WO2015030458A1 - Apparatus and method for detecting abnormal call - Google Patents

Apparatus and method for detecting abnormal call Download PDF

Info

Publication number
WO2015030458A1
WO2015030458A1 PCT/KR2014/007915 KR2014007915W WO2015030458A1 WO 2015030458 A1 WO2015030458 A1 WO 2015030458A1 KR 2014007915 W KR2014007915 W KR 2014007915W WO 2015030458 A1 WO2015030458 A1 WO 2015030458A1
Authority
WO
WIPO (PCT)
Prior art keywords
gtp
packet
teid
abnormal call
call detection
Prior art date
Application number
PCT/KR2014/007915
Other languages
French (fr)
Inventor
Chae Tae Im
Joo Hyung Oh
Se Kwon Kim
Jun Hyung Cho
Bon Min Koo
Original Assignee
Korea Internet & Security Agency
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Korea Internet & Security Agency filed Critical Korea Internet & Security Agency
Publication of WO2015030458A1 publication Critical patent/WO2015030458A1/en

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00Data switching networks
    • H04L12/02Details
    • H04L12/22Arrangements for preventing the taking of data from a data transmission channel without authorisation
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L65/00Network arrangements, protocols or services for supporting real-time applications in data packet communication
    • H04L65/10Architectures or entities
    • H04L65/1016IP multimedia subsystem [IMS]
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L65/00Network arrangements, protocols or services for supporting real-time applications in data packet communication
    • H04L65/10Architectures or entities
    • H04L65/102Gateways
    • H04L65/1033Signalling gateways
    • H04L65/104Signalling gateways in the network
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L65/00Network arrangements, protocols or services for supporting real-time applications in data packet communication
    • H04L65/1066Session management
    • H04L65/1069Session establishment or de-establishment
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L65/00Network arrangements, protocols or services for supporting real-time applications in data packet communication
    • H04L65/1066Session management
    • H04L65/1076Screening of IP real time communications, e.g. spam over Internet telephony [SPIT]
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L65/00Network arrangements, protocols or services for supporting real-time applications in data packet communication
    • H04L65/1066Session management
    • H04L65/1101Session protocols
    • H04L65/1104Session initiation protocol [SIP]
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/12Detection or prevention of fraud
    • H04W12/128Anti-malware arrangements, e.g. protection against SMS fraud or mobile malware
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04MTELEPHONIC COMMUNICATION
    • H04M2207/00Type of exchange or network, i.e. telephonic medium, in which the telephonic communication takes place
    • H04M2207/18Type of exchange or network, i.e. telephonic medium, in which the telephonic communication takes place wireless networks
    • H04M2207/187Type of exchange or network, i.e. telephonic medium, in which the telephonic communication takes place wireless networks combining circuit and packet-switched, e.g. GPRS
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04MTELEPHONIC COMMUNICATION
    • H04M3/00Automatic or semi-automatic exchanges
    • H04M3/22Arrangements for supervision, monitoring or testing
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W76/00Connection management
    • H04W76/10Connection setup
    • H04W76/12Setup of transport tunnels

