WO2015083925A1 - Apparatus and method for detecting abnormal sip refer message in 4g mobile networks - Google Patents

Apparatus and method for detecting abnormal sip refer message in 4g mobile networks Download PDF

Info

Publication number
WO2015083925A1
WO2015083925A1 PCT/KR2014/008835 KR2014008835W WO2015083925A1 WO 2015083925 A1 WO2015083925 A1 WO 2015083925A1 KR 2014008835 W KR2014008835 W KR 2014008835W WO 2015083925 A1 WO2015083925 A1 WO 2015083925A1
Authority
WO
WIPO (PCT)
Prior art keywords
packet
refer message
sip refer
gtp
message
Prior art date
Application number
PCT/KR2014/008835
Other languages
French (fr)
Inventor
Chae Tae Im
Joo Hyung Oh
Se Kwon Kim
Jun Hyung Cho
Bon Min Koo
Seong Min Park
Su Jeong Woo
Original Assignee
Korea Internet & Security Agency
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Korea Internet & Security Agency filed Critical Korea Internet & Security Agency
Publication of WO2015083925A1 publication Critical patent/WO2015083925A1/en

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L65/00Network arrangements, protocols or services for supporting real-time applications in data packet communication
    • H04L65/1066Session management
    • H04L65/1073Registration or de-registration
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L65/00Network arrangements, protocols or services for supporting real-time applications in data packet communication
    • H04L65/10Architectures or entities
    • H04L65/1016IP multimedia subsystem [IMS]
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L65/00Network arrangements, protocols or services for supporting real-time applications in data packet communication
    • H04L65/1066Session management
    • H04L65/1101Session protocols
    • H04L65/1104Session initiation protocol [SIP]
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/12Detection or prevention of fraud
    • H04W12/121Wireless intrusion detection systems [WIDS]; Wireless intrusion prevention systems [WIPS]
    • H04W12/122Counter-measures against attacks; Protection against rogue devices
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W80/00Wireless network protocols or protocol adaptations to wireless operation
    • H04W80/08Upper layer protocols
    • H04W80/10Upper layer protocols adapted for application session management, e.g. SIP [Session Initiation Protocol]

