any of the above components may be connected to the other components directly (eg by wire), wirelessly, or via a third component.

The term "module" used in this document may include a unit implemented in hardware, software, or firmware, and may be used interchangeably with terms such as logic, logic blocks, parts, or circuits. The module may be an integrally configured component or a minimum unit of the component or a part thereof that performs one or more functions. For example, according to an embodiment, the module may be implemented in the form of an application-specific integrated circuit (ASIC).

Various embodiments of the present document are software including one or more instructions stored in a storage medium (eg, internal memory or external memory) that can be read by a machine (eg, a master device or a task performing device). Example: Program). For example, the processor of the device (eg, a master device or a task performing device) may call at least one command among one or more commands stored from a storage medium and execute it. This enables the device to be operated to perform at least one function according to the at least one command invoked. The one or more instructions may include code generated by a compiler or code executable by an interpreter. A storage medium that can be read by a device may be provided in the form of a non-transitory storage medium. Here,'non-transitory' only means that the storage medium is a tangible device and does not contain a signal (e.g., electromagnetic waves), and this term refers to the case where data is semi-permanently stored in the storage medium. It does not distinguish between temporary storage cases.

According to an embodiment, a method according to various embodiments disclosed in the present document may be provided by being included in a computer program product. Computer program products can be traded between sellers and buyers as commodities. Computer program products are distributed in the form of a device-readable storage medium (e.g., compact disc read only memory (CD-ROM)), or through an application store (e.g. Play StoreTM) or two user devices (e.g. It can be distributed (e.g., downloaded or uploaded) directly between, e.g. smartphones). In the case of online distribution, at least a part of the computer program product may be temporarily stored or temporarily generated in a storage medium that can be read by a device such as a server of a manufacturer, a server of an application store, or a memory of a relay server.

According to various embodiments, each component (eg, module or program) of the above-described components may include a singular number or a plurality of entities. According to various embodiments, one or more components or operations among the above-described corresponding components may be omitted, or one or more other components or operations may be added. Alternatively or additionally, a plurality of components (eg, a module or program) may be integrated into one component. In this case, the integrated component may perform one or more functions of each component of the plurality of components in the same or similar to that performed by the corresponding component among the plurality of components prior to the integration. . According to various embodiments, operations performed by a module, program, or other component may be sequentially, parallel, repeatedly, or heuristically executed, or one or more of the operations may be executed in a different order or omitted. Or one or more other actions may be added.

Claims (20)