Definitions

  • the invention relates to an apparatus and method for detecting an abnormal call, and more particularly, to an abnormal call detection apparatus and method capable of detecting an abnormal call based on session information in a mobile environment using a General Packet Radio Service (GPRS) Tunneling Protocol (GTP).
  • GPRS General Packet Radio Service
  • GTP General Packet Radio Service Tunneling Protocol
  • a 4th Generation (4G) network (or a Long-Term Evolution (LTE) network) includes a 4G Enterprise-Radio Access Network (E-RAN) managing wireless resources and a 4G Evolved Packet Core (EPC) performing data processing/authorization/charging.
  • E-RAN 4G Enterprise-Radio Access Network
  • EPC 4G Evolved Packet Core
  • the 4G E-RAN includes User Equipment (UE) and an evolved Node B (eNB), and the 4G EPC includes a Mobility Management Entity (MME), a Serving Gateway (S-GW), a Packet Data Network (PDN) Gateway (P-GW), a Home Subscriber Server (HSS), and a Policy & Charging Rule Function (PCRF).
  • MME Mobility Management Entity
  • S-GW Serving Gateway
  • PDN Packet Data Network Gateway
  • HSS Home Subscriber Server
  • PCRF Policy & Charging Rule Function
  • a data packet may be transmitted through a S1-U GPRS Tunneling Protocol (GTP) tunnel between the eNB and the S-GW and a S5 GTP tunnel between the S-GW and the P-GW.
  • the data packet includes a Session Initiation Protocol (SIP) message for setting a Voice over LTE (VoLTE) call, and may be transmitted by being capsulated into the payload of a GTP packet.
  • SIP Session Initiation Protocol
  • the P-GW transmits the data packet into an Internet Protocol (IP) Multimedia Subsystem (IMS) network without considering the values included in the SIP message. Accordingly, even when the SIP message includes fabricated values, the data packet may be forwarded into the IMS network without being hindered.
  • IP Internet Protocol
  • IMS Internet Multimedia Subsystem
  • Exemplary embodiments of the invention provide an abnormal call detection method of detecting an abnormal call, which is capable of detecting an abnormal call with a fabricated user equipment identification number in a Session Initiation Protocol (SIP) message.
  • SIP Session Initiation Protocol
  • Exemplary embodiments of the invention also provide an abnormal call detection method of detecting an abnormal call, which is capable of detecting an abnormal call with a fabricated user equipment identification number in an SIP message.
  • an abnormal call detection apparatus includes: a session information storage unit configured to store session information, including a first General Packet Radio Service (GPRS) Tunneling Protocol (GTP)-U Tunnel Endpoint Identifier (TEID) and a first User Equipment (UE) identification number; a packet information extraction unit configured to extract a second GTP-U TEID from a GTP-U packet, extract an SIP message from the payload of the GTP-U packet and extract a second UE identification number from the SIP message; and a packet processing unit configured to drop the GTP-U packet in response to the first and second GTP-U TEIDs being identical but the first and second UE identification numbers being different.
  • GPRS General Packet Radio Service
  • GTP General Packet Radio Service
  • TEID Tunneling Protocol
  • UE User Equipment
  • an abnormal call detection apparatus includes: a GTP-C packet information extraction unit configured to extract a first GTP-U TEID and a first UE identification number from a GTP-C packet; a session information storage unit configured to store session information, including the first GTP-U TEID and the first UE identification number; a GTP-U packet information extraction unit configured to extract a second GTP-U TEID from the header of a GTP-U packet, extract an SIP message from the payload of the GTP-U packet and extract a second UE identification number from the SIP message; and a packet processing unit configured to drop the GTP-U packet in accordance with the results of comparison of the first and second GTP-U TEIDs with each other and comparison of the first and second UE identification numbers with each other.
  • an abnormal call detection system includes: a session information collection apparatus including a GTP-C packet information extraction unit, which extracts a first GTP-U TEID and a first UE identification number from a GTP-C packet, and a session information generation unit, which generates session information including the first GTP-U TEID and the first UE identification number; and an abnormal call detection apparatus including a GTP-U packet information extraction unit, which extracts a second GTP-U TEID from the header of a GTP-U packet, extracts an SIP message from the payload of the GTP-U packet, and extracts a second UE identification number from the SIP message, and a packet processing unit, which drops the GTP-U packet in accordance with results of comparison of the first and second GTP-U TEIDs with each other and comparison of the first and second UE identification numbers with each other with the use of the session information provided by the session information collection apparatus.
  • an abnormal call detection method includes: receiving a GTP-U packet; extracting a second GTP-U TEID from the header of a GTP-U packet, extracting an SIP message from the payload of the GTP-U packet, and extracting a second UE identification number from the SIP message; comparing the second GTP-U TEID and the second UE identification number with a first GTP-U TEID and a first UE identification number, respectively, of session information and to determine whether the first and second GTP-U TEIDs are identical and whether the first and second UE identification numbers are identical; and in response to the first and second GTP-U TEIDs being identical but the first and second UE identification numbers being different, dropping the GTP-U packet.
  • a General Packet Radio Service (GPRS) Tunneling Protocol (GTP)-U Tunnel Endpoint Identifier (TEID) is extracted from a GTP-U packet
  • GTP General Packet Radio Service
  • SIP Session Initiation Protocol
  • UE User Equipment
  • FIG. 1 is a block diagram of an abnormal call detection apparatus according to an exemplary embodiment of the invention.
  • FIG. 2 is a diagram illustrating the transmission of an abnormal Session Initiation Protocol (SIP) message within a 4th Generation (4G) or between the 4G network and an Internet Protocol (IP) Multimedia Subsystem (IMS) network.
  • SIP Session Initiation Protocol
  • 4G 4th Generation
  • IP Internet Protocol
  • IMS Internet Multimedia Subsystem
  • FIG. 3 is a diagram illustrating the setting of a Voice over LTE (VoLTE) call with the use of an SIP message.
  • VoIP Voice over LTE
  • FIG. 4 is a diagram for explaining values included in an “SIP Invite” message.
  • FIG. 5 is a table for explaining session information stored in a session information storage unit illustrated in FIG. 1.
  • FIG. 6 is a flowchart illustrating an abnormal call detection method according to an exemplary embodiment of the invention.
  • FIG. 7 is a block diagram of an abnormal call detection apparatus according to another exemplary embodiment of the invention.
  • FIG. 8 is a diagram illustrating the creation of a General Packet Radio Service (GPRS) Tunneling Protocol (GTP) tunnel in a 4G network.
  • GPRS General Packet Radio Service
  • GTP General Packet Radio Service Tunneling Protocol
  • FIG. 9 is a diagram for explaining values included in a “Create Session Request” message.
  • FIG. 10 is a diagram for explaining values included in a “Create Session Response” message.
  • FIG. 11 is a block diagram of an abnormal call detection system according to an exemplary embodiment of the invention.
  • FIG. 12 is a flowchart illustrating a session information collection method according to an exemplary embodiment of the invention.
  • FIG. 13 is a diagram illustrating the structure of a 4G network to which an abnormal call detection apparatus or method according to exemplary embodiments of the invention is applied.
  • FIG. 14 is a diagram illustrating the structure of an IMS network interlinked with the 4G network illustrated in FIG. 13.
  • Each block represents a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that in some alternative implementations, the functions noted in the blocks may occur out of the order noted herein. For example, two blocks shown herein in succession may in fact be executed substantially concurrently or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved, as will be further clarified hereinbelow.
  • first, second, and so forth are used to describe diverse constituent elements, such constituent elements are not limited by the terms. The terms are used only to discriminate a constituent element from other constituent elements. Accordingly, in the following description, a first constituent element may be a second constituent element.
  • FIG. 1 is a block diagram of an abnormal call detection apparatus according to an exemplary embodiment of the invention.
  • an abnormal call detection apparatus 100 incudes Network Interface Cards (NICs) 110a and 110b, a packet information extraction unit 120, a packet analysis unit 130, a session information storage unit 140, a packet processing unit 150, and a log storage unit 160.
  • NICs Network Interface Cards
  • the NIC 110a receives a General Packet Radio Service (GPRS) Tunneling Protocol (GTP)-U packet, and transmits the GTP-U packet to the packet information extraction unit 120.
  • the NIC 110b forwards or drop the GTP-U packet in accordance with a control signal.
  • the NICs 110a and 110b may be typical NICs or hardware acceleration NICs.
  • the GTP-U packet is used for transmitting a user’s data packet within a 4th Generation (4G) network.
  • the packet information extraction unit 120 extracts various packet information from the GTP-U packet.
  • the packet information extraction unit 120 may extract a Tunnel Endpoint IDentifier (TEID) from the header of the GTP-U packet.
  • the TEID may be an uplink GTP-U TEID.
  • uplink may indicate the transmission of a data packet from User Equipment (UE) to an Internet Protocol (IP) Multimedia Subsystem (IMS) network
  • IP Internet Protocol
  • IMS Internet Multimedia Subsystem
  • downlink as used herein, may indicate the transmission of a data packet from an IMS network to UE.
  • the packet information extraction unit 120 may extract a Session Initiation Protocol (SIP) message from the payload of the GTP-U packet.
  • SIP Session Initiation Protocol
  • the SIP message is used for connecting a Voice over LTE (VoLTE) call.
  • VoIP Voice over LTE
  • the packet information extraction unit 120 may extract a UE identification number from the SIP message.
  • the UE identification number may be a Mobile Station International Integrated Service Digital Network (ISDN) Number (MSISDN), but the invention is not limited thereto.
  • ISDN Mobile Station International Integrated Service Digital Network
  • the packet analysis unit 130 may determine whether the GTP-U packet is associated with an abnormal call based on the uplink GTP-U TEID and the UE identification number extracted by the packet information extraction unit 120.
  • the term “abnormal call”, as used herein, may indicate a GTP-U packet with an SIP message having a fabricated UE identification number.
  • the packet analysis unit 130 may use session information stored in advance to analyze the GTP-U packet.
  • the session information storage unit 140 may store session information, including an uplink GTP-U TEID and a UE identification number, in advance.
  • the uplink GTP-U TEID and the UE identification number of the session information may be extracted in advance from a GTP-C packet.
  • the GTP-C packet is used for creating/updating/deleting a GTP tunnel within a 4G network.
  • the GTP-U packet may be transmitted via a GTP tunnel.
  • the uplink GTP-U TEID and the UE identification number stored in the session information storage unit 140 will hereinafter be referred to as a first uplink GTP-U TEID and a first UE identification number, respectively, and the uplink GTP-U TEID and the UE identification number extracted by the packet information extraction unit 120 will hereinafter be referred to as a second uplink GTP-U TEID and a second UE identification number, respectively.