Definitions

  • the invention relates to an apparatus and method for detecting an abnormal Session Initiation Protocol (SIP) REFER message, and more particularly, to an apparatus and method for detecting an abnormal SIP REFER message in a 4th Generation (4G) mobile network.
  • SIP Session Initiation Protocol
  • GTP General Packet Radio Service Tunneling Protocol
  • 3G 3rd Generation
  • 4G 4th Generation
  • a Session Initiation Protocol (SIP) message for setting a Voice over Long-Term Evolution (VoLTE) call may be included in a GTP packet and may then be transmitted.
  • the SIP message may include a SIP REFER message, which corresponds to the message body of the SIP message.
  • GTP has been designed to perform signaling and data transmission operations such as setting, updating and deleting a data call to provide various data services to user terminals (for example, smart phones), but does not consider any methods to detect an attack launched against a mobile communication network.
  • a GTP packet with a falsified User Equipment (UE) identification number in a SIP REFER message thereof may be forwarded to an external network (for example, an Internet Protocol (IP) Multimedia Subsystem (IMS) network) without being hindered.
  • IP Internet Protocol
  • IMS Internet Multimedia Subsystem
  • SIP REFER message may cause a threat, for example, by being used in an illegitimate attempt to leak information from a Call Session Control Function (CSCF) server that constitutes an IMS network.
  • CSCF Call Session Control Function
  • Exemplary embodiments of the invention provide an apparatus for detecting an abnormal Session Initiation Protocol (SIP) REFER message that can be used in an illegitimate attempt to leak information from a Call Session Control Function (CSCF) server in a 4th Generation (4G) mobile network.
  • SIP Session Initiation Protocol
  • CSCF Call Session Control Function
  • Exemplary embodiments of the invention also provide a method of detecting an abnormal SIP REFER message that can be used in an illegitimate attempt to leak information from a CSCF server in a 4G mobile network.
  • an apparatus for detecting an abnormal Session Initiation Protocol (SIP) REFER message in a 4th Generation (4G) mobile network includes: a packet information extraction unit configured to extract a first Tunnel Endpoint Identifier (TEID) from the header of a General Packet Radio Service (GPRS) Tunneling Protocol (GTP)-U packet and a first User Equipment (UE) identification number from an SIP REFER message in the payload of the GTP-U packet; a session information storage unit configured to store session information, including a second TEID and a second UE identification number; a packet analysis unit configured to perform an abnormal SIP REFER message detection operation by determining whether the SIP REFER message is an abnormal SIP REFER message based on whether the first and second TEIDs are identical and whether the first and second UE identification numbers are different; and a packet processing unit configured to process the GTP-U packet according to a predetermined detection policy in response to the SIP REFER message being an abnormal SIP REFER message,
  • a packet information extraction unit configured to
  • an apparatus for detecting an abnormal SIP REFER message in a 4G mobile network includes: a GTP-U packet information extraction unit configured to extract a first TEID from the header of a GTP-U packet and a first UE identification number from an SIP REFER message in the payload of the GTP-U packet; a GTP-C packet information extraction unit configured to extract a second TEID and a second UE identification number from the payload of a GTP-C packet; a session information storage unit configured to store session information, including the second TEID and the second UE identification number; a packet analysis unit configured to perform an abnormal SIP REFER message by determining whether the SIP REFER message is an abnormal SIP REFER message based on results of comparison of the first and second TEIDs and the first and second UE identification numbers; and a packet processing unit configured to process the GTP-U packet according to a predetermined detection policy in response to the SIP REFER message being an abnormal SIP REFER message, where
  • a system for detecting an abnormal SIP REFER message in a 4G mobile network includes: an apparatus for detecting an abnormal SIP REFER message, configured to detect an abnormal SIP REFER message by using session information; and an apparatus for collecting session information, configured to extract GTP-C packet information from a GTP-C packet and generate the session information based on the extracted GTP-C packet information, wherein the apparatus for detecting an abnormal SIP REFER message, includes: a session information storage unit configured to receive session information including a second TEID and a second UE identification number from the apparatus for collecting session information and store the received session information; a GTP-U packet information extraction unit configured to extract a first TEID from the header of a GTP-U packet and a first UE identification number from an SIP REFER message in the payload of the GTP-U packet; a packet processing unit configured to perform an abnormal SIP REFER message detection operation by determining whether the SIP REFER message is an abnormal SIP REFER message based on
  • a method of detecting an abnormal SIP REFER message in a 4G mobile network includes: extracting a first TEID from the header of a GTP-U packet and a first UE identification number from an SIP REFER message from the payload of the GTP-U packet; determining whether the first TEID is identical to a second TEID of session information; in response to a determination being made that the first TEID is identical to the second TEID, determining whether the first UE identification number is identical to a second UE identification number corresponding to the second TEID; and in response to a determination being made that the first UE identification number is different from the second UE identification number, determining the SIP REFER message as being an abnormal SIP REFER message, wherein the SIP REFER message is transmitted to receiver UE by a CSCF server where sender UE of the SIP REFER message is registered.
  • a first Tunnel Endpoint Identifier (TEID) and a first User Equipment (UE) identification number are extracted from the header of a General Packet Radio Service (GPRS) Tunneling Protocol (GTP)-U packet and a Session Initiation Protocol (SIP) REFER message in the payload of the GTP-U packet, respectively, and are then compared with a second TEID and a second UE identification number, respectively, included in session information.
  • GPRS General Packet Radio Service
  • GTP General Packet Radio Service
  • SIP Session Initiation Protocol
  • FIG. 1 is a block diagram of an apparatus for detecting an abnormal Session Initiation Protocol (SIP) REFER message, according to an exemplary embodiment of the invention.
  • SIP Session Initiation Protocol
  • FIG. 2 is a diagram illustrating the transmission of an SIP REFER message.
  • FIG. 3 is a diagram for explaining an abnormal SIP REFER message that can be transmitted in a 4th Generation (4G) mobile network.
  • FIG. 4 is a block diagram of a Call Session Control Function (CSCF) server that processes an SIP REFER message.
  • CSCF Call Session Control Function
  • FIG. 5 is a diagram illustrating how information can be leaked from a CSCF server by an abnormal SIP REFER message.
  • FIG. 6 is a diagram for explaining values included in an SIP REFER message.
  • FIG. 7 is a table for explaining session information present in a session information storage unit illustrated in FIG. 1.
  • FIG. 8 is a table for explaining abnormal SIP REFER message detection information.
  • FIG. 9 is a flowchart illustrating a method of detecting an abnormal SIP REFER message, according to an exemplary embodiment of the invention.
  • FIG. 10 is a block diagram of an apparatus for detecting an abnormal SIP REFER message, according to another exemplary embodiment of the invention.
  • FIG. 11 is a diagram illustrating the creation of a General Packet Radio Service (GPRS) Tunneling Protocol (GTP) tunnel in a 4th Generation (4G) mobile network.
  • GPRS General Packet Radio Service
  • GTP General Packet Radio Service Tunneling Protocol
  • FIG. 12 is a block diagram of a system for detecting an abnormal SIP REFER message, according to an exemplary embodiment of the invention.
  • FIG. 13 is a diagram illustrating the structure of a 4G mobile network to which an apparatus or system for detecting an abnormal SIP REFER message according to exemplary embodiments of the invention is applied.
  • Each block represents a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that in some alternative implementations, the functions noted in the blocks may occur out of the order noted herein. For example, two blocks shown herein in succession may in fact be executed substantially concurrently or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved, as will be further clarified hereinbelow.
  • first, second, and so forth are used to describe diverse constituent elements, such constituent elements are not limited by the terms. The terms are used only to discriminate a constituent element from other constituent elements. Accordingly, in the following description, a first constituent element may be a second constituent element.
  • FIG. 1 is a block diagram of an apparatus for detecting an abnormal Session Initiation Protocol (SIP) REFER message, according to an exemplary embodiment of the invention.
  • SIP Session Initiation Protocol
  • an apparatus 100 for detecting an abnormal SIP REFER message includes Network Interface Cards (NICs) 110a and 110b, a packet information extraction unit 120, a packet analysis unit 130, a session information storage unit 140, a detection information storage unit 150, and a packet processing unit 160.
  • NICs Network Interface Cards
  • the NIC 110a receives a General Packet Radio Service (GPRS) Tunneling Protocol (GTP)-U packet, and transmits the GTP-U packet to the packet information extraction unit 120.
  • the NIC 110b forwards or drop the GTP-U packet in accordance with a control signal.
  • the NICs 110a and 110b may be typical NICs or hardware acceleration NICs.
  • the GTP-U packet is used for transmitting a user packet within a mobile communication network.
  • the GTP-U packet which is processed by the NICs 110a and 110b, may be a GTP-U packet forwarded from User Equipment (UE) to an external network (for example, the Internet).
  • UE User Equipment
  • the packet information extraction unit 120 extracts various packet information from the GTP-U packet.
  • the packet information extraction unit 120 may process the extracted packet information into structured data, and may transmit the processed packet information to the packet analysis unit 130.
  • the packet information extraction unit 120 may extract a Tunnel Endpoint Identifier (TEID) from the header of the GTP-U packet as information for detecting an abnormal SIP REFER message.
  • the TEID extracted by the packet information extraction unit 120 may be an uplink TEID.
  • uplink may indicate the transmission of a GTP-U packet from UE to an external network
  • downlink as used herein, may indicate the transmission of a GTP-U packet from an external network to UE.
  • the packet information extraction unit 120 may extract an SIP REFER message included in the payload of the GTP-U packet.
  • the packet information extraction unit 120 may extract a UE identification number from the SIP REFER message.
  • the UE identification number may be a Mobile Subscriber Integrated Service Digital Network (ISDN) Number (MSISDN), but the invention is not limited thereto.
  • ISDN Mobile Subscriber Integrated Service Digital Network
