WO2015083926A1 - Apparatus and method for detecting an abnormal SIP SUBSCRIBE message in 4G mobile networks - Google Patents

Apparatus and method for detecting an abnormal SIP SUBSCRIBE message in 4G mobile networks

Info

Publication number
WO2015083926A1
Authority
WO
WIPO (PCT)
Prior art keywords
packet
subscribe message
sip subscribe
gtp
identification number
Prior art date
Application number
PCT/KR2014/008838
Other languages
English (en)
Inventor
Chae Tae Im
Joo Hyung Oh
Se Kwon Kim
Jun Hyung Cho
Bon Min Koo
Seong Min Park
Su Jeong Woo
Original Assignee
Korea Internet & Security Agency
Application filed by Korea Internet & Security Agency

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L65/00 Network arrangements, protocols or services for supporting real-time applications in data packet communication
    • H04L65/10 Architectures or entities
    • H04L65/1016 IP multimedia subsystem [IMS]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L65/00 Network arrangements, protocols or services for supporting real-time applications in data packet communication
    • H04L65/1066 Session management
    • H04L65/1101 Session protocols
    • H04L65/1104 Session initiation protocol [SIP]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L65/00 Network arrangements, protocols or services for supporting real-time applications in data packet communication
    • H04L65/10 Architectures or entities
    • H04L65/102 Gateways
    • H04L65/1033 Signalling gateways
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L65/00 Network arrangements, protocols or services for supporting real-time applications in data packet communication
    • H04L65/1066 Session management
    • H04L65/1073 Registration or de-registration
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/12 Detection or prevention of fraud
    • H04W12/121 Wireless intrusion detection systems [WIDS]; Wireless intrusion prevention systems [WIPS]
    • H04W12/122 Counter-measures against attacks; Protection against rogue devices
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W80/00 Wireless network protocols or protocol adaptations to wireless operation
    • H04W80/08 Upper layer protocols
    • H04W80/10 Upper layer protocols adapted for application session management, e.g. SIP [Session Initiation Protocol]

Definitions

  • the invention relates to an apparatus and method for detecting an abnormal Session Initiation Protocol (SIP) SUBSCRIBE message, and more particularly, to an apparatus and method for detecting an abnormal SIP SUBSCRIBE message in a 4th Generation (4G) mobile network.
  • SIP Session Initiation Protocol
  • GTP General Packet Radio Service Tunneling Protocol
  • 3G 3rd Generation
  • 4G 4th Generation
  • a Session Initiation Protocol (SIP) message for setting a Voice over Long-Term Evolution (VoLTE) call may be included in a GTP packet and may then be transmitted.
  • the SIP message may include an SIP SUBSCRIBE message, which corresponds to the message body of the SIP message.
  • GTP has been designed to perform signaling and data transmission operations such as setting, updating and deleting a data call to provide various data services to user terminals (for example, smart phones), but does not consider any methods to detect an attack launched against a mobile communication network.
  • an SIP SUBSCRIBE message may be forwarded to an external network (for example, an Internet Protocol (IP) Multimedia Subsystem (IMS) network) without being hindered.
  • IP Internet Protocol
  • IMS IP Multimedia Subsystem
  • an SIP SUBSCRIBE message may cause a threat, for example, by being used in an illegitimate attempt to leak registration information, such as the Internet Protocol (IP) address of “victim” UE, from a Call Session Control Function (CSCF) server.
  • CSCF Call Session Control Function
  • Exemplary embodiments of the invention provide an apparatus for detecting an abnormal Session Initiation Protocol (SIP) SUBSCRIBE message that can be used in an illegitimate attempt to leak registration information, such as the Internet Protocol (IP) address of “victim” UE, from a Call Session Control Function (CSCF) server in a 4th Generation (4G) mobile network.
  • Exemplary embodiments of the invention also provide a method of detecting an abnormal SIP SUBSCRIBE message that can be used in an illegitimate attempt to leak registration information, such as the IP address of “victim” UE, from a CSCF server in a 4G mobile network.
  • an apparatus for detecting an abnormal Session Initiation Protocol (SIP) SUBSCRIBE message in a 4th Generation (4G) mobile network includes: a packet information extraction unit configured to extract a first Tunnel Endpoint Identifier (TEID) from the header of a General Packet Radio Service (GPRS) Tunneling Protocol (GTP)-U packet and a first User Equipment (UE) identification number from an SIP SUBSCRIBE message in the payload of the GTP-U packet; a session information storage unit configured to store session information, including a second TEID and a second UE identification number; a packet analysis unit configured to perform an abnormal SIP SUBSCRIBE message detection operation by determining whether the SIP SUBSCRIBE message is an abnormal SIP SUBSCRIBE message based on whether the first and second TEIDs are identical and whether the first and second UE identification numbers are different; and a packet processing unit configured to process the GTP-U packet according to a predetermined detection policy in response to
  • an apparatus for detecting an abnormal SIP SUBSCRIBE message in a 4G mobile network includes: a GTP-U packet information extraction unit configured to extract a first TEID from the header of a GTP-U packet and a first UE identification number from an SIP SUBSCRIBE message in the payload of the GTP-U packet; a GTP-C packet information extraction unit configured to extract a second TEID and a second UE identification number from the payload of a GTP-C packet; a session information storage unit configured to store session information, including the second TEID and the second UE identification number; a packet analysis unit configured to perform an abnormal SIP SUBSCRIBE message detection operation by determining whether the SIP SUBSCRIBE message is an abnormal SIP SUBSCRIBE message based on results of comparison of the first and second TEIDs and the first and second UE identification numbers; and a packet processing unit configured to process the GTP-U packet according to a predetermined detection policy in response to the
  • a system for detecting an abnormal SIP SUBSCRIBE message in a 4G mobile network includes: an apparatus for detecting an abnormal SIP SUBSCRIBE message, configured to detect an abnormal SIP SUBSCRIBE message by using session information; and an apparatus for collecting session information, configured to extract GTP-C packet information from a GTP-C packet and generate the session information based on the extracted GTP-C packet information, wherein the apparatus for detecting an abnormal SIP SUBSCRIBE message, includes: a session information storage unit configured to receive session information including a second TEID and a second UE identification number from the apparatus for collecting session information and store the received session information; a GTP-U packet information extraction unit configured to extract a first TEID from the header of a GTP-U packet and a first UE identification number from an SIP SUBSCRIBE message in the payload of the GTP-U packet; a packet processing unit configured to perform an abnormal SIP SUBSCRIBE message detection operation by determining
  • a method of detecting an abnormal SIP SUBSCRIBE message in a 4G mobile network includes: extracting a first TEID from the header of a GTP-U packet and a first UE identification number from an SIP SUBSCRIBE message from the payload of the GTP-U packet; determining whether the first TEID is identical to a second TEID of session information; in response to a determination being made that the first TEID is identical to the second TEID, determining whether the first UE identification number is identical to a second UE identification number corresponding to the second TEID; and in response to a determination being made that the first UE identification number is different from the second UE identification number, determining the SIP SUBSCRIBE message as being an abnormal SIP SUBSCRIBE message, wherein the SIP SUBSCRIBE message requests registration information of UE corresponding to the first UE identification number.
  • a first Tunnel Endpoint Identifier (TEID) and a first User Equipment (UE) identification number are extracted from the header of a General Packet Radio Service (GPRS) Tunneling Protocol (GTP)-U packet and a Session Initiation Protocol (SIP) SUBSCRIBE message in the payload of the GTP-U packet, respectively, and are then compared with a second TEID and a second UE identification number, respectively, included in session information.
  • GPRS General Packet Radio Service
  • FIG. 1 is a block diagram of an apparatus for detecting an abnormal Session Initiation Protocol (SIP) SUBSCRIBE message, according to an exemplary embodiment of the invention.
  • FIG. 2 is a diagram illustrating the transmission of an SIP SUBSCRIBE message.
  • FIG. 3 is a diagram for explaining an abnormal SIP SUBSCRIBE message that can be transmitted in a 4th Generation (4G) mobile network.
  • FIG. 4 is a diagram illustrating how “victim” UE information can be leaked from a Call Session Control Function (CSCF) server by an abnormal SIP SUBSCRIBE message.
  • FIG. 5 is a diagram for explaining values included in an SIP SUBSCRIBE message.
  • FIG. 6 is a diagram for explaining values included in an SIP NOTIFY message.
  • FIG. 7 is a table for explaining session information present in a session information storage unit illustrated in FIG. 1.
  • FIG. 8 is a table for explaining abnormal SIP SUBSCRIBE message detection information.
  • FIG. 9 is a flowchart illustrating a method of detecting an abnormal SIP SUBSCRIBE message, according to an exemplary embodiment of the invention.
  • FIG. 10 is a block diagram of an apparatus for detecting an abnormal SIP SUBSCRIBE message, according to another exemplary embodiment of the invention.
  • FIG. 11 is a diagram illustrating the creation of a General Packet Radio Service (GPRS) Tunneling Protocol (GTP) tunnel in a 4th Generation (4G) mobile network.
  • FIG. 12 is a block diagram of a system for detecting an abnormal SIP SUBSCRIBE message, according to an exemplary embodiment of the invention.
  • FIG. 13 is a diagram illustrating the structure of a 4G mobile network to which an apparatus or system for detecting an abnormal SIP SUBSCRIBE message according to exemplary embodiments of the invention is applied.
  • Each block represents a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that in some alternative implementations, the functions noted in the blocks may occur out of the order noted herein. For example, two blocks shown herein in succession may in fact be executed substantially concurrently or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved, as will be further clarified hereinbelow.
  • although the terms “first”, “second”, and so forth are used to describe diverse constituent elements, such constituent elements are not limited by the terms. The terms are used only to discriminate a constituent element from other constituent elements. Accordingly, in the following description, a first constituent element may be a second constituent element.
  • FIG. 1 is a block diagram of an apparatus for detecting an abnormal Session Initiation Protocol (SIP) SUBSCRIBE message, according to an exemplary embodiment of the invention.
  • an apparatus 100 for detecting an abnormal SIP SUBSCRIBE message includes Network Interface Cards (NICs) 110a and 110b, a packet information extraction unit 120, a packet analysis unit 130, a session information storage unit 140, a detection information storage unit 150, and a packet processing unit 160.
  • NICs Network Interface Cards
  • the NIC 110a receives a General Packet Radio Service (GPRS) Tunneling Protocol (GTP)-U packet, and transmits the GTP-U packet to the packet information extraction unit 120.
  • the NIC 110b forwards or drops the GTP-U packet in accordance with a control signal.
  • the NICs 110a and 110b may be typical NICs or hardware acceleration NICs.
  • the GTP-U packet is used for transmitting a user packet within a mobile communication network.
  • the GTP-U packet, which is processed by the NICs 110a and 110b, may be a GTP-U packet forwarded from User Equipment (UE) to an external network (for example, the Internet).
  • UE User Equipment
  • the packet information extraction unit 120 extracts various packet information from the GTP-U packet.
  • the packet information extraction unit 120 may process the extracted packet information into structured data, and may transmit the processed packet information to the packet analysis unit 130.
  • the packet information extraction unit 120 may extract a Tunnel Endpoint Identifier (TEID) from the header of the GTP-U packet as information for detecting an abnormal SIP SUBSCRIBE message.
  • the TEID extracted by the packet information extraction unit 120 may be an uplink TEID.
  • “uplink”, as used herein, may indicate the transmission of a GTP-U packet from UE to an external network.
  • “downlink”, as used herein, may indicate the transmission of a GTP-U packet from an external network to UE.
  • the packet information extraction unit 120 may extract an SIP SUBSCRIBE message included in the payload of the GTP-U packet.
  • the packet information extraction unit 120 may extract a UE identification number from the SIP SUBSCRIBE message.
  • the UE identification number may be a Mobile Subscriber Integrated Service Digital Network (ISDN) Number (MSISDN), but the invention is not limited thereto.
  • MSISDN Mobile Subscriber Integrated Service Digital Network (ISDN) Number
  • the packet information extraction unit 120 may determine whether an SIP SUBSCRIBE message exists in the payload of the GTP-U packet, and may extract information for detecting an abnormal SIP SUBSCRIBE message in response to a determination being made that there exists an SIP SUBSCRIBE message in the payload of the GTP-U packet.
  • FIG. 2 is a diagram illustrating the transmission of an SIP SUBSCRIBE message.
  • an application 510 and a registrar server 520 may exchange a SUBSCRIBE message and a “200 OK” message with each other.
  • the application 510 may transmit the SUBSCRIBE message to request state information of UE 530. More specifically, the application 510 may transmit the SUBSCRIBE message to request the UE 530 to notify any update in the state information thereof upon the occurrence of an event such as the registration of the UE 530.
  • the application 510 may be executed in UE or a server.
  • a Serving Call Session Control Function (S-CSCF) server, which manages state information of UE, may serve as the registrar server 520.
  • S-CSCF Serving Call Session Control Function
  • the registrar server 520 and the application 510 may exchange a NOTIFY message and a “200 OK” message with each other. More specifically, the registrar server 520 may transmit a NOTIFY message including state information of the UE 530.
  • the NOTIFY message may include initial state information Init of the UE 530.
  • the UE 530 and the registrar server 520 may exchange a REGISTER message and a “200 OK” message with each other, and as a result, the access address of the UE 530 may be registered.
  • the registrar server 520 and the application 510 may exchange a NOTIFY message and a “200 OK” message with each other. More specifically, the registrar server 520 may transmit a NOTIFY message including active state information Active of the UE 530.
  • the application 510 may transmit a message to the UE 530 by using the access address acquired from the NOTIFY message including the active state information Active of the UE 530.
  • An SIP SUBSCRIBE message may be a message used by UE to send a request for state information of another UE to a registrar server.
  • An SIP SUBSCRIBE message may provide registration information of UE, and may thus be used by UE to request a registrar server to make a call to another UE.
  • the packet information extraction unit 120 may extract values from a TEID field in the header of a GTP-U packet and from an MSISDN field, a destination Internet Protocol (IP) field, a destination port field, a source IP field and a source port field in the payload of the GTP-U packet.
  • An abnormal SIP SUBSCRIBE message may be an SIP SUBSCRIBE message with a falsified sender UE identification number.
  • FIG. 3 is a diagram for explaining an abnormal SIP SUBSCRIBE message that can be transmitted in a 4th Generation (4G) mobile network.
  • a 4G mobile network may include an evolved Node B (eNB) 1200 and a Serving Gateway (S-GW) 1400.
  • eNB evolved Node B
  • S-GW Serving Gateway
  • the eNB 1200 may be connected to the S-GW 1400, and an S1-U GTP tunnel may be created between the eNB 1200 and the S-GW 1400.
  • the S1-U GTP tunnel may be a GTP tunnel for transmitting data.
  • a GTP-U packet 10 may be transmitted from the eNB 1200 to the S-GW 1400 via the S1-U GTP tunnel.
  • the S-GW 1400 may transmit the GTP-U packet 10 received from the eNB 1200 to a Packet Data Network (PDN) Gateway (P-GW) (not illustrated).
  • PDN Packet Data Network
  • P-GW Packet Data Network Gateway
  • An IP header, a User Datagram Protocol (UDP) header and a GTP-U header for a GTP tunnel may be combined into the header of the GTP-U packet 10, and a user packet may be encapsulated into the payload of the GTP-U packet 10.
  • the GTP-U header of the GTP-U packet 10 may include a TEID.
  • the user packet may include an SIP SUBSCRIBE message.
  • the SIP SUBSCRIBE message may include a UE identification number of sender UE of the SIP SUBSCRIBE message and a UE identification number of receiver UE of the SIP SUBSCRIBE message.
  • FIG. 3 illustrates an SIP SUBSCRIBE message with a falsified sender UE identification number.
  • FIG. 4 is a diagram illustrating how “victim” UE information can be leaked from a CSCF server by an abnormal SIP SUBSCRIBE message.
  • an attacker 1600 may enter predetermined UE identification information into a sender UE information field and the IP address of his or her UE into a receiver UE information field, thereby generating an abnormal SIP SUBSCRIBE message, and may transmit the abnormal SIP SUBSCRIBE message via a CSCF band.
  • the abnormal SIP SUBSCRIBE message may be transmitted from a 4G network 1000 to an IP Multimedia Subsystem (IMS) network 2000, and particularly, to an S-CSCF server 2300 in the IMS network 2000 via a Proxy-CSCF (P-CSCF) server 2100 and an Interrogating-CSCF (I-CSCF) server 2200.
  • the attacker 1600 may transmit an abnormal SIP SUBSCRIBE message to a CSCF band that is already known.
  • the S-CSCF server 2300 may store registration information of “victim” UE 1700.
  • the S-CSCF server 2300 may transmit an SIP NOTIFY message including the registration information of the “victim” UE 1700 to the attacker 1600 without notifying the “victim” UE 1700.
  • an abnormal SIP SUBSCRIBE message, which has a falsified UE identification number, may be used in an illegitimate attempt to leak registration information of “victim” UE from a CSCF server.
  • the apparatus 100 may store a TEID and a UE identification number that are allocated upon the creation of a GTP tunnel in advance as session information, and may compare a TEID and a UE identification number that are extracted from a GTP-U packet with the session information to detect an abnormal SIP SUBSCRIBE message.
  • FIG. 5 is a diagram for explaining values included in an SIP SUBSCRIBE message.
  • an SIP SUBSCRIBE message may include a message header and a message body.
  • the message header of the SIP SUBSCRIBE message may include various fields.
  • the message header of the SIP SUBSCRIBE message may include an “Event” field in which an event is recorded, a “Route” field in which an IP address is recorded, and a “From” field in which a UE identification number is recorded. More specifically, in the “Event” field, “reg” for requesting registration information of UE may be recorded, and in the “Route” field, the IP address of an S-CSCF server in which the registration information of the UE is stored may be recorded. In the “From” field of a normal SIP SUBSCRIBE message, a sender UE identification number may be recorded.
  • in the “From” field of an abnormal SIP SUBSCRIBE message, a UE identification number of “victim” UE may be recorded.
  • the packet information extraction unit 120 may extract a UE identification number from the “From” field of the message header of the SIP SUBSCRIBE message.
  • the message header of an SIP SUBSCRIBE message may also include other fields than those set forth herein, in which to record a UE identification number, and the packet information extraction unit 120 may extract a UE identification number from each of these other fields.
  • a TEID and a UE identification number that are extracted from a GTP-U packet will hereinafter be referred to as a first TEID and a first UE identification number, respectively, and a TEID and a UE identification number that are included in session information will hereinafter be referred to as a second TEID and a second UE identification number, respectively.
  • FIG. 6 is a diagram for explaining values included in an SIP NOTIFY message.
  • an SIP NOTIFY message may include a message header and a message body.
  • the message body of the SIP NOTIFY message may include registration information “reginfo” of UE.
  • the registration information “reginfo” may include a UE identification number, current state information and the IP address of UE.
  • the UE identification number may be an MSISDN, but the invention is not limited thereto.
  • the packet analysis unit 130 may perform an abnormal SIP SUBSCRIBE message detection operation.
  • the packet analysis unit 130 may compare first and second TEIDs with each other and first and second UE identification numbers with each other and may detect an abnormal SIP SUBSCRIBE message based on the results of the comparison.
  • the session information storage unit 140 may store session information including the second TEID and the second UE identification number in advance.
  • the second TEID and the second UE identification number may be extracted from a GTP-C packet.
  • the GTP-C packet may be used for signaling within a mobile communication network, such as setting, updating or deleting a call.
  • FIG. 7 is a table for explaining session information stored in a session information storage unit illustrated in FIG. 1.
  • session information includes a second TEID and a second UE identification number.
  • the second TEID may be an uplink data TEID.
  • the second TEID may be the TEID of a GTP-U packet forwarded from UE to an external network.
  • the second UE identification number may be an MSISDN.
  • the second UE identification number may be stored, mapped to the second TEID.
  • the packet analysis unit 130 may determine whether there exists a second TEID identical to the first TEID in the session information. In response to a determination being made that a second TEID identical to the first TEID exists in the session information, the packet analysis unit 130 may extract a second UE identification number corresponding to the second TEID from the session information. The packet analysis unit 130 may determine whether the first UE identification number and the extracted second UE identification number are identical to each other. In response to a determination being made that the first UE identification number and the extracted second UE identification number are different, the packet analysis unit 130 may determine an SIP SUBSCRIBE message included in the GTP-U packet as being an abnormal SIP SUBSCRIBE message.
  • FIG. 8 is a table for explaining abnormal SIP SUBSCRIBE message detection information.
  • the detection information storage unit 150 may create and store abnormal SUBSCRIBE message detection information (or an abnormal SUBSCRIBE message detection log) in accordance with the results of the detection of an abnormal SIP SUBSCRIBE message.
  • the abnormal SUBSCRIBE message detection information may include a detection time field, a detected item field, a UE identification number field and a detection result field, and may also include a TEID field, a destination IP field, a destination port field, a source IP/port field, and a falsified UE identification number field.
  • the packet processing unit 160 may process a GTP-U packet with a detected abnormal SIP SUBSCRIBE message according to a predetermined detection policy.
  • the packet processing unit 160 may control the NIC 110b to forward or drop the GTP-U packet with the detected abnormal SIP SUBSCRIBE message.
  • to “forward” a GTP-U packet may indicate transmitting the GTP-U packet to its destination IP address.
  • to “drop” a GTP-U packet may indicate not transmitting the GTP-U packet to its destination IP address.
  • the NICs 110a and 110b, the packet information extraction unit 120, the packet analysis unit 130, the session information storage unit 140, the detection information storage unit 150, and the packet processing unit 160 are provided as separate elements.
  • Various modifications may be made to the structure of the apparatus 100 without departing from the scope of the invention.
  • some of the elements of the apparatus 100 may be incorporated into a single unit or module.
  • FIG. 9 is a flowchart illustrating a method of detecting an abnormal SIP SUBSCRIBE message, according to an exemplary embodiment of the invention.
  • the NIC 110a receives a GTP-U packet (S201).
  • the packet information extraction unit 120 determines whether the destination port of the GTP-U packet is an SIP port (S202). For example, the packet information extraction unit 120 may determine whether the destination port of the GTP-U packet has a value of “5060”, and may determine the GTP-U packet as including an SIP message in response to a determination being made that the destination port of the GTP-U packet has a value of “5060”.
  • the packet information extraction unit 120 determines whether the SIP message in the payload of the GTP-U packet is an SIP SUBSCRIBE message (S203). In response to a determination being made that the SIP message in the payload of the GTP-U packet is not an SIP SUBSCRIBE message, the packet analysis unit 130 may not perform an abnormal SIP SUBSCRIBE message detection operation.
  • the packet information extraction unit 120 extracts a first TEID from the header of the GTP-U packet and a first UE identification number from the SIP SUBSCRIBE message (S204).
  • the first TEID may be an uplink data TEID.
  • the packet information extraction unit 120 may process various packet information into structured data.
  • the packet analysis unit 130 determines whether a second TEID identical to the first TEID exists in session information (S205).
  • the packet analysis unit 130 extracts the first UE identification number from the processed packet information provided by the packet information extraction unit 120 (S206).
  • the first UE identification number may be an MSISDN.
  • the packet analysis unit 130 may determine whether the first UE identification number and a second UE identification number are identical (S207). As described above, the packet analysis unit 130 may extract a second UE identification number corresponding to the second TEID from the session information, and may determine whether the first UE identification number and the second UE identification number are identical.
  • the packet analysis unit 130 may determine the SIP SUBSCRIBE message as being an abnormal SIP SUBSCRIBE message, and the detection information storage unit 150 may create and store abnormal SIP SUBSCRIBE message detection information (S208).
  • the abnormal SUBSCRIBE message detection information may include a detection time field, a detected item field, a UE identification number field, a detection result field indicating whether to drop the abnormal SIP SUBSCRIBE message, a TEID field, a destination IP field, a destination port field, a source IP/port field, and a falsified UE identification number field.
  • the packet processing unit 160 processes the GTP-U packet with the abnormal SIP SUBSCRIBE message according to a predetermined detection policy (S209).
  • FIG. 10 is a block diagram of an apparatus for detecting an abnormal SIP SUBSCRIBE message, according to another exemplary embodiment of the invention.
  • the exemplary embodiment of FIG. 10 will hereinafter be described, focusing mainly on differences with the exemplary embodiment of FIG. 1.
  • an apparatus 300 for detecting an abnormal SIP SUBSCRIBE message includes NICs 310a and 310b, a packet classification unit 320, a GTP-C packet information extraction unit 330, a session information generation unit 340, a session information storage unit 350, a GTP-U packet information extraction unit 360, a packet analysis unit 370, a detection information storage unit 380, and a packet processing unit 390.
  • the NIC 310a receives a GTP packet, and transmits the GTP packet to the packet classification unit 320.
  • the NIC 310b forwards or drops the GTP packet in accordance with a control signal provided by the packet processing unit 390.
  • the packet classification unit 320 classifies the GTP packet. More specifically, the packet classification unit 320 may classify the GTP packet as a GTP-C packet or a GTP-U packet. The packet classification unit 320 may transmit a GTP-C packet to the GTP-C packet information extraction unit 330 and may transmit a GTP-U packet to the GTP-U packet information extraction unit 360.
  • the GTP-C packet information extraction unit 330 may extract various packet information from a GTP-C packet.
  • the GTP-C packet may include a “Create Session Request” message and a “Create Session Response” message.
  • the GTP-C packet information extraction unit 330 may extract a second UE identification number from the payload of the “Create Session Request” message and a second TEID from the payload of the “Create Session Response” message.
  • the session information generation unit 340 may generate session information including a second TEID and a second UE identification number.
  • the session information generation unit 340 may store the generated session information in the session information storage unit 350.
  • the packet processing unit 390 may control the NIC 310b to forward a GTP-C packet.
  • FIG. 11 is a diagram illustrating the creation of a GTP tunnel in a 4G mobile network.
  • a “Create Session Request” message and a “Create Session Response” message may be transmitted to create a GTP tunnel in a 4G mobile network.
  • the “Create Session Request” message and the “Create Session Response” message may be transmitted as GTP-C packets.
  • UE 1100 may transmit an “Attach Request” message to a Mobility Management Entity (MME) 1300, and the MME 1300 may transmit a “Create Session Request” message to an S-GW 1400.
  • the S-GW 1400 may transmit the “Create Session Request” message to a P-GW 1500.
  • the P-GW 1500 may transmit a “Create Session Response” message to the S-GW 1400 and may thus create an S5 GTP tunnel between the S-GW 1400 and the P-GW 1500.
  • the S-GW 1400 may transmit the “Create Session Response” message to the MME 1300 and may thus create an S11 GTP tunnel between the MME 1300 and the S-GW 1400.
  • the MME 1300 may transmit an “Attach Response” message to the UE 1100 and may thus create an S1-U GTP tunnel between an eNB 1200 and the S-GW 1400.
  • messages may be additionally transmitted between the eNB 1200 and the MME 1300 and between the MME 1300 and the S-GW 1400 before the creation of the S1-U GTP tunnel.
  • the GTP-C packet information extraction unit 330 may extract a second TEID and a second UE identification number from a “Create Session Request” message and a “Create Session Response” message.
  • a UE identification number used to generate session information may be compared with a UE identification number included in the SIP SUBSCRIBE message of a GTP-U packet after the creation of a session.
  • FIG. 12 is a block diagram of a system for detecting an abnormal SIP SUBSCRIBE message, according to an exemplary embodiment of the invention.
  • the exemplary embodiment of FIG. 12 will hereinafter be described, focusing mainly on differences with the exemplary embodiment of FIG. 11.
  • a system 400 for detecting an abnormal SIP SUBSCRIBE message includes an apparatus 410 for collecting session information and an apparatus 420 for detecting an abnormal SIP SUBSCRIBE message.
  • the apparatus 410 may include NICs 411a and 411b, a GTP-C packet information extraction unit 412, and a session information generation unit 413.
  • the apparatus 410 may extract GTP-C packet information from a GTP-C packet and may generate session information based on the extracted GTP-C packet information.
  • the apparatus 420 may include NICs 421a and 421b, a GTP-U packet information extraction unit 422, a packet analysis unit 423, a session information storage unit 424, a detection information generation unit 425, and a packet processing unit 425.
  • the apparatus 420 may detect an abnormal SIP SUBSCRIBE message by using the session information provided by the apparatus 410.
  • the system 400 is illustrated in FIG. 12 as including two physically separate elements: an element that extracts a TEID and a first UE identification number from a GTP-U packet and detects an abnormal SIP SUBSCRIBE message in accordance with the results of comparing the first UE identification number with session information, and an element that extracts a second TEID and a second UE identification number from a GTP-C packet and generates session information including the second TEID and the second UE identification number.
  • the session information storage unit 424 may store the session information provided by the apparatus 410.
  • FIG. 13 is a diagram illustrating the structure of a 4G mobile network to which an apparatus or system for detecting an abnormal SIP SUBSCRIBE message, according to exemplary embodiments of the invention, is applied.
  • a 4G mobile network 1000 may include UE 1100, an eNB 1200, an MME 1300, an S-GW 1400 and a P-GW 1500.
  • the UE 1100 may be a subscriber mobile terminal of the 4G mobile network 1000.
  • the eNB 1200 may be a base station providing wireless connection between the UE 1100 and the 4G mobile network 1000.
  • the MME 1300 and the S-GW 1400 may exchange a GTP-C packet with each other via an S11 GTP tunnel.
  • the eNB 1200 and the S-GW 1400 may exchange a GTP-U packet with each other via an S1-U GTP tunnel.
  • the S-GW 1400 and the P-GW 1500 may exchange a GTP-C packet or a GTP-U packet with each other via an S5 GTP tunnel.
  • the P-GW 1500 may be connected to an external network, for example, an IMS network 2000.
  • the P-GW 1500 may be connected to a P-CSCF 2100 in the IMS network 2000, and may transmit or receive an SIP message.
  • the S11 GTP tunnel may be a path for session control.
  • the S1-U GTP tunnel may be a path for data traffic.
  • the S5 GTP tunnel may be a path for both session control and data traffic.
  • the apparatus 100 or 300 of FIG. 1 or 10 may be provided at a point P1 between the eNB 1200 and the S-GW 1400, a point P2 between the MME 1300 and the S-GW 1400 or a point P3 between the S-GW 1400 and the P-GW 1500.
  • the apparatus 100 or 300 of FIG. 1 or 10 may be provided as an element of the S-GW 1400 or the P-GW 1500.
  • the apparatus 410 of the system 400 of FIG. 12 may be provided at the point P2 between the MME 1300 and the S-GW 1400, and the apparatus 420 of the system 400 of FIG. 12 may be provided at the point P1 between the eNB 1200 and the S-GW 1400.
  • the apparatus 100 or 300 or the system 400 may be provided at the point P1, P2 or P3 within the 4G mobile network 1000. Accordingly, it is possible to effectively detect and drop an abnormal SIP SUBSCRIBE message which has a falsified UE identification number and may be used in an illegitimate attempt to leak information from a CSCF server.
  • a software module may reside in a RAM memory, flash memory, a ROM memory, an EPROM memory, an EEPROM memory, registers, a hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art.
  • An exemplary storage medium may be coupled to the processor, such that the processor can read information from, and write information to, the storage medium.
  • the storage medium may be integral to the processor.
  • the processor and the storage medium may reside in an ASIC. Additionally, the ASIC may reside in a user terminal. In the alternative, the processor and the storage medium may reside as discrete components in a user terminal.
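
The comparison described above (session information learned from GTP-C, checked against the UE identification number carried in a SIP SUBSCRIBE inside a GTP-U packet) can be sketched as follows. This is an added example, not code from the patent: the function names, the choice of the SIP `From` header as the source of the UE identification number, the IPv4/UDP transport, and all sample values are assumptions made for illustration.

```python
import re
import socket
import struct
import time

# Constructed session table: TEID -> UE identification number learned from GTP-C
SESSIONS = {0x1A2B3C4D: "821012345678"}

def parse_gtpu(pkt):
    """Return (teid, inner_packet) for a GTPv1-U G-PDU, else None."""
    if len(pkt) < 12 or pkt[0] >> 5 != 1 or pkt[1] != 0xFF or pkt[0] & 0x04:
        return None                        # extension headers (E flag) not handled here
    off = 12 if pkt[0] & 0x03 else 8       # S or PN set: 4 optional bytes follow
    return struct.unpack("!I", pkt[4:8])[0], pkt[off:]

def parse_subscribe(ip):
    """Return (src, sport, dst, dport, ue_id) if inner IPv4/UDP carries SIP SUBSCRIBE."""
    ihl = (ip[0] & 0x0F) * 4 if ip else 0
    if ihl < 20 or len(ip) < ihl + 8 or ip[0] >> 4 != 4 or ip[9] != 17:
        return None
    sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
    sip = ip[ihl + 8:].decode("utf-8", "replace")
    # Assumption: the UE identification number is the user part of the From URI
    m = re.search(r"^(?:From|f)\s*:[^\r\n]*?sips?:([^@;>\s]+)@", sip, re.I | re.M)
    if not sip.startswith("SUBSCRIBE ") or not m:
        return None
    return socket.inet_ntoa(ip[12:16]), sport, socket.inet_ntoa(ip[16:20]), dport, m.group(1)

def inspect(pkt, sessions=SESSIONS, policy_drop=True):
    """Return a detection record when TEIDs match but UE ids differ, else None."""
    gtp = parse_gtpu(pkt)
    sub = parse_subscribe(gtp[1]) if gtp else None
    if not sub or gtp[0] not in sessions or sessions[gtp[0]] == sub[4]:
        return None
    src, sport, dst, dport, claimed = sub
    return {"time": time.time(), "item": "SIP SUBSCRIBE", "ue_id": sessions[gtp[0]],
            "drop": policy_drop, "teid": gtp[0], "dst_ip": dst, "dst_port": dport,
            "src": f"{src}:{sport}", "falsified_ue_id": claimed}

def make_packet(teid, ue_id):
    """Constructed sample: GTP-U G-PDU wrapping IPv4/UDP/SIP SUBSCRIBE."""
    sip = (f"SUBSCRIBE sip:{ue_id}@ims.example.org SIP/2.0\r\n"
           f"From: <sip:{ue_id}@ims.example.org>;tag=1\r\nEvent: reg\r\n\r\n").encode()
    udp = struct.pack("!HHHH", 5060, 5060, 8 + len(sip), 0) + sip
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     socket.inet_aton("10.0.0.7"), socket.inet_aton("10.9.9.1")) + udp
    return struct.pack("!BBHI", 0x30, 0xFF, len(ip), teid) + ip
```

The returned record mirrors the detection information fields listed earlier (detection time, detected item, UE identification number, drop decision, TEID, destination IP and port, source IP/port, falsified UE identification number). Packets this sketch cannot parse return `None`, so a deployment would need an explicit policy for them rather than silently forwarding.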

Abstract

The invention relates to an apparatus and method for detecting an abnormal Session Initiation Protocol (SIP) SUBSCRIBE message in a 4th generation (4G) mobile network. The apparatus includes: a packet information extraction unit configured to extract a first Tunnel Endpoint Identifier (TEID) from the header of a General Packet Radio Service (GPRS) Tunneling Protocol (GTP)-U packet and a first User Equipment (UE) identification number from a SIP SUBSCRIBE message contained in the payload of the GTP-U packet; a session information storage unit configured to store session information including a second TEID and a second UE identification number; a packet analysis unit configured to perform an abnormal SIP SUBSCRIBE message detection operation by determining whether the SIP SUBSCRIBE message is an abnormal SIP SUBSCRIBE message based on whether the first and second TEIDs are identical and whether the first and second UE identification numbers are different; and a packet processing unit configured to process the GTP-U packet in accordance with a predetermined detection policy in response to the SIP SUBSCRIBE message being an abnormal SIP SUBSCRIBE message, the SIP SUBSCRIBE message requesting UE registration information corresponding to the first UE identification number.
PCT/KR2014/008838 2013-12-06 2014-09-23 Apparatus and method for detecting an abnormal SIP SUBSCRIBE message in 4G mobile networks WO2015083926A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
KR10-2013-0151548 2013-12-06
KR1020130151548A KR101516234B1 (ko) 2013-12-06 2013-12-06 Apparatus and method for detecting an abnormal SIP SUBSCRIBE message in a 4G mobile network

Publications (1)

Publication Number Publication Date
WO2015083926A1 (fr) 2015-06-11

Family

ID=53273648

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/KR2014/008838 WO2015083926A1 (fr) 2013-12-06 2014-09-23 Apparatus and method for detecting an abnormal SIP SUBSCRIBE message in 4G mobile networks

Country Status (2)

Country Link
KR (1) KR101516234B1 (fr)
WO (1) WO2015083926A1 (fr)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109819126A (zh) * 2017-11-21 2019-05-28 China Mobile (Hangzhou) Information Technology Co., Ltd. Abnormal number identification method and device

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2007267151A (ja) * 2006-03-29 2007-10-11 Nippon Telegr & Teleph Corp <Ntt> Abnormal traffic detection device, abnormal traffic detection method, and abnormal traffic detection program
US20090052365A1 (en) * 2007-08-20 2009-02-26 Telefonaktiebolaget Lm Ericsson (Publ) Method and Communication Node for Optimising Time Sensitive Communications
JP2010141855A (ja) * 2008-12-15 2010-06-24 Fujitsu Ltd Network quality monitoring device and method for Internet services involving signaling
KR101107742B1 (ko) * 2008-12-16 2012-01-20 Korea Internet & Security Agency SIP intrusion detection and response system for protecting SIP-based services

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR101201546B1 (ko) * 2012-08-13 2012-11-15 Korea Internet & Security Agency Apparatus and method for detecting IP spoofing in a mobile environment using GTP

Also Published As

Publication number Publication date
KR101516234B1 (ko) 2015-05-04

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 14868226

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 14868226

Country of ref document: EP

Kind code of ref document: A1