  • the packet analysis unit 130 may detect an abnormal call by determining whether the first and second uplink GTP-U TEIDs are identical and whether the first and second UE identification numbers are identical. The packet analysis unit 130 may determine whether there exists a first uplink GTP-U TEID identical to the second uplink GTP-U TEID in session information. In response to the first and second uplink GTP-U TEIDs being identical but the first and second UE identification numbers being different, the packet analysis unit 130 may determine that the second UE identification number has been fabricated, and may determine the GTP-U packet as being associated with an abnormal call.
  • the packet processing unit 150 may control the NIC 110b to forward or drop the GTP-U packet depending on the results of the detection of an abnormal call by the packet analysis unit 130.
  • the expression “forward the GTP-U packet”, as used herein, may indicate transmitting the GTP-U packet to a destination IP address
  • the expression “drop the GTP-U packet, as used herein, may indicate not transmitting the GTP-U packet to the destination IP address.
  • the log storage unit 160 may write a detection log.
  • the detection log may include at least one of the second uplink GTP-U TEID and the second UE identification number extracted from the GTP-U packet.
  • the detection log may also include information such as the time of detection of an abnormal call, whether the GTP-U packet has been dropped and the destination IP address and a destination port of the GTP-U packet.
  • the NICs 110a and 110b, the packet information extraction unit 120, the packet analysis unit 130, the session information storage unit 140, the packet processing unit 150, and the log storage unit 160 are provided as separate elements.
  • the packet information extraction unit 120, the packet analysis unit 130, and the packet processing unit 150 may be incorporated into a single unit or module, or the session information storage unit 140 and the log storage unit 160 may be incorporated into a single unit or module.
  • FIG. 2 is a diagram illustrating the transmission of an abnormal SIP message within a 4G or between the 4G network and an IMS network.
  • UE 1100 may transmit a data packet to a Serving Gateway 1400, and the S-GW 1400 may transmit the data packet transmitted by the UE 1100 to a Packet Data Network (PDN) Gateway 1500.
  • PDN Packet Data Network
  • the UE 1100 may transmit a data packet to an evolved Node B (eNB). Then, the eNB may transmit the data packet to the S-GW 1400, and the S-GW 1400 may transmit the data packet to the P-GW 1500.
  • the data packet transmitted by the UE 1100 may be an IP packet.
  • a GTP tunnel may be created between the eNB and the S-GW 1400 and between the S-GW 1400 and the P-GW 1500, respectively, and the data packet transmitted by the UE 1100 may be transmitted to the P-GW via each of the GTP tunnels.
  • the data packet transmitted by the UE 1100 may be transmitted within a 4G network with the use of a GTP protocol.
  • a GTP-U packet transmitted from the UE 1100 to the P-GW 1500 may be referred to as an outbound GTP-U Packet.
  • An IP header, a User Datagram Protocol (UDP) header, and a GTP-U header for a GTP tunnel may be added to the header of the GTP-U packet, and the data packet transmitted by the UE 1100 may be capsulated into the payload of the GTP-U packet.
  • the header of the GTP-U header may include a TEID.
  • the data packet transmitted by the UE 1100 may be transmitted from the P-GW 1500 to a Proxy Call Session Control Function (P-CSCF) 2100 in an IMS network.
  • P-CSCF Proxy Call Session Control Function
  • the data packet transmitted by the UE 1100 may include an SIP message for setting a VoLTE call.
  • the SIP message may include a UE identification number.
  • the PG-SW 1500 in the 4G network transmits the data packet transmitted by the UE 1100 to the P-CSCF 2100 in the IMS network without considering the values included in the SIP message. Accordingly, even when the SIP message includes some fabricated values, instead of an uplink GTP-U TEID and a UE identification number allocated upon the creation/update of a GTP tunnel the data packet transmitted by the UE 1100 may be transmitted to the P-GW 1500 and to the P-CSCF 2100 in the IMS network without being hindered.
  • reference numerals 10 and 30 denote the transmission of normal SIP messages
  • reference numerals 20 and 40 denote the transmission of abnormal SIP messages.
  • the abnormal call detection apparatus 100 may store a first uplink GTP-U TEID and a first UE identification number that are allocated upon the creation/update of a GTP tunnel in advance as session information, may detect an abnormal SIP message by comparing the first GTP-U TEID and the first UE identification number of the session information with a second GTP-U TEID and a second UE identification number, respectively, that are extracted from a GTP-U packet to determine whether the first and second GTP-U TEIDs are identical and whether the first and second UE identification numbers are identical.
  • FIG. 3 is a diagram illustrating the setting of a Voice over LTE (VoLTE) call with the use of an SIP message.
  • VoIP Voice over LTE
  • a VoLTE call setting process may be completed.
  • an SIP message may be transmitted via a P-GW 500 in a 4G network and via a P-CSCF 2100, an Interrogating Call Session Control Function (I-CSCF) 2200 and a Serving Call Session Control Function (S-CSCF) 2300 in an IMS network.
  • I-CSCF Interrogating Call Session Control Function
  • S-CSCF Serving Call Session Control Function
  • the sender UE 1100a and the receiver UE 1100b may transmit voice traffic to or receive voice traffic from each other by using a Real-time Transport Protocol (RTP).
  • RTP Real-time Transport Protocol
  • the packet information extraction unit 120 may extract a second UE identification number from a first “SIP Invite” message transmitted by the sender UE 1100a.
  • FIG. 4 is a diagram for explaining values included in an “SIP Invite” message.
  • the message header of an “SIP Invite” message may include a “Via” field, a “From” field, and a “P_Preferred_Identity” field.
  • a UE IP address may be recorded in the “Via” field, and a UE identification number may be recorded in each of the “From” and “P_Preferred_Identity” fields.
  • the packet information extraction unit 120 may extract a second UE identification number from the “From” field of the “SIP Invite” message.
  • the message header or the message body of the “SIP Invite” message may also include other fields having a UE identification number recorded therein.
  • the packet information extraction unit 120 may also extract a second UE identification number from the other fields.
  • FIG. 5 is a table for explaining session information stored in a session information storage unit illustrated in FIG. 1.
  • the session information storage unit 140 may store session information including an uplink GTP-C TEID, an uplink GTP-U TEID, a UE identification number (for example, an MSISDN), a downlink GTP-C TEID, and a response flag.
  • session information including an uplink GTP-C TEID, an uplink GTP-U TEID, a UE identification number (for example, an MSISDN), a downlink GTP-C TEID, and a response flag.
  • the uplink GTP-C TEID may be the TEID of a GTP-C packet transmitted from a Mobility Management Entity (MME) to the S-GW 1400 or the TEID of a GTP-C packet transmitted from the S-GW 1400 to the P-GW 1500 via an S5 GTP tunnel.
  • MME Mobility Management Entity
  • the downlink GTP-C TEID may be the TEID of a GTP-C packet transmitted from the S-GW 1400 to the MME 1400 via an S11 GTP tunnel or the TEID of a GTP-C packet transmitted from the P-GW 1500 to the S-GW 1400 via the S5 GTP tunnel.
  • the session information storage unit 140 may manage the session information together with GTP tunnel information (for example, TEIDs).
  • GTP tunnel information for example, TEIDs.
  • the session information storage unit 140 may update session information corresponding to the TEID of the GTP-C packet, and may store the updated session information.
  • the session information storage unit 140 may delete the session information corresponding to the TEID of the GTP-C packet.
  • FIG. 6 is a flowchart illustrating an abnormal call detection method according to an exemplary embodiment of the invention. For convenience, detailed descriptions of features that the exemplary embodiment of FIG. 6 and the exemplary embodiment of FIG. 1 have in common will be omitted.
  • a GTP-U packet is received (S201).
  • the packet information extraction unit 120 extracts information from the GTP-U packet (S202), and determines whether an SIP message exists in the payload of the GTP-U packet (S203).
  • the packet information extraction unit 120 determines whether the SIP message in the payload of the GTP-U packet is an “SIP Invite” message (S204).
  • the packet information extraction unit 120 extracts a second uplink GTP-U TEID from the header of the GTP-U packet and a second UE identification number from the “SIP Invite” message (S205).
  • the second UE identification number may be an MSISDN, but the invention is not limited thereto.
  • the packet analysis unit 130 determines whether session information corresponding to the second uplink GTP-U TEID exists in the session information storage unit 140 (S206).
  • the packet analysis unit 130 may determine whether there exists a first uplink GTP-U TEID identical to the second uplink GTP-U TEID in the session information corresponding to the second uplink GTP-U TEID.
  • the packet analysis unit 130 may determine whether the session information matches the second uplink GTP-U TEID and the second UE identification number (S207).
  • the packet analysis unit 130 may compare a first uplink GTP-U TEID and a first UE identification number of the session information with the second uplink GTP-U TEID and the second UE identification number, respectively, to determine whether the session information matches the second uplink GTP-U TEID and the second UE identification number.
  • the packet processing unit 150 forwards the GTP-U packet (S209).
  • the packet processing unit 150 may also forward the GTP-U packet if no SIP message is included in the GTP-U packet, an SIP message is included in the GTP-U packet but is not an “SIP Invite” message, or there is no matching session information.
  • the packet processing unit 150 drops the GTP-U packet (S209).
  • the packet analysis unit 130 may drop the GTP-U packet if the first and second uplink GTP-U TEIDs are identical but the first and second UE identification numbers are different.
  • the log storage unit 160 may write a detection log (S210).
  • FIG. 7 is a block diagram of an abnormal call detection apparatus according to another exemplary embodiment of the invention.
  • the exemplary embodiment of FIG. 7 will hereinafter be described, focusing mainly on differences with the exemplary embodiment of FIG. 1.
  • an abnormal call detection apparatus 300 includes NICs 310a and 310b, a GTP-U packet information extraction unit 320, a packet analysis unit 330, a session information storage unit 340, a packet processing unit 350, a log storage unit 360, a packet classification unit 370, a GTP-C packet information extraction unit 380, and a session information generation unit 390.
  • the NIC 310a receives a GTP packet, and transmits the GTP packet to the packet classification unit 370.
  • the NIC 310b forwards or drops the GTP packet in accordance with a control signal provided by the packet processing unit 350.
  • the GTP-U packet information extraction unit 320 may extract a second uplink GTP-U TEID from the header of a GTP-U packet.
  • the GTP-U packet information extraction unit 320 may extract an SIP message from the payload of the GTP-U packet and a second UE identification number from the SIP message.
  • the packet analysis unit 330 may detect an abnormal call by comparing the second uplink GTP-U TEID and the second UE identification number with a first uplink GTP-U TEID and a first UE identification number, respectively, to determine whether the first and second GTP-U TEIDs are identical and whether the first and second UE identification numbers are identical.
  • the session information storage unit 340 may store session information, including the first uplink GTP-U TEID and the first UE identification number, in advance.
  • the packet processing unit 350 may control the NIC 310b to forward or drop a GTP packet based on the results of the detection of an abnormal call by the packet analysis unit 330.