  • MSISDN Mobile Subscriber Integrated Service Digital Network
  • the packet information extraction unit 120 may determine whether an SIP REFER message exists in the payload of the GTP-U packet, and may extract information for detecting an abnormal SIP REFER message in response to a determination being made that there exists an SIP REFER message in the payload of the GTP-U packet.
  • FIG. 2 is a diagram illustrating the transmission of an SIP REFER message.
  • first UE 1100a and second UE 1100b may exchange an “INVITE” message, a “200 OK” message and an “ACK” message with each other, and as a result, a first session may be established between the first UE 1100a and the second UE 1100b.
  • the second UE 1100b may transmit a “reINVITE (hold)” message to the first UE 1100a and may thus request the first UE 1100a to stand by. Thereafter, a “200 OK” message and an “ACK” message may be transmitted between the first UE 1100a and the second UE 1100b.
  • the second UE 1100b and third UE 1100c may exchange an “INVITE” message, a “200 OK” message and an “ACK” message with each other, and as a result, a second session may be established between the second UE 1100b and the third UE 1100c.
  • the second UE 1100b may transmit a REFER message to the first UE 1100a and may thus request the first UE 1100a to connect a call to the third UE 1100c. Thereafter, the first UE 1100a may transmit a “202 Accepted” message to the second UE 1100b and an “INVITE” message to the third UE 1100c. Thereafter, the first UE 1100a and the third UE 1100c may exchange a “200 OK” message and an “ACK” message with each other, and as a result, a third session may be established between the first UE 1100a and the third UE 1100c.
  • the first UE 1100a may transmit a “NOTIFY” message to the second UE 1100b and may thus notify the second UE 1100b of the results of the connection of a call between the first UE 1100a and the third UE 1100c.
  • the second UE 1100b may transmit a “200 OK” message to the first UE 1100a and may exchange a “BYE” message and a “200 OK” message with each of the first UE 1100a and the third UE 1100c.
  • the call between the second UE 1100a and the third UE 1100c may be terminated.
  • An SIP REFER message may be a message used by one of two UEs with a VoLTE call connected therebetween to request the other UE to connect a VoLTE call to another UE.
  • the packet information extraction unit 120 may extract information from a TEID field in the header of a GTP-U packet and from an MSISDN field, a destination IP field, a destination port field, a source IP field and a source port field in the payload of a GTP-U packet.
  • An abnormal SIP REFER message may be an SIP REFER message with a falsified sender UE identification number.
  • FIG. 3 is a diagram for explaining an abnormal SIP REFER message that can be transmitted in a 4th Generation (4G) mobile network.
  • a 4G mobile network may include an evolved Node B (eNB) 1200 and a Serving Gateway (S-GW) 1400.
  • eNB evolved Node B
  • S-GW Serving Gateway
  • the eNB 1200 may be connected to the S-GW 1400, and an S1-U GTP tunnel may be created between the eNB 1200 and the S-GW 1400.
  • the S1-U GTP tunnel may be a GTP tunnel for transmitting data.
  • a GTP-U packet 10 may be transmitted from the eNB 1200 to the S-GW 1400 via the S1-U GTP tunnel.
  • the S-GW 1400 may transmit the GTP-U packet 10 received from the eNB 1200 to a Packet Data Network (PDN) Gateway (P-GW) (not illustrated).
  • PDN Packet Data Network
  • P-GW Packet Data Network Gateway
  • IP Internet Protocol
  • UDP User Datagram Protocol
  • GTP-U header for a GTP tunnel may be combined into the header of the GTP-U packet 10, and a user packet may be capsulated into the payload of the GTP-U packet 10.
  • the GTP-U header of the GTP-U packet 10 may include a TEID.
  • the user packet may include an SIP REFER message.
  • the SIP REFER message may include a UE identification number of sender UE of the SIP REFER message and a UE identification number of receiver UE of the SIP REFER message.
  • FIG. 3 illustrates an SIP REFER message with a falsified sender UE identification number.
  • FIG. 4 is a block diagram of a Call Session Control Function (CSCF) server that processes an SIP REFER message.
  • CSCF Call Session Control Function
  • a Serving Call Session Control Function (S-CSCF) server 2300b where information relating to the second UE 1100b is registered may receive and process the REFER message, and may transmit the processed REFER message to an S-CSCF server 2300a where information relating to the first UE 1100a is registered.
  • the first UE 1100a may receive the REFER message from the S-CSCF server 2300a.
  • an S-CSCF server can receive and process an REFER message.
  • a REFER message may be transmitted from sender UE to receiver UE by an S-CSCF server where information relating to the sender UE is registered.
  • an abnormal SIP REFER message with a falsified sender UE identification number may possibly be misused to leak information from a CSCF server that constitutes an IMS network.
  • FIG. 5 is a diagram illustrating how information can be leaked from a CSCF server by an abnormal SIP REFER message.
  • an attacker 1600 may enter a predetermined UE identification information into a sender UE information field and his or her UE identification number into a receiver UE information field, thereby generating an abnormal SIP REFER message, and may transmit the abnormal SIP REFER message via a CSCF band.
  • the abnormal SIP REFER message may be transmitted from a 4G network 1000 to an IMS network 2000, and particularly, to one of a plurality of S-CSCF servers 2300 in the IMS network 2000 via a Proxy-CSCF (P-CSCF) server 2100 and an Interrogating-CSCF (I-CSCF) server 2200.
  • P-CSCF Proxy-CSCF
  • I-CSCF Interrogating-CSCF
  • the attacker 1600 may transmit a plurality of abnormal SIP REFER messages and may thus attack the S-CSCF servers 2300.
  • the attacker 1600 may enter his or her UE identification number into a receiver UE information field of each of the abnormal SIP REFER messages (OK?) and may thus identify scan results. More specifically, in a case in which UE information of the attacker 1600 is not registered in an S-CSCF server 2300 receiving a first REFER message R1 transmitted by the attacker 1600, the attacker 1600 may receive a “403 FORBIDDEN” message as a response message R1_R for the first REFER message R1.
  • the attacker 1600 may receive a “500 INTERNAL SERVER ERROR” message as a response message R2_R for the second REFER message R2.
  • the attacker 1600 may receive the third REFER message R3 back as a response message R3_R for the third REFER message R3, and may thus be able to obtain information such as the IP address of the S-CSCF server 2300.
  • the apparatus 100 may store a TEID and a UE identification number that are allocated upon the creation of a GTP tunnel in advance as session information, and may compare a TEID and a UE identification number that are extracted from a GTP-U packet with the session information to detect an abnormal SIP REFER message.
  • FIG. 6 is a diagram for explaining values included in an SIP REFER message.
  • an SIP REFER message may include a message header and a message body.
  • Each of the message header and the message body of the SIP message may include various fields.
  • the message header of the SIP REFER message may include a “From” field and a “To” field, and a UE identification number may be recorded in each of the “From” field and the “To” field.
  • a sender UE identification number and a receiver UE identification number may be recorded in the “From” field and the “To” field, respectively.
  • a UE identification number of UE to be attacked may be recorded in the “From” field, and a UE identification number of attacker UE may be recorded in the “To” field.
  • the packet information extraction unit 120 may extract a UE identification number from the “From” field of the message header of the SIP REFER message.
  • the message header of an SIP REFER message may also include other fields than those set forth herein, for recording a UE identification number.
  • the packet information extraction unit 120 may also extract a UE identification number from each of the other fields.
  • a TEID and a UE identification number that are extracted from a GTP-U packet will hereinafter be referred to as a first TEID and a first UE identification number, respectively, and a TEID and a UE identification number that are included in session information will hereinafter be referred to as a second TEID and a second UE identification number, respectively.
  • the packet analysis unit 130 may perform an abnormal SIP REFER message detection operation.
  • the packet analysis unit 130 may compare first and second TEIDs with each other and first and second UE identification numbers with each other and may detect an abnormal SIP REFER message based on the results of the comparison.
  • the session information storage unit 140 may store session information including the second TEID and the second UE identification number in advance.
  • the second TEID and the second UE identification number may be extracted from a GTP-C packet.
  • the GTP-C packet may be used for signaling within a mobile communication network, such as setting, updating or deleting a call.
  • FIG. 7 is a table for explaining session information stored in a session information storage unit illustrated in FIG. 1.
  • session information includes a second TEID and a second UE identification number.
  • the second TEID may be an uplink data TEID.
  • the second TEID may be the TEID of a GTP-U packet forwarded from UE to an external network.
  • the second UE identification number may be an MSISDN.
  • the second UE identification number may be stored, mapped to the second TEID.
  • the packet analysis unit 130 may determine whether there exists a second TEID identical to the first TEID in the session information. In response to a determination being made that a second TEID identical to the first TEID exists in the session information, the packet analysis unit 130 may extract a second UE identification number corresponding to the second TEID from the session information. The packet analysis unit 130 may determine whether the first UE identification number and the extracted second UE identification number are identical to each other. In response to a determination being made that the first UE identification number and the extracted second UE identification number are different, the packet analysis unit 130 may determine an SIP REFER message included in the GTP-U packet as being an abnormal SIP REFER message.
  • FIG. 8 is a table for explaining abnormal SIP REFER message detection information.
  • the detection information storage unit 150 may create and store abnormal REFER message detection information (or an abnormal REFER message detection log) in accordance with the results of the detection of an abnormal SIP REFER message.
  • the abnormal REFER message detection information may include a detection time field, a detected item field, a UE identification number field and a detection result field, and may also include a TEID field, a destination IP field, a destination port field, a source IP/port field, and a falsified UE identification number field.
  • the packet processing unit 160 may process a GTP-U packet with a detected abnormal SIP REFER message according to a predetermined detection policy.
  • the packet processing unit 160 may control the NIC 110b to forward or drop the GTP-U packet with the detected abnormal SIP REFER message.
  • forward a GTP-U packet may indicate transmitting a GTP-U packet to its destination IP address
  • drop a GTP-U packet may indicate not transmitting the GTP-U packet to its destination IP address.
