WO2008075891A1 - Intrusion protection device and intrusion protection method for point-to-point tunneling protocol - Google Patents

Intrusion protection device and intrusion protection method for point-to-point tunneling protocol Download PDF

Info

Publication number
WO2008075891A1
Authority
WO
WIPO (PCT)
Prior art keywords
packet data
tunneling
intrusion protection
protection device
network
Application number
PCT/KR2007/006652
Other languages
French (fr)
Inventor
Jang-Won Lee
Dong-Myon Song
Jin-Yong Ha
Zoo-Yl Zeong
Original Assignee
Kt Corporation
Priority claimed from KR1020070132353A (published as KR20080057161A)
Application filed by Kt Corporation
Priority to JP2009541233A (published as JP2010514248A)
Publication of WO2008075891A1

Classifications

    • H04L63/00 Network architectures or network communication protocols for network security
        • H04L63/02 Separating internal from external traffic, e.g. firewalls
            • H04L63/0227 Filtering policies
                • H04L63/0245 Filtering by information in the payload
        • H04L63/14 Detecting or protecting against malicious traffic
            • H04L63/1408 Detecting or protecting against malicious traffic by monitoring network traffic
                • H04L63/1416 Event detection, e.g. attack signature detection
            • H04L63/1441 Countermeasures against malicious traffic
                • H04L63/145 Countermeasures against malicious traffic, the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms
    • H04L2212/00 Encapsulation of packets
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
        • H04W12/12 Detection or prevention of fraud
            • H04W12/121 Wireless intrusion detection systems [WIDS]; Wireless intrusion prevention systems [WIPS]
                • H04W12/122 Counter-measures against attacks; Protection against rogue devices
            • H04W12/126 Anti-theft arrangements, e.g. protection against subscriber identity module [SIM] cloning
            • H04W12/128 Anti-malware arrangements, e.g. protection against SMS fraud or mobile malware

Definitions

  • the present invention relates to a point-to-point tunneling protocol in a mobile communication network, and in particular, to an intrusion protection device and an intrusion protection method for monitoring and blocking abnormal traffic in tunneling packet data transmitted between mobile communication terminals.
  • An intrusion protection system (IPS) among IP (Internet Protocol) data network security systems corresponds to a precautionary approach of a network security technology for recognizing a potential attack and immediately responding to the attack.
  • the IPS monitors a network traffic in the same way as an intrusion detection system (IDS).
  • IPS should be capable of taking a prompt action based on a series of regulations set by an administrator.
  • the IPS inspects a packet, and blocks all traffic entering through a corresponding IP or port when the packet is judged as an illegitimate packet, while transmitting a legitimate traffic to a receiver without any interruption or service delay.
  • the intrusion protection system is located between a backbone switch and a host computer, and performs a function for blocking an abnormal IP packet data.
  • a point-to-point tunneling packet data transmitted directly between a receiving terminal and a sending terminal in a mobile communication network does not pass through an IP network, and thus is vulnerable to an attack of an abnormal traffic.
  • Document 1 (Korean Laid-open Publication Patent No. 2006-118830) discloses a signal packet controlling apparatus and method which divide the packet data transmitted between the SGSN (Serving GPRS Supporting Node) and GGSN (Gateway GPRS Supporting Node) of an asynchronous mobile communication network (WCDMA network) into signal packets and data packets, classify the signal packets according to source and remove unnecessary or intentionally injected signal packets, thereby preventing malicious or abnormal signal packets from entering in large quantities.
  • Document 1 requires a complicated procedure, dividing the packet data into signal packets and data packets and classifying the signal packets according to source. Moreover, Document 1 detects abnormal traffic only by comparing the signal packets against the data packets or against a set threshold, and therefore has difficulty monitoring and blocking the variety of malicious content carried in the payload. Disclosure of Invention
  • An object of the present invention is to provide an intrusion protection function of a point-to-point tunneling packet of a mobile communication network.
  • Another object of the present invention is to apply a malicious traffic discriminating policy used for an IP packet to a tunneling packet of a mobile communication network as it is.
  • Still another object of the present invention is to incorporate an intrusion protection system applicable to a synchronous mobile communication network as well as an asynchronous mobile communication network.
  • an intrusion protection device is located in a mobile communication network and configured to implement an intrusion protection function to a point-to-point tunneling packet protocol between mobile communication terminals, and the intrusion protection device comprises a restoration means for restoring an IP packet data from a tunneling packet data transmitted between mobile communication terminals; a discrimination means for judging whether the IP packet data is a normal or abnormal traffic; and a discarding means for discarding the tunneling packet data in the case that the IP packet data is judged to be an abnormal traffic.
  • the intrusion protection device further comprises a means for transmitting the tunneling packet data to a next network component when the IP packet data is judged to be a normal traffic by the discrimination means.
  • the intrusion protection device may further comprise a malicious information database for storing and managing a plurality of abnormal traffic pattern information, and thus the discrimination means judges whether the IP packet data is a normal or abnormal traffic with reference to the malicious information database.
  • the restoration means includes a decapsulation means for decapsulating the tunneling packet data; and a merging means for merging at least payload of the tunneling packet data. And, the restoration means may further include a decompression means for decompressing the tunneling packet data.
  • a packet data transmission system for implementing a point-to-point tunneling protocol between mobile communication terminals comprises a first network node for supporting a tunneling packet protocol with an access network; a second network node for supporting a connection with another packet switching network; and an intrusion protection device interposed between the first network node and the second network node for restoring a tunneling packet data being transmitted to an IP packet data and discarding the tunneling packet data in the case that the restored IP packet data is an abnormal traffic.
  • the intrusion protection device includes a restoration means for restoring an IP packet data from the tunneling packet data; a discrimination means for judging whether the IP packet data is a normal or abnormal traffic; and a discarding means for discarding the tunneling packet data in the case that the IP packet data is judged to be an abnormal traffic.
  • the intrusion protection device further includes a means for transmitting the tunneling packet data to the first network node or the second network node when the IP packet data is judged to be a normal traffic by the discrimination means.
  • the first network node is PCF (Packet Control Function) or SGSN (Serving GPRS Supporting Node), and the second network node is PDSN (Packet Data Serving Node) or GGSN (Gateway GPRS Supporting Node).
  • an intrusion protection method for monitoring and blocking an abnormal traffic of a point-to-point tunneling packet data between mobile communication terminals comprises a restoration step for restoring the tunneling packet data to an IP packet data; a discrimination step for judging whether the IP packet data is a normal or abnormal traffic; and a packet handling step for discarding the tunneling packet data when the IP packet data is judged to be an abnormal traffic in the discrimination step, and transmitting the tunneling packet data to another network node when the IP packet data is judged to be a normal traffic.
  • the restoration step includes a decapsulation step for decapsulating the tunneling packet data; and a merging step for merging at least payload of the tunneling packet data.
  • the restoration step further includes a decompression step for decompressing the tunneling packet data, in the case that the tunneling packet data is a Van Jacobson compressed GRE (Generic Routing Encapsulation) packet data.
  • FIG. 1 is a block diagram of a tunneling packet transmission system for performing an intrusion protection function according to the present invention.
  • FIG. 2 is an internal block diagram of an intrusion protection system applicable to the system of FIG. 1.
  • FIG. 3 is a view showing restoration of an IP packet data from a CDMA (Code
  • FIG. 4 is a view showing restoration of an IP packet data from a WCDMA
  • FIG. 5 is a data flow chart showing an intrusion protection function of a point-to-point tunneling packet data according to the present invention. Best Mode for Carrying Out the Invention
  • FIG. 1 is a block diagram of a tunneling packet transmission system for performing an intrusion protection function according to the present invention.
  • the packet transmission system of the present invention comprises a mobile communication terminal 10, an access network 100, a core network 200, an IP network 300 and an Internet network 400.
  • a mobile communication network including the access network 100 and the core network 200 of FIG. 1 may be an asynchronous mobile communication network (GSM (Global System for Mobile Communication) or WCDMA, as Document 1 above also classifies WCDMA) or a synchronous mobile communication network (CDMA or CDMA-2000 EV-DO (Evolution-Data Optimized)).
  • the mobile communication terminal 10 performs a point-to-point tunneling packet protocol with another mobile communication terminal through the mobile communication network, and includes a synchronous or asynchronous mobile phone, PDA (Personal Digital Assistant), notebook computer capable of wireless communication or a DMB (Digital Multimedia Broadcasting) phone.
  • the access network 100 interfaces the mobile communication terminal 10 with the core network 200 in a tunneling packet protocol, and includes Node B and RNC (Radio Network Controller) in WCDMA, and BTS (Base Transceiver Station) and RNC in CDMA 2000.
  • the core network 200 includes all network components related to call processing, session management, mobility control and switching in the network of subscribers.
  • the core network 200 of the present invention includes an intrusion protection system 250 having a configuration shown in FIG. 2.
  • the intrusion protection system 250 is a network component for monitoring and blocking an abnormal (or malicious) traffic of a tunneling packet transmitted from the access network 100, and may be arranged anywhere in the core network 200. However, as shown in FIG. 1, preferably the intrusion protection system 250 is interposed between a first packet supporting node 210 and a second packet supporting node 260 in the core network 200.
  • the first packet supporting node 210 is SGSN (Serving GPRS Supporting Node) and the second packet supporting node 260 is GGSN (Gateway GPRS Supporting Node).
  • the SGSN is a network component for managing and supporting a packet switching service toward the access network 100, and performs functions such as routing area updating, location information registration or calling out for managing mobility of a mobile communication terminal provided with the packet switching service.
  • the GGSN is a network component for connecting a packet switching area to another packet switching network such as the IP network 300 or the Internet network 400.
  • the first packet supporting node 210 is PCF (Packet Control Function) and the second packet supporting node 260 is PDSN (Packet Data Serving Node).
  • the PCF is a network component connected with the access network 100 and the PDSN, and configured to set up, maintain and release the connection with the PDSN, request radio resource assignment for packet data transmission from the access network 100, and collect and transmit billing information to the PDSN.
  • the PDSN is a network component for transmitting the packet data received from the access network 100 to another packet switching network such as the IP network 300 or the Internet network 400.
  • the IP network 300 connects the second packet supporting node 260 of the core network 200, the Internet network 400 and other network components (for example, Home Agent, SIP (Session Initiation Protocol) server and so on) with each other, and relays data transmission between all components connected thereto.
  • the Internet network 400 is a world-wide open computer network structure providing the TCP/IP (Transmission Control Protocol/Internet Protocol) protocol and the various services of its upper layer, i.e. HTTP (Hypertext Transfer Protocol), Telnet (TELecommunication NETwork), FTP (File Transfer Protocol), DNS (Domain Name System), SMTP (Simple Mail Transfer Protocol), SNTP (Simple Network Time Protocol), NFS (Network File System) and NIS (Network Information Service).
  • the intrusion protection system 250 is interposed between the first packet supporting node 210 and the second packet supporting node 260 of the core network 200, and is configured to monitor an abnormal traffic of a tunneling packet data transmitted from the access network 100 or other mobile communication terminal, and block the abnormal traffic.
  • the intrusion protection system 250 includes a tunneling packet sending/receiving unit 251, an IP packet generating unit 252, an abnormal traffic monitoring and handling unit 253 and a malicious information database 254.
  • the tunneling packet sending/receiving unit 251 receives a tunneling packet data
  • the IP packet generating unit 252 restores the tunneling packet data 30, 40, 50 and 60 to IP packet data 31, 41, 51 and 61 as shown in FIGs. 3a to 4b, and transmits the IP packet data 31, 41, 51 and 61 to the abnormal traffic monitoring and handling unit 253.
  • the abnormal traffic monitoring and handling unit 253 monitors if an abnormal traffic (for example, worm/virus, UDP Flooding, IP Spoofing, DoS traffic and so on) exists in the IP packet data 31, 41, 51 and 61 received from the IP packet generating unit 252. As a monitoring result, in the case that an abnormal traffic exists in the IP packet data, the abnormal traffic monitoring and handling unit 253 instructs the tunneling packet sending/receiving unit 251 to discard the corresponding tunneling packet data, and in the case that an abnormal traffic does not exist in the IP packet data, the abnormal traffic monitoring and handling unit 253 instructs the tunneling packet sending/receiving unit 251 to normally send the corresponding tunneling packet data.
  • the malicious information database 254 stores and manages an abnormal traffic pattern found already or set by an administrator.
  • the malicious information database 254 can update the abnormal traffic pattern periodically or according to events.
  • the abnormal traffic pattern (for example, worm, virus, UDP Flooding, IP Spoofing, DoS traffic and so on) includes an abnormal traffic pattern by the external attack.
  • the intrusion protection system 250 of the present invention restores a tunneling packet data to an IP packet data, and thus can monitor an abnormal traffic of the tunneling packet data using the same abnormal traffic discriminating policy as that for a conventional IPS of IP packet data.
  • a mechanism for restoring an IP packet data from a point-to-point tunneling packet data is described in detail with reference to FIGs. 3a to 4b.
  • the IP packet generating unit 252 of the intrusion protection system 250 restores an IP packet data from a CDMA-2000 based GRE (Generic Routing Encapsulation)/VJC packet data 30.
  • the GRE/VJC packet data 30 transmitted from the tunneling packet sending/ receiving unit 251 of the intrusion protection system 250 has an additional header encapsulated and Van Jacobson compressed in a data frame. And, a worm/virus exists in a TCP payload of the GRE/VJC packet data 30.
  • the IP packet generating unit 252 decapsulates the GRE/VJC packet data 30 to generate an IP header and a TCP header for an IP packet data. And, the IP packet generating unit 252 Van Jacobson decompresses the GRE/VJC packet data 30 and merges the TCP payload to restore an IP packet data 31. Accordingly, a worm/virus still exists in the TCP payload of the restored IP packet data 31.
  • the restored IP packet data 31 is transmitted to the abnormal traffic monitoring and handling unit 253, and the abnormal traffic monitoring and handling unit 253 checks a worm/virus pattern information, a port information or frequency of occurrence per hour in the payload of the restored IP packet data 31, and judges if the restored IP packet data 31 is an abnormal traffic.
  • FIG. 3b shows formats of a CDMA-2000 based GRE packet data 40 and an IP packet data 41 restored from the CDMA-2000 based GRE packet data 40.
  • the GRE packet data 40 transmitted from the tunneling packet sending/receiving unit 251 of the intrusion protection system 250 has an additional header encapsulated in a data frame. And, a worm/virus exists in a UDP payload of the GRE packet data 40.
  • the IP packet generating unit 252 decapsulates the GRE packet data 40 of FIG. 3b to generate an IP header and a UDP header for an IP packet data, and merges the UDP payload to restore an IP packet data 41. Accordingly, a worm/virus still exists in the UDP payload of the restored IP packet data 41.
  • FIGs. 4a and 4b show formats of WCDMA based GTP (GPRS (General Packet Radio Service) Tunneling Protocol) packet data 50, 60 and IP packet data 51, 61 restored from the GTP packet data 50, 60.
  • the GTP packet data 50, 60 transmitted from the tunneling packet sending/ receiving unit 251 of the intrusion protection system 250 each has an additional header encapsulated in a data frame. And, a worm/virus also exists in a TCP payload of each GTP packet data 50, 60.
  • the IP packet generating unit 252 decapsulates the GTP packet data 50, 60 of FIGs. 4a and 4b to generate an IP header and a TCP header for an IP packet data, and merges the TCP payload to restore IP packet data 51, 61. Accordingly, a worm/virus still exists in the TCP payload of the restored IP packet data 51, 61.
  • the restored IP packet data 51, 61 are transmitted to the abnormal traffic monitoring and handling unit 253, and the abnormal traffic monitoring and handling unit 253 checks a worm/virus pattern information, a port information or frequency of occurrence per hour in the payloads of the restored IP packet data 51, 61, and judges if the restored IP packet data 51, 61 are abnormal traffic.
  • the first packet supporting node 210 of the core network 200 receives a point-to-point tunneling packet data (for example, GRE/VJC packet data or GTP packet data) from the mobile communication terminal 10 and transmits the tunneling packet data to the tunneling packet sending/receiving unit 251 of the intrusion protection system 250 (S100, S200).
  • the IP packet generating unit 252 of the intrusion protection system 250 performs at least one process selected from the group consisting of decapsulation, decompression and payload merging on the tunneling packet data 30, 40, 50 and 60 to generate IP packet data 31, 41, 51 and 61 each having a header field (IP header- TCP header or IP header- UDP header) and a payload field (TCP payload or UDP payload) as shown in FIGs. 3a to 4b (S300).
  • the generated IP packet data 31, 41, 51 and 61 are transmitted to the abnormal traffic monitoring and handling unit 253 of the intrusion protection system 250, and the abnormal traffic monitoring and handling unit 253 judges if the IP packet data are abnormal traffic (for example, worm, virus, UDP Flooding, IP Spoofing, DoS traffic and so on) with reference to the malicious information database 254 (S400).
  • in the case that the IP packet data are judged to be abnormal traffic, the abnormal traffic monitoring and handling unit 253 instructs the tunneling packet sending/receiving unit 251 to discard the corresponding tunneling packet data (S420). Meanwhile, in the case that the IP packet data are judged to be normal traffic, the abnormal traffic monitoring and handling unit 253 instructs the tunneling packet sending/receiving unit 251 to send the corresponding tunneling packet data to the second packet supporting node 260 (S410). Accordingly, a tunneling packet data received via the access network 100 is judged for abnormal traffic before it is transmitted to the corresponding mobile communication terminal via the second packet supporting node 260.
  • the present invention can block an abnormal traffic using a conventional abnormal traffic discriminating policy for IP packet data, because the tunneling packet data is restored to IP packet data before it is inspected.
  • an exemplary embodiment of the present invention shows that a tunneling packet data is uplinked from a mobile communication terminal to a mobile communication network.
  • the present invention is substantially equally applied to the case that a tunneling packet data is downlinked from a mobile communication network to a mobile communication terminal.
  • the present invention can judge whether a tunneling packet data contains a normal or abnormal traffic by using a conventional abnormal traffic discriminating policy in a point-to-point tunneling protocol between mobile communication terminals in a synchronous or asynchronous mobile communication network.
  • the intrusion protection device of the present invention is constructed in a core network of a mobile communication network, and thus can block an abnormal traffic before billing, thereby preventing an erroneous billing.
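The restoration step described above for FIGs. 3a to 4b and S300 (strip the GRE or GTP tunnel header, recover the IP header, TCP/UDP header and payload, and hand the result to the discrimination step), as an added worked example in Python. This is not code from the patent or from KT Corporation. It assumes plain GRE over IPv4 with the optional key and sequence words (RFC 2784/2890) for the CDMA-2000 case and GTPv1-U G-PDUs (3GPP TS 29.281) for the WCDMA case; Van Jacobson decompression is not implemented, so a VJ-compressed or PPP payload is rejected rather than mis-parsed. The test frames are constructed inline, and all function and field names are the example's own.

```python
"""Restoration step: strip the GRE (CDMA2000) or GTPv1-U (WCDMA) tunnel header
and parse the recovered IPv4/TCP/UDP packet. Added example, not the patent's
code. Van Jacobson decompression is not implemented, so a VJ-compressed or PPP
payload is rejected rather than parsed as if it were a plain IP packet."""
import struct

IPPROTO_TCP, IPPROTO_UDP = 6, 17
ETHERTYPE_IPV4 = 0x0800
GTPU_G_PDU = 0xFF            # GTP-U message type that carries a user T-PDU


def gre_decap(frame: bytes) -> bytes:
    """RFC 2784/2890 GRE: skip the optional checksum, key and sequence words."""
    if len(frame) < 4:
        raise ValueError("truncated GRE header")
    flags, proto = struct.unpack("!HH", frame[:4])
    if flags & 0x0007 or proto != ETHERTYPE_IPV4:   # version 0 and IPv4 inside (0x880B = PPP)
        raise ValueError("unsupported GRE version or non-IPv4 payload")
    off = 4 + 4 * bool(flags & 0x8000) + 4 * bool(flags & 0x2000) + 4 * bool(flags & 0x1000)
    if len(frame) < off:
        raise ValueError("truncated GRE optional fields")
    return frame[off:]


def gtpu_decap(frame: bytes) -> tuple:
    """3GPP TS 29.281 GTPv1-U: return (TEID, T-PDU); signalling messages are rejected."""
    if len(frame) < 8:
        raise ValueError("truncated GTP-U header")
    flags, msg_type, length, teid = struct.unpack("!BBHI", frame[:8])
    if flags >> 5 != 1 or not flags & 0x10 or msg_type != GTPU_G_PDU:
        raise ValueError("not a GTPv1-U G-PDU")
    end = 8 + length                       # length counts bytes after the 8-byte mandatory header
    if len(frame) < end:
        raise ValueError("GTP-U length exceeds frame")
    off = 8
    if flags & 0x07:                       # E, S or PN set: 4 optional bytes follow
        off += 4
        next_ext = frame[11] if flags & 0x04 else 0
        while next_ext:                    # extension headers, length in 4-byte units
            ext_len = frame[off] * 4
            if ext_len == 0 or off + ext_len > end:
                raise ValueError("bad GTP-U extension header")
            next_ext, off = frame[off + ext_len - 1], off + ext_len
    return teid, frame[off:end]


def ipv4_checksum(header: bytes) -> int:
    """Ones-complement sum; evaluates to 0 over a header whose checksum is valid."""
    s = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return ~s & 0xFFFF


def parse_ipv4(pkt: bytes) -> dict:
    """Return the 5-tuple and L4 payload; a header that fails its checksum is a
    restoration failure and is never handed to the discrimination step."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl, total = (pkt[0] & 0x0F) * 4, struct.unpack("!H", pkt[2:4])[0]
    if ihl < 20 or total < ihl or total > len(pkt):
        raise ValueError("bad IPv4 lengths")
    if ipv4_checksum(pkt[:ihl]) != 0:
        raise ValueError("IPv4 header checksum mismatch")
    proto, l4 = pkt[9], pkt[ihl:total]
    rec = {"src": ".".join(map(str, pkt[12:16])), "dst": ".".join(map(str, pkt[16:20])),
           "proto": proto, "sport": None, "dport": None, "payload": l4}
    if proto == IPPROTO_TCP and len(l4) >= 20:
        rec["sport"], rec["dport"] = struct.unpack("!HH", l4[:4])
        rec["payload"] = l4[(l4[12] >> 4) * 4:]      # skip TCP header incl. options
    elif proto == IPPROTO_UDP and len(l4) >= 8:
        rec["sport"], rec["dport"] = struct.unpack("!HH", l4[:4])
        rec["payload"] = l4[8:]
    return rec


DECAP = {"gre": gre_decap, "gtpu": lambda f: gtpu_decap(f)[1]}


def restore_ip_packet(tunnel: str, frame: bytes):
    """Decapsulate by tunnel type, then parse. None means the frame could not be
    restored; the IPS should treat that as abnormal rather than forward it blind."""
    try:
        return parse_ipv4(DECAP[tunnel](frame))
    except (KeyError, ValueError):
        return None


# Constructed test frames (not captured traffic): a minimal IPv4/TCP packet wrapped
# in GRE with key and sequence (as on a CDMA2000 A10 link) and in a GTPv1-U G-PDU.
def build_ipv4_tcp(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x18, 8192, 0, 0) + payload
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000, 64, IPPROTO_TCP,
                      0, bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:] + tcp


def wrap_gre(inner: bytes, key: int, seq: int) -> bytes:
    return struct.pack("!HHII", 0x3000, ETHERTYPE_IPV4, key, seq) + inner     # K and S set


def wrap_gtpu(inner: bytes, teid: int, seq: int) -> bytes:
    return struct.pack("!BBHIHBB", 0x32, GTPU_G_PDU, len(inner) + 4, teid, seq, 0, 0) + inner


if __name__ == "__main__":
    ip = build_ipv4_tcp("10.0.0.1", "10.0.0.2", 40000, 80, b"GET / HTTP/1.0\r\n\r\n")
    print(restore_ip_packet("gre", wrap_gre(ip, 7, 1)))
    print(restore_ip_packet("gtpu", wrap_gtpu(ip, 0xDEADBEEF, 5)))
```

The same parsed record comes out of both tunnel types, which is the property the patent relies on: one IP-level policy can then be applied regardless of whether the frame arrived over the CDMA-2000 or the WCDMA path. Rejecting frames that fail a length or checksum check, instead of inspecting whatever bytes remain, keeps a malformed tunnel header from being used to slip a payload past the pattern match.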

Abstract

The present invention relates to a method for monitoring and blocking an abnormal traffic of a point-to-point tunneling packet data, comprising restoring a tunneling packet data to an IP packet data, judging whether the IP packet data is a normal or abnormal traffic, discarding the tunneling packet data when the IP packet data is judged to be an abnormal traffic and transmitting the tunneling packet data to another network node when the IP packet data is judged to be a normal traffic.
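The judge, discard and forward steps of the abstract, with the pattern, port and frequency-of-occurrence checks that the abnormal traffic monitoring and handling unit performs against its malicious information database, as an added worked example in Python. This is not code from the patent or from KT Corporation. It assumes the restored packet arrives as a dict with the keys src, dst, proto, sport, dport and payload (or None when restoration failed), and the database contents, the subscriber address pool used for the spoofing check, the UDP rate threshold and the signature bytes are all constructed for the example.

```python
"""Discrimination and packet-handling steps of the tunnel IPS, as an added
example (not the patent's code). A restored IP packet record is checked against
a constructed malicious information database and the verdict decides whether
the original tunnel frame is discarded or handed to the next node."""
import ipaddress
from collections import defaultdict, deque

# Constructed database; a deployment would load and refresh this from the
# operator's signature feed instead of hard-coding it.
MALICIOUS_DB = {
    "signatures": {b"CONSTRUCTED_WORM_MARKER": "worm-sample"},
    "blocked_ports": {135, 445},
    "subscriber_pool": ipaddress.ip_network("10.0.0.0/8"),   # legitimate uplink sources
    "udp_flood": (5, 1.0),   # more than 5 UDP packets from one source within 1.0 s
}


class TunnelIPS:
    def __init__(self, db=MALICIOUS_DB):
        self.db = db
        self.udp_seen = defaultdict(deque)    # src -> timestamps inside the window
        self.discarded = self.forwarded = 0

    def _udp_flooding(self, src: str, now: float) -> bool:
        limit, window = self.db["udp_flood"]
        q = self.udp_seen[src]
        q.append(now)
        while q and now - q[0] > window:      # forget timestamps outside the window
            q.popleft()
        return len(q) > limit

    def judge(self, rec, now: float):
        """Discrimination step: (verdict, reason) for one restored packet.
        A frame the restoration step could not decode arrives here as None."""
        if rec is None:
            return "discard", "undecodable tunnel payload"
        if ipaddress.ip_address(rec["src"]) not in self.db["subscriber_pool"]:
            return "discard", "spoofed source " + rec["src"]
        if rec["dport"] in self.db["blocked_ports"]:
            return "discard", "blocked port %d" % rec["dport"]
        for pattern, name in self.db["signatures"].items():
            if pattern in rec["payload"]:
                return "discard", "signature " + name
        if rec["proto"] == 17 and self._udp_flooding(rec["src"], now):
            return "discard", "udp flood from " + rec["src"]
        return "forward", None

    def handle(self, tunnel_frame: bytes, rec, now: float, send):
        """Packet handling step: the verdict applies to the whole tunnel frame,
        and only forwarded frames reach send(), the next network node."""
        verdict, reason = self.judge(rec, now)
        if verdict == "discard":
            self.discarded += 1
        else:
            self.forwarded += 1
            send(tunnel_frame)
        return verdict, reason


def run_demo():
    """Feed constructed records through the IPS; returns (verdicts, frames sent on)."""
    ips, sent = TunnelIPS(), []
    base = {"src": "10.0.0.1", "dst": "198.51.100.9", "proto": 6, "sport": 40000,
            "dport": 80, "payload": b"GET / HTTP/1.0\r\n\r\n"}
    cases = [
        (b"gre0", base, 0.0),                                            # clean HTTP request
        (b"gre1", dict(base, payload=b"MZ..CONSTRUCTED_WORM_MARKER.."), 0.1),
        (b"gre2", dict(base, dport=445), 0.2),                           # blocked port
        (b"gre3", dict(base, src="203.0.113.7"), 0.3),                   # source outside pool
        (b"gre4", None, 0.4),                                            # restoration failed
    ]
    udp = dict(base, proto=17, dport=53, payload=b"\x00" * 32)
    cases += [(b"udp%d" % i, udp, 1.0 + i * 0.01) for i in range(7)]    # burst of 7 in 70 ms
    verdicts = [ips.handle(frame, rec, now, sent.append) for frame, rec, now in cases]
    return verdicts, sent


if __name__ == "__main__":
    for verdict, reason in run_demo()[0]:
        print(verdict, reason or "")
```

The ordering of the checks matters in practice: the cheap source-address and port checks run before the payload scan, and the rate counter is keyed by the subscriber address rather than by the tunnel, so a flood split across several GRE keys or TEIDs from one terminal is still counted together. The constructed signature bytes stand in for a real pattern feed; matching is a plain substring search here because the point is the decision flow, not the matcher.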

Description

Description
INTRUSION PROTECTION DEVICE AND INTRUSION PROTECTION METHOD FOR POINT-TO-POINT TUNNELING PROTOCOL
Technical Field
[1] The present invention relates to a point-to-point tunneling protocol in a mobile communication network, and in particular, to an intrusion protection device and an intrusion protection method for monitoring and blocking abnormal traffic in tunneling packet data transmitted between mobile communication terminals. Background Art
[2] An intrusion protection system (IPS) among IP (Internet Protocol) data network security systems corresponds to a precautionary approach of a network security technology for recognizing a potential attack and immediately responding to the attack. The IPS monitors a network traffic in the same way as an intrusion detection system (IDS).
[3] Once an attacker obtains authority inside a system, he or she may misuse the system very quickly, and thus an IPS should be capable of taking prompt action based on a set of rules configured by an administrator. For this purpose, the IPS inspects each packet and blocks all traffic entering through the corresponding IP address or port when the packet is judged illegitimate, while passing legitimate traffic to the receiver without interruption or service delay.
[4] The intrusion protection system (IPS) is located between a backbone switch and a host computer, and performs a function for blocking an abnormal IP packet data. In this context, a point-to-point tunneling packet data transmitted directly between a receiving terminal and a sending terminal in a mobile communication network does not pass through an IP network, and thus is vulnerable to an attack of an abnormal traffic.
[5] Document 1 (Korean Laid-open Publication Patent No. 2006-118830) discloses a signal packet controlling apparatus and method which divide the packet data transmitted between the SGSN (Serving GPRS Supporting Node) and GGSN (Gateway GPRS Supporting Node) of an asynchronous mobile communication network (WCDMA network) into signal packets and data packets, classify the signal packets according to source and remove unnecessary or intentionally injected signal packets, thereby preventing malicious or abnormal signal packets from entering in large quantities.
[6] However, Document 1 requires a complicated procedure, dividing the packet data into signal packets and data packets and classifying the signal packets according to source. Moreover, Document 1 detects abnormal traffic only by comparing the signal packets against the data packets or against a set threshold, and therefore has difficulty monitoring and blocking the variety of malicious content carried in the payload. Disclosure of Invention
Technical Problem
[7] An object of the present invention is to provide an intrusion protection function of a point-to-point tunneling packet of a mobile communication network.
[8] And, another object of the present invention is to apply a malicious traffic discriminating policy used for an IP packet to a tunneling packet of a mobile communication network as it is.
[9] Further, still another object of the present invention is to incorporate an intrusion protection system applicable to a synchronous mobile communication network as well as an asynchronous mobile communication network.
[10] Other objects and advantages of the present invention will be described below, and understood through embodiments of the present invention. And, objects and advantages of the present invention may be realized by means and combination recited in the following claims. Technical Solution
[11] In order to achieve the above-mentioned objects, an intrusion protection device according to an aspect of the present invention is located in a mobile communication network and configured to implement an intrusion protection function to a point-to-point tunneling packet protocol between mobile communication terminals, and the intrusion protection device comprises a restoration means for restoring an IP packet data from a tunneling packet data transmitted between mobile communication terminals; a discrimination means for judging whether the IP packet data is a normal or abnormal traffic; and a discarding means for discarding the tunneling packet data in the case that the IP packet data is judged to be an abnormal traffic.
[12] And, the intrusion protection device further comprises a means for transmitting the tunneling packet data to a next network component when the IP packet data is judged to be a normal traffic by the discrimination means.
[13] Also, the intrusion protection device may further comprise a malicious information database for storing and managing a plurality of abnormal traffic pattern information, and thus the discrimination means judges whether the IP packet data is a normal or abnormal traffic with reference to the malicious information database.
[14] The restoration means includes a decapsulation means for decapsulating the tunneling packet data; and a merging means for merging at least payload of the tunneling packet data. And, the restoration means may further include a decompression means for decompressing the tunneling packet data.
[15] According to another aspect of the present invention, a packet data transmission system for implementing a point-to-point tunneling protocol between mobile communication terminals comprises a first network node for supporting a tunneling packet protocol with an access network; a second network node for supporting a connection with another packet switching network; and an intrusion protection device interposed between the first network node and the second network node for restoring a tunneling packet data being transmitted to an IP packet data and discarding the tunneling packet data in the case that the restored IP packet data is an abnormal traffic.
[16] At this time, the intrusion protection device includes a restoration means for restoring an IP packet data from the tunneling packet data; a discrimination means for judging whether the IP packet data is a normal or abnormal traffic; and a discarding means for discarding the tunneling packet data in the case that the IP packet data is judged to be an abnormal traffic.
[17] And, the intrusion protection device further includes a means for transmitting the tunneling packet data to the first network node or the second network node when the IP packet data is judged to be a normal traffic by the discrimination means.
[18] At this time, the first network node is PCF (Packet Control Function) or SGSN (Serving GPRS Supporting Node), and the second network node is PDSN (Packet Data Serving Node) or GGSN (Gateway GPRS Supporting Node).
[19] According to still another aspect of the present invention, an intrusion protection method for monitoring and blocking an abnormal traffic of a point-to-point tunneling packet data between mobile communication terminals comprises a restoration step for restoring the tunneling packet data to an IP packet data; a discrimination step for judging whether the IP packet data is a normal or abnormal traffic; and a packet handling step for discarding the tunneling packet data when the IP packet data is judged to be an abnormal traffic in the discrimination step, and transmitting the tunneling packet data to another network node when the IP packet data is judged to be a normal traffic.
[20] At this time, the restoration step includes a decapsulation step for decapsulating the tunneling packet data; and a merging step for merging at least payload of the tunneling packet data.
[21] The restoration step further includes a decompression step for decompressing the tunneling packet data, in the case that the tunneling packet data is a Van Jacobson compressed GRE (Generic Route Encapsulation) packet data.
Brief Description of the Drawings
[22] These and other features, aspects, and advantages of preferred embodiments of the present invention will be more fully described in the following detailed description, taken in conjunction with the accompanying drawings. In the drawings:
[23] FIG. 1 is a block diagram of a tunneling packet transmission system for performing an intrusion protection function according to the present invention.
[24] FIG. 2 is an internal block diagram of an intrusion protection system applicable to the system of FIG. 1.
[25] FIG. 3 is a view showing restoration of an IP packet data from a CDMA (Code Division Multiple Access)-2000 based GRE (Generic Route Encapsulation) packet data in (a) and (b).
[26] FIG. 4 is a view showing restoration of an IP packet data from a WCDMA (Wideband CDMA) based GTP (GPRS (General Packet Radio Service) Tunneling Protocol) packet data in (a) and (b).
[27] FIG. 5 is a data flow chart showing an intrusion protection function of a point-to-point tunneling packet data according to the present invention.
Best Mode for Carrying Out the Invention
[28] Hereinafter, a preferred embodiment of the present invention will be described in detail with reference to the accompanying drawings.
[29] FIG. 1 is a block diagram of a tunneling packet transmission system for performing an intrusion protection function according to the present invention.
[30] Referring to FIG. 1, the packet transmission system of the present invention comprises a mobile communication terminal 10, an access network 100, a core network 200, an IP network 300 and an Internet network 400. A mobile communication network including the access network 100 and the core network 200 of FIG. 1 may be a synchronous mobile communication network (GSM (Global System for Mobile Communication) or WCDMA) or an asynchronous mobile communication network (CDMA or CDMA-2000 EV-DO (Evolution-Data Optimized)).
[31] The mobile communication terminal 10 performs a point-to-point tunneling packet protocol with another mobile communication terminal through the mobile communication network, and includes a synchronous or asynchronous mobile phone, PDA (Personal Digital Assistant), notebook computer capable of wireless communication or a DMB (Digital Multimedia Broadcasting) phone.
[32] The access network 100 interfaces the mobile communication terminal 10 with the core network 200 in a tunneling packet protocol, and includes Node B and RNC (Radio Network Controller) in WCDMA, and BTS (Base Transceiver Station) and RNC in CDMA 2000.
[33] And, the core network 200 includes all network components related to call processing, session management, mobility control and switching in the network of subscribers. In particular, the core network 200 of the present invention includes an intrusion protection system 250 having a configuration shown in FIG. 2.
[34] The intrusion protection system 250 is a network component for monitoring and blocking an abnormal (or malicious) traffic of a tunneling packet transmitted from the access network 100, and may be arranged anywhere in the core network 200. However, as shown in FIG. 1, preferably the intrusion protection system 250 is interposed between a first packet supporting node 210 and a second packet supporting node 260 in the core network 200.
[35] In the case that the system of FIG. 1 is based on WCDMA, the first packet supporting node 210 is SGSN (Serving GPRS Supporting Node) and the second packet supporting node 260 is GGSN (Gateway GPRS Supporting Node).
[36] The SGSN is a network component for managing and supporting a packet switching service toward the access network 100, and performs functions such as routing area updating, location information registration or calling out for managing mobility of a mobile communication terminal provided with the packet switching service.
[37] The GGSN is a network component for connecting a packet switching area to another packet switching network such as the IP network 300 or the Internet network 400.
[38] Meanwhile, in the case that the system of FIG. 1 is based on CDMA-2000, the first packet supporting node 210 is PCF (Packet Control Function) and the second packet supporting node 260 is PDSN (Packet Data Serving Node).
[39] Here, the PCF is a network component connected with the access network 100 and the PDSN, and configured to set up, maintain and release a connection with the PDSN, request radio resource assignment for packet data transmission from the access network 100, and collect and transmit billing information to the PDSN.
[40] The PDSN is a network component for transmitting the packet data received from the access network 100 to another packet switching network such as the IP network 300 or the Internet network 400.
[41] The IP network 300 connects the second packet supporting node 260 of the core network 200, the Internet network 400 and other network components (for example, Home Agent, SIP (Session Initiation Protocol) server and so on) with each other, and relays data transmission between all components connected thereto.
[42] The Internet network 400 is a world-wide open computer network structure for providing TCP/IP (Transmission Control Protocol/Internet Protocol) protocol and various services of its upper layer, i.e. HTTP (Hypertext Transfer Protocol), Telnet (TELecommunication NETwork), FTP (File Transfer Protocol), DNS (Domain Name System), SMTP (Simple Mail Transfer Protocol), SNTP (Simple Network Time Protocol), NFS (Network File System) and NIS (Network Information Service).
[43] Next, a configuration of the intrusion protection system 250 is described in detail with reference to FIG. 2.
[44] Preferably, the intrusion protection system 250 is interposed between the first packet supporting node 210 and the second packet supporting node 260 of the core network 200, and is configured to monitor an abnormal traffic of a tunneling packet data transmitted from the access network 100 or other mobile communication terminal, and block the abnormal traffic.
[45] To perform the functions, the intrusion protection system 250 includes a tunneling packet sending/receiving unit 251, an IP packet generating unit 252, an abnormal traffic monitoring and handling unit 253 and a malicious information database 254.
[46] The tunneling packet sending/receiving unit 251 receives a tunneling packet data (for example, GRE/VJC packet or GTP packet) transmitted from the first packet supporting node 210 through the access network 100, and discards the tunneling packet data or sends the tunneling packet data to the second packet supporting node 260 according to instructions of the abnormal traffic monitoring and handling unit 253.
[47] The IP packet generating unit 252 restores the tunneling packet data 30, 40, 50 and 60 received from the tunneling packet sending/receiving unit 251 to IP packet data 31, 41, 51 and 61 as shown in FIGs. 3a to 4b, and transmits the IP packet data 31, 41, 51 and 61 to the abnormal traffic monitoring and handling unit 253.
[48] The abnormal traffic monitoring and handling unit 253 monitors if an abnormal traffic (for example, worm/virus, UDP Flooding, IP Spoofing, DoS traffic and so on) exists in the IP packet data 31, 41, 51 and 61 received from the IP packet generating unit 252. As a monitoring result, in the case that an abnormal traffic exists in the IP packet data, the abnormal traffic monitoring and handling unit 253 instructs the tunneling packet sending/receiving unit 251 to discard the corresponding tunneling packet data, and in the case that an abnormal traffic does not exist in the IP packet data, the abnormal traffic monitoring and handling unit 253 instructs the tunneling packet sending/receiving unit 251 to normally send the corresponding tunneling packet data.
[49] The malicious information database 254 stores and manages abnormal traffic patterns that have already been found or that are set by an administrator. The malicious information database 254 can update the abnormal traffic patterns periodically or according to events. The abnormal traffic patterns (for example, worm, virus, UDP Flooding, IP Spoofing, DoS traffic and so on) include abnormal traffic patterns caused by external attacks.
[50] As described above, the intrusion protection system 250 of the present invention restores a tunneling packet data to an IP packet data, and thus can monitor an abnormal traffic of the tunneling packet data using the same abnormal traffic discriminating policy as that for a conventional IPS of IP packet data.
[51] Hereinafter, a mechanism for restoring an IP packet data from a point-to-point tunneling packet data is described in detail with reference to FIGs. 3a to 4b.
[52] First, referring to FIG. 3a, the principle is described that the IP packet generating unit 252 of the intrusion protection system 250 restores an IP packet data from a CDMA-2000 based GRE (Generic Routing Encapsulation)/VJC packet data 30.
[53] The GRE/VJC packet data 30 transmitted from the tunneling packet sending/ receiving unit 251 of the intrusion protection system 250 has an additional header encapsulated and Van Jacobson compressed in a data frame. And, a worm/virus exists in a TCP payload of the GRE/VJC packet data 30.
[54] The IP packet generating unit 252 decapsulates the GRE/VJC packet data 30 to generate an IP header and a TCP header for an IP packet data. And, the IP packet generating unit 252 Van Jacobson decompresses the GRE/VJC packet data 30 and merges the TCP payload to restore an IP packet data 31. Accordingly, a worm/virus still exists in the TCP payload of the restored IP packet data 31.
[55] The restored IP packet data 31 is transmitted to the abnormal traffic monitoring and handling unit 253, and the abnormal traffic monitoring and handling unit 253 checks a worm/virus pattern information, a port information or frequency of occurrence per hour in the payload of the restored IP packet data 31, and judges if the restored IP packet data 31 is an abnormal traffic.
[56] FIG. 3b shows formats of a CDMA-2000 based GRE packet data 40 and an IP packet data 41 restored from the CDMA-2000 based GRE packet data 40.
[57] The GRE packet data 40 transmitted from the tunneling packet sending/receiving unit 251 of the intrusion protection system 250 has an additional header encapsulated in a data frame. And, a worm/virus exists in a UDP payload of the GRE packet data 40.
[58] The IP packet generating unit 252 decapsulates the GRE packet data 40 of FIG. 3b to generate an IP header and a UDP header for an IP packet data, and merges the UDP payload to restore an IP packet data 41. Accordingly, a worm/virus still exists in the UDP payload of the restored IP packet data 41.
[59] Next, FIGs. 4a and 4b show formats of WCDMA based GTP (GPRS (General Packet Radio Service) Tunneling Protocol) packet data 50, 60 and IP packet data 51, 61 restored from the WCDMA based GTP packet data 50, 60.
[60] The GTP packet data 50, 60 transmitted from the tunneling packet sending/ receiving unit 251 of the intrusion protection system 250 each has an additional header encapsulated in a data frame. And, a worm/virus also exists in a TCP payload of each GTP packet data 50, 60.
[61] The IP packet generating unit 252 decapsulates the GTP packet data 50, 60 of FIGs. 4a and 4b to generate an IP header (or inner IP header) and a TCP header of each IP packet data, and merges the TCP payload to restore IP packet data 51, 61. Accordingly, a worm/virus still exists in the TCP payload of each of the restored IP packet data 51, 61.
[62] The restored IP packet data 51, 61 are transmitted to the abnormal traffic monitoring and handling unit 253, and the abnormal traffic monitoring and handling unit 253 checks a worm/virus pattern information, a port information or frequency of occurrence per hour in the payloads of the restored IP packet data 51, 61, and judges if the restored IP packet data 51, 61 are abnormal traffic.
[63] Referring to FIG. 5, a method for transmitting a tunneling packet data according to the present invention is described in detail.
[64] The first packet supporting node 210 of the core network 200 receives a point-to-point tunneling packet data (for example, GRE/VJC packet data or GTP packet data) from the mobile communication terminal 10 and transmits the tunneling packet data to the tunneling packet sending/receiving unit 251 of the intrusion protection system 250 (S100, S200).
[65] The IP packet generating unit 252 of the intrusion protection system 250 performs at least one process selected from the group consisting of decapsulation, decompression and payload merging on the tunneling packet data 30, 40, 50 and 60 to generate IP packet data 31, 41, 51 and 61 each having a header field (IP header- TCP header or IP header- UDP header) and a payload field (TCP payload or UDP payload) as shown in FIGs. 3a to 4b (S300).
[66] The generated IP packet data 31, 41, 51 and 61 are transmitted to the abnormal traffic monitoring and handling unit 253 of the intrusion protection system 250, and the abnormal traffic monitoring and handling unit 253 judges if the IP packet data are abnormal traffic (for example, worm, virus, UDP Flooding, IP Spoofing, DoS traffic and so on) with reference to the malicious information database 254 (S400).
[67] At this time, in the case that the IP packet data are judged to be abnormal traffic, the abnormal traffic monitoring and handling unit 253 instructs the tunneling packet sending/receiving unit 251 to discard the corresponding tunneling packet data (S420). Meanwhile, in the case that the IP packet data are judged to be normal traffic, the abnormal traffic monitoring and handling unit 253 instructs the tunneling packet sending/receiving unit 251 to send the corresponding tunneling packet data to the second packet supporting node 260 (S410). Accordingly, a tunneling packet data received via the access network 100 is judged if it is an abnormal traffic, and transmitted to the corresponding mobile communication terminal via the second packet supporting node 260.
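As an added example (not the patent's own code) of the restoration mechanism of FIGs. 3 and 4 and the flow of FIG. 5: plain GRE and GTPv1-U tunnel headers are stripped, the inner IPv4 packet is parsed, and its L4 payload is judged against a constructed pattern table and a constructed per-source UDP rate limit before the verdict "discard" or "forward" is returned for the tunneling packet. Assumptions: the Van Jacobson decompression (GRE/VJC) case is omitted, and every packet, signature and threshold below is constructed for illustration.

```python
import struct

# Added example, not the patent's own code: restoration (decapsulation +
# payload merging) and discrimination for plain GRE and GTPv1-U tunnels.
# GRE/VJC decompression is not shown. All packets and signatures are constructed.

ETHERTYPE_IPV4 = 0x0800
GTP_G_PDU = 0xFF          # GTPv1-U message type for user data (T-PDU)
# Stand-in for the malicious information database 254 (constructed pattern).
MALICIOUS_PATTERNS = {b"EVIL_WORM_MARKER": "constructed worm signature"}
UDP_FLOOD_THRESHOLD = 3   # constructed per-source UDP packet limit per window

def decap_gre(tunnel):
    """Strip a GRE header (RFC 2784/2890) and return the inner IPv4 packet."""
    flags, proto = struct.unpack("!HH", tunnel[:4])
    if proto != ETHERTYPE_IPV4:
        raise ValueError("GRE payload is not IPv4")
    offset = 4
    if flags & 0x8000:   # C bit: checksum + reserved1
        offset += 4
    if flags & 0x2000:   # K bit: key
        offset += 4
    if flags & 0x1000:   # S bit: sequence number
        offset += 4
    return tunnel[offset:]

def decap_gtp(tunnel):
    """Strip a GTPv1-U G-PDU header and return the inner IPv4 packet."""
    flags, msg_type, length, _teid = struct.unpack("!BBHI", tunnel[:8])
    if flags >> 5 != 1 or msg_type != GTP_G_PDU:
        raise ValueError("not a GTPv1-U G-PDU")
    body = tunnel[8:8 + length]      # 'length' covers optional fields + T-PDU
    offset = 0
    if flags & 0x07:                 # S, PN or E set: 4-byte optional block
        offset = 4
        next_ext = body[3]
        while next_ext != 0:         # walk the extension header chain
            ext_len = body[offset] * 4
            next_ext = body[offset + ext_len - 1]
            offset += ext_len
    return body[offset:]

def parse_ipv4(pkt):
    """Split a restored IPv4 packet into header fields and the L4 payload."""
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    proto = pkt[9]
    l4 = pkt[ihl:total_len]
    sport, dport = struct.unpack("!HH", l4[:4])
    if proto == 6:                   # TCP: data offset in 32-bit words
        payload = l4[(l4[12] >> 4) * 4:]
    elif proto == 17:                # UDP: fixed 8-byte header
        payload = l4[8:]
    else:
        payload = l4
    return {"proto": proto, "src": ".".join(map(str, pkt[12:16])),
            "dst": ".".join(map(str, pkt[16:20])),
            "sport": sport, "dport": dport, "payload": payload}

def inspect_tunnel_packet(tunnel, kind, udp_counts):
    """Restore the IP packet and return ('discard'|'forward', reason).
    udp_counts: per-source counter for one observation window, a minimal
    stand-in for the patent's 'frequency of occurrence' check."""
    inner = decap_gre(tunnel) if kind == "gre" else decap_gtp(tunnel)
    ip = parse_ipv4(inner)
    for pattern, name in MALICIOUS_PATTERNS.items():
        if pattern in ip["payload"]:
            return "discard", name
    if ip["proto"] == 17:
        udp_counts[ip["src"]] = udp_counts.get(ip["src"], 0) + 1
        if udp_counts[ip["src"]] > UDP_FLOOD_THRESHOLD:
            return "discard", "UDP flooding from " + ip["src"]
    return "forward", None

# --- constructed sample traffic (checksums left zero; never sent on a wire)
def build_ipv4(proto, src, dst, l4):
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64,
                       proto, 0, bytes(src), bytes(dst)) + l4
def build_tcp(sport, dport, payload):
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x18,
                       8192, 0, 0) + payload
def build_udp(sport, dport, payload):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
def wrap_gre(inner, key=0x1234):           # GRE with K bit set
    return struct.pack("!HHI", 0x2000, ETHERTYPE_IPV4, key) + inner
def wrap_gtp(inner, teid=0xABCD, seq=7):   # GTPv1-U, S bit set, no ext hdr
    return struct.pack("!BBHIHBB", 0x32, GTP_G_PDU, len(inner) + 4, teid,
                       seq, 0, 0) + inner

# GRE-wrapped UDP datagram carrying the constructed worm marker (FIG. 3b case)
GRE_WORM = wrap_gre(build_ipv4(17, (10, 0, 0, 5), (10, 0, 0, 9),
                               build_udp(4000, 53, b"xxEVIL_WORM_MARKERxx")))
# GTP-wrapped benign HTTP request (FIG. 4 case)
GTP_OK = wrap_gtp(build_ipv4(6, (10, 0, 0, 5), (10, 0, 0, 9),
                             build_tcp(40000, 80, b"GET / HTTP/1.1\r\n\r\n")))
```

Calling `inspect_tunnel_packet(GRE_WORM, "gre", {})` yields the discard verdict for the worm sample and `inspect_tunnel_packet(GTP_OK, "gtp", {})` the forward verdict; the same `udp_counts` dict must be passed for every packet in a window for the flood check to accumulate.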
[68] Therefore, the present invention can block an abnormal traffic using a conventional IPS function in a point-to-point tunneling packet protocol between mobile communication terminals that do not pass through an IPS of an IP network.
[69] As described above, an exemplary embodiment of the present invention shows that a tunneling packet data is uplinked from a mobile communication terminal to a mobile communication network. However, it is obvious that the present invention is substantially equally applied to the case that a tunneling packet data is downlinked from a mobile communication network to a mobile communication terminal.
[70] As such, the preferred embodiments of the present invention are described in detail with reference to the accompanying drawings. However, it should be understood that the detailed description and specific examples, while indicating preferred embodiments of the invention, are given by way of illustration only, since various changes and modifications within the spirit and scope of the invention will become apparent to those skilled in the art from this detailed description.
Industrial Applicability
[71] The present invention can judge whether a tunneling packet data contains a normal or abnormal traffic by using a conventional abnormal traffic discriminating policy in a point-to-point tunneling protocol between mobile communication terminals in a synchronous or asynchronous mobile communication network.
[72] And, the intrusion protection device of the present invention is constructed in a core network of a mobile communication network, and thus can block an abnormal traffic before billing, thereby preventing an erroneous billing.

Claims
[1] An intrusion protection device located in a mobile communication network and configured to implement an intrusion protection function to a point-to-point tunneling packet protocol between mobile communication terminals, the intrusion protection device comprising: a restoration means for restoring an IP (Internet Protocol) packet data from a tunneling packet data transmitted between mobile communication terminals; a discrimination means for judging whether the IP packet data is a normal or abnormal traffic; and a discarding means for discarding the tunneling packet data in the case that the IP packet data is judged to be an abnormal traffic.
[2] The intrusion protection device according to claim 1, further comprising: a means for transmitting the tunneling packet data to a next network component when the IP packet data is judged to be a normal traffic by the discrimination means.
[3] The intrusion protection device according to claim 1 or 2, further comprising: a malicious information database for storing and managing a plurality of abnormal traffic pattern information, wherein the discrimination means judges whether the IP packet data is a normal or abnormal traffic with reference to the malicious information database.
[4] The intrusion protection device according to claim 3, wherein the restoration means includes: a decapsulation means for decapsulating the tunneling packet data; and a merging means for merging at least payload of the tunneling packet data.
[5] The intrusion protection device according to claim 4, wherein the restoration means further includes: a decompression means for decompressing the tunneling packet data.
[6] The intrusion protection device according to claim 3, wherein the intrusion protection device is located in a core network of the mobile communication network.
[7] The intrusion protection device according to claim 6, wherein, in the case that the mobile communication network is a synchronous system, the intrusion protection device is interposed between PCF (Packet Control Function) and PDSN (Packet Data Serving Node).
[8] The intrusion protection device according to claim 6, wherein, in the case that the mobile communication network is an asynchronous system, the intrusion protection device is interposed between SGSN (Serving GPRS Supporting Node) and GGSN (Gateway GPRS Supporting Node).
[9] A packet data transmission system for implementing a point-to-point tunneling protocol between mobile communication terminals, the packet data transmission system comprising: a first network node for supporting a tunneling packet protocol with an access network; a second network node for supporting a connection with another packet switching network; and an intrusion protection device interposed between the first network node and the second network node for restoring a tunneling packet data being transmitted to an IP packet data and discarding the tunneling packet data in the case that the restored IP packet data is an abnormal traffic.
[10] The packet data transmission system according to claim 9, wherein the intrusion protection device includes: a restoration means for restoring an IP packet data from the tunneling packet data; a discrimination means for judging whether the IP packet data is a normal or abnormal traffic; and a discarding means for discarding the tunneling packet data in the case that the IP packet data is judged to be an abnormal traffic.
[11] The packet data transmission system according to claim 10, wherein the intrusion protection device further includes: a means for transmitting the tunneling packet data to the first network node or the second network node when the IP packet data is judged to be a normal traffic by the discrimination means.
[12] The packet data transmission system according to claim 10 or 11, wherein the intrusion protection device further includes: a malicious information database for storing and managing a plurality of abnormal traffic pattern information, and wherein the discrimination means judges whether the IP packet data is a normal or abnormal traffic with reference to the malicious information database.
[13] The packet data transmission system according to claim 10, wherein the restoration means includes: a decapsulation means for decapsulating the tunneling packet data; and a merging means for merging at least payload of the tunneling packet data.
[14] The packet data transmission system according to claim 13, wherein the restoration means further includes: a decompression means for decompressing the tunneling packet data.
[15] The packet data transmission system according to claim 10, wherein the first network node is PCF (Packet Control Function), and the second network node is PDSN (Packet Data Serving Node).
[16] The packet data transmission system according to claim 10, wherein the first network node is SGSN (Serving GPRS Supporting Node), and the second network node is GGSN (Gateway GPRS Supporting Node).
[17] An intrusion protection method for monitoring and blocking an abnormal traffic of a point-to-point tunneling packet data between mobile communication terminals, the intrusion protection method comprising: a restoration step for restoring the tunneling packet data to an IP packet data; a discrimination step for judging whether the IP packet data is a normal or abnormal traffic; and a packet handling step for discarding the tunneling packet data when the IP packet data is judged to be an abnormal traffic in the discrimination step, and transmitting the tunneling packet data to another network node when the IP packet data is judged to be a normal traffic.
[18] The intrusion protection method according to claim 17, wherein the restoration step includes: a decapsulation step for decapsulating the tunneling packet data; and a merging step for merging at least payload of the tunneling packet data.
[19] The intrusion protection method according to claim 18, wherein the tunneling packet data is a GTP (GPRS (General Packet Radio Service) Tunneling Protocol) packet data.
[20] The intrusion protection method according to claim 18, wherein the tunneling packet data is a Van Jacobson compressed GRE (Generic Route Encapsulation) packet data.
[21] The intrusion protection method according to claim 20, wherein the restoration step further includes: a decompression step for decompressing the tunneling packet data.
PCT/KR2007/006652 2006-12-19 2007-12-18 Intrusion protection device and intrusion protection method for point-to-point tunneling protocol WO2008075891A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
JP2009541233A JP2010514248A (en) 2006-12-19 2007-12-18 Intrusion prevention apparatus and method for point-to-point tunneling communication

Applications Claiming Priority (4)

Application Number Priority Date Filing Date Title
KR10-2006-0130456 2006-12-19
KR20060130456 2006-12-19
KR10-2007-0132353 2007-12-17
KR1020070132353A KR20080057161A (en) 2006-12-19 2007-12-17 Intrusion protection device and intrusion protection method for point-to-point tunneling protocol

Publications (1)

Publication Number Publication Date
WO2008075891A1 true WO2008075891A1 (en) 2008-06-26

Family

ID=39536465

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/KR2007/006652 WO2008075891A1 (en) 2006-12-19 2007-12-18 Intrusion protection device and intrusion protection method for point-to-point tunneling protocol

Country Status (1)

Country Link
WO (1) WO2008075891A1 (en)

Legal Events

Date Code Title Description
WWE Wipo information: entry into national phase (Ref document number: 200780046592.9; Country of ref document: CN)
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 07851618; Country of ref document: EP; Kind code of ref document: A1)
ENP Entry into the national phase (Ref document number: 2009541233; Country of ref document: JP; Kind code of ref document: A)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 07851618; Country of ref document: EP; Kind code of ref document: A1)