  • the log storage unit 360 may write a detection log in response to the GTP-U packet being dropped in accordance with the results of the detection of an abnormal call by the packet analysis unit 330.
  • the packet classification unit 370 classifies a GTP packet. More specifically, the packet classification unit 370 may classify a GTP packet as a GTP-C packet or a GTP-U packet. The packet classification unit 370 may transmit a GTP-C packet to the GTP-C packet information extraction unit 380 and may transmit a GTP-U packet to the GTP-U packet information extraction unit 320.
  • the GTP-C packet information extraction unit 380 may extract a first uplink GTP-U TEID and a first UE identification number from a GTP-C packet.
  • the GTP-C packet information extraction unit 380 may also extract an uplink GTP-C TEID and a downlink GTP-C TEID from the GTP-C packet.
  • the session information generation unit 390 may generate session information, including the first uplink GTP-U TEID and the first UE identification number extracted by the GTP-C packet information extraction unit 380.
  • FIG. 8 is a diagram illustrating the creation of a GTP tunnel in a 4G network.
  • a “Create Session Request” message and a “Create Session Response” message may be transmitted to create a GTP tunnel in a 4G network.
  • the “Create Session Request” message and the “Create Session Response” message may be included in a GTP-C packet and may then be transmitted.
  • An MME 1300 may transmit the “Create Session Request” message to a S-GW 1400, and the S-GW 1400 may transmit the “Create Session Request” message to a P-GW 1500.
  • the P-GW 1500 may transmit the “Create Session Response” message to the S-GW 1400 and may thus create an S5 GTP tunnel between the S-GW 1400 and the P-GW 1500.
  • the S-GW 1400 may transmit the “Create Session Response” message to the MME 1300 and may thus create an S11 GTP tunnel between the MME 1300 and the S-GW 1400 and an S1-U GTP tunnel between an eNB 1200 and the S-GW 1400.
  • An “Update Session” message and a “Delete Session” message may be transmitted via the S11 GTP tunnel or the S5 GTP tunnel.
  • messages may be additionally transmitted between the eNB 1200 and the MME 1300 and between the MME 1300 and the S-GW 1400 before the creation of the S1-U GTP tunnel.
  • the GTP-C packet information extraction unit 380 may extract a first UE identification number and a first uplink GTP-U TEID from the “Create Session Request” message and the “Create Session Response” message.
  • FIG. 9 is a diagram for explaining values included in a “Create Session Request” message
  • FIG. 10 is a diagram for explaining values included in a “Create Session Response” message.
  • the header of a “Create Session Request” message may include a “Sequence Number” field, an “MSISDN” field, and an “F-TEID” field
  • the header of a “Create Session Response” message may include a “Tunnel Endpoint Identifier” field, a “Sequence Number” field, an “F-TEID” field, and a “Bearer Context” field.
  • a UE identification number may be recorded in the “MSISDN” field of the “Create Session Request” message
  • an uplink GTP-U TEID may be recorded in the “Bearer Context” field of the “Create Session Response” message.
  • the value recorded in the “Sequence Number” field may be used for a matching between the “Create Session Request” message and the “Create Session Response” message.
  • the GTP-C packet information extraction unit 380 may extract a UE identification number from the “MSISDN” field of the “Create Session Request” message and an uplink GTP-U TEID from the “Bearer Context” field of the “Create Session Response” message.
  • the GTP-C packet information extraction unit 380 may extract a downlink GTP-C TEID from the “F-TEID” field of the “Create Session Request” message and an uplink GTP-C TEID from the “F-TEID” field of the “Create Session Response” message.
  • the uplink GTP-C TEID and the downlink GTP-C TEID may be used to update and delete session information.
  • FIG. 11 is a block diagram of an abnormal call detection system according to an exemplary embodiment of the invention.
  • the exemplary embodiment of FIG. 11 will hereinafter be described, focusing mainly on differences with the exemplary embodiment of FIG. 7.
  • an abnormal call detection system 400 includes a session information collection apparatus 410 and an abnormal call detection apparatus 420.
  • the session information collection apparatus 410 may include NICs 411a and 411b, a GTP-C packet information extraction unit 408, a session information generation unit 409, and a packet processing unit 405.
  • the abnormal call detection apparatus 420 may include NICs 421a and 421b, a GTP-U packet information extraction unit 422, a packet analysis unit 423, a session information storage unit 424, a packet processing unit 425, and a log storage unit 426.
  • an element for extracting a first uplink GTP-U TEID and a first UE identification number from a GTP-C packet and generating session information including the first uplink GTP-U TEID and the first UE identification number and an element for extracting a second uplink GTP-U TEID and a second UE identification number from a GTP-U packet and detecting an abnormal call by comparing the second uplink GTP-U TEID and the second UE identification number with the session information are physically separate from each other.
  • the GTP packet information extraction unit 408 may extract a first uplink GTP-U TEID and a first UE identification number from a GTP-C packet.
  • the session information generation unit 409 may generate session information including the first uplink GTP-U TEID and the first UE identification number extracted by the GTP-C packet information extraction unit 408.
  • the GTP-U packet information extraction unit 422 may extract an uplink GTP-U TEID from the header of a GTP-U packet, may extract an SIP message from the payload of the GTP-U packet, and may extract a second UE identification number from the SIP message.
  • the packet analysis unit 423 may detect an abnormal call with the use of session information present in the session information storage unit 424, and particularly, by comparing the first uplink GTP-U TEID and the first UE identification number with the second uplink GTP-U TEID and the second UE identification number, respectively, to determine whether the first and second uplink GTP-U TEIDs are identical and whether the first and second UE identification numbers are identical.
  • the session information storage unit 424 may store session information provided by the session information collection apparatus 410.
  • the packet processing unit 425 may control the NIC 421b to forward or drop a GTP-U packet in accordance with the results of the detection of an abnormal call by the packet analysis unit 423.
  • FIG. 12 is a flowchart illustrating a session information collection method according to an exemplary embodiment of the invention.
  • a GTP-C packet is received (S501).
  • the GTP-C packet information extraction unit 380 or 408 extracts information from the GTP-C packet (S502), and determines whether the GTP-C packet includes a “Create Session” message (S503).
  • the GTP-C packet information extraction unit 380 or 408 determines whether the “Create Session” message included in the GTP-C packet is a “Create Session Request” message (S504).
  • the GTP-C packet information extraction unit 380 or 408 extracts a downlink GTP-C TEID and a UE identification number and sets a response flag to “0” (S505).
  • the UE identification number may be an MSISDN, but the invention is not limited thereto.
  • the GTP-C packet information extraction unit 380 or 408 extracts an uplink GTP-C TEID and an uplink GTP-U TEID, and sets the response flag to “1” (S506).
  • the GTP-C packet information extraction unit 380 or 408 determines whether the GTP-C packet includes an “Update Session” message (S507). In response to a determination being made that the GTP-C packet includes an “Update Session” message, the session information storage unit 390 or 409 updates session information corresponding to the TEID of the GTP-C packet and stores the updated session information (S508).
  • the session information storage unit 390 or 409 deletes the session information corresponding to the TEID of the GTP-C packet (S509).
  • the packet processing unit 350 or 405 forwards the GTP-C packet (S510).
  • FIG. 13 is a diagram illustrating the structure of a 4G network to which an abnormal call detection apparatus or method according to exemplary embodiments of the invention is applied.
  • a 4G network 1000 may include a 4G Enterprise Radio Access Network (E-RAN) managing wireless resources and a 4G Evolved Packet Core (EPC) performing data processing/authorization/charging.
  • E-RAN 4G Enterprise Radio Access Network
  • EPC 4G Evolved Packet Core
  • the 4G E-RAN may include UE 1100 and an eNB 1200.
  • the UE 1100 may be a subscriber mobile terminal of the 4G network 1000.
  • the eNB 1200 may be a base station providing wireless connection between the UE 1100 and the 4G network 1000.
  • the 4G EPC may include an MME 1300, an S-GW 1400, a P-GW 1500, a Home Subscriber Server 1600, and a Policy & Charging Rule Function (PCRF) 1700.
  • the MME 1300 may transmit a GTP packet to or receive a GTP packet from the eNB 1200 via an S1-MME GTP tunnel.
  • the S-GW 1400 may transmit a GTP packet to or receive a GTP packet from the eNB 1200 via an S1-U GTP tunnel.
  • the MME 1300 may transmit a GTP packet to or receive a GTP packet from the S-GW 1400 via an S11 GTP tunnel.
  • the P-GW 1500 may be connected to a P-CSCF 2100 of an IMS network and to the Internet.
  • the S1-U GTP tunnel may be a path for data traffic
  • the S11 GTP tunnel may be a path for signaling
  • the S5 GTP tunnel may be a path for data traffic and signaling.
  • the abnormal call detection apparatus 100 or 300 of FIG. 1 or 7 may be provided at a point P1 between the eNB 1200 and the MME 1300, a point P2 between the MME 1300 and the S-GW 1400 or a point P3 between the S-GW 1400 and the P-GW 1500.
  • the abnormal call detection apparatus 100 or 300 of FIG. 1 or 7 may be provided as an element of the S-GW 1400 or the P-GW 1500.
  • the session information collection apparatus 410 of the abnormal call detection apparatus 400 of FIG. 11 may be provided at the point P2 between the MME 1300 and the S-GW 1400, and the abnormal call detection apparatus 420 of the abnormal call detection apparatus 400 of FIG. 11 may be provided at the point P1 between the eNB 1200 and the S-GW 1400.
  • the 4G network 1000 may be connected to a 3rd Generation (3G) network or a femtocell network via the S-GW 1400.
  • 3G 3rd Generation
  • FIG. 14 is a diagram illustrating the structure of an IMS network interlinked with the 4G network illustrated in FIG. 13.
  • an IMS network 2000 may include a P-CSCF 2100, an I-CSCF 2200, an S-CSCF 2300, a Border Gateway Control Function 2400, an HSS 2500, an S-GW 2600, a Media Gateway Control Function (MGCF) 2700, an Application Server (AS) 2800, and a Media-Gateway (M-GW) 2900.
  • An SIP message transmitted by the UE 1100 in the 4G network 1000 may be forwarded into the IMS network 2000 via the P-GW 1500.
  • the P-CSCFF 2100 which is connected to the P-GW 1500, may transmit the SIP message to the I-CSCF 2200, and the I-CSCF 2200 may transmit the SIP message to the S-CSCF 2300.
  • the S-GW 2600 may be connected to a Public Switching Telephone Network (PSTN), and the M-GW 2900 may be connected to a Public Land Mobile Network (PLMN).
  • PSTN Public Switching Telephone Network
  • PLMN Public Land Mobile Network
  • abnormal call detection apparatus 100 or 300 of FIG. 1 or 7 or the abnormal call detection system 400 of FIG. 11 may be provided at the point P1, P2 or P3 in the 4G network 1000, an abnormal call with a fabricated UE identification number in an SIP message may be detected, and may be prevented from being forwarded into the IMS network 2000.
  • a software module may reside in a RAM memory, flash memory, a ROM memory, an EPROM memory, an EEPROM memory, registers, a hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art.
  • An exemplary storage medium may be coupled to the processor, such that the processor can read information from, and write information to, the storage medium.
  • the storage medium may be integral to the processor.
  • the processor and the storage medium may reside in an ASIC. Additionally, the ASIC may reside in a user terminal. In the alternative, the processor and the storage medium may reside as discrete components in a user terminal.