  • the NICs 110a and 110b, the packet information extraction unit 120, the packet analysis unit 130, the session information storage unit 140, the detection information storage unit 150, and the packet processing unit 160 are provided as separate elements.
  • Various modifications may be made to the structure of the apparatus 100 without departing from the scope of the invention.
  • some of the elements of the apparatus 100 may be incorporated into a single unit or module.
  • FIG. 9 is a flowchart illustrating a method of detecting an abnormal SIP REFER message, according to an exemplary embodiment of the invention.
  • the NIC 110a receives a GTP-U packet (S201).
  • the packet extraction unit 120 determines whether the destination port of the GTP-U packet is an SIP port (S202). For example, the packet extraction unit 120 may determine whether the destination port of the GTP-U packet has a value of “5060”, and may determine the GTP-U packet as including an SIP message in response to a determination being made that the destination port of the GTP-U packet has a value of “5060”.
  • the packet extraction unit 120 determines whether the SIP message in the payload of the GTP-U packet is an SIP REFER message (S203). In response to a determination being made that the SIP message in the payload of the GTP-U packet is not an SIP REFER message, the packet analysis unit 130 may not perform an abnormal SIP REFER message detection operation.
  • the packet extraction unit 120 extracts a first TEID from the header of the GTP-U packet and a first UE identification number from the SIP REFER message (S204).
  • the first TEID may be an uplink data TEID.
  • the packet information extraction unit 120 may process various packet information into structured data.
  • the packet analysis unit 130 determines whether a second TEID identical to the first TEID exists in session information (S205).
  • the packet analysis unit 130 extracts the first UE identification number from the processed packet information provided by the packet information extraction unit 120 (S206).
  • the first UE identification number may be an MSISDN.
  • the packet analysis unit 130 may determine whether the first UE identification number and a second UE identification number are identical (S207). As described above, the packet analysis unit 140 may extract a second UE identification number corresponding to the second TEID from the session information, and may determine whether the first UE identification number and the second UE identification number are identical.
  • the packet analysis unit 130 may determine the SIP REFER message as being an abnormal SIP REFER message, and the detection information storage unit 150 may create and store abnormal SIP REFER message detection information (S208).
  • the abnormal REFER message detection information may include a detection time field, a detected item field, a UE identification number field, a detection result field indicating whether to drop the abnormal SIP REFER message, a TEID field, a destination IP field, a destination port field, a source IP/port field, and a falsified UE identification number field.
  • the packet processing unit 160 processes the GTP-U packet with the abnormal SIP REFER message according to a predetermined detection policy (S209).
  • FIG. 10 is a block diagram of an apparatus for detecting an abnormal SIP REFER message, according to another exemplary embodiment of the invention.
  • the exemplary embodiment of FIG. 10 will hereinafter be described, focusing mainly on differences with the exemplary embodiment of FIG. 1.
  • an apparatus 300 for detecting an abnormal SIP REFER message includes NICs 310a and 310b, a packet classification unit 320, a GTP-C packet information extraction unit 330, a session information generation unit 340, a session information storage unit 350, a GTP-U packet information extraction unit 360, a packet analysis unit 370, a detection information storage unit 380, and a packet processing unit 390.
  • the NIC 310a receives a GTP packet, and transmits the GTP packet to the packet classification unit 320.
  • the NIC 310b forwards or drops the GTP packet in accordance with a control signal provided by the packet processing unit 390.
  • the packet classification unit 320 classifies the GTP packet. More specifically, the packet classification unit 370 may classify the GTP packet as a GTP-C packet or a GTP-U packet. The packet classification unit 370 may transmit a GTP-C packet to the GTP-C packet information extraction unit 330 and may transmit a GTP-U packet to the GTP-U packet information extraction unit 360.
  • the GTP-C packet information extraction unit 330 may extract various packet information from a GTP-C packet.
  • the GTP-C packet may include a “Create Session Request” message and a “Create Session Response” message.
  • the GTP-C packet information extraction unit 330 may extract a second UE identification number from the payload of the “Create Session Request” message and a second TEID from the payload of the “Create Session Response” message.
  • the session information generation unit 340 may generate session information including a second TEID and a second UE identification number.
  • the session information generation unit 340 may store the generated session information in the session information storage unit 350.
  • the packet processing unit 390 may control the NIC 310b to forward a GTP-C packet.
  • FIG. 11 is a diagram illustrating the creation of a GTP tunnel in a 4G mobile network.
  • a “Create Session Request” message and a “Create Session Response” message may be transmitted to create a GTP tunnel in a 4G mobile network.
  • the “Create Session Request” message and the “Create Session Response” message may be transmitted as GTP-C packets.
  • UE 1100 may transmit an “Attach Request” message to a Mobility Management Entity (MME) 1300, and the MME 1300 may transmit a “Create Session Request” message to an S-GW 1400.
  • the S-GW 1400 may transmit the “Create Session Request” message to a P-GW 1500.
  • the P-GW 1500 may transmit a “Create Session Response” message to the S-GW 1400 and may thus create an S5 GTP tunnel between the S-GW 1400 and the P-GW 1500.
  • the S-GW 1400 may transmit the “Create Session Response” message to the MME 1300 and may thus create an S11 GTP tunnel between the MME 1300 and the S-GW 1400.
  • the MME 1300 may transmit an “Attach Response” message to the UE 1100 and may thus create an S1-U GTP tunnel between an eNB 1200 and the S-GW 1400.
  • messages may be additionally transmitted between the eNB 1200 and the MME 1300 and between the MME 1300 and the S-GW 1400 before the creation of the S1-U GTP tunnel.
  • the GTP-C packet information extraction unit 330 may extract a second TEID and a second UE identification number from a “Create Session Request” message and a “Create Session Response” message.
  • a UE identification number used to generate session information may be compared with a UE identification number included in the SIP REFER message of a GTP-U packet after the creation of a session.
  • FIG. 12 is a block diagram of a system for detecting an abnormal SIP REFER message, according to an exemplary embodiment of the invention.
  • the exemplary embodiment of FIG. 12 will hereinafter be described, focusing mainly on differences with the exemplary embodiment of FIG. 11.
  • a system 400 for detecting an abnormal SIP REFER message includes an apparatus 410 for collecting session information and an apparatus 420 for detecting an abnormal SIP REFER message.
  • the apparatus 410 may include NICs 411a and 411b, a GTP-C packet information extraction unit 412, and a session information generation unit 413.
  • the apparatus 410 may extract GTP-C packet information from a GTP-C packet and may generate session information based on the extracted GTP-C packet information.
  • the apparatus 420 may include NICs 421a and 421b, a GTP-U packet information extraction unit 422, a packet analysis unit 423, a session information storage unit 424, a detection information generation unit 425, and a packet processing unit 425.
  • the apparatus 420 may detect an abnormal SIP REFER message by using the session information provided by the apparatus 410.
  • the system 400 is illustrated in FIG. 12 as including two physically separate elements, i.e., an element for extracting a TEID and a first UE identification number from a GTP-U packet and detecting an abnormal SIP ERFER message in accordance with the results of comparison of the first UE identification number with session information and an element for extracting a second TEID and a second UE identification number from a GTP-C packet and generating session information including the second TEID and the second UE identification number.
  • the session information storage unit 424 may store the session information provided by the apparatus 410.
  • FIG. 13 is a diagram illustrating the structure of a 4G mobile network to which an apparatus or system for detecting an abnormal SIP REFER message, according to exemplary embodiments of the invention is applied.
  • a 4G mobile network 1000 may include UE 1100, an eNB 1200, an MME 1300, an S-GW 1400 and a P-GW 1500.
  • the UE 1100 may be a subscriber mobile terminal of the 4G mobile network 1000.
  • the eNB 1200 may be a base station providing wireless connection between the UE 1100 and the 4G mobile network 1000.
  • the MME 130 and the S-GW 1400 may exchange a GTP-C packet with each other via an S11 GTP tunnel.
  • the eNB 1200 and the S-GW 1400 may exchange a GTP-U packet with each other via an S1-U GTP tunnel.
  • the S-GW 1400 and the P-GW 1500 may exchange a GTP-C packet or a GTP-U packet with each other via an S5 GTP tunnel.
  • the P-GW 1500 may be connected to an external network, for example, an IMS network 2000.
  • the P-GW 1500 may be connected to a P-CSCF 2100 in the IMS network 2000, and may transmit or receive an SIP message.
  • the S11 GTP tunnel may be a path for session control
  • the S1-U GTP tunnel may be a path for data traffic
  • the S5 GTP tunnel may be a path for both session control and data traffic.
  • the apparatus 100 or 300 of FIG. 1 or 10 may be provided at a point P1 between the eNB 1200 and the S-GW 1400, a point P2 between the MME 1300 and the S-GW 1400 or a point P3 between the S-GW 1400 and the P-GW 1500.
  • the apparatus 100 or 300 of FIG. 1 or 10 may be provided as an element of the S-GW 1400 or the P-GW 1500.
  • the apparatus 410 of the system 400 of FIG. 12 may be provided at the point P2 between the MME 1300 and the S-GW 1400, and the apparatus 420 of the system 400 of FIG. 12 may be provided at the point P1 between the eNB 1200 and the S-GW 1400.
  • the apparatus 100 or 300 or the system 400 may be provided at the point P1, P2 or P3 within the 4G mobile network 1000. Accordingly, it is possible to effectively detect and drop an abnormal SIP REFER message which has a falsified UE identification number and may be used in an illegitimate attempt to leak information from a CSCF server.
  • a software module may reside in a RAM memory, flash memory, a ROM memory, an EPROM memory, an EEPROM memory, registers, a hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art.
  • An exemplary storage medium may be coupled to the processor, such that the processor can read information from, and write information to, the storage medium.
  • the storage medium may be integral to the processor.
  • the processor and the storage medium may reside in an ASIC. Additionally, the ASIC may reside in a user terminal. In the alternative, the processor and the storage medium may reside as discrete components in a user terminal.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Multimedia (AREA)
  • Business, Economics & Management (AREA)
  • General Business, Economics & Management (AREA)
  • Computer Security & Cryptography (AREA)
  • Telephonic Communication Services (AREA)
  • Mobile Radio Communication Systems (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