In the electronic device performing a radio access network (radio access network) function,
Communication interface;
A processor operatively connected with the communication interface; And
And a memory operatively connected to the processor,
The memory, when executed, the processor,
Receiving wireless communication data transmitted through a wireless access network through the communication interface,
Process the received wireless communication data based on a wireless access network protocol by at least one first virtualization module that virtualizes a function of a wireless access network,
By the at least one first virtualization module, based on the received wireless communication data or a processing result of the wireless communication data, confirming an abnormal symptom,
By the at least one first virtualization module, transfer the security information indicating the abnormality to the second virtualization module,
The electronic device that stores instructions for determining, by the second virtualization module, an expected security threat on a wireless access network based on security information indicating the anomaly.
The method of claim 1, wherein the at least one first virtualization module,
An electronic device that is a virtual network function (VNF) module that processes wireless communication data based on a wireless network protocol.
The method of claim 2, wherein the second virtualization module,
An electronic device that is a security agent (SA) that interworks with the at least one first virtualization module to process a function related to security for the at least one first virtualization module.
The method of claim 1, wherein the instructions are the processor,
The electronic device, configured to generate security information related to the wireless communication data by a security monitoring (SM) module executed in the first virtualization module.
The method of claim 1, wherein the first virtualization module,
The received radio communication data based on at least one of packet data convergence protocol entity (PDCP) layer processing, radio link control entity (RLC) layer processing, medium access control entity (MAC) layer processing, or physical entity (PHY) layer processing Processing, electronic devices.
The method of claim 1, wherein the expected security threat on the wireless access network,
An electronic device comprising at least one of denial of service (DoS), distributed DoS (DDoS), spoofing, or security vulnerability (exploit) attacks.
The method of claim 1, wherein the second virtualization module,
An electronic device that determines a security threat by checking data of a layer higher than the wireless network layer processed by the at least one first virtualization module, based on the generated security information.
The method of claim 1, wherein the second virtualization module,
When the expected security threat on the wireless access network is determined, transmitting a countermeasure set to the at least one first virtualization module.
The method of claim 8, wherein the set countermeasures,
An electronic device comprising at least one of a drop processing, a non-response processing, or an alert processing for corresponding wireless communication data.
The method of claim 1, wherein the second virtualization module,
An electronic device that checks wireless communication data corresponding to the generated security information to generate a security report, and processes the generated security report to be transmitted to a security server that manages security of devices performing a wireless access network function.
The method of claim 10, wherein the second virtualization module,
Receiving a security policy corresponding to the at least one first virtualization module from the security server, and applying the received security policy to a first virtualization module corresponding to the security policy among the at least one first virtualization module, Electronic device.
The method of claim 1, wherein the first virtualization module,
Data exceeding the specified number of bytes or the specified number of packets is received within a specified time, the terminal transmitting the wireless communication data exceeds the specified number, or a specific wireless communication protocol is set on the payload of the received wireless communication data. An electronic device that is determined as an abnormal symptom when it is checked more than a specified number of times.
The method of claim 1, wherein the second virtualization module,
Check the payload information of the received wireless communication data,
An electronic device that determines a security threat on a wireless access network based on at least one of identification information of a terminal, a number of transmissions or receptions of a wireless communication protocol, or encryption.
In the method of determining a security threat on a wireless access network of an electronic device,
Receiving wireless communication data transmitted through a wireless access network;
Processing the received wireless communication data based on a wireless access network protocol by at least one first virtualization module that virtualizes a function of a wireless access network;
Checking, by the at least one first virtualization module, an abnormal symptom based on the processing result of the wireless communication data or the wireless communication data;
Transmitting information related to the wireless communication data to a second virtualization module by the at least one first virtualization module; And
A method of determining a security threat on a wireless access network, including; determining, by a second virtualization module, an expected security threat on the wireless access network based on information related to the wireless communication data for which the abnormality is confirmed.
The method of claim 14, wherein the first virtualization module,
The received radio communication data based on at least one of packet data convergence protocol entity (PDCP) layer processing, radio link control entity (RLC) layer processing, medium access control entity (MAC) layer processing, or physical entity (PHY) layer processing A method of determining a security threat on a wireless access network that processes.
The method of claim 14, wherein the expected security threat on the wireless access network,
A method for determining a security threat on a wireless access network, including at least one of denial of service (DoS), distributed DoS (DDoS), spoofing, or security vulnerability (exploit) attack.
The method of claim 14, wherein the second virtualization module,
A method for determining a security threat on a wireless access network, based on the generated security information, for determining a security threat by checking data of a layer higher than the wireless network layer processed by the at least one first virtualization module.
The method of claim 14, wherein the second virtualization module,
When the expected security threat on the wireless access network is determined, a countermeasure set to the at least one first virtualization module is transmitted,
The set countermeasure includes at least one of a drop processing, a non-response processing, or an alert processing for the corresponding wireless communication data.
The method of claim 14, wherein the first virtualization module,
Data exceeding the specified number of bytes or the specified number of packets is received within a specified time, the terminal transmitting the wireless communication data exceeds the specified number, or a specific wireless communication protocol is set on the payload of the received wireless communication data. A method of determining security threats on a wireless access network, which is determined as an abnormal symptom if it is checked more than a specified number of times.
The method of claim 14, wherein the second virtualization module,
Check the payload information of the received wireless communication data,
A method of determining a security threat on a wireless access network, for determining a security threat on a wireless access network based on at least one of identification information of a terminal, a number of transmissions or receptions of a wireless communication protocol, or encryption.

Images