Landscapes

  • Engineering & Computer Science (AREA)
  • Multimedia (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Business, Economics & Management (AREA)
  • General Business, Economics & Management (AREA)
  • Computer Security & Cryptography (AREA)
  • Telephonic Communication Services (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

An abnormal call detection apparatus and method are provided. The abnormal call detection apparatus includes: a session information storage unit configured to store session information, including a first General Packet Radio Service (GPRS) Tunneling Protocol (GTP)-U Tunnel Endpoint Identifier (TEID) and a first User Equipment (UE) identification number; a packet information extraction unit configured to extract a second GTP-U TEID from a GTP-U packet, extract a Session Initiation Protocol (SIP) message from the payload of the GTP-U packet and extract a second UE identification number from the SIP message; and a packet processing unit configured to drop the GTP-U packet in response to the first and second GTP-U TEIDs being identical but the first and second UE identification numbers being different.

Description

APPARATUS AND METHOD FOR DETECTING ABNORMAL CALL
The invention relates to an apparatus and method for detecting an abnormal call, and more particularly, to an abnormal call detection apparatus and method capable of detecting an abnormal call based on session information in a mobile environment using a General Packet Radio Service (GPRS) Tunneling Protocol (GTP).
A 4th Generation (4G) network (or a Long-Term Evolution (LTE) network) includes a 4G Enterprise-Radio Access Network (E-RAN) managing wireless resources and a 4G Evolved Packet Core (EPC) performing data processing/authorization/charging.
The 4G E-RAN includes User Equipment (UE) and an evolved Node B (eNB), and the 4G EPC includes a Mobility Management Entity (MME), a Serving Gateway (S-GW), a Packet Data Network (PDN) Gateway (P-GW), a Home Subscriber Server (HSS), and a Policy & Charging Rule Function (PCRF).
In the 4G network, a data packet may be transmitted through a S1-U GPRS Tunneling Protocol (GTP) tunnel between the eNB and the S-GW and a S5 GTP tunnel between the S-GW and the P-GW. The data packet includes a Session Initiation Protocol (SIP) message for setting a Voice over LTE (VoLTE) call, and may be transmitted by being capsulated into the payload of a GTP packet.
The P-GW transmits the data packet into an Internet Protocol (IP) Multimedia Subsystem (IMS) network without considering the values included in the SIP message. Accordingly, even when the SIP message includes fabricated values, the data packet may be forwarded into the IMS network without being hindered.
Exemplary embodiments of the invention provide an abnormal call detection method of detecting an abnormal call, which is capable of detecting an abnormal call with a fabricated user equipment identification number in a Session Initiation Protocol (SIP) message.
Exemplary embodiments of the invention also provide an abnormal call detection method of detecting an abnormal call, which is capable of detecting an abnormal call with a fabricated user equipment identification number in an SIP message.
However, exemplary embodiments of the invention are not restricted to those set forth herein. The above and other exemplary embodiments of the invention will become more apparent to one of ordinary skill in the art to which the invention pertains by referencing the detailed description of the invention given below.
According to an exemplary embodiment of the invention, an abnormal call detection apparatus includes: a session information storage unit configured to store session information, including a first General Packet Radio Service (GPRS) Tunneling Protocol (GTP)-U Tunnel Endpoint Identifier (TEID) and a first User Equipment (UE) identification number; a packet information extraction unit configured to extract a second GTP-U TEID from a GTP-U packet, extract an SIP message from the payload of the GTP-U packet and extract a second UE identification number from the SIP message; and a packet processing unit configured to drop the GTP-U packet in response to the first and second GTP-U TEIDs being identical but the first and second UE identification numbers being different.
According to another exemplary embodiment of the invention, an abnormal call detection apparatus includes: a GTP-C packet information extraction unit configured to extract a first GTP-U TEID and a first UE identification number from a GTP-C packet; a session information storage unit configured to store session information, including the first GTP-U TEID and the first UE identification number; a GTP-U packet information extraction unit configured to extract a second GTP-U TEID from the header of a GTP-U packet, extract an SIP message from the payload of the GTP-U packet and extract a second UE identification number from the SIP message; and a packet processing unit configured to drop the GTP-U packet in accordance with the results of comparison of the first and second GTP-U TEIDs with each other and comparison of the first and second UE identification numbers with each other.
According to another exemplary embodiment of the invention, an abnormal call detection system includes: a session information collection apparatus including a GTP-C packet information extraction unit, which extracts a first GTP-U TEID and a first UE identification number from a GTP-C packet, and a session information generation unit, which generates session information including the first GTP-U TEID and the first UE identification number; and an abnormal call detection apparatus including a GTP-U packet information extraction unit, which extracts a second GTP-U TEID from the header of a GTP-U packet, extracts an SIP message from the payload of the GTP-U packet, and extracts a second UE identification number from the SIP message, and a packet processing unit, which drops the GTP-U packet in accordance with results of comparison of the first and second GTP-U TEIDs with each other and comparison of the first and second UE identification numbers with each other with the use of the session information provided by the session information collection apparatus.
According to another exemplary embodiment of the invention, an abnormal call detection method includes: receiving a GTP-U packet; extracting a second GTP-U TEID from the header of a GTP-U packet, extracting an SIP message from the payload of the GTP-U packet, and extracting a second UE identification number from the SIP message; comparing the second GTP-U TEID and the second UE identification number with a first GTP-U TEID and a first UE identification number, respectively, of session information and to determine whether the first and second GTP-U TEIDs are identical and whether the first and second UE identification numbers are identical; and in response to the first and second GTP-U TEIDs being identical but the first and second UE identification numbers being different, dropping the GTP-U packet.
Other features and exemplary embodiments will be apparent from the following detailed description, the drawings, and the claims.
According to the exemplary embodiments of the invention, a General Packet Radio Service (GPRS) Tunneling Protocol (GTP)-U Tunnel Endpoint Identifier (TEID) is extracted from a GTP-U packet, a Session Initiation Protocol (SIP) message is extracted from the GTP-U packet, a User Equipment (UE) identification number is extracted from the SIP message, and the GTP-U TEID and the UE identification number are compared with session information to determine whether the session information matches the GTP-U TEID and the UE identification number. Accordingly, an abnormal call with a fabricated UE identification number in an SIP message can be effectively detected and dropped.
FIG. 1 is a block diagram of an abnormal call detection apparatus according to an exemplary embodiment of the invention.
FIG. 2 is a diagram illustrating the transmission of an abnormal Session Initiation Protocol (SIP) message within a 4th Generation (4G) or between the 4G network and an Internet Protocol (IP) Multimedia Subsystem (IMS) network.
FIG. 3 is a diagram illustrating the setting of a Voice over LTE (VoLTE) call with the use of an SIP message.
FIG. 4 is a diagram for explaining values included in an “SIP Invite” message.
FIG. 5 is a table for explaining session information stored in a session information storage unit illustrated in FIG. 1.
FIG. 6 is a flowchart illustrating an abnormal call detection method according to an exemplary embodiment of the invention.
FIG. 7 is a block diagram of an abnormal call detection apparatus according to another exemplary embodiment of the invention.
FIG. 8 is a diagram illustrating the creation of a General Packet Radio Service (GPRS) Tunneling Protocol (GTP) tunnel in a 4G network.
FIG. 9 is a diagram for explaining values included in a “Create Session Request” message.
FIG. 10 is a diagram for explaining values included in a “Create Session Response” message.
FIG. 11 is a block diagram of an abnormal call detection system according to an exemplary embodiment of the invention.
FIG. 12 is a flowchart illustrating a session information collection method according to an exemplary embodiment of the invention.
FIG. 13 is a diagram illustrating the structure of a 4G network to which an abnormal call detection apparatus or method according to exemplary embodiments of the invention is applied.
FIG. 14 is a diagram illustrating the structure of an IMS network interlinked with the 4G network illustrated in FIG. 13.
Advantages and features of the invention and methods of accomplishing the same may be understood more readily by reference to the following detailed description of exemplary embodiments and the accompanying drawings. The invention may, however, be embodied in many different provides and should not be construed as being limited to the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete and will fully convey the concept of the invention to those skilled in the art, and the invention will only be defined by the appended claims. Like reference numerals refer to like elements throughout the specification.
Each block represents a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that in some alternative implementations, the functions noted in the blocks may occur out of the order noted herein. For example, two blocks shown herein in succession may in fact be executed substantially concurrently or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved, as will be further clarified hereinbelow.
Although the terms “first, second, and so forth” are used to describe diverse constituent elements, such constituent elements are not limited by the terms. The terms are used only to discriminate a constituent element from other constituent elements. Accordingly, in the following description, a first constituent element may be a second constituent element.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting. As used herein, the singular forms “a,” “an,” and “the” are intended to include the plural forms, including “at least one,” unless the content clearly indicates otherwise. It will be further understood that the terms “comprises” and/or “comprising,” or “includes” and/or “including” when used in this specification, specify the presence of stated features, regions, integers, steps, operations, elements, and/or components, but do not preclude the presence or addition of one or more other features, regions, integers, steps, operations, elements, components, and/or groups thereof.
Unless indicated otherwise, it is to be understood that all the terms used in the specification including technical and scientific terms have the same meanings as those as understood by a person skilled in the art. It should be understood that the terms defined by a dictionary must be identical with the meanings within the context of the related art, and they should not be ideally or excessively formally defined unless the context clearly dictates otherwise.
FIG. 1 is a block diagram of an abnormal call detection apparatus according to an exemplary embodiment of the invention.
Referring to FIG. 1, an abnormal call detection apparatus 100 incudes Network Interface Cards (NICs) 110a and 110b, a packet information extraction unit 120, a packet analysis unit 130, a session information storage unit 140, a packet processing unit 150, and a log storage unit 160.
The NIC 110a receives a General Packet Radio Service (GPRS) Tunneling Protocol (GTP)-U packet, and transmits the GTP-U packet to the packet information extraction unit 120. The NIC 110b forwards or drop the GTP-U packet in accordance with a control signal. The NICs 110a and 110b may be typical NICs or hardware acceleration NICs. The GTP-U packet is used for transmitting a user’s data packet within a 4th Generation (4G) network.
The packet information extraction unit 120 extracts various packet information from the GTP-U packet. The packet information extraction unit 120 may extract a Tunnel Endpoint IDentifier (TEID) from the header of the GTP-U packet. The TEID may be an uplink GTP-U TEID. The term “uplink”, as used herein, may indicate the transmission of a data packet from User Equipment (UE) to an Internet Protocol (IP) Multimedia Subsystem (IMS) network, and the term “downlink”, as used herein, may indicate the transmission of a data packet from an IMS network to UE.
The packet information extraction unit 120 may extract a Session Initiation Protocol (SIP) message from the payload of the GTP-U packet. The SIP message is used for connecting a Voice over LTE (VoLTE) call. The packet information extraction unit 120 may extract a UE identification number from the SIP message. For example, the UE identification number may be a Mobile Station International Integrated Service Digital Network (ISDN) Number (MSISDN), but the invention is not limited thereto.
The packet analysis unit 130 may determine whether the GTP-U packet is associated with an abnormal call based on the uplink GTP-U TEID and the UE identification number extracted by the packet information extraction unit 120. The term “abnormal call”, as used herein, may indicate a GTP-U packet with an SIP message having a fabricated UE identification number. The packet analysis unit 130 may use session information stored in advance to analyze the GTP-U packet.