An apparatus and method for detecting an abnormal Session Initiation Protocol (SIP) REFER message in a 4th Generation (4G) mobile network are provided. The apparatus includes: a packet information extraction unit configured to extract a first Tunnel Endpoint Identifier (TEID) from the header of a General Packet Radio Service (GPRS) Tunneling Protocol (GTP)-U packet and a first User Equipment (UE) identification number from an SIP REFER message in the payload of the GTP-U packet; a session information storage unit configured to store session information, including a second TEID and a second UE identification number; a packet analysis unit configured to perform an abnormal SIP REFER message detection operation by determining whether the SIP REFER message is an abnormal SIP REFER message based on whether the first and second TEIDs are identical and whether the first and second UE identification numbers are different; and a packet processing unit configured to process the GTP-U packet according to a predetermined detection policy in response to the SIP REFER message being an abnormal SIP REFER message, wherein the SIP REFER message is transmitted to receiver UE by a Call Session Control Function (CSCF) server where sender UE of the SIP REFER message is registered.

Description

APPARATUS AND METHOD FOR DETECTING ABNORMAL SIP REFER MESSAGE IN 4G MOBILE NETWORKS
The invention relates to an apparatus and method for detecting an abnormal Session Initiation Protocol (SIP) REFER message, and more particularly, to an apparatus and method for detecting an abnormal SIP REFER message in a 4th Generation (4G) mobile network.
General Packet Radio Service (GPRS) Tunneling Protocol (GTP) is a type of protocol for use in a 3rd Generation (3G) network or a 4th Generation (4G) network, and includes GTP-C packets for signaling and GTP-U packets for data transmissions.
In a mobile communication network, a Session Initiation Protocol (SIP) message for setting a Voice over Long-Term Evolution (VoLTE) call may be included in a GTP packet and may then be transmitted. The SIP message may include a SIP REFER message, which corresponds to the message body of the SIP message.
GTP has been designed to perform signaling and data transmission operations such as setting, updating and deleting a data call to provide various data services to user terminals (for example, smart phones), but does not consider any methods to detect an attack launched against a mobile communication network.
As a result, even a GTP packet with a falsified User Equipment (UE) identification number in a SIP REFER message thereof may be forwarded to an external network (for example, an Internet Protocol (IP) Multimedia Subsystem (IMS) network) without being hindered. However, such abnormal SIP REFER message may cause a threat, for example, by being used in an illegitimate attempt to leak information from a Call Session Control Function (CSCF) server that constitutes an IMS network.
Exemplary embodiments of the invention provide an apparatus for detecting an abnormal Session Initiation Protocol (SIP) REFER message that can be used in an illegitimate attempt to leak information from a Call Session Control Function (CSCF) server in a 4th Generation (4G) mobile network.
Exemplary embodiments of the invention also provide a method of detecting an abnormal SIP REFER message that can be used in an illegitimate attempt to leak information from a CSCF server in a 4G mobile network.
However, exemplary embodiments of the invention are not restricted to those set forth herein. The above and other exemplary embodiments of the invention will become more apparent to one of ordinary skill in the art to which the invention pertains by referencing the detailed description of the invention given below.
According to an exemplary embodiment of the invention, an apparatus for detecting an abnormal Session Initiation Protocol (SIP) REFER message in a 4th Generation (4G) mobile network, includes: a packet information extraction unit configured to extract a first Tunnel Endpoint Identifier (TEID) from the header of a General Packet Radio Service (GPRS) Tunneling Protocol (GTP)-U packet and a first User Equipment (UE) identification number from an SIP REFER message in the payload of the GTP-U packet; a session information storage unit configured to store session information, including a second TEID and a second UE identification number; a packet analysis unit configured to perform an abnormal SIP REFER message detection operation by determining whether the SIP REFER message is an abnormal SIP REFER message based on whether the first and second TEIDs are identical and whether the first and second UE identification numbers are different; and a packet processing unit configured to process the GTP-U packet according to a predetermined detection policy in response to the SIP REFER message being an abnormal SIP REFER message, wherein the SIP REFER message is transmitted to receiver UE by a Call Session Control Function (CSCF) server where sender UE of the SIP REFER message is registered.
According to another exemplary embodiment of the invention, an apparatus for detecting an abnormal SIP REFER message in a 4G mobile network, includes: a GTP-U packet information extraction unit configured to extract a first TEID from the header of a GTP-U packet and a first UE identification number from an SIP REFER message in the payload of the GTP-U packet; a GTP-C packet information extraction unit configured to extract a second TEID and a second UE identification number from the payload of a GTP-C packet; a session information storage unit configured to store session information, including the second TEID and the second UE identification number; a packet analysis unit configured to perform an abnormal SIP REFER message by determining whether the SIP REFER message is an abnormal SIP REFER message based on results of comparison of the first and second TEIDs and the first and second UE identification numbers; and a packet processing unit configured to process the GTP-U packet according to a predetermined detection policy in response to the SIP REFER message being an abnormal SIP REFER message, wherein the SIP REFER message is transmitted to receiver UE by a CSCF server where sender UE of the SIP REFER message is registered.
According to another exemplary embodiment of the invention, a system for detecting an abnormal SIP REFER message in a 4G mobile network, includes: an apparatus for detecting an abnormal SIP REFER message, configured to detect an abnormal SIP REFER message by using session information; and an apparatus for collecting session information, configured to extract GTP-C packet information from a GTP-C packet and generate the session information based on the extracted GTP-C packet information, wherein the apparatus for detecting an abnormal SIP REFER message, includes: a session information storage unit configured to receive session information including a second TEID and a second UE identification number from the apparatus for collecting session information and store the received session information; a GTP-U packet information extraction unit configured to extract a first TEID from the header of a GTP-U packet and a first UE identification number from an SIP REFER message in the payload of the GTP-U packet; a packet processing unit configured to perform an abnormal SIP REFER message detection operation by determining whether the SIP REFER message is an abnormal SIP REFER message based on results of comparison of the first and second TEIDs and the first and second UE identification numbers; and a packet processing unit configured to process the GTP-U packet according to a predetermined detection policy in response to the SIP REFER message being an abnormal SIP REFER message, and the apparatus for collecting session information, includes: a GTP-C packet information extraction unit configured to extract the second TEID and the second UE identification number from the payload of the GTP-C packet; and a session information generation unit configured to generate the session information including the second TEID and the second UE identification number, wherein the SIP REFER message is transmitted to receiver UE by a CSCF server where sender UE of the SIP REFER message is registered.
According to another exemplary embodiment of the invention, a method of detecting an abnormal SIP REFER message in a 4G mobile network, includes: extracting a first TEID from the header of a GTP-U packet and a first UE identification number from an SIP REFER message from the payload of the GTP-U packet; determining whether the first TEID is identical to a second TEID of session information; in response to a determination being made that the first TEID is identical to the second TEID, determining whether the first UE identification number is identical to a second UE identification number corresponding to the second TEID; and in response to a determination being made that the first UE identification number is different from the second UE identification number, determining the SIP REFER message as being an abnormal SIP REFER message, wherein the SIP REFER message is transmitted to receiver UE by a CSCF server where sender UE of the SIP REFER message is registered.
According to the exemplary embodiments of the invention, in a 4th Generation (4G) mobile network, a first Tunnel Endpoint Identifier (TEID) and a first User Equipment (UE) identification number are extracted from the header of a General Packet Radio Service (GPRS) Tunneling Protocol (GTP)-U packet and a Session Initiation Protocol (SIP) REFER message in the payload of the GTP-U packet, respectively, and are then compared with a second TEID and a second UE identification number, respectively, included in session information. Accordingly, it is possible to effectively detect and drop an abnormal SIP REFER message which has a falsified UE identification number and may be used in an illegitimate attempt to leak information from a Call Session Control Function (CSCF) server.
FIG. 1 is a block diagram of an apparatus for detecting an abnormal Session Initiation Protocol (SIP) REFER message, according to an exemplary embodiment of the invention.
FIG. 2 is a diagram illustrating the transmission of an SIP REFER message.
FIG. 3 is a diagram for explaining an abnormal SIP REFER message that can be transmitted in a 4th Generation (4G) mobile network.
FIG. 4 is a block diagram of a Call Session Control Function (CSCF) server that processes an SIP REFER message.
FIG. 5 is a diagram illustrating how information can be leaked from a CSCF server by an abnormal SIP REFER message.
FIG. 6 is a diagram for explaining values included in an SIP REFER message.
FIG. 7 is a table for explaining session information present in a session information storage unit illustrated in FIG. 1.
FIG. 8 is a table for explaining abnormal SIP REFER message detection information.
FIG. 9 is a flowchart illustrating a method of detecting an abnormal SIP REFER message, according to an exemplary embodiment of the invention.
FIG. 10 is a block diagram of an apparatus for detecting an abnormal SIP REFER message, according to another exemplary embodiment of the invention.
FIG. 11 is a diagram illustrating the creation of a General Packet Radio Service (GPRS) Tunneling Protocol (GTP) tunnel in a 4th Generation (4G) mobile network.
FIG. 12 is a block diagram of a system for detecting an abnormal SIP REFER message, according to an exemplary embodiment of the invention.
FIG. 13 is a diagram illustrating the structure of a 4G mobile network to which an apparatus or system for detecting an abnormal SIP REFER message according to exemplary embodiments of the invention is applied.
Advantages and features of the invention and methods of accomplishing the same may be understood more readily by reference to the following detailed description of exemplary embodiments and the accompanying drawings. The invention may, however, be embodied in many different provides and should not be construed as being limited to the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete and will fully convey the concept of the invention to those skilled in the art, and the invention will only be defined by the appended claims. Like reference numerals refer to like elements throughout the specification.
Each block represents a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that in some alternative implementations, the functions noted in the blocks may occur out of the order noted herein. For example, two blocks shown herein in succession may in fact be executed substantially concurrently or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved, as will be further clarified hereinbelow.
Although the terms “first, second, and so forth” are used to describe diverse constituent elements, such constituent elements are not limited by the terms. The terms are used only to discriminate a constituent element from other constituent elements. Accordingly, in the following description, a first constituent element may be a second constituent element.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting. As used herein, the singular forms “a,” “an,” and “the” are intended to include the plural forms, including “at least one,” unless the content clearly indicates otherwise. It will be further understood that the terms “comprises” and/or “comprising,” or “includes” and/or “including” when used in this specification, specify the presence of stated features, regions, integers, steps, operations, elements, and/or components, but do not preclude the presence or addition of one or more other features, regions, integers, steps, operations, elements, components, and/or groups thereof.
Unless indicated otherwise, it is to be understood that all the terms used in the specification including technical and scientific terms have the same meanings as those as understood by a person skilled in the art. It should be understood that the terms defined by a dictionary must be identical with the meanings within the context of the related art, and they should not be ideally or excessively formally defined unless the context clearly dictates otherwise.