The session information storage unit 140 may store session information, including an uplink GTP-U TEID and a UE identification number, in advance. The uplink GTP-U TEID and the UE identification number of the session information may be extracted in advance from a GTP-C packet. The GTP-C packet is used for creating/updating/deleting a GTP tunnel within a 4G network. The GTP-U packet may be transmitted via a GTP tunnel.
For a proper distinction between TEIDs and between UE identification numbers, the uplink GTP-U TEID and the UE identification number stored in the session information storage unit 140 will hereinafter be referred to as a first uplink GTP-U TEID and a first UE identification number, respectively, and the uplink GTP-U TEID and the UE identification number extracted by the packet information extraction unit 120 will hereinafter be referred to as a second uplink GTP-U TEID and a second UE identification number, respectively.
The packet analysis unit 130 may detect an abnormal call by determining whether the first and second uplink GTP-U TEIDs are identical and whether the first and second UE identification numbers are identical. The packet analysis unit 130 may determine whether there exists a first uplink GTP-U TEID identical to the second uplink GTP-U TEID in session information. In response to the first and second uplink GTP-U TEIDs being identical but the first and second UE identification numbers being different, the packet analysis unit 130 may determine that the second UE identification number has been fabricated, and may determine the GTP-U packet as being associated with an abnormal call.
The packet processing unit 150 may control the NIC 110b to forward or drop the GTP-U packet depending on the results of the detection of an abnormal call by the packet analysis unit 130. The expression “forward the GTP-U packet”, as used herein, may indicate transmitting the GTP-U packet to a destination IP address, and the expression “drop the GTP-U packet, as used herein, may indicate not transmitting the GTP-U packet to the destination IP address.
In response to the GTP-U packet being dropped in accordance with the results of the detection of an abnormal call by the packet analysis unit 130, the log storage unit 160 may write a detection log. The detection log may include at least one of the second uplink GTP-U TEID and the second UE identification number extracted from the GTP-U packet. The detection log may also include information such as the time of detection of an abnormal call, whether the GTP-U packet has been dropped and the destination IP address and a destination port of the GTP-U packet.
In the abnormal call detection apparatus 100, the NICs 110a and 110b, the packet information extraction unit 120, the packet analysis unit 130, the session information storage unit 140, the packet processing unit 150, and the log storage unit 160 are provided as separate elements. In an alternative exemplary embodiment, the packet information extraction unit 120, the packet analysis unit 130, and the packet processing unit 150 may be incorporated into a single unit or module, or the session information storage unit 140 and the log storage unit 160 may be incorporated into a single unit or module.
FIG. 2 is a diagram illustrating the transmission of an abnormal SIP message within a 4G or between the 4G network and an IMS network.
Referring to FIG. 2, UE 1100 may transmit a data packet to a Serving Gateway 1400, and the S-GW 1400 may transmit the data packet transmitted by the UE 1100 to a Packet Data Network (PDN) Gateway 1500. Even though not specifically illustrated in FIG. 2, the UE 1100 may transmit a data packet to an evolved Node B (eNB). Then, the eNB may transmit the data packet to the S-GW 1400, and the S-GW 1400 may transmit the data packet to the P-GW 1500. For example, the data packet transmitted by the UE 1100 may be an IP packet.
A GTP tunnel may be created between the eNB and the S-GW 1400 and between the S-GW 1400 and the P-GW 1500, respectively, and the data packet transmitted by the UE 1100 may be transmitted to the P-GW via each of the GTP tunnels. The data packet transmitted by the UE 1100 may be transmitted within a 4G network with the use of a GTP protocol. A GTP-U packet transmitted from the UE 1100 to the P-GW 1500 may be referred to as an outbound GTP-U Packet. An IP header, a User Datagram Protocol (UDP) header, and a GTP-U header for a GTP tunnel may be added to the header of the GTP-U packet, and the data packet transmitted by the UE 1100 may be capsulated into the payload of the GTP-U packet. The header of the GTP-U header may include a TEID. The data packet transmitted by the UE 1100 may be transmitted from the P-GW 1500 to a Proxy Call Session Control Function (P-CSCF) 2100 in an IMS network.
The data packet transmitted by the UE 1100 may include an SIP message for setting a VoLTE call. The SIP message may include a UE identification number.
The PG-SW 1500 in the 4G network transmits the data packet transmitted by the UE 1100 to the P-CSCF 2100 in the IMS network without considering the values included in the SIP message. Accordingly, even when the SIP message includes some fabricated values, instead of an uplink GTP-U TEID and a UE identification number allocated upon the creation/update of a GTP tunnel the data packet transmitted by the UE 1100 may be transmitted to the P-GW 1500 and to the P-CSCF 2100 in the IMS network without being hindered. In FIG. 2, reference numerals 10 and 30 denote the transmission of normal SIP messages, and reference numerals 20 and 40 denote the transmission of abnormal SIP messages.
The abnormal call detection apparatus 100 may store a first uplink GTP-U TEID and a first UE identification number that are allocated upon the creation/update of a GTP tunnel in advance as session information, may detect an abnormal SIP message by comparing the first GTP-U TEID and the first UE identification number of the session information with a second GTP-U TEID and a second UE identification number, respectively, that are extracted from a GTP-U packet to determine whether the first and second GTP-U TEIDs are identical and whether the first and second UE identification numbers are identical.
FIG. 3 is a diagram illustrating the setting of a Voice over LTE (VoLTE) call with the use of an SIP message.
Referring to FIG. 3, in response to an “SIP Invite” message transmitted by sender UE 1100a being received by receiver UE 1100a and a “200 OK” message” transmitted by the receiver UE 1100b being received by the sender UE 1100a, a VoLTE call setting process may be completed. During the VoLTE call setting process, an SIP message may be transmitted via a P-GW 500 in a 4G network and via a P-CSCF 2100, an Interrogating Call Session Control Function (I-CSCF) 2200 and a Serving Call Session Control Function (S-CSCF) 2300 in an IMS network. In response to the VoLTE call setting process being completed, the sender UE 1100a and the receiver UE 1100b may transmit voice traffic to or receive voice traffic from each other by using a Real-time Transport Protocol (RTP).
During the VoLTE call setting process, the packet information extraction unit 120 may extract a second UE identification number from a first “SIP Invite” message transmitted by the sender UE 1100a.
The rest of the VoLTE call setting process is already obvious to a person skilled in the art to which the invention pertains, and thus, a detailed description thereof will be omitted.
FIG. 4 is a diagram for explaining values included in an “SIP Invite” message.
Referring to FIG. 4, the message header of an “SIP Invite” message may include a “Via” field, a “From” field, and a “P_Preferred_Identity” field. A UE IP address may be recorded in the “Via” field, and a UE identification number may be recorded in each of the “From” and “P_Preferred_Identity” fields.
The packet information extraction unit 120 may extract a second UE identification number from the “From” field of the “SIP Invite” message.
Even though not specifically illustrated in FIG. 4, the message header or the message body of the “SIP Invite” message may also include other fields having a UE identification number recorded therein.
The packet information extraction unit 120 may also extract a second UE identification number from the other fields.
FIG. 5 is a table for explaining session information stored in a session information storage unit illustrated in FIG. 1.
Referring to FIG. 5, the session information storage unit 140 may store session information including an uplink GTP-C TEID, an uplink GTP-U TEID, a UE identification number (for example, an MSISDN), a downlink GTP-C TEID, and a response flag.
The uplink GTP-C TEID may be the TEID of a GTP-C packet transmitted from a Mobility Management Entity (MME) to the S-GW 1400 or the TEID of a GTP-C packet transmitted from the S-GW 1400 to the P-GW 1500 via an S5 GTP tunnel. The downlink GTP-C TEID may be the TEID of a GTP-C packet transmitted from the S-GW 1400 to the MME 1400 via an S11 GTP tunnel or the TEID of a GTP-C packet transmitted from the P-GW 1500 to the S-GW 1400 via the S5 GTP tunnel.
The session information storage unit 140 may manage the session information together with GTP tunnel information (for example, TEIDs). In response to a GTP-C packet including an “Update Session Request” message or an “Update Session Response” message, the session information storage unit 140 may update session information corresponding to the TEID of the GTP-C packet, and may store the updated session information. On the other hand, in response to the GTP-C packet including a “Delete Session Request” message or a “Delete Session Response” message, the session information storage unit 140 may delete the session information corresponding to the TEID of the GTP-C packet.
FIG. 6 is a flowchart illustrating an abnormal call detection method according to an exemplary embodiment of the invention. For convenience, detailed descriptions of features that the exemplary embodiment of FIG. 6 and the exemplary embodiment of FIG. 1 have in common will be omitted.
Referring to FIG. 6, a GTP-U packet is received (S201).
The packet information extraction unit 120 extracts information from the GTP-U packet (S202), and determines whether an SIP message exists in the payload of the GTP-U packet (S203).
In response to a determination being made that an SIP message exists in the payload of the GTP-U packet, the packet information extraction unit 120 determines whether the SIP message in the payload of the GTP-U packet is an “SIP Invite” message (S204).
In response to a determination being made that the SIP in the payload of the GTP-U packet is an “SIP Invite” message, the packet information extraction unit 120 extracts a second uplink GTP-U TEID from the header of the GTP-U packet and a second UE identification number from the “SIP Invite” message (S205). For example, the second UE identification number may be an MSISDN, but the invention is not limited thereto.
The packet analysis unit 130 determines whether session information corresponding to the second uplink GTP-U TEID exists in the session information storage unit 140 (S206). The packet analysis unit 130 may determine whether there exists a first uplink GTP-U TEID identical to the second uplink GTP-U TEID in the session information corresponding to the second uplink GTP-U TEID. In response to a determination being made that session information corresponding to the second uplink GTP-U TEID exists in the session information storage unit 140, the packet analysis unit 130 may determine whether the session information matches the second uplink GTP-U TEID and the second UE identification number (S207). The packet analysis unit 130 may compare a first uplink GTP-U TEID and a first UE identification number of the session information with the second uplink GTP-U TEID and the second UE identification number, respectively, to determine whether the session information matches the second uplink GTP-U TEID and the second UE identification number.
In response to a determination being made that the session information matches the second uplink GTP-U TEID and the second UE identification number, the packet processing unit 150 forwards the GTP-U packet (S209). The packet processing unit 150 may also forward the GTP-U packet if no SIP message is included in the GTP-U packet, an SIP message is included in the GTP-U packet but is not an “SIP Invite” message, or there is no matching session information.
In response to a determination being made that the session information does not match the second uplink GTP-U TEID and the second UE identification number, the packet processing unit 150 drops the GTP-U packet (S209). The packet analysis unit 130 may drop the GTP-U packet if the first and second uplink GTP-U TEIDs are identical but the first and second UE identification numbers are different. The log storage unit 160 may write a detection log (S210).
FIG. 7 is a block diagram of an abnormal call detection apparatus according to another exemplary embodiment of the invention. For convenience, the exemplary embodiment of FIG. 7 will hereinafter be described, focusing mainly on differences with the exemplary embodiment of FIG. 1.
Referring to FIG. 7, an abnormal call detection apparatus 300 according to another exemplary embodiment of the invention includes NICs 310a and 310b, a GTP-U packet information extraction unit 320, a packet analysis unit 330, a session information storage unit 340, a packet processing unit 350, a log storage unit 360, a packet classification unit 370, a GTP-C packet information extraction unit 380, and a session information generation unit 390.
The NIC 310a receives a GTP packet, and transmits the GTP packet to the packet classification unit 370. The NIC 310b forwards or drops the GTP packet in accordance with a control signal provided by the packet processing unit 350.
The GTP-U packet information extraction unit 320 may extract a second uplink GTP-U TEID from the header of a GTP-U packet. The GTP-U packet information extraction unit 320 may extract an SIP message from the payload of the GTP-U packet and a second UE identification number from the SIP message.
The packet analysis unit 330 may detect an abnormal call by comparing the second uplink GTP-U TEID and the second UE identification number with a first uplink GTP-U TEID and a first UE identification number, respectively, to determine whether the first and second GTP-U TEIDs are identical and whether the first and second UE identification numbers are identical.