FIG. 1 is a block diagram of an apparatus for detecting an abnormal Session Initiation Protocol (SIP) REFER message, according to an exemplary embodiment of the invention.
Referring to FIG. 1, an apparatus 100 for detecting an abnormal SIP REFER message, includes Network Interface Cards (NICs) 110a and 110b, a packet information extraction unit 120, a packet analysis unit 130, a session information storage unit 140, a detection information storage unit 150, and a packet processing unit 160.
The NIC 110a receives a General Packet Radio Service (GPRS) Tunneling Protocol (GTP)-U packet, and transmits the GTP-U packet to the packet information extraction unit 120. The NIC 110b forwards or drop the GTP-U packet in accordance with a control signal. The NICs 110a and 110b may be typical NICs or hardware acceleration NICs.
The GTP-U packet is used for transmitting a user packet within a mobile communication network. The GTP-U packet, which is processed by the NICs 110a and 110b, may be a GTP-U packet forwarded from User Equipment (UE) to an external network (for example, the Internet).
The packet information extraction unit 120 extracts various packet information from the GTP-U packet. The packet information extraction unit 120 may process the extracted packet information into structured data, and may transmit the processed packet information to the packet analysis unit 130.
The packet information extraction unit 120 may extract a Tunnel Endpoint Identifier (TEID) from the header of the GTP-U packet as information for detecting an abnormal SIP REFER message. The TEID extracted by the packet information extraction unit 120 may be an uplink TEID. The term “uplink”, as used herein, may indicate the transmission of a GTP-U packet from UE to an external network, and the term “downlink”, as used herein, may indicate the transmission of a GTP-U packet from an external network to UE.
The packet information extraction unit 120 may extract an SIP REFER message included in the payload of the GTP-U packet. The packet information extraction unit 120 may extract a UE identification number from the SIP REFER message. For example, the UE identification number may be a Mobile Subscriber Integrated Service Digital Network (ISDN) Number (MSISDN), but the invention is not limited thereto.
The packet information extraction unit 120 may determine whether an SIP REFER message exists in the payload of the GTP-U packet, and may extract information for detecting an abnormal SIP REFER message in response to a determination being made that there exists an SIP REFER message in the payload of the GTP-U packet.
FIG. 2 is a diagram illustrating the transmission of an SIP REFER message.
Referring to FIG. 2, first UE 1100a and second UE 1100b may exchange an “INVITE” message, a “200 OK” message and an “ACK” message with each other, and as a result, a first session may be established between the first UE 1100a and the second UE 1100b.
Thereafter, the second UE 1100b may transmit a “reINVITE (hold)” message to the first UE 1100a and may thus request the first UE 1100a to stand by. Thereafter, a “200 OK” message and an “ACK” message may be transmitted between the first UE 1100a and the second UE 1100b.
The second UE 1100b and third UE 1100c may exchange an “INVITE” message, a “200 OK” message and an “ACK” message with each other, and as a result, a second session may be established between the second UE 1100b and the third UE 1100c.
The second UE 1100b may transmit a REFER message to the first UE 1100a and may thus request the first UE 1100a to connect a call to the third UE 1100c. Thereafter, the first UE 1100a may transmit a “202 Accepted” message to the second UE 1100b and an “INVITE” message to the third UE 1100c. Thereafter, the first UE 1100a and the third UE 1100c may exchange a “200 OK” message and an “ACK” message with each other, and as a result, a third session may be established between the first UE 1100a and the third UE 1100c.
Thereafter, the first UE 1100a may transmit a “NOTIFY” message to the second UE 1100b and may thus notify the second UE 1100b of the results of the connection of a call between the first UE 1100a and the third UE 1100c. Thereafter, the second UE 1100b may transmit a “200 OK” message to the first UE 1100a and may exchange a “BYE” message and a “200 OK” message with each of the first UE 1100a and the third UE 1100c. As a result, the call between the second UE 1100a and the third UE 1100c may be terminated.
An SIP REFER message may be a message used by one of two UEs with a VoLTE call connected therebetween to request the other UE to connect a VoLTE call to another UE.
To generate abnormal SIP REFER message detection information, the packet information extraction unit 120 may extract information from a TEID field in the header of a GTP-U packet and from an MSISDN field, a destination IP field, a destination port field, a source IP field and a source port field in the payload of a GTP-U packet.
An abnormal SIP REFER message may be an SIP REFER message with a falsified sender UE identification number.
FIG. 3 is a diagram for explaining an abnormal SIP REFER message that can be transmitted in a 4th Generation (4G) mobile network.
Referring to FIG. 3, a 4G mobile network may include an evolved Node B (eNB) 1200 and a Serving Gateway (S-GW) 1400.
The eNB 1200 may be connected to the S-GW 1400, and an S1-U GTP tunnel may be created between the eNB 1200 and the S-GW 1400. The S1-U GTP tunnel may be a GTP tunnel for transmitting data. A GTP-U packet 10 may be transmitted from the eNB 1200 to the S-GW 1400 via the S1-U GTP tunnel.
Even though not specifically illustrated in FIG. 3, the S-GW 1400 may transmit the GTP-U packet 10 received from the eNB 1200 to a Packet Data Network (PDN) Gateway (P-GW) (not illustrated).
An Internet Protocol (IP) header, a User Datagram Protocol (UDP) header and a GTP-U header for a GTP tunnel may be combined into the header of the GTP-U packet 10, and a user packet may be capsulated into the payload of the GTP-U packet 10. The GTP-U header of the GTP-U packet 10 may include a TEID. The user packet may include an SIP REFER message. The SIP REFER message may include a UE identification number of sender UE of the SIP REFER message and a UE identification number of receiver UE of the SIP REFER message.
FIG. 3 illustrates an SIP REFER message with a falsified sender UE identification number.
FIG. 4 is a block diagram of a Call Session Control Function (CSCF) server that processes an SIP REFER message.
Referring to FIG. 4, in response to the second UE 1100b transmitting a REFER message to the first UE 1100a, a Serving Call Session Control Function (S-CSCF) server 2300b where information relating to the second UE 1100b is registered may receive and process the REFER message, and may transmit the processed REFER message to an S-CSCF server 2300a where information relating to the first UE 1100a is registered. The first UE 1100a may receive the REFER message from the S-CSCF server 2300a.
No logic for processing a REFER message exists in UE. Instead, an S-CSCF server can receive and process an REFER message. A REFER message may be transmitted from sender UE to receiver UE by an S-CSCF server where information relating to the sender UE is registered.
For this reason, an abnormal SIP REFER message with a falsified sender UE identification number may possibly be misused to leak information from a CSCF server that constitutes an IMS network.
FIG. 5 is a diagram illustrating how information can be leaked from a CSCF server by an abnormal SIP REFER message.
Referring to FIG. 5, an attacker 1600 may enter a predetermined UE identification information into a sender UE information field and his or her UE identification number into a receiver UE information field, thereby generating an abnormal SIP REFER message, and may transmit the abnormal SIP REFER message via a CSCF band. The abnormal SIP REFER message may be transmitted from a 4G network 1000 to an IMS network 2000, and particularly, to one of a plurality of S-CSCF servers 2300 in the IMS network 2000 via a Proxy-CSCF (P-CSCF) server 2100 and an Interrogating-CSCF (I-CSCF) server 2200.
The attacker 1600 may transmit a plurality of abnormal SIP REFER messages and may thus attack the S-CSCF servers 2300. The attacker 1600 may enter his or her UE identification number into a receiver UE information field of each of the abnormal SIP REFER messages (OK?) and may thus identify scan results. More specifically, in a case in which UE information of the attacker 1600 is not registered in an S-CSCF server 2300 receiving a first REFER message R1 transmitted by the attacker 1600, the attacker 1600 may receive a “403 FORBIDDEN” message as a response message R1_R for the first REFER message R1. In a case in which an S-CSCF server 2300 receiving a second REFER message R2 transmitted by the attacker 1600 cannot process an SIP message, the attacker 1600 may receive a “500 INTERNAL SERVER ERROR” message as a response message R2_R for the second REFER message R2. In a case in which the UE information of the attacker 1600 is registered in an S-CSCF server 2300 receiving a third REFER message R3 transmitted by the attacker 1600, the attacker 1600 may receive the third REFER message R3 back as a response message R3_R for the third REFER message R3, and may thus be able to obtain information such as the IP address of the S-CSCF server 2300.
The apparatus 100 may store a TEID and a UE identification number that are allocated upon the creation of a GTP tunnel in advance as session information, and may compare a TEID and a UE identification number that are extracted from a GTP-U packet with the session information to detect an abnormal SIP REFER message.
FIG. 6 is a diagram for explaining values included in an SIP REFER message.
Referring to FIG. 6, an SIP REFER message may include a message header and a message body. Each of the message header and the message body of the SIP message may include various fields.
For example, the message header of the SIP REFER message may include a “From” field and a “To” field, and a UE identification number may be recorded in each of the “From” field and the “To” field. Normally, a sender UE identification number and a receiver UE identification number may be recorded in the “From” field and the “To” field, respectively.
However, in response to the SIP REFER message being an abnormal SIP REFER message, a UE identification number of UE to be attacked may be recorded in the “From” field, and a UE identification number of attacker UE may be recorded in the “To” field.
To detect any falsified sender UE identification number from an SIP REFER message, the packet information extraction unit 120 may extract a UE identification number from the “From” field of the message header of the SIP REFER message.
Even though not specifically illustrated in FIG. 6, the message header of an SIP REFER message may also include other fields than those set forth herein, for recording a UE identification number. In this exemplary embodiment, the packet information extraction unit 120 may also extract a UE identification number from each of the other fields.
For a proper distinction between TEIDs and between UE identification numbers, a TEID and a UE identification number that are extracted from a GTP-U packet will hereinafter be referred to as a first TEID and a first UE identification number, respectively, and a TEID and a UE identification number that are included in session information will hereinafter be referred to as a second TEID and a second UE identification number, respectively.
Referring back to FIG. 1, the packet analysis unit 130 may perform an abnormal SIP REFER message detection operation. The packet analysis unit 130 may compare first and second TEIDs with each other and first and second UE identification numbers with each other and may detect an abnormal SIP REFER message based on the results of the comparison.
The session information storage unit 140 may store session information including the second TEID and the second UE identification number in advance. The second TEID and the second UE identification number may be extracted from a GTP-C packet. The GTP-C packet may be used for signaling within a mobile communication network, such as setting, updating or deleting a call.
FIG. 7 is a table for explaining session information stored in a session information storage unit illustrated in FIG. 1.
Referring to FIG. 7, session information includes a second TEID and a second UE identification number. The second TEID may be an uplink data TEID. The second TEID may be the TEID of a GTP-U packet forwarded from UE to an external network. The second UE identification number may be an MSISDN. The second UE identification number may be stored, mapped to the second TEID.
Referring back to FIG. 1, to compare the first TEID and the first UE identification number extracted from a GTP-U packet with session information, the packet analysis unit 130 may determine whether there exists a second TEID identical to the first TEID in the session information. In response to a determination being made that a second TEID identical to the first TEID exists in the session information, the packet analysis unit 130 may extract a second UE identification number corresponding to the second TEID from the session information. The packet analysis unit 130 may determine whether the first UE identification number and the extracted second UE identification number are identical to each other. In response to a determination being made that the first UE identification number and the extracted second UE identification number are different, the packet analysis unit 130 may determine an SIP REFER message included in the GTP-U packet as being an abnormal SIP REFER message.
FIG. 8 is a table for explaining abnormal SIP REFER message detection information.
Referring to FIG. 8, the detection information storage unit 150 may create and store abnormal REFER message detection information (or an abnormal REFER message detection log) in accordance with the results of the detection of an abnormal SIP REFER message.
For example, the abnormal REFER message detection information may include a detection time field, a detected item field, a UE identification number field and a detection result field, and may also include a TEID field, a destination IP field, a destination port field, a source IP/port field, and a falsified UE identification number field.
Referring back to FIG. 1, the packet processing unit 160 may process a GTP-U packet with a detected abnormal SIP REFER message according to a predetermined detection policy. The packet processing unit 160 may control the NIC 110b to forward or drop the GTP-U packet with the detected abnormal SIP REFER message. The expression “forward a GTP-U packet”, as used herein, may indicate transmitting a GTP-U packet to its destination IP address, and the expression “drop a GTP-U packet, as used herein, may indicate not transmitting the GTP-U packet to its destination IP address.
In the apparatus 100, the NICs 110a and 110b, the packet information extraction unit 120, the packet analysis unit 130, the session information storage unit 140, the detection information storage unit 150, and the packet processing unit 160 are provided as separate elements. Various modifications may be made to the structure of the apparatus 100 without departing from the scope of the invention. For example, in an alternative exemplary embodiment, some of the elements of the apparatus 100 may be incorporated into a single unit or module.
FIG. 9 is a flowchart illustrating a method of detecting an abnormal SIP REFER message, according to an exemplary embodiment of the invention.
Referring to FIG. 9, the NIC 110a receives a GTP-U packet (S201).
The packet extraction unit 120 determines whether the destination port of the GTP-U packet is an SIP port (S202). For example, the packet extraction unit 120 may determine whether the destination port of the GTP-U packet has a value of “5060”, and may determine the GTP-U packet as including an SIP message in response to a determination being made that the destination port of the GTP-U packet has a value of “5060”.
The packet extraction unit 120 determines whether the SIP message in the payload of the GTP-U packet is an SIP REFER message (S203). In response to a determination being made that the SIP message in the payload of the GTP-U packet is not an SIP REFER message, the packet analysis unit 130 may not perform an abnormal SIP REFER message detection operation.
In response to a determination being made that there exists an SIP REFER message in the payload of the GTP-U packet, the packet extraction unit 120 extracts a first TEID from the header of the GTP-U packet and a first UE identification number from the SIP REFER message (S204). As described above, the first TEID may be an uplink data TEID. The packet information extraction unit 120 may process various packet information into structured data.
The packet analysis unit 130 determines whether a second TEID identical to the first TEID exists in session information (S205).
In response to a determination being made that there exists a second TEID identical to the first TEID in the session information, the packet analysis unit 130 extracts the first UE identification number from the processed packet information provided by the packet information extraction unit 120 (S206). As described above, the first UE identification number may be an MSISDN.
The packet analysis unit 130 may determine whether the first UE identification number and a second UE identification number are identical (S207). As described above, the packet analysis unit 140 may extract a second UE identification number corresponding to the second TEID from the session information, and may determine whether the first UE identification number and the second UE identification number are identical.
In response to a determination being made that the first UE identification number and the second UE identification number are different, the packet analysis unit 130 may determine the SIP REFER message as being an abnormal SIP REFER message, and the detection information storage unit 150 may create and store abnormal SIP REFER message detection information (S208). As described above, the abnormal REFER message detection information may include a detection time field, a detected item field, a UE identification number field, a detection result field indicating whether to drop the abnormal SIP REFER message, a TEID field, a destination IP field, a destination port field, a source IP/port field, and a falsified UE identification number field.
The packet processing unit 160 processes the GTP-U packet with the abnormal SIP REFER message according to a predetermined detection policy (S209).
FIG. 10 is a block diagram of an apparatus for detecting an abnormal SIP REFER message, according to another exemplary embodiment of the invention. For convenience, the exemplary embodiment of FIG. 10 will hereinafter be described, focusing mainly on differences with the exemplary embodiment of FIG. 1.
Referring to FIG. 10, an apparatus 300 for detecting an abnormal SIP REFER message, includes NICs 310a and 310b, a packet classification unit 320, a GTP-C packet information extraction unit 330, a session information generation unit 340, a session information storage unit 350, a GTP-U packet information extraction unit 360, a packet analysis unit 370, a detection information storage unit 380, and a packet processing unit 390.
The NIC 310a receives a GTP packet, and transmits the GTP packet to the packet classification unit 320. The NIC 310b forwards or drops the GTP packet in accordance with a control signal provided by the packet processing unit 390.
The packet classification unit 320 classifies the GTP packet. More specifically, the packet classification unit 370 may classify the GTP packet as a GTP-C packet or a GTP-U packet. The packet classification unit 370 may transmit a GTP-C packet to the GTP-C packet information extraction unit 330 and may transmit a GTP-U packet to the GTP-U packet information extraction unit 360.
The GTP-C packet information extraction unit 330 may extract various packet information from a GTP-C packet. For example, the GTP-C packet may include a “Create Session Request” message and a “Create Session Response” message. The GTP-C packet information extraction unit 330 may extract a second UE identification number from the payload of the “Create Session Request” message and a second TEID from the payload of the “Create Session Response” message.
The session information generation unit 340 may generate session information including a second TEID and a second UE identification number. The session information generation unit 340 may store the generated session information in the session information storage unit 350.
The packet processing unit 390 may control the NIC 310b to forward a GTP-C packet.
FIG. 11 is a diagram illustrating the creation of a GTP tunnel in a 4G mobile network.
Referring to FIG. 11, a “Create Session Request” message and a “Create Session Response” message may be transmitted to create a GTP tunnel in a 4G mobile network. The “Create Session Request” message and the “Create Session Response” message may be transmitted as GTP-C packets.
More specifically, UE 1100 may transmit an “Attach Request” message to a Mobility Management Entity (MME) 1300, and the MME 1300 may transmit a “Create Session Request” message to an S-GW 1400. The S-GW 1400 may transmit the “Create Session Request” message to a P-GW 1500. In reply to the “Create Session Request” message, the P-GW 1500 may transmit a “Create Session Response” message to the S-GW 1400 and may thus create an S5 GTP tunnel between the S-GW 1400 and the P-GW 1500. The S-GW 1400 may transmit the “Create Session Response” message to the MME 1300 and may thus create an S11 GTP tunnel between the MME 1300 and the S-GW 1400. The MME 1300 may transmit an “Attach Response” message to the UE 1100 and may thus create an S1-U GTP tunnel between an eNB 1200 and the S-GW 1400.
Even though not specifically illustrated in FIG. 11, messages may be additionally transmitted between the eNB 1200 and the MME 1300 and between the MME 1300 and the S-GW 1400 before the creation of the S1-U GTP tunnel.
During the creation of a GTP tunnel, the GTP-C packet information extraction unit 330 may extract a second TEID and a second UE identification number from a “Create Session Request” message and a “Create Session Response” message. A UE identification number used to generate session information may be compared with a UE identification number included in the SIP REFER message of a GTP-U packet after the creation of a session.
FIG. 12 is a block diagram of a system for detecting an abnormal SIP REFER message, according to an exemplary embodiment of the invention. For convenience, the exemplary embodiment of FIG. 12 will hereinafter be described, focusing mainly on differences with the exemplary embodiment of FIG. 11.
Referring to FIG. 12, a system 400 for detecting an abnormal SIP REFER message, includes an apparatus 410 for collecting session information and an apparatus 420 for detecting an abnormal SIP REFER message.
The apparatus 410 may include NICs 411a and 411b, a GTP-C packet information extraction unit 412, and a session information generation unit 413. The apparatus 410 may extract GTP-C packet information from a GTP-C packet and may generate session information based on the extracted GTP-C packet information.
The apparatus 420 may include NICs 421a and 421b, a GTP-U packet information extraction unit 422, a packet analysis unit 423, a session information storage unit 424, a detection information generation unit 425, and a packet processing unit 425. The apparatus 420 may detect an abnormal SIP REFER message by using the session information provided by the apparatus 410.
The system 400 is illustrated in FIG. 12 as including two physically separate elements, i.e., an element for extracting a TEID and a first UE identification number from a GTP-U packet and detecting an abnormal SIP ERFER message in accordance with the results of comparison of the first UE identification number with session information and an element for extracting a second TEID and a second UE identification number from a GTP-C packet and generating session information including the second TEID and the second UE identification number.
The session information storage unit 424 may store the session information provided by the apparatus 410.
FIG. 13 is a diagram illustrating the structure of a 4G mobile network to which an apparatus or system for detecting an abnormal SIP REFER message, according to exemplary embodiments of the invention is applied.
Referring to FIG. 13, a 4G mobile network 1000 may include UE 1100, an eNB 1200, an MME 1300, an S-GW 1400 and a P-GW 1500.
The UE 1100 may be a subscriber mobile terminal of the 4G mobile network 1000. The eNB 1200 may be a base station providing wireless connection between the UE 1100 and the 4G mobile network 1000. The MME 130 and the S-GW 1400 may exchange a GTP-C packet with each other via an S11 GTP tunnel. The eNB 1200 and the S-GW 1400 may exchange a GTP-U packet with each other via an S1-U GTP tunnel. The S-GW 1400 and the P-GW 1500 may exchange a GTP-C packet or a GTP-U packet with each other via an S5 GTP tunnel. The P-GW 1500 may be connected to an external network, for example, an IMS network 2000.
The P-GW 1500 may be connected to a P-CSCF 2100 in the IMS network 2000, and may transmit or receive an SIP message.
In the 4G mobile network 1000, the S11 GTP tunnel may be a path for session control, the S1-U GTP tunnel may be a path for data traffic, and the S5 GTP tunnel may be a path for both session control and data traffic.
The apparatus 100 or 300 of FIG. 1 or 10 may be provided at a point P1 between the eNB 1200 and the S-GW 1400, a point P2 between the MME 1300 and the S-GW 1400 or a point P3 between the S-GW 1400 and the P-GW 1500. The apparatus 100 or 300 of FIG. 1 or 10 may be provided as an element of the S-GW 1400 or the P-GW 1500. The apparatus 410 of the system 400 of FIG. 12 may be provided at the point P2 between the MME 1300 and the S-GW 1400, and the apparatus 420 of the system 400 of FIG. 12 may be provided at the point P1 between the eNB 1200 and the S-GW 1400.
The apparatus 100 or 300 or the system 400 may be provided at the point P1, P2 or P3 within the 4G mobile network 1000. Accordingly, it is possible to effectively detect and drop an abnormal SIP REFER message which has a falsified UE identification number and may be used in an illegitimate attempt to leak information from a CSCF server.
The steps and/or actions of a method or algorithm described in connection with the aspects disclosed herein may be embodied directly in hardware, in a software module executed by a processor, or in a combination of the two. A software module may reside in a RAM memory, flash memory, a ROM memory, an EPROM memory, an EEPROM memory, registers, a hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art. An exemplary storage medium may be coupled to the processor, such that the processor can read information from, and write information to, the storage medium. In the alternative, the storage medium may be integral to the processor. Further, in some aspects, the processor and the storage medium may reside in an ASIC. Additionally, the ASIC may reside in a user terminal. In the alternative, the processor and the storage medium may reside as discrete components in a user terminal.
While the invention has been particularly shown and described with reference to exemplary embodiments thereof, it will be understood by those of ordinary skill in the art that various changes in provide and detail may be made therein without departing from the spirit and scope of the invention as defined by the following claims. The exemplary embodiments should be considered in a descriptive sense only and not for purposes of limitation.