The session information storage unit 340 may store session information, including the first uplink GTP-U TEID and the first UE identification number, in advance.
The packet processing unit 350 may control the NIC 310b to forward or drop a GTP packet based on the results of the detection of an abnormal call by the packet analysis unit 330.
The log storage unit 360 may write a detection log in response to the GTP-U packet being dropped in accordance with the results of the detection of an abnormal call by the packet analysis unit 330.
The packet classification unit 370 classifies a GTP packet. More specifically, the packet classification unit 370 may classify a GTP packet as a GTP-C packet or a GTP-U packet. The packet classification unit 370 may transmit a GTP-C packet to the GTP-C packet information extraction unit 380 and may transmit a GTP-U packet to the GTP-U packet information extraction unit 320.
The GTP-C packet information extraction unit 380 may extract a first uplink GTP-U TEID and a first UE identification number from a GTP-C packet. The GTP-C packet information extraction unit 380 may also extract an uplink GTP-C TEID and a downlink GTP-C TEID from the GTP-C packet.
The session information generation unit 390 may generate session information, including the first uplink GTP-U TEID and the first UE identification number extracted by the GTP-C packet information extraction unit 380.
FIG. 8 is a diagram illustrating the creation of a GTP tunnel in a 4G network.
Referring to FIG. 8, a “Create Session Request” message and a “Create Session Response” message may be transmitted to create a GTP tunnel in a 4G network. The “Create Session Request” message and the “Create Session Response” message may be included in a GTP-C packet and may then be transmitted.
An MME 1300 may transmit the “Create Session Request” message to a S-GW 1400, and the S-GW 1400 may transmit the “Create Session Request” message to a P-GW 1500. In reply to the “Create Session Request” message, the P-GW 1500 may transmit the “Create Session Response” message to the S-GW 1400 and may thus create an S5 GTP tunnel between the S-GW 1400 and the P-GW 1500. The S-GW 1400 may transmit the “Create Session Response” message to the MME 1300 and may thus create an S11 GTP tunnel between the MME 1300 and the S-GW 1400 and an S1-U GTP tunnel between an eNB 1200 and the S-GW 1400. An “Update Session” message and a “Delete Session” message may be transmitted via the S11 GTP tunnel or the S5 GTP tunnel.
Even though not specifically illustrated in FIG. 8, messages may be additionally transmitted between the eNB 1200 and the MME 1300 and between the MME 1300 and the S-GW 1400 before the creation of the S1-U GTP tunnel.
During the creation of a GTP tunnel, the GTP-C packet information extraction unit 380 may extract a first UE identification number and a first uplink GTP-U TEID from the “Create Session Request” message and the “Create Session Response” message.
FIG. 9 is a diagram for explaining values included in a “Create Session Request” message, and FIG. 10 is a diagram for explaining values included in a “Create Session Response” message.
Referring to FIGS. 9 and 10, the header of a “Create Session Request” message may include a “Sequence Number” field, an “MSISDN” field, and an “F-TEID” field, and the header of a “Create Session Response” message may include a “Tunnel Endpoint Identifier” field, a “Sequence Number” field, an “F-TEID” field, and a “Bearer Context” field. A UE identification number may be recorded in the “MSISDN” field of the “Create Session Request” message, and an uplink GTP-U TEID may be recorded in the “Bearer Context” field of the “Create Session Response” message. The value recorded in the “Sequence Number” field may be used for a matching between the “Create Session Request” message and the “Create Session Response” message.
The GTP-C packet information extraction unit 380 may extract a UE identification number from the “MSISDN” field of the “Create Session Request” message and an uplink GTP-U TEID from the “Bearer Context” field of the “Create Session Response” message. The GTP-C packet information extraction unit 380 may extract a downlink GTP-C TEID from the “F-TEID” field of the “Create Session Request” message and an uplink GTP-C TEID from the “F-TEID” field of the “Create Session Response” message. The uplink GTP-C TEID and the downlink GTP-C TEID may be used to update and delete session information.
FIG. 11 is a block diagram of an abnormal call detection system according to an exemplary embodiment of the invention. For convenience, the exemplary embodiment of FIG. 11 will hereinafter be described, focusing mainly on differences with the exemplary embodiment of FIG. 7.
Referring to FIG. 11, an abnormal call detection system 400 according to an exemplary embodiment of the invention includes a session information collection apparatus 410 and an abnormal call detection apparatus 420.
The session information collection apparatus 410 may include NICs 411a and 411b, a GTP-C packet information extraction unit 408, a session information generation unit 409, and a packet processing unit 405.
The abnormal call detection apparatus 420 may include NICs 421a and 421b, a GTP-U packet information extraction unit 422, a packet analysis unit 423, a session information storage unit 424, a packet processing unit 425, and a log storage unit 426.
In the abnormal call detection system 400, an element for extracting a first uplink GTP-U TEID and a first UE identification number from a GTP-C packet and generating session information including the first uplink GTP-U TEID and the first UE identification number and an element for extracting a second uplink GTP-U TEID and a second UE identification number from a GTP-U packet and detecting an abnormal call by comparing the second uplink GTP-U TEID and the second UE identification number with the session information are physically separate from each other.
The GTP packet information extraction unit 408 may extract a first uplink GTP-U TEID and a first UE identification number from a GTP-C packet.
The session information generation unit 409 may generate session information including the first uplink GTP-U TEID and the first UE identification number extracted by the GTP-C packet information extraction unit 408.
The GTP-U packet information extraction unit 422 may extract an uplink GTP-U TEID from the header of a GTP-U packet, may extract an SIP message from the payload of the GTP-U packet, and may extract a second UE identification number from the SIP message.
The packet analysis unit 423 may detect an abnormal call with the use of session information present in the session information storage unit 424, and particularly, by comparing the first uplink GTP-U TEID and the first UE identification number with the second uplink GTP-U TEID and the second UE identification number, respectively, to determine whether the first and second uplink GTP-U TEIDs are identical and whether the first and second UE identification numbers are identical.
The session information storage unit 424 may store session information provided by the session information collection apparatus 410.
The packet processing unit 425 may control the NIC 421b to forward or drop a GTP-U packet in accordance with the results of the detection of an abnormal call by the packet analysis unit 423.
FIG. 12 is a flowchart illustrating a session information collection method according to an exemplary embodiment of the invention.
Referring to FIG. 12, a GTP-C packet is received (S501).
The GTP-C packet information extraction unit 380 or 408 extracts information from the GTP-C packet (S502), and determines whether the GTP-C packet includes a “Create Session” message (S503).
In response to a determination being made that the GTP-C packet includes a “Create Session” message, the GTP-C packet information extraction unit 380 or 408 determines whether the “Create Session” message included in the GTP-C packet is a “Create Session Request” message (S504).
In response to a determination being made that the “Create Session” message included in the GTP-C packet is a “Create Session Request” message, the GTP-C packet information extraction unit 380 or 408 extracts a downlink GTP-C TEID and a UE identification number and sets a response flag to “0” (S505). For example, the UE identification number may be an MSISDN, but the invention is not limited thereto.
In response to a determination being made that the “Create Session” message included in the GTP-C packet is not a “Create Session Request” message but a “Create Session Response” message, the GTP-C packet information extraction unit 380 or 408 extracts an uplink GTP-C TEID and an uplink GTP-U TEID, and sets the response flag to “1” (S506).
In response to a determination being made that the GTP-C packet does not include a “Create Session” message, the GTP-C packet information extraction unit 380 or 408 determines whether the GTP-C packet includes an “Update Session” message (S507). In response to a determination being made that the GTP-C packet includes an “Update Session” message, the session information storage unit 390 or 409 updates session information corresponding to the TEID of the GTP-C packet and stores the updated session information (S508). In response to a determination being made that the GTP-C packet does not include an “Update Session” message but includes a “Delete Session” message, the session information storage unit 390 or 409 deletes the session information corresponding to the TEID of the GTP-C packet (S509).
The packet processing unit 350 or 405 forwards the GTP-C packet (S510).
FIG. 13 is a diagram illustrating the structure of a 4G network to which an abnormal call detection apparatus or method according to exemplary embodiments of the invention is applied.
Referring to FIG. 13, a 4G network 1000 may include a 4G Enterprise Radio Access Network (E-RAN) managing wireless resources and a 4G Evolved Packet Core (EPC) performing data processing/authorization/charging.
The 4G E-RAN may include UE 1100 and an eNB 1200. For example, the UE 1100 may be a subscriber mobile terminal of the 4G network 1000. The eNB 1200 may be a base station providing wireless connection between the UE 1100 and the 4G network 1000.
The 4G EPC may include an MME 1300, an S-GW 1400, a P-GW 1500, a Home Subscriber Server 1600, and a Policy & Charging Rule Function (PCRF) 1700. The MME 1300 may transmit a GTP packet to or receive a GTP packet from the eNB 1200 via an S1-MME GTP tunnel. The S-GW 1400 may transmit a GTP packet to or receive a GTP packet from the eNB 1200 via an S1-U GTP tunnel. The MME 1300 may transmit a GTP packet to or receive a GTP packet from the S-GW 1400 via an S11 GTP tunnel. The P-GW 1500 may be connected to a P-CSCF 2100 of an IMS network and to the Internet.
The S1-U GTP tunnel may be a path for data traffic, the S11 GTP tunnel may be a path for signaling, and the S5 GTP tunnel may be a path for data traffic and signaling.
The abnormal call detection apparatus 100 or 300 of FIG. 1 or 7 may be provided at a point P1 between the eNB 1200 and the MME 1300, a point P2 between the MME 1300 and the S-GW 1400 or a point P3 between the S-GW 1400 and the P-GW 1500. The abnormal call detection apparatus 100 or 300 of FIG. 1 or 7 may be provided as an element of the S-GW 1400 or the P-GW 1500. The session information collection apparatus 410 of the abnormal call detection apparatus 400 of FIG. 11 may be provided at the point P2 between the MME 1300 and the S-GW 1400, and the abnormal call detection apparatus 420 of the abnormal call detection apparatus 400 of FIG. 11 may be provided at the point P1 between the eNB 1200 and the S-GW 1400.
Even though not illustrated in FIG. 13, the 4G network 1000 may be connected to a 3rd Generation (3G) network or a femtocell network via the S-GW 1400.
FIG. 14 is a diagram illustrating the structure of an IMS network interlinked with the 4G network illustrated in FIG. 13.
Referring to FIG. 14, an IMS network 2000 may include a P-CSCF 2100, an I-CSCF 2200, an S-CSCF 2300, a Border Gateway Control Function 2400, an HSS 2500, an S-GW 2600, a Media Gateway Control Function (MGCF) 2700, an Application Server (AS) 2800, and a Media-Gateway (M-GW) 2900.
An SIP message transmitted by the UE 1100 in the 4G network 1000 may be forwarded into the IMS network 2000 via the P-GW 1500. The P-CSCFF 2100, which is connected to the P-GW 1500, may transmit the SIP message to the I-CSCF 2200, and the I-CSCF 2200 may transmit the SIP message to the S-CSCF 2300. The S-GW 2600 may be connected to a Public Switching Telephone Network (PSTN), and the M-GW 2900 may be connected to a Public Land Mobile Network (PLMN).
Since the abnormal call detection apparatus 100 or 300 of FIG. 1 or 7 or the abnormal call detection system 400 of FIG. 11 may be provided at the point P1, P2 or P3 in the 4G network 1000, an abnormal call with a fabricated UE identification number in an SIP message may be detected, and may be prevented from being forwarded into the IMS network 2000.
The steps and/or actions of a method or algorithm described in connection with the aspects disclosed herein may be embodied directly in hardware, in a software module executed by a processor, or in a combination of the two. A software module may reside in a RAM memory, flash memory, a ROM memory, an EPROM memory, an EEPROM memory, registers, a hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art. An exemplary storage medium may be coupled to the processor, such that the processor can read information from, and write information to, the storage medium. In the alternative, the storage medium may be integral to the processor. Further, in some aspects, the processor and the storage medium may reside in an ASIC. Additionally, the ASIC may reside in a user terminal. In the alternative, the processor and the storage medium may reside as discrete components in a user terminal.
While the invention has been particularly shown and described with reference to exemplary embodiments thereof, it will be understood by those of ordinary skill in the art that various changes in provide and detail may be made therein without departing from the spirit and scope of the invention as defined by the following claims. The exemplary embodiments should be considered in a descriptive sense only and not for purposes of limitation.