Claims (22)

  1. An apparatus for detecting an abnormal Session Initiation Protocol (SIP) REFER message in a 4th Generation (4G) mobile network, the apparatus comprising:
    a packet information extraction unit configured to extract a first Tunnel Endpoint Identifier (TEID) from the header of a General Packet Radio Service (GPRS) Tunneling Protocol (GTP)-U packet and a first User Equipment (UE) identification number from an SIP REFER message in the payload of the GTP-U packet;
    a session information storage unit configured to store session information, including a second TEID and a second UE identification number;
    a packet analysis unit configured to perform an abnormal SIP REFER message detection operation by determining whether the SIP REFER message is an abnormal SIP REFER message based on whether the first and second TEIDs are identical and whether the first and second UE identification numbers are different; and
    a packet processing unit configured to process the GTP-U packet according to a predetermined detection policy in response to the SIP REFER message being an abnormal SIP REFER message,
    wherein the SIP REFER message is transmitted to receiver UE by a Call Session Control Function (CSCF) server where sender UE of the SIP REFER message is registered.
  2. The apparatus of claim 1, wherein the packet information extraction unit is further configured to extract the first UE identification number from a “From” field of the SIP REFER message.
  3. The apparatus of claim 1, wherein the packet analysis unit is further configured to perform the abnormal SIP REFER message detection operation in response to a destination port of the GTP-U packet being an SIP port.
  4. The apparatus of claim 1, wherein the packet information extraction unit is further configured to determine whether the SIP REFER message exists in the payload of the GTP-U packet and extract the first TEID and the first UE identification in response to a determination being made that the SIP REFER message exists in the payload of the GTP-U packet.
  5. The apparatus of claim 1, further comprising:
    a detection information storage unit configured to store abnormal SIP REFER message detection information relating to the abnormal SIP REFER message.
  6. The apparatus of claim 5, wherein the abnormal SIP REFER message detection information includes a detection time field, a detected item field, a UE identification number field, a detection result field indicating whether to drop the abnormal SIP REFER message, a TEID field, a destination Internet Protocol (IP) field, a destination port field, a source IP field, and a source port field.
  7. An apparatus for detecting an abnormal SIP REFER message in a 4G mobile network, the apparatus comprising:
    a GTP-U packet information extraction unit configured to extract a first TEID from the header of a GTP-U packet and a first UE identification number from an SIP REFER message in the payload of the GTP-U packet;
    a GTP-C packet information extraction unit configured to extract a second TEID and a second UE identification number from the payload of a GTP-C packet;
    a session information storage unit configured to store session information, including the second TEID and the second UE identification number;
    a packet analysis unit configured to perform an abnormal SIP REFER message by determining whether the SIP REFER message is an abnormal SIP REFER message based on results of comparison of the first and second TEIDs and the first and second UE identification numbers; and
    a packet processing unit configured to process the GTP-U packet according to a predetermined detection policy in response to the SIP REFER message being an abnormal SIP REFER message,
    wherein the SIP REFER message is transmitted to receiver UE by a CSCF server where sender UE of the SIP REFER message is registered.
  8. The apparatus of claim 7, wherein the packet information extraction unit is further configured to extract the first UE identification number from a “From” field of the SIP REFER message.
  9. The apparatus of claim 7, wherein the GTP-C packet includes a “Create Session Request” message and a “Create Session Response” message and the GTP-C packet information extraction unit is further configured to extract the second UE identification number from the “Create Session Request” message and the second TEID from the “Create Session Response” message.
  10. The apparatus of claim 7, further comprising:
    a detection information storage unit configured to store abnormal SIP REFER message detection information relating to the abnormal SIP REFER message.
  11. The apparatus of claim 7, wherein the GTP-C packet and the GTP-U packet are transmitted via an S5 tunnel established between a Serving Gateway (S-GW) and a Packet Data Network (PDN) Gateway (P-GW).
  12. A system for detecting an abnormal SIP REFER message in a 4G mobile network, the system comprising:
    an apparatus for detecting an abnormal SIP REFER message, configured to detect an abnormal SIP REFER message by using session information; and
    an apparatus for collecting session information, configured to extract GTP-C packet information from a GTP-C packet and generate the session information based on the extracted GTP-C packet information,
    wherein the apparatus for detecting an abnormal SIP REFER message, comprises:
    a session information storage unit configured to receive session information including a second TEID and a second UE identification number from the apparatus for collecting session information and store the received session information;
    a GTP-U packet information extraction unit configured to extract a first TEID from the header of a GTP-U packet and a first UE identification number from an SIP REFER message in the payload of the GTP-U packet;
    a packet processing unit configured to perform an abnormal SIP REFER message detection operation by determining whether the SIP REFER message is an abnormal SIP REFER message based on results of comparison of the first and second TEIDs and the first and second UE identification numbers; and
    a packet processing unit configured to process the GTP-U packet according to a predetermined detection policy in response to the SIP REFER message being an abnormal SIP REFER message, and
    the apparatus for collecting session information, comprises:
    a GTP-C packet information extraction unit configured to extract the second TEID and the second UE identification number from the payload of the GTP-C packet; and
    a session information generation unit configured to generate the session information including the second TEID and the second UE identification number,
    wherein the SIP REFER message is transmitted to receiver UE by a CSCF server where sender UE of the SIP REFER message is registered.
  13. The system of claim 12, wherein the packet information extraction unit is further configured to extract the first UE identification number from a “From” field of the SIP REFER message.
  14. The system of claim 12, wherein the packet analysis unit is further configured to perform the abnormal SIP REFER message detection operation in response to a destination port of the GTP-U packet being an SIP port.
  15. The system of claim 12, wherein the GTP-C packet includes a “Create Session Request” message and a “Create Session Response” message and the GTP-C packet information extraction unit is further configured to extract the second UE identification number from the “Create Session Request” message and the second TEID from the “Create Session Response” message.
  16. The system of claim 12, further comprising:
    a detection information storage unit configured to store abnormal SIP REFER message detection information relating to the abnormal SIP REFER message.
  17. The system of claim 12, wherein the GTP-C packet is transmitted via an S11 tunnel established between a Mobility Management Entity (MME) and an S-GW and the GTP-U packet is transmitted via an S1-U tunnel established between an evolved Node B (eNB) and the S-GW.
  18. A method of detecting an abnormal SIP REFER message in a 4G mobile network, the method comprising:
    extracting a first TEID from the header of a GTP-U packet and a first UE identification number from an SIP REFER message from the payload of the GTP-U packet;
    determining whether the first TEID is identical to a second TEID of session information;
    in response to a determination being made that the first TEID is identical to the second TEID, determining whether the first UE identification number is identical to a second UE identification number corresponding to the second TEID; and
    in response to a determination being made that the first UE identification number is different from the second UE identification number, determining the SIP REFER message as being an abnormal SIP REFER message,
    wherein the SIP REFER message is transmitted to receiver UE by a CSCF server where sender UE of the SIP REFER message is registered.
  19. The method of claim 18, further comprising:
    in response to the SIP REFER message being determined to be an abnormal SIP REFER message, processing the GTP-U packet according to a predetermined detection policy.
  20. The method of claim 19, wherein the extracting the first TEID and the first UE identification number, comprises extracting the first UE identification number from a “From” field of the SIP REFER message.
  21. The method of claim 18, further comprising:
    Determining whether the SIP REFER message exists in the payload of the GTP-U packet,
    wherein the extracting the first TEID and the first UE identification number, comprises extracting the first TEID from the header of the GTP-U packet and the first UE identification number from the SIP REFER message in the payload of the GTP-U packet in response to a determination being made that the SIP REFER message exists in the payload of the GTP-U packet.
  22. The method of claim 18, further comprising:
    storing abnormal SIP REFER message detection information relating to the abnormal SIP REFER message.
PCT/KR2014/008835 2013-12-06 2014-09-23 Apparatus and method for detecting abnormal sip refer message in 4g mobile networks WO2015083925A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
KR1020130151530A KR101516233B1 (en) 2013-12-06 2013-12-06 Apparatus and method for detecting abnormal sip refer message in 4g mobile networks
KR10-2013-0151530 2013-12-06

Publications (1)

Publication Number Publication Date
WO2015083925A1 true WO2015083925A1 (en) 2015-06-11

Family

ID=53273647

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/KR2014/008835 WO2015083925A1 (en) 2013-12-06 2014-09-23 Apparatus and method for detecting abnormal sip refer message in 4g mobile networks

Country Status (2)

Country Link
KR (1) KR101516233B1 (en)
WO (1) WO2015083925A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2019133913A1 (en) * 2017-12-29 2019-07-04 Arista Networks, Inc. System for network event detection and analysis

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR20110003086A (en) * 2009-07-03 2011-01-11 한국해양연구원 Session initiation protocol sever and session transfer method based network and the recording media storing the program performing the said method
KR20120100872A (en) * 2012-08-13 2012-09-12 한국인터넷진흥원 Apparatus and method for ip spoofing detectng in mobile environment using gtp
JP5220131B2 (en) * 2008-01-28 2013-06-26 リサーチ イン モーション リミテッド Method and system for providing session initiation protocol request content

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP5220131B2 (en) * 2008-01-28 2013-06-26 リサーチ イン モーション リミテッド Method and system for providing session initiation protocol request content
KR20110003086A (en) * 2009-07-03 2011-01-11 한국해양연구원 Session initiation protocol sever and session transfer method based network and the recording media storing the program performing the said method
KR20120100872A (en) * 2012-08-13 2012-09-12 한국인터넷진흥원 Apparatus and method for ip spoofing detectng in mobile environment using gtp

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
NMC CONSULTING GROUP.: "LTE network architecture", Retrieved from the Internet <URL:www.netmanias.com> *

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2019133913A1 (en) * 2017-12-29 2019-07-04 Arista Networks, Inc. System for network event detection and analysis

Also Published As

Publication number Publication date
KR101516233B1 (en) 2015-05-04

Similar Documents

Publication Publication Date Title
WO2015030458A1 (en) Apparatus and method for detecting abnormal call
WO2012074198A1 (en) Terminal and intermediate node in content oriented networking environment and communication method of terminal and intermediate node
WO2012033383A2 (en) Nas communication method and apparatus in mobile telecommunication system
WO2014137136A1 (en) Method and system for parallelizing packet processing in wireless communication
WO2014142390A1 (en) Method and apparatus for paging terminated call in mobile communication system
WO2011037395A2 (en) Apparatus and method for multi-hop relay communication in broadband wireless communication system
WO2010002208A2 (en) Method for supporting an emergency call in a mobile communication system
US9992109B2 (en) Data transmission method, apparatus and system
WO2015083927A1 (en) Apparatus and method for detecting abnormal sdp message in 4g mobile networks
KR101228089B1 (en) Ip spoofing detection apparatus
WO2018128226A1 (en) Method for transmitting content on heterogeneous network and apparatus therefor
EP2815521A1 (en) Method and apparatus for supporting device-to-device communications
WO2016098997A1 (en) Apparatus, system and method for detecting abnormal volte registration message in 4g mobile network
WO2014038737A1 (en) Network traffic management system using monitoring policy and filtering policy, and method thereof
WO2017057955A1 (en) Methods and devices for supporting release of sipto bearer or lipa bearer in dual-connectivity architecture
WO2016108509A1 (en) Method and apparatus for allocating server in wireless communication system
WO2013094920A1 (en) Method and apparatus for dynamic policy interworking between pcrf and nat
WO2015083925A1 (en) Apparatus and method for detecting abnormal sip refer message in 4g mobile networks
EP3198928A2 (en) Call processing method and apparatus for use in lte system
WO2015083926A1 (en) Apparatus and method for detecting abnormal sip subscribe message in 4g mobile networks
WO2014098461A1 (en) Method and device for sms processing through ims network
WO2013115586A1 (en) Method and apparatus for transmitting and receiving packet in broadcasting system
WO2016114476A1 (en) Apparatus and method for volte session managemet in 4g mobile network
WO2016068475A1 (en) Apparatus and method for user session management in 4g mobile network
KR101499022B1 (en) Apparatus and method for detecting abnormal MMS message in 4G mobile network

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 14868234

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 14868234

Country of ref document: EP

Kind code of ref document: A1