Claims (30)

  1. An abnormal call detection apparatus, comprising:
    a session information storage unit configured to store session information, including a first General Packet Radio Service (GPRS) Tunneling Protocol (GTP)-U Tunnel Endpoint Identifier (TEID) and a first User Equipment (UE) identification number;
    a packet information extraction unit configured to extract a second GTP-U TEID from a GTP-U packet, extract a Session Initiation Protocol (SIP) message from the payload of the GTP-U packet and extract a second UE identification number from the SIP message; and
    a packet processing unit configured to drop the GTP-U packet in response to the first and second GTP-U TEIDs being identical but the first and second UE identification numbers being different.
  2. The abnormal call detection apparatus of claim 1, wherein the packet processing unit is further configured to forward the GTP-U packet in response to there being no first GTP-U TEID identical to the second GTP-U TEID in the session information.
  3. The abnormal call detection apparatus of claim 1, wherein the SIP message includes an “SIP Invite” message.
  4. The abnormal call detection apparatus of claim 3, wherein the packet processing unit is further configured to forward the GTP-U packet, instead of dropping the GTP-U packet, in response to the SIP message not being an “SIP Invite” message.
  5. The abnormal call detection apparatus of claim 1, wherein the packet information extraction unit is further configured to extract the second UE identification number from a “From” field of the SIP message.
  6. The abnormal call detection apparatus of claim 1, further comprising:
    a packet analysis unit configured to compare the first and second GTP-U TIDs with each other and compare the first and second UE identification numbers with each other to determine whether the first and second GTP-U TIDs are identical and whether the first and second UE identification numbers are identical.
  7. The abnormal call detection apparatus of claim 1, further comprising:
    a log storage unit configured to record at least one of the second GTP-U TEID and the second UE identification number in response to the GTP-U packet being dropped.
  8. The abnormal call detection apparatus of claim 1, wherein the first and second UE identification numbers include Mobile Station International ISDN Numbers (MSISDNs).
  9. The abnormal call detection apparatus of claim 1, wherein the GTP-U packet includes an outbound GTP-U packet.
  10. The abnormal call detection apparatus of claim 1, wherein the GTP-U packet is transmitted via at least one of an S1-U GTP tunnel established between an evolved Node B (eNB) and a Serving Gateway (S-GW) and an S5 GTP tunnel established between the S-GW and a Packet Data Network (PDN) Gateway (P-GW).
  11. An abnormal call detection apparatus, comprising:
    a GTP-C packet information extraction unit configured to extract a first GTP-U TEID and a first UE identification number from a GTP-C packet;
    a session information storage unit configured to store session information, including the first GTP-U TEID and the first UE identification number;
    a GTP-U packet information extraction unit configured to extract a second GTP-U TEID from the header of a GTP-U packet, extract an SIP message from the payload of the GTP-U packet and extract a second UE identification number from the SIP message; and
    a packet processing unit configured to drop the GTP-U packet in accordance with the results of comparison of the first and second GTP-U TEIDs with each other and comparison of the first and second UE identification numbers with each other.
  12. The abnormal call detection apparatus of claim 11, wherein the GTP-C packet information extraction unit is further configured to extract the first UE identification number from a first GTP-C packet and the first GTP-U TEID from a second GTP-C packet, which is different from the first GTP-C packet.
  13. The abnormal call detection apparatus of claim 12, wherein the first GTP-C packet includes a “Create Session Request” message and the second GTP-C packet includes a “Create Session Response” message.
  14. The abnormal call detection apparatus of claim 11, wherein the GTP-C packet information extraction unit is further configured to a GTP-C TEID from the GTP-C packet and the session information storage unit is further configured to update session information corresponding to the GTP-C TEID and store the updated session information in response to the GTP-C packet including an “Update Session Request” message or an “Update Session Response” message.
  15. The abnormal call detection apparatus of claim 11, wherein the GTP-C packet information extraction unit is further configured to a GTP-C TEID from the GTP-C packet and the session information is further configured to delete session information corresponding to the GTP-C TEID in response to the GTP-C packet including a “Delete Session Request” message or a “Delete Session Response” message.
  16. The abnormal call detection apparatus of claim 11, further comprising:
    a packet analysis unit configured to compare the first and second GTP-U TIDs with each other and compare the first and second UE identification numbers with each other to determine whether the first and second GTP-U TIDs are identical and whether the first and second UE identification numbers are identical.
  17. The abnormal call detection apparatus of claim 11, wherein the packet information extraction unit is further configured to extract the second UE identification number from a “From” field of the SIP message.
  18. The abnormal call detection apparatus of claim 11, wherein the first and second UE identification numbers include MSISDNs.
  19. The abnormal call detection apparatus of claim 11, wherein the GTP-U packet includes an outbound GTP-U packet.
  20. The abnormal call detection apparatus of claim 11, wherein the GTP-U packet is transmitted via at least one of an S1-U GTP tunnel established between an eNB and a S-GW and an S5 GTP tunnel established between the S-GW and a P-GW.
  21. An abnormal call detection system, comprising:
    a session information collection apparatus including a GTP-C packet information extraction unit, which extracts a first GTP-U TEID and a first UE identification number from a GTP-C packet, and a session information generation unit, which generates session information including the first GTP-U TEID and the first UE identification number; and
    an abnormal call detection apparatus including a GTP-U packet information extraction unit, which extracts a second GTP-U TEID from the header of a GTP-U packet, extracts an SIP message from the payload of the GTP-U packet, and extracts a second UE identification number from the SIP message, and a packet processing unit, which drops the GTP-U packet in accordance with results of comparison of the first and second GTP-U TEIDs with each other and comparison of the first and second UE identification numbers with each other with the use of the session information provided by the session information collection apparatus.
  22. The abnormal call detection system of claim 21, wherein the GTP-C packet is transmitted via an S11 tunnel established between a Mobility Management Entity (MME) and an S-GW and the GTP-U packet is transmitted via an S1-U tunnel between an eNB and the S-GW.
  23. An abnormal call detection method, comprising:
    receiving a GTP-U packet;
    extracting a second GTP-U TEID from the header of a GTP-U packet, extracting an SIP message from the payload of the GTP-U packet, and extracting a second UE identification number from the SIP message;
    comparing the second GTP-U TEID and the second UE identification number with a first GTP-U TEID and a first UE identification number, respectively, of session information and to determine whether the first and second GTP-U TEIDs are identical and whether the first and second UE identification numbers are identical; and
    in response to the first and second GTP-U TEIDs being identical but the first and second UE identification numbers being different, dropping the GTP-U packet.
  24. The abnormal call detection method of claim 23, further comprising:
    in response to there being no first GTP-U TEID identical to the second GTP-U TEID in the session information, forwarding the GTP-U packet.
  25. The abnormal call detection method of claim 23, wherein the SIP message includes an “SIP Invite” message.
  26. The abnormal call detection method of claim 25, further comprising:
    in response to the SIP message not being an “SIP Invite” message, forwarding the GTP-U packet, instead of dropping the GTP-U packet.
  27. The abnormal call detection method of claim 23, wherein the extracting the second UE identification number comprises extracting the second UE identification number from a “From” field of the SIP message.
  28. The abnormal call detection method of claim 23, wherein the first and second UE identification numbers include MSISDNs.
  29. The abnormal call detection method of claim 23, wherein the GTP-U packet includes an outbound GTP-U packet.
  30. The abnormal call detection method of claim 23, wherein the GTP-U packet is transmitted via at least one of an S1-U GTP tunnel established between an eNB and a S-GW and an S5 GTP tunnel established between the S-GW and a P-GW.
PCT/KR2014/007915 2013-08-28 2014-08-26 Apparatus and method for detecting abnormal call WO2015030458A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
KR10-2013-0102564 2013-08-28
KR20130102564A KR101414231B1 (en) 2013-08-28 2013-08-28 Apparatus and method for detecting abnormal call

Publications (1)

Publication Number Publication Date
WO2015030458A1 true WO2015030458A1 (en) 2015-03-05

Family

ID=51740927

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/KR2014/007915 WO2015030458A1 (en) 2013-08-28 2014-08-26 Apparatus and method for detecting abnormal call

Country Status (3)

Country Link
KR (1) KR101414231B1 (en)
MY (1) MY157106A (en)
WO (1) WO2015030458A1 (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2017101121A1 (en) * 2015-12-18 2017-06-22 华为技术有限公司 Method and device for signaling transport, data transmission, and establishing gtp tunnel
WO2018205949A1 (en) * 2017-05-09 2018-11-15 中兴通讯股份有限公司 Information transmission method and apparatus

Families Citing this family (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR101538309B1 (en) * 2014-12-17 2015-07-23 한국인터넷진흥원 APPARATUS, SYSTEM AND METHOD FOR DETECTING ABNORMAL VoLTE REGISTRATION MESSAGE IN 4G MOBILE NETWORKS
KR101538310B1 (en) * 2014-12-17 2015-07-22 한국인터넷진흥원 APPARATUS, SYSTEM AND METHOD FOR DETECTING ABNORMAL MESSAGE FOR OBTAINING LOCATION INFORMATION BASED ON VoLTE SERVICE IN 4G MOBILE NETWORKS
KR101541119B1 (en) 2015-01-15 2015-08-03 한국인터넷진흥원 APPARATUS, SYSTEM AND METHOD FOR DETECTING ABNORMAL VoLTE DE-REGISTRATION MESSAGE IN 4G MOBILE NETWORKS
KR101534160B1 (en) * 2015-01-16 2015-07-24 한국인터넷진흥원 Apparatus and method for VoLTE session management in 4G mobile network
KR101632241B1 (en) * 2015-04-24 2016-06-21 주식회사 윈스 METHOD AND APPARATUS FOR PROVIDING DETECTION SERVICE BASED VoLTE SESSION

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR20050122997A (en) * 2004-06-26 2005-12-29 삼성전자주식회사 Method for connecting igsn to sgsn or ggsn of other network
KR20080057161A (en) * 2006-12-19 2008-06-24 주식회사 케이티프리텔 Intrusion protection device and intrusion protection method for point-to-point tunneling protocol
US20080198845A1 (en) * 2004-11-10 2008-08-21 Krister Boman Arrangement, Nodes and a Method Relating to Services Access Over a Communication System
US8191116B1 (en) * 2005-08-29 2012-05-29 At&T Mobility Ii Llc User equipment validation in an IP network
KR20120100872A (en) * 2012-08-13 2012-09-12 한국인터넷진흥원 Apparatus and method for ip spoofing detectng in mobile environment using gtp

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR20050122997A (en) * 2004-06-26 2005-12-29 삼성전자주식회사 Method for connecting igsn to sgsn or ggsn of other network
US20080198845A1 (en) * 2004-11-10 2008-08-21 Krister Boman Arrangement, Nodes and a Method Relating to Services Access Over a Communication System
US8191116B1 (en) * 2005-08-29 2012-05-29 At&T Mobility Ii Llc User equipment validation in an IP network
KR20080057161A (en) * 2006-12-19 2008-06-24 주식회사 케이티프리텔 Intrusion protection device and intrusion protection method for point-to-point tunneling protocol
KR20120100872A (en) * 2012-08-13 2012-09-12 한국인터넷진흥원 Apparatus and method for ip spoofing detectng in mobile environment using gtp

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2017101121A1 (en) * 2015-12-18 2017-06-22 华为技术有限公司 Method and device for signaling transport, data transmission, and establishing gtp tunnel
WO2018205949A1 (en) * 2017-05-09 2018-11-15 中兴通讯股份有限公司 Information transmission method and apparatus
US11405830B2 (en) 2017-05-09 2022-08-02 Zte Corporation Information transmission method and apparatus

Also Published As

Publication number Publication date
KR101414231B1 (en) 2014-07-01
MY157106A (en) 2016-04-28

Similar Documents

Publication Publication Date Title
WO2015030458A1 (en) Apparatus and method for detecting abnormal call
WO2011010869A2 (en) Method for switching session of user equipment in wireless communication system and system employing the same
WO2011056046A2 (en) Method and system to support single radio video call continuity during handover
WO2010019005A2 (en) Method and system for handling a dynamic host configuration protocol internet protocol version 4 address release
US10368229B2 (en) Communication apparatus and communication control method in a communication system
US10129110B2 (en) Apparatus and method of identifying a user plane identifier of a user device by a monitoring probe
WO2014098492A1 (en) Bearer management
US10785688B2 (en) Methods and systems for routing mobile data traffic in 5G networks
WO2017007122A1 (en) Method and system for providing private network service
WO2016098997A1 (en) Apparatus, system and method for detecting abnormal volte registration message in 4g mobile network
EP2978277B1 (en) Data transmission methods and gateways
KR101228089B1 (en) Ip spoofing detection apparatus
WO2017057955A1 (en) Methods and devices for supporting release of sipto bearer or lipa bearer in dual-connectivity architecture
WO2015083927A1 (en) Apparatus and method for detecting abnormal sdp message in 4g mobile networks
US9510377B2 (en) Method and apparatus for managing session based on general packet radio service tunneling protocol network
WO2014185720A1 (en) Method and apparatus for enhancing voice service performance in communication system
WO2016108509A1 (en) Method and apparatus for allocating server in wireless communication system
WO2016114476A1 (en) Apparatus and method for volte session managemet in 4g mobile network
WO2016068475A1 (en) Apparatus and method for user session management in 4g mobile network
KR101499022B1 (en) Apparatus and method for detecting abnormal MMS message in 4G mobile network
KR101501670B1 (en) User identification method of attack/anomaly traffic in mobile communication network
WO2015083926A1 (en) Apparatus and method for detecting abnormal sip subscribe message in 4g mobile networks
WO2015083925A1 (en) Apparatus and method for detecting abnormal sip refer message in 4g mobile networks
WO2016098990A1 (en) Apparatus, system and method for detecting abnormal message for obtaining location information based on volte service in 4g mobile networks
KR101541119B1 (en) APPARATUS, SYSTEM AND METHOD FOR DETECTING ABNORMAL VoLTE DE-REGISTRATION MESSAGE IN 4G MOBILE NETWORKS

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 14839083

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 14839083

Country of ref document: EP

Kind code of ref document: A1