WO2015083927A1 - Apparatus and method for detecting abnormal sdp message in 4g mobile networks - Google Patents


Info

Publication number
WO2015083927A1
Authority
WO
WIPO (PCT)
Prior art keywords
packet
gtp
sdp message
abnormal
address
Application number
PCT/KR2014/008842
Other languages
French (fr)
Inventor
Chae Tae Im
Joo Hyung Oh
Se Kwon Kim
Jun Hyung Cho
Bon Min Koo
Seong Min Park
Su Jeong Woo
Original Assignee
Korea Internet & Security Agency

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L65/00 Network arrangements, protocols or services for supporting real-time applications in data packet communication
    • H04L65/10 Architectures or entities
    • H04L65/1016 IP multimedia subsystem [IMS]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L65/00 Network arrangements, protocols or services for supporting real-time applications in data packet communication
    • H04L65/10 Architectures or entities
    • H04L65/102 Gateways
    • H04L65/1033 Signalling gateways
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L65/00 Network arrangements, protocols or services for supporting real-time applications in data packet communication
    • H04L65/1066 Session management
    • H04L65/1069 Session establishment or de-establishment
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L65/00 Network arrangements, protocols or services for supporting real-time applications in data packet communication
    • H04L65/1066 Session management
    • H04L65/1101 Session protocols
    • H04L65/1104 Session initiation protocol [SIP]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L65/00 Network arrangements, protocols or services for supporting real-time applications in data packet communication
    • H04L65/60 Network streaming of media packets
    • H04L65/65 Network streaming protocols, e.g. real-time transport protocol [RTP] or real-time control protocol [RTCP]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/12 Detection or prevention of fraud
    • H04W12/128 Anti-malware arrangements, e.g. protection against SMS fraud or mobile malware
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W80/00 Wireless network protocols or protocol adaptations to wireless operation

Definitions

  • the invention relates to an apparatus and method for detecting an abnormal Session Description Protocol (SDP) message, and more particularly, to an apparatus and method for detecting an abnormal SDP message in a 4th Generation (4G) mobile network.
  • SDP Session Description Protocol
  • GTP General Packet Radio Service Tunneling Protocol
  • 3G 3rd Generation
  • 4G 4th Generation
  • a Session Initiation Protocol (SIP) message for setting a Voice over Long-Term Evolution (VoLTE) call may be included in a GTP packet and may then be transmitted.
  • the SIP message may include a Session Description Protocol (SDP) message, which corresponds to the message body of the SIP message.
  • GTP has been designed to perform signaling and data transmission operations such as setting, updating and deleting a data call to provide various data services to user terminals (for example, smart phones), but does not consider any methods to detect an attack launched against a mobile communication network.
  • a GTP packet with a falsified Internet Protocol (IP) address in an SDP message thereof may be forwarded to an external network (for example, an IP Multimedia Subsystem (IMS) network) without being hindered.
  • IP Internet Protocol
  • IMS IP Multimedia Subsystem
  • an abnormal SDP message may cause erroneous transmission of a Real-time Transport Protocol (RTP) packet in a mobile communication network, and may thus become a threat to the mobile communication network by being used in an illegitimate attempt to intercept a voice call between UEs in that network.
  • RTP Real-time Transport Protocol
  • Exemplary embodiments of the invention provide an apparatus for detecting an abnormal Session Description Protocol (SDP) message with a falsified UE Internet Protocol (IP) address that can cause erroneous transmission of a Real-time Transport Protocol (RTP) packet in a 4th Generation (4G) mobile network.
  • Exemplary embodiments of the invention also provide a method of detecting an abnormal SDP message with a falsified UE IP address that can cause erroneous transmission of an RTP packet in a 4G mobile network.
  • an apparatus for detecting an abnormal Session Description Protocol (SDP) message includes: a packet information extraction unit configured to extract a first Tunnel Endpoint Identifier (TEID) from the header of a General Packet Radio Service (GPRS) Tunneling Protocol (GTP)-U packet and a first User Equipment (UE) Internet Protocol (IP) address from an SDP message in the payload of the GTP-U packet; a session information storage unit configured to store session information, including a second TEID and a second UE IP address; a packet analysis unit configured to perform an abnormal SDP message detection operation by determining whether the SDP message is an abnormal SDP message based on whether the first and second TEIDs are identical and whether the first and second UE IP addresses are different; and a packet processing unit configured to process the GTP-U packet according to a predetermined detection policy in response to the SDP message being an abnormal SDP message, wherein the first and second IP addresses are UE IP addresses for transmitting a Real-time Transport Protocol (RTP) packet.
  • an apparatus for detecting an abnormal SDP message includes: a GTP-U packet information extraction unit configured to extract a first TEID from the header of a GTP-U packet and a first UE IP address from an SDP message in the payload of the GTP-U packet; a GTP-C packet information extraction unit configured to extract a second TEID and a second UE IP address from the payload of a GTP-C packet; a session information storage unit configured to store session information, including the second TEID and the second UE IP address; a packet analysis unit configured to perform an abnormal SDP message detection operation by determining whether the SDP message is an abnormal SDP message based on results of comparison of the first and second TEIDs and the first and second UE IP addresses; and a packet processing unit configured to process the GTP-U packet according to a predetermined detection policy in response to the SDP message being an abnormal SDP message, wherein the first and second IP addresses are UE IP addresses for transmitting an RTP packet.
  • a system for detecting an abnormal SDP message includes: an apparatus for detecting an abnormal SDP message, configured to detect an abnormal SDP message by using session information; and an apparatus for collecting session information, configured to extract GTP-C packet information from a GTP-C packet and generate the session information based on the extracted GTP-C packet information, wherein the apparatus for detecting an abnormal SDP message, includes: a session information storage unit configured to receive session information including a second TEID and a second UE IP address from the apparatus for collecting session information and store the received session information; a GTP-U packet information extraction unit configured to extract a first TEID from the header of a GTP-U packet and a first UE IP address from an SDP message in the payload of the GTP-U packet; a packet processing unit configured to perform an abnormal SDP message detection operation by determining whether the SDP message is an abnormal SDP message based on results of comparison of the first and second TEIDs and the first and second UE IP addresses; and
  • a method of detecting an abnormal SDP message includes: extracting a first TEID from the header of a GTP-U packet and a first UE IP address from an SDP message in the payload of the GTP-U packet; determining whether the first TEID is identical to a second TEID of session information; in response to a determination being made that the first TEID is identical to the second TEID, determining whether the first UE IP address is identical to a second UE IP address corresponding to the second TEID; and in response to a determination being made that the first UE IP address is different from the second UE IP address, determining the SDP message as being an abnormal SDP message, wherein the first and second IP addresses are UE IP addresses for transmitting an RTP packet.
  • a first Tunnel Endpoint Identifier (TEID) and a first User Equipment (UE) Internet Protocol (IP) address are extracted from the header of a General Packet Radio Service (GPRS) Tunneling Protocol (GTP)-U packet and a Session Description Protocol (SDP) message in the payload of the GTP-U packet, respectively, and are then compared with a second TEID and a second UE IP address, respectively, included in session information. Accordingly, it is possible to effectively detect and drop an abnormal Session Description Protocol (SDP) message which has a falsified UE IP address and may cause erroneous transmission of a Real-time Transport Protocol (RTP) packet.
  • FIG. 1 is a block diagram of an apparatus for detecting an abnormal Session Description Protocol (SDP) message, according to an exemplary embodiment of the invention.
  • FIG. 2 is a diagram for explaining an abnormal SDP message that can be transmitted in a 4th Generation (4G) mobile network.
  • FIG. 3 is a diagram illustrating erroneous transmission of a Real-time Transport Protocol (RTP) packet as caused by an abnormal SDP message.
  • FIG. 4 is a diagram for explaining values included in a Session Initiation Protocol (SIP) message.
  • SIP Session Initiation Protocol
  • FIG. 5 is a table for explaining session information present in a session information storage unit illustrated in FIG. 1.
  • FIG. 6 is a table for explaining abnormal SDP message detection information.
  • FIG. 7 is a flowchart illustrating a method of detecting an abnormal SDP message, according to an exemplary embodiment of the invention.
  • FIG. 8 is a block diagram of an apparatus for detecting an abnormal SDP message, according to another exemplary embodiment of the invention.
  • FIG. 9 is a diagram illustrating the creation of a General Packet Radio Service (GPRS) Tunneling Protocol (GTP) tunnel in a 4th Generation (4G) mobile network.
  • GPRS General Packet Radio Service
  • FIG. 10 is a block diagram of a system for detecting an abnormal SDP message, according to an exemplary embodiment of the invention.
  • FIG. 11 is a diagram illustrating the structure of a 4G mobile network to which an apparatus or system for detecting an abnormal SDP message according to exemplary embodiments of the invention is applied.
  • Each block represents a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that in some alternative implementations, the functions noted in the blocks may occur out of the order noted herein. For example, two blocks shown herein in succession may in fact be executed substantially concurrently or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved, as will be further clarified hereinbelow.
  • although the terms first, second, and so forth are used to describe diverse constituent elements, such constituent elements are not limited by the terms. The terms are used only to discriminate a constituent element from other constituent elements. Accordingly, in the following description, a first constituent element may be a second constituent element.
  • FIG. 1 is a block diagram of an apparatus for detecting an abnormal Session Description Protocol (SDP) message, according to an exemplary embodiment of the invention.
  • an apparatus 100 for detecting an abnormal SDP message includes Network Interface Cards (NICs) 110a and 110b, a packet information extraction unit 120, a packet analysis unit 130, a session information storage unit 140, a detection information storage unit 150, and a packet processing unit 160.
  • NICs Network Interface Cards
  • the NIC 110a receives a General Packet Radio Service (GPRS) Tunneling Protocol (GTP)-U packet, and transmits the GTP-U packet to the packet information extraction unit 120.
  • the NIC 110b forwards or drops the GTP-U packet in accordance with a control signal.
  • the NICs 110a and 110b may be typical NICs or hardware acceleration NICs.
  • the GTP-U packet is used for transmitting a user packet within a mobile communication network.
  • the GTP-U packet processed by the NICs 110a and 110b may be a GTP-U packet forwarded from User Equipment (UE) to an external network (for example, the Internet).
  • UE User Equipment
  • the packet information extraction unit 120 extracts various packet information from the GTP-U packet.
  • the packet information extraction unit 120 may process the extracted packet information into structured data, and may transmit the processed packet information to the packet analysis unit 130.
  • the packet information extraction unit 120 may extract a Tunnel Endpoint Identifier (TEID) from the header of the GTP-U packet as information for detecting an abnormal SDP message.
  • the TEID extracted by the packet information extraction unit 120 may be an uplink TEID.
  • uplink, as used herein, may indicate the transmission of a GTP-U packet from UE to an external network.
  • downlink as used herein, may indicate the transmission of a GTP-U packet from an external network to UE.
  • the packet information extraction unit 120 may extract a Session Initiation Protocol (SIP) message included in the payload of the GTP-U packet.
  • the SIP message may be an SIP INVITE message.
  • the packet information extraction unit 120 may determine whether an SDP message exists in the payload of the GTP-U packet, and may extract information for detecting an abnormal SDP message in response to a determination being made that there exists an SDP message in the payload of the GTP-U packet.
  • FIG. 2 is a diagram for explaining an abnormal SDP message that can be transmitted in a 4th Generation (4G) mobile network.
  • a 4G mobile network may include an evolved Node B (eNB) 1200 and a Serving Gateway (S-GW) 1400.
  • eNB evolved Node B
  • S-GW Serving Gateway
  • the eNB 1200 may be connected to the S-GW 1400, and an S1-U GTP tunnel may be created between the eNB 1200 and the S-GW 1400.
  • the S1-U GTP tunnel may be a GTP tunnel for transmitting data.
  • a GTP-U packet 10 may be transmitted from the eNB 1200 to the S-GW 1400 via the S1-U GTP tunnel.
  • the S-GW 1400 may transmit the GTP-U packet 10 received from the eNB 1200 to a Packet Data Network (PDN) Gateway (P-GW) (not illustrated).
  • PDN Packet Data Network
  • P-GW Packet Data Network Gateway
  • An IP header, a User Datagram Protocol (UDP) header and a GTP-U header for a GTP tunnel may be combined into the header of the GTP-U packet 10, and a user packet may be encapsulated in the payload of the GTP-U packet 10.
  • the user packet may include an SDP message for setting a Voice over Long-Term Evolution (VoLTE) call.
  • the SDP message may include a UE IP address for transmitting or receiving a Real-time Transport Protocol (RTP) packet.
  • FIG. 2 illustrates an SDP message with a falsified UE IP address.
  • An abnormal SDP message, which is an SDP message with a falsified UE IP address, may cause erroneous transmission of an RTP packet.
  • FIG. 3 is a diagram illustrating erroneous transmission of an RTP packet as caused by an abnormal SDP message.
  • a VoLTE call setting process may be completed.
  • an SIP message may be transmitted via P-GWs 1500a, 1500b, and 1500c in a 4G network 1000 and via a Proxy Call Session Control Function (P-CSCF) 2100, an Interrogating CSCF (I-CSCF) 2200, and a Serving CSCF (S-CSCF) 2300 in an IMS network 2000.
  • P-CSCF Proxy Call Session Control Function
  • I-CSCF Interrogating CSCF
  • S-CSCF Serving CSCF
  • the sender UE 1100a and the receiver UE 1100b may transmit voice traffic to or receive voice traffic from each other by using an RTP packet.
  • if an attacker 1600 falsifies an SDP message, which is the message body of an SIP message, by entering the attacker 1600’s IP address as the UE IP address for transmitting or receiving an RTP packet, an RTP packet transmitted by the sender UE 1100a or the receiver UE 1100b may be received by the attacker 1600.
  • the attacker 1600 may analyze the received RTP packet, and may identify the content of a voice call between the sender UE 1100a and the receiver UE 1100b.
  • An abnormal SDP message may cause a threat by being used in, for example, an attempt to intercept a call.
  • the apparatus 100 may store a TEID and a UE IP address that are allocated upon the creation of a GTP tunnel in advance as session information, and may compare a TEID and a UE IP address that are extracted from a GTP-U packet with the session information to detect an abnormal SDP message.
  • FIG. 4 is a diagram for explaining values included in an SIP message.
  • an SIP message may include a message header and a message body. Each of the message header and the message body of the SIP message may include various fields. The message body of the SIP message may correspond to an SDP message.
  • the message body of the SIP message may include a “Connection Information” field and a “Media Description, name and address” field.
  • in the “Connection Information” field, a UE IP address for transmitting or receiving an RTP packet may be recorded.
  • in the “Media Description, name and address” field, a port for transmitting or receiving the RTP packet may be recorded.
  • the packet information extraction unit 120 may extract a UE IP address from the “Connection Information” field of the message body of an SIP message.
  • the message body of an SIP message may also include other fields than those set forth herein, in which to record a UE IP address, and the packet information extraction unit 120 may extract a UE IP address from each of these other fields.
  • a TEID and a UE IP address that are extracted from a GTP-U packet will hereinafter be referred to as a first TEID and a first UE IP address, respectively, and a TEID and a UE IP address that are included in session information will hereinafter be referred to as a second TEID and a second UE IP address, respectively.
  • the packet analysis unit 130 may perform an abnormal SDP message detection operation.
  • the packet analysis unit 130 may compare first and second TEIDs with each other and first and second UE IP addresses with each other and may detect an abnormal SDP message based on the results of the comparison.
  • the session information storage unit 140 may store session information including the second TEID and the second UE IP address in advance.
  • the second TEID and the second UE IP address may be extracted from a GTP-C packet.
  • the GTP-C packet may be used for signaling within a mobile communication network, such as setting, updating or deleting a call.
  • FIG. 5 is a table for explaining session information stored in a session information storage unit illustrated in FIG. 1.
  • session information includes a second TEID and a second UE IP address.
  • the second TEID may be an uplink data TEID.
  • the second TEID may be the TEID of a GTP-U packet forwarded from UE to an external network.
  • the second UE IP address may be an IP address for an IMS. That is, the second UE IP address may be an IP address for transmitting or receiving an RTP packet.
  • the second UE IP address may be stored, mapped to the second TEID.
  • the packet analysis unit 130 may determine whether there exists a second TEID identical to the first TEID in the session information. In response to a determination being made that a second TEID identical to the first TEID exists in the session information, the packet analysis unit 130 may extract a second UE IP address corresponding to the second TEID from the session information. The packet analysis unit 130 may determine whether the first UE IP address and the extracted second UE IP address are identical to each other. In response to a determination being made that the first UE IP address and the extracted second UE IP address are different, the packet analysis unit 130 may determine an SDP message included in the GTP-U packet as being an abnormal SDP message.
  • FIG. 6 is a table for explaining abnormal SDP message detection information.
  • the detection information storage unit 150 may create and store abnormal SDP message detection information (or an abnormal SDP message detection log) in accordance with the results of the detection of an abnormal SDP message.
  • the abnormal SDP message detection information may include a detection time field, a detected item field, a UE identification number field and a detection result field, and may also include a TEID field, a destination IP field, a destination port field, a source IP/port field, and a falsified UE identification number field.
  • the packet processing unit 160 may process a GTP-U packet with a detected abnormal SDP message according to a predetermined detection policy.
  • the packet processing unit 160 may control the NIC 110b to forward or drop the GTP-U packet with the detected abnormal SDP message.
  • the expression “forward a GTP-U packet”, as used herein, may indicate transmitting a GTP-U packet to its destination IP address.
  • the expression “drop a GTP-U packet”, as used herein, may indicate not transmitting the GTP-U packet to its destination IP address.
  • the NICs 110a and 110b, the packet information extraction unit 120, the packet analysis unit 130, the session information storage unit 140, the detection information storage unit 150, and the packet processing unit 160 are provided as separate elements.
  • Various modifications may be made to the structure of the apparatus 100 without departing from the scope of the invention.
  • some of the elements of the apparatus 100 may be incorporated into a single unit or module.
  • FIG. 7 is a flowchart illustrating a method of detecting an abnormal SDP message, according to an exemplary embodiment of the invention.
  • the NIC 110a receives a GTP-U packet (S201).
  • the packet information extraction unit 120 determines whether the destination port of the GTP-U packet is an SIP port (S202). For example, the packet information extraction unit 120 may check whether the destination port of the GTP-U packet has the value “5060”, and may treat the GTP-U packet as including an SIP message in response to a determination being made that the destination port has the value “5060”.
  • the packet information extraction unit 120 determines whether there exists an SDP message in the payload of the GTP-U packet (S203). In response to a determination being made that there is no SDP message in the payload of the GTP-U packet, the packet analysis unit 130 may not perform an abnormal SDP message detection operation.
  • the packet information extraction unit 120 extracts a first TEID from the header of the GTP-U packet and a first UE IP address from the SDP message (S204).
  • the first TEID may be an uplink data TEID.
  • the packet information extraction unit 120 may process various packet information into structured data.
  • the packet analysis unit 130 determines whether a second TEID identical to the first TEID exists in session information (S205).
  • the packet analysis unit 130 extracts the first UE IP address from the processed packet information provided by the packet information extraction unit 120 (S206).
  • the first UE IP address may be an IP address for an IMS.
  • the packet analysis unit 130 may determine whether the first UE IP address and a second UE IP address are identical (S207). As described above, the packet analysis unit 130 may extract a second UE IP address corresponding to the second TEID from the session information, and may determine whether the first UE IP address and the second UE IP address are identical.
  • the packet analysis unit 130 may determine the SDP message as being an abnormal SDP message, and the detection information storage unit 150 may create and store abnormal SDP message detection information (S208).
  • the abnormal SDP message detection information may include a detection time field, a detected item field, a UE IP address field, a detection result field indicating whether to drop the abnormal SDP message, a TEID field, a destination IP field, a destination port field, a source IP/port field, and a falsified UE IP address field.
  • the packet processing unit 160 processes the GTP-U packet with the abnormal SDP message according to a predetermined detection policy (S209).
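The procedure S201 to S209 above, together with the comparison logic of the packet analysis unit 130 described with FIG. 5, as a runnable Python example added here; this is not code from the patent or from the Korea Internet & Security Agency. It assumes that the outer IP/UDP encapsulation of the GTP-U packet has already been stripped, that GTP-U extension headers are absent, that the session information is a plain dict mapping the second (uplink) TEID to the second UE IP address and has already been filled from GTP-C, that only the SDP “c=” (Connection Information) line is checked, and that the detection policy is a single drop flag. The sample packets are constructed inline with documentation addresses; nothing in them is captured traffic.

```python
import struct
import ipaddress
from dataclasses import dataclass
from datetime import datetime, timezone

SIP_PORT = 5060    # destination port checked in step S202
GTPU_GPDU = 0xFF   # GTPv1-U message type of a G-PDU (packet carrying a user packet)


def parse_gtpu(pkt: bytes):
    """Return (teid, user_packet) from a GTPv1-U G-PDU, or None if pkt is not one.
    Assumes the outer IP/UDP headers were already stripped; extension headers (E flag) are not handled."""
    if len(pkt) < 8:
        return None
    flags, msg_type, length, teid = struct.unpack("!BBHI", pkt[:8])
    if flags >> 5 != 1 or msg_type != GTPU_GPDU or flags & 0x04:
        return None
    hdr = 12 if flags & 0x03 else 8      # S or PN flag set: optional 4-byte field present
    return teid, pkt[hdr:8 + length]


def parse_inner_udp(user_pkt: bytes):
    """Return (src_ip, dst_ip, src_port, dst_port, udp_payload) for an IPv4/UDP user packet, else None."""
    if len(user_pkt) < 28 or user_pkt[0] >> 4 != 4 or user_pkt[9] != 17:
        return None
    ihl = (user_pkt[0] & 0x0F) * 4
    src = str(ipaddress.IPv4Address(user_pkt[12:16]))
    dst = str(ipaddress.IPv4Address(user_pkt[16:20]))
    sport, dport, ulen = struct.unpack("!HHH", user_pkt[ihl:ihl + 6])
    return src, dst, sport, dport, user_pkt[ihl + 8:ihl + ulen]


def sdp_connection_address(sip_msg: bytes):
    """Return the address in the SDP 'c=' (Connection Information) line of a SIP message,
    or None when the message carries no SDP body (step S203)."""
    head, sep, body = sip_msg.partition(b"\r\n\r\n")
    if not sep or b"application/sdp" not in head.lower():
        return None
    for line in body.split(b"\r\n"):
        parts = line.split()                  # c=IN IP4 <address>
        if line.startswith(b"c=") and len(parts) == 3:
            return parts[2].decode("ascii", "replace")
    return None


@dataclass
class DetectionRecord:
    """Abnormal SDP message detection information (fields of FIG. 6 / step S208)."""
    detection_time: str
    detected_item: str
    ue_ip: str             # second UE IP address from session information
    detection_result: str  # action the detection policy applied
    teid: int
    dst_ip: str
    dst_port: int
    src_ip_port: str
    falsified_ue_ip: str   # first UE IP address found in the SDP message


def inspect_gtpu(pkt: bytes, sessions: dict, drop_policy: bool = True):
    """Steps S201-S209. `sessions` maps second TEID -> second UE IP address (built from GTP-C).
    Returns (action, record): action is 'forward' or 'drop', record is None unless abnormal."""
    parsed = parse_gtpu(pkt)                                  # S201
    if parsed is None:
        return "forward", None
    first_teid, user_pkt = parsed
    inner = parse_inner_udp(user_pkt)
    if inner is None or inner[3] != SIP_PORT:                 # S202: not addressed to the SIP port
        return "forward", None
    src_ip, dst_ip, src_port, dst_port, sip_msg = inner
    first_ue_ip = sdp_connection_address(sip_msg)             # S203/S204
    if first_ue_ip is None:
        return "forward", None
    second_ue_ip = sessions.get(first_teid)                   # S205: a second TEID equal to the first?
    if second_ue_ip is None or second_ue_ip == first_ue_ip:   # S206/S207: identical addresses -> normal
        return "forward", None
    action = "drop" if drop_policy else "forward"             # S209: predetermined detection policy
    record = DetectionRecord(                                 # S208
        detection_time=datetime.now(timezone.utc).isoformat(timespec="seconds"),
        detected_item="abnormal SDP message (falsified UE IP address)",
        ue_ip=second_ue_ip, detection_result=action, teid=first_teid,
        dst_ip=dst_ip, dst_port=dst_port, src_ip_port=f"{src_ip}:{src_port}",
        falsified_ue_ip=first_ue_ip)
    return action, record


def build_gtpu_sip_invite(teid: int, ue_ip: str, sdp_ip: str, pcscf_ip: str = "10.0.0.10") -> bytes:
    """Constructed sample, not captured traffic: GTP-U G-PDU / IPv4 / UDP / SIP INVITE with an SDP body."""
    sdp = (b"v=0\r\no=- 1 1 IN IP4 %s\r\ns=-\r\nc=IN IP4 %s\r\nt=0 0\r\n"
           b"m=audio 40000 RTP/AVP 0\r\n" % (sdp_ip.encode(), sdp_ip.encode()))
    sip = (b"INVITE sip:bob@ims.example SIP/2.0\r\nContent-Type: application/sdp\r\n"
           b"Content-Length: %d\r\n\r\n" % len(sdp)) + sdp
    udp = struct.pack("!HHHH", 5062, SIP_PORT, 8 + len(sip), 0) + sip
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     ipaddress.IPv4Address(ue_ip).packed, ipaddress.IPv4Address(pcscf_ip).packed) + udp
    return struct.pack("!BBHI", 0x30, GTPU_GPDU, len(ip), teid) + ip
```

Calling `inspect_gtpu(build_gtpu_sip_invite(0x1001, "10.45.0.7", "203.0.113.9"), {0x1001: "10.45.0.7"})` returns `("drop", record)` with `record.falsified_ue_ip == "203.0.113.9"`, while the same INVITE with a matching “c=” address is forwarded without a record. A packet whose TEID has no session information is also forwarded, which mirrors step S205: the check only fires on tunnels the GTP-C side has seen. As the description notes for FIG. 4, a UE IP address can also appear in other SDP fields (a media-level “c=” line, for instance), so a deployment would apply the same comparison to every address-bearing field rather than only the session-level one shown here.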
  • FIG. 8 is a block diagram of an apparatus for detecting an abnormal SDP message, according to another exemplary embodiment of the invention.
  • the exemplary embodiment of FIG. 8 will hereinafter be described, focusing mainly on differences with the exemplary embodiment of FIG. 1.
  • an apparatus 300 for detecting an abnormal SDP message includes NICs 310a and 310b, a packet classification unit 320, a GTP-C packet information extraction unit 330, a session information generation unit 340, a session information storage unit 350, a GTP-U packet information extraction unit 360, a packet analysis unit 370, a detection information storage unit 380, and a packet processing unit 390.
  • the NIC 310a receives a GTP packet, and transmits the GTP packet to the packet classification unit 320.
  • the NIC 310b forwards or drops the GTP packet in accordance with a control signal provided by the packet processing unit 390.
  • the packet classification unit 320 classifies the GTP packet. More specifically, the packet classification unit 320 may classify the GTP packet as a GTP-C packet or a GTP-U packet. The packet classification unit 320 may transmit a GTP-C packet to the GTP-C packet information extraction unit 330 and may transmit a GTP-U packet to the GTP-U packet information extraction unit 360.
  • the GTP-C packet information extraction unit 330 may extract various packet information from a GTP-C packet.
  • the GTP-C packet may include a “Create Session Response” message.
  • the GTP-C packet information extraction unit 330 may extract a second TEID and a second UE IP address from the payload of the GTP-C packet.
  • the session information generation unit 340 may generate session information including a second TEID and a second UE IP address.
  • the session information generation unit 340 may store the generated session information in the session information storage unit 350.
  • the packet processing unit 390 may control the NIC 310b to forward a GTP-C packet.
  • FIG. 9 is a diagram illustrating the creation of a GTP tunnel in a 4G mobile network.
  • a “Create Session Request” message and a “Create Session Response” message may be transmitted to create a GTP tunnel in a 4G mobile network.
  • the “Create Session Request” message and the “Create Session Response” message may be transmitted as GTP-C packets.
  • UE 1100 may transmit an “Attach Request” message to a Mobility Management Entity (MME) 1300, and the MME 1300 may transmit a “Create Session Request” message to an S-GW 1400.
  • the S-GW 1400 may transmit the “Create Session Request” message to a P-GW 1500.
  • the P-GW 1500 may transmit a “Create Session Response” message to the S-GW 1400 and may thus create an S5 GTP tunnel between the S-GW 1400 and the P-GW 1500.
  • the S-GW 1400 may transmit the “Create Session Response” message to the MME 1300 and may thus create an S11 GTP tunnel between the MME 1300 and the S-GW 1400.
  • the MME 1300 may transmit an “Attach Response” message to the UE 1100 and may thus create an S1-U GTP tunnel between an eNB 1200 and the S-GW 1400.
  • messages may be additionally transmitted between the eNB 1200 and the MME 1300 and between the MME 1300 and the S-GW 1400 before the creation of the S1-U GTP tunnel.
  • the GTP-C packet information extraction unit 330 may extract a second TEID and a second UE IP address from a “Create Session Response” message.
  • An IP address allocated to the UE 1100 during the creation of a session may be compared with an IP address included in the SDP message of a GTP-U packet after the creation of the session.
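The session-information side of FIG. 8 and FIG. 9 (GTP-C packet information extraction unit 330 and session information generation unit 340), as a Python example added here; it is not the patent's own code. It decodes a GTPv2-C “Create Session Response” into the second TEID and second UE IP address of FIG. 5. It assumes the information element layouts of 3GPP TS 29.274 (message type 33, PAA IE type 79, F-TEID IE type 87, Bearer Context IE type 93, EPS Bearer ID IE type 73), that the uplink data TEID of interest is the S-GW's S1-U F-TEID (interface type 1) carried inside the Bearer Context, and that the UE is allocated an IPv4 address. The sample message is constructed inline, not captured signalling.

```python
import struct
import ipaddress

CREATE_SESSION_RESPONSE = 33   # GTPv2-C message type (3GPP TS 29.274)
IE_EBI, IE_PAA, IE_FTEID, IE_BEARER_CONTEXT = 73, 79, 87, 93
IFACE_S1U_SGW = 1              # F-TEID interface type: S1-U tunnel endpoint at the S-GW (uplink data)


def parse_gtpv2_header(pkt: bytes):
    """Return (message_type, teid, sequence, body) of a GTPv2-C message; raises ValueError if not GTPv2."""
    if len(pkt) < 8:
        raise ValueError("too short for a GTPv2-C header")
    flags, msg_type, length = struct.unpack("!BBH", pkt[:4])
    if flags >> 5 != 2:
        raise ValueError("not GTP version 2")
    off, teid = 4, None
    if flags & 0x08:                       # T flag: 4-byte TEID present
        teid = struct.unpack("!I", pkt[4:8])[0]
        off = 8
    seq = int.from_bytes(pkt[off:off + 3], "big")
    off += 4                               # 3-byte sequence number + 1 spare byte
    return msg_type, teid, seq, pkt[off:4 + length]   # length excludes the first 4 header bytes


def iter_ies(buf: bytes):
    """Yield (type, instance, value) for each TLV information element in buf (also used for grouped IEs)."""
    off = 0
    while off + 4 <= len(buf):
        ie_type, ie_len, inst = struct.unpack("!BHB", buf[off:off + 4])
        yield ie_type, inst & 0x0F, buf[off + 4:off + 4 + ie_len]
        off += 4 + ie_len


def decode_fteid(value: bytes):
    """Return (interface_type, teid, ipv4) from an F-TEID IE; ipv4 is None if only IPv6 is carried."""
    flags, teid = struct.unpack("!BI", value[:5])
    ipv4 = str(ipaddress.IPv4Address(value[5:9])) if flags & 0x80 else None
    return flags & 0x3F, teid, ipv4


def decode_paa(value: bytes):
    """Return the IPv4 address from a PAA IE, or None for PDN types this example does not handle."""
    if value[0] & 0x07 == 1:               # PDN type 1 = IPv4
        return str(ipaddress.IPv4Address(value[1:5]))
    return None


def session_info_from_csr(pkt: bytes) -> dict:
    """Build the session information of FIG. 5 from one Create Session Response:
    {second TEID (uplink S1-U TEID): second UE IP address}. Returns {} if anything is missing."""
    msg_type, _, _, body = parse_gtpv2_header(pkt)
    if msg_type != CREATE_SESSION_RESPONSE:
        return {}
    ue_ip, uplink_teid = None, None
    for ie_type, _, value in iter_ies(body):
        if ie_type == IE_PAA:
            ue_ip = decode_paa(value)
        elif ie_type == IE_BEARER_CONTEXT:    # grouped IE: holds the per-bearer F-TEIDs
            for inner_type, _, inner in iter_ies(value):
                if inner_type == IE_FTEID:
                    iface, teid, _ipv4 = decode_fteid(inner)
                    if iface == IFACE_S1U_SGW:
                        uplink_teid = teid
    if ue_ip is None or uplink_teid is None:
        return {}
    return {uplink_teid: ue_ip}


def build_ie(ie_type: int, value: bytes, instance: int = 0) -> bytes:
    """Encode one GTPv2-C TLV information element."""
    return struct.pack("!BHB", ie_type, len(value), instance) + value


def build_create_session_response(ue_ip: str, uplink_teid: int, sgw_ip: str) -> bytes:
    """Constructed sample Create Session Response (S-GW to MME direction), not captured signalling."""
    paa = build_ie(IE_PAA, b"\x01" + ipaddress.IPv4Address(ue_ip).packed)
    s1u_sgw = build_ie(IE_FTEID, struct.pack("!BI", 0x80 | IFACE_S1U_SGW, uplink_teid)
                       + ipaddress.IPv4Address(sgw_ip).packed)
    bearer = build_ie(IE_BEARER_CONTEXT, build_ie(IE_EBI, b"\x05") + s1u_sgw)
    body = paa + bearer
    rest = struct.pack("!I", 0x0000ABCD) + (1).to_bytes(3, "big") + b"\x00"   # TEID, sequence, spare
    return struct.pack("!BBH", 0x48, CREATE_SESSION_RESPONSE, len(rest) + len(body)) + rest + body
```

`session_info_from_csr(build_create_session_response("10.45.0.7", 0x1001, "10.0.1.1"))` returns `{0x1001: "10.45.0.7"}`, which is exactly the dict the detection example consumes as `sessions`. Which F-TEID interface type marks the uplink data tunnel depends on where the collecting element sits: the S-GW's S1-U F-TEID decoded here is only present in the Create Session Response travelling over S11 (point P2 in FIG. 11, where apparatus 410 is placed); a collector on S5 (point P3) would see the P-GW's S5/S8 F-TEID instead and would have to match that interface type.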
  • FIG. 10 is a block diagram of a system for detecting an abnormal SDP message, according to an exemplary embodiment of the invention.
  • the exemplary embodiment of FIG. 10 will hereinafter be described, focusing mainly on differences with the exemplary embodiment of FIG. 8.
  • a system 400 for detecting an abnormal SDP message includes an apparatus 410 for collecting session information and an apparatus 420 for detecting an abnormal SDP message.
  • the apparatus 410 may include NICs 411a and 411b, a GTP-C packet information extraction unit 412, and a session information generation unit 413.
  • the apparatus 410 may extract GTP-C packet information from a GTP-C packet and may generate session information based on the extracted GTP-C packet information.
  • the apparatus 420 may include NICs 421a and 421b, a GTP-U packet information extraction unit 422, a packet analysis unit 423, a session information storage unit 424, a detection information generation unit 425, and a packet processing unit 425.
  • the apparatus 420 may detect an abnormal SDP message by using the session information provided by the apparatus 410.
  • the system 400 is illustrated in FIG. 10 as including two physically separate elements, i.e., an element for extracting a first TEID and a first UE IP address from a GTP-U packet and detecting an abnormal SDP message in accordance with the results of comparison of the first UE IP address with session information, and an element for extracting a second TEID and a second UE IP address from a GTP-C packet and generating session information including the second TEID and the second UE IP address.
  • the session information storage unit 424 may store the session information provided by the apparatus 410.
  • FIG. 11 is a diagram illustrating the structure of a 4G mobile network to which an apparatus or system for detecting an abnormal SDP message, according to exemplary embodiments of the invention is applied.
  • a 4G mobile network 1000 may include UE 1100, an eNB 1200, an MME 1300, an S-GW 1400 and a P-GW 1500.
  • the UE 1100 may be a subscriber mobile terminal of the 4G mobile network 1000.
  • the eNB 1200 may be a base station providing wireless connection between the UE 1100 and the 4G mobile network 1000.
  • the MME 1300 and the S-GW 1400 may exchange a GTP-C packet with each other via an S11 GTP tunnel.
  • the eNB 1200 and the S-GW 1400 may exchange a GTP-U packet with each other via an S1-U GTP tunnel.
  • the S-GW 1400 and the P-GW 1500 may exchange a GTP-C packet or a GTP-U packet with each other via an S5 GTP tunnel.
  • the P-GW 1500 may be connected to an external network, for example, an IMS network 2000.
  • the P-GW 1500 may be connected to a P-CSCF 2100 in the IMS network 2000, and may transmit or receive an SIP message.
  • the S11 GTP tunnel may be a path for session control.
  • the S1-U GTP tunnel may be a path for data traffic.
  • the S5 GTP tunnel may be a path for both session control and data traffic.
  • the apparatus 100 or 300 of FIG. 1 or 8 may be provided at a point P1 between the eNB 1200 and the S-GW 1400, a point P2 between the MME 1300 and the S-GW 1400 or a point P3 between the S-GW 1400 and the P-GW 1500.
  • the apparatus 100 or 300 of FIG. 1 or 8 may be provided as an element of the S-GW 1400 or the P-GW 1500.
  • the apparatus 410 of the system 400 of FIG. 10 may be provided at the point P2 between the MME 1300 and the S-GW 1400, and the apparatus 420 of the system 400 of FIG. 10 may be provided at the point P1 between the eNB 1200 and the S-GW 1400.
  • the apparatus 100 or 300 or the system 400 may be provided at the point P1, P2 or P3 within the 4G mobile network 1000. Accordingly, it is possible to effectively detect and drop an abnormal SDP message which has a falsified UE IP address and may cause erroneous transmission of an RTP packet.
  • a software module may reside in a RAM memory, flash memory, a ROM memory, an EPROM memory, an EEPROM memory, registers, a hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art.
  • An exemplary storage medium may be coupled to the processor, such that the processor can read information from, and write information to, the storage medium.
  • the storage medium may be integral to the processor.
  • the processor and the storage medium may reside in an ASIC. Additionally, the ASIC may reside in a user terminal. In the alternative, the processor and the storage medium may reside as discrete components in a user terminal.

Abstract

An apparatus and method for detecting an abnormal Session Description Protocol (SDP) message are provided. The apparatus includes: a packet information extraction unit configured to extract a first Tunnel Endpoint Identifier (TEID) from the header of a General Packet Radio Service (GPRS) Tunneling Protocol (GTP)-U packet and a first User Equipment (UE) Internet Protocol (IP) address from an SDP message in the payload of the GTP-U packet; a session information storage unit configured to store session information, including a second TEID and a second UE IP address; a packet analysis unit configured to perform an abnormal SDP message detection operation by determining whether the SDP message is an abnormal SDP message based on whether the first and second TEIDs are identical and whether the first and second UE IP addresses are different; and a packet processing unit configured to process the GTP-U packet according to a predetermined detection policy in response to the SDP message being an abnormal SDP message, wherein the first and second IP addresses are UE IP addresses for transmitting a Real-time Transport Protocol (RTP) packet.

Description

APPARATUS AND METHOD FOR DETECTING ABNORMAL SDP MESSAGE IN 4G MOBILE NETWORKS
The invention relates to an apparatus and method for detecting an abnormal Session Description Protocol (SDP) message, and more particularly, to an apparatus and method for detecting an abnormal SDP message in a 4th Generation (4G) mobile network.
General Packet Radio Service (GPRS) Tunneling Protocol (GTP) is a type of protocol for use in a 3rd Generation (3G) network or a 4th Generation (4G) network, and includes GTP-C packets for signaling and GTP-U packets for data transmissions.
In a mobile communication network, a Session Initiation Protocol (SIP) message for setting a Voice over Long-Term Evolution (VoLTE) call may be included in a GTP packet and may then be transmitted. The SIP message may include a Session Description Protocol (SDP) message, which corresponds to the message body of the SIP message.
GTP has been designed to perform signaling and data transmission operations such as setting, updating and deleting a data call to provide various data services to user terminals (for example, smart phones), but does not consider any methods to detect an attack launched against a mobile communication network.
As a result, even a GTP packet with a falsified Internet Protocol (IP) address in an SDP message thereof may be forwarded to an external network (for example, an IP Multimedia Subsystem (IMS) network) without being hindered. However, such an abnormal SDP message may cause erroneous transmission of a Real-time Transport Protocol (RTP) packet in a mobile communication network and may thus become a threat to the mobile communication network by being used in an illegitimate attempt to intercept a voice call between UEs in the mobile communication network.
Exemplary embodiments of the invention provide an apparatus for detecting an abnormal Session Description Protocol (SDP) message with a falsified UE Internet Protocol (IP) address that can cause erroneous transmission of a Real-time Transport Protocol (RTP) packet in a 4th Generation (4G) mobile network.
Exemplary embodiments of the invention also provide a method of detecting an abnormal SDP message with a falsified UE IP address that can cause erroneous transmission of an RTP packet in a 4G mobile network.
However, exemplary embodiments of the invention are not restricted to those set forth herein. The above and other exemplary embodiments of the invention will become more apparent to one of ordinary skill in the art to which the invention pertains by referencing the detailed description of the invention given below.
According to an exemplary embodiment of the invention, an apparatus for detecting an abnormal Session Description Protocol (SDP) message, includes: a packet information extraction unit configured to extract a first Tunnel Endpoint Identifier (TEID) from the header of a General Packet Radio Service (GPRS) Tunneling Protocol (GTP)-U packet and a first User Equipment (UE) Internet Protocol (IP) address from an SDP message in the payload of the GTP-U packet; a session information storage unit configured to store session information, including a second TEID and a second UE IP address; a packet analysis unit configured to perform an abnormal SDP message detection operation by determining whether the SDP message is an abnormal SDP message based on whether the first and second TEIDs are identical and whether the first and second UE IP addresses are different; and a packet processing unit configured to process the GTP-U packet according to a predetermined detection policy in response to the SDP message being an abnormal SDP message, wherein the first and second IP addresses are UE IP addresses for transmitting a Real-time Transport Protocol (RTP) packet.
According to another exemplary embodiment of the invention, an apparatus for detecting an abnormal SDP message, includes: a GTP-U packet information extraction unit configured to extract a first TEID from the header of a GTP-U packet and a first UE IP address from an SDP message in the payload of the GTP-U packet; a GTP-C packet information extraction unit configured to extract a second TEID and a second UE IP address from the payload of a GTP-C packet; a session information storage unit configured to store session information, including the second TEID and the second UE IP address; a packet analysis unit configured to perform an abnormal SDP message detection operation by determining whether the SDP message is an abnormal SDP message based on results of comparison of the first and second TEIDs and the first and second UE IP addresses; and a packet processing unit configured to process the GTP-U packet according to a predetermined detection policy in response to the SDP message being an abnormal SDP message, wherein the first and second IP addresses are UE IP addresses for transmitting an RTP packet.
According to another exemplary embodiment of the invention, a system for detecting an abnormal SDP message, includes: an apparatus for detecting an abnormal SDP message, configured to detect an abnormal SDP message by using session information; and an apparatus for collecting session information, configured to extract GTP-C packet information from a GTP-C packet and generate the session information based on the extracted GTP-C packet information, wherein the apparatus for detecting an abnormal SDP message, includes: a session information storage unit configured to receive session information including a second TEID and a second UE IP address from the apparatus for collecting session information and store the received session information; a GTP-U packet information extraction unit configured to extract a first TEID from the header of a GTP-U packet and a first UE IP address from an SDP message in the payload of the GTP-U packet; a packet analysis unit configured to perform an abnormal SDP message detection operation by determining whether the SDP message is an abnormal SDP message based on results of comparison of the first and second TEIDs and the first and second UE IP addresses; and a packet processing unit configured to process the GTP-U packet according to a predetermined detection policy in response to the SDP message being an abnormal SDP message, and the apparatus for collecting session information, includes: a GTP-C packet information extraction unit configured to extract the second TEID and the second UE IP address from the payload of the GTP-C packet; and a session information generation unit configured to generate the session information including the second TEID and the second UE IP address, wherein the first and second IP addresses are UE IP addresses for transmitting an RTP packet.
According to another exemplary embodiment of the invention, a method of detecting an abnormal SDP message, includes: extracting a first TEID from the header of a GTP-U packet and a first UE IP address from an SDP message in the payload of the GTP-U packet; determining whether the first TEID is identical to a second TEID of session information; in response to a determination being made that the first TEID is identical to the second TEID, determining whether the first UE IP address is identical to a second UE IP address corresponding to the second TEID; and in response to a determination being made that the first UE IP address is different from the second UE IP address, determining the SDP message as being an abnormal SDP message, wherein the first and second IP addresses are UE IP addresses for transmitting an RTP packet.
According to the exemplary embodiments of the invention, in a 4th Generation (4G) mobile network, a first Tunnel Endpoint Identifier (TEID) and a first User Equipment (UE) Internet Protocol (IP) address are extracted from the header of a General Packet Radio Service (GPRS) Tunneling Protocol (GTP)-U packet and a Session Description Protocol (SDP) message in the payload of the GTP-U packet, respectively, and are then compared with a second TEID and a second UE IP address, respectively, included in session information. Accordingly, it is possible to effectively detect and drop an abnormal Session Description Protocol (SDP) message which has a falsified UE IP address and may cause erroneous transmission of a Real-time Transport Protocol (RTP) packet.
FIG. 1 is a block diagram of an apparatus for detecting an abnormal Session Description Protocol (SDP) message, according to an exemplary embodiment of the invention.
FIG. 2 is a diagram for explaining an abnormal SDP message that can be transmitted in a 4th Generation (4G) mobile network.
FIG. 3 is a diagram illustrating erroneous transmission of a Real-time Transport Protocol (RTP) packet as caused by an abnormal SDP message.
FIG. 4 is a diagram for explaining values included in a Session Initiation Protocol (SIP) message.
FIG. 5 is a table for explaining session information present in a session information storage unit illustrated in FIG. 1.
FIG. 6 is a table for explaining abnormal SDP message detection information.
FIG. 7 is a flowchart illustrating a method of detecting an abnormal SDP message, according to an exemplary embodiment of the invention.
FIG. 8 is a block diagram of an apparatus for detecting an abnormal SDP message, according to another exemplary embodiment of the invention.
FIG. 9 is a diagram illustrating the creation of a General Packet Radio Service (GPRS) Tunneling Protocol (GTP) tunnel in a 4th Generation (4G) mobile network.
FIG. 10 is a block diagram of a system for detecting an abnormal SDP message, according to an exemplary embodiment of the invention.
FIG. 11 is a diagram illustrating the structure of a 4G mobile network to which an apparatus or system for detecting an abnormal SDP message according to exemplary embodiments of the invention is applied.
Advantages and features of the invention and methods of accomplishing the same may be understood more readily by reference to the following detailed description of exemplary embodiments and the accompanying drawings. The invention may, however, be embodied in many different forms and should not be construed as being limited to the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete and will fully convey the concept of the invention to those skilled in the art, and the invention will only be defined by the appended claims. Like reference numerals refer to like elements throughout the specification.
Each block represents a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that in some alternative implementations, the functions noted in the blocks may occur out of the order noted herein. For example, two blocks shown herein in succession may in fact be executed substantially concurrently or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved, as will be further clarified hereinbelow.
Although the terms “first, second, and so forth” are used to describe diverse constituent elements, such constituent elements are not limited by the terms. The terms are used only to discriminate a constituent element from other constituent elements. Accordingly, in the following description, a first constituent element may be a second constituent element.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting. As used herein, the singular forms “a,” “an,” and “the” are intended to include the plural forms, including “at least one,” unless the content clearly indicates otherwise. It will be further understood that the terms “comprises” and/or “comprising,” or “includes” and/or “including” when used in this specification, specify the presence of stated features, regions, integers, steps, operations, elements, and/or components, but do not preclude the presence or addition of one or more other features, regions, integers, steps, operations, elements, components, and/or groups thereof.
Unless indicated otherwise, it is to be understood that all the terms used in the specification including technical and scientific terms have the same meanings as those as understood by a person skilled in the art. It should be understood that the terms defined by a dictionary must be identical with the meanings within the context of the related art, and they should not be ideally or excessively formally defined unless the context clearly dictates otherwise.
FIG. 1 is a block diagram of an apparatus for detecting an abnormal Session Description Protocol (SDP) message, according to an exemplary embodiment of the invention.
Referring to FIG. 1, an apparatus 100 for detecting an abnormal SDP message, includes Network Interface Cards (NICs) 110a and 110b, a packet information extraction unit 120, a packet analysis unit 130, a session information storage unit 140, a detection information storage unit 150, and a packet processing unit 160.
The NIC 110a receives a General Packet Radio Service (GPRS) Tunneling Protocol (GTP)-U packet, and transmits the GTP-U packet to the packet information extraction unit 120. The NIC 110b forwards or drops the GTP-U packet in accordance with a control signal. The NICs 110a and 110b may be typical NICs or hardware acceleration NICs.
The GTP-U packet is used for transmitting a user packet within a mobile communication network. The GTP-U packet, which is processed by the NICs 110a and 110b, may be a GTP-U packet forwarded from User Equipment (UE) to an external network (for example, the Internet).
The packet information extraction unit 120 extracts various packet information from the GTP-U packet. The packet information extraction unit 120 may process the extracted packet information into structured data, and may transmit the processed packet information to the packet analysis unit 130.
The packet information extraction unit 120 may extract a Tunnel Endpoint Identifier (TEID) from the header of the GTP-U packet as information for detecting an abnormal SDP message. The TEID extracted by the packet information extraction unit 120 may be an uplink TEID. The term “uplink”, as used herein, may indicate the transmission of a GTP-U packet from UE to an external network, and the term “downlink”, as used herein, may indicate the transmission of a GTP-U packet from an external network to UE.
The packet information extraction unit 120 may extract a Session Initiation Protocol (SIP) message included in the payload of the GTP-U packet. For example, the SIP message may be an SIP INVITE message. The packet information extraction unit 120 may extract a UE Internet Protocol (IP) address from an SDP message, which corresponds to the message body of the SIP message.
The packet information extraction unit 120 may determine whether an SDP message exists in the payload of the GTP-U packet, and may extract information for detecting an abnormal SDP message in response to a determination being made that there exists an SDP message in the payload of the GTP-U packet.
FIG. 2 is a diagram for explaining an abnormal SDP message that can be transmitted in a 4th Generation (4G) mobile network.
Referring to FIG. 2, a 4G mobile network may include an evolved Node B (eNB) 1200 and a Serving Gateway (S-GW) 1400.
The eNB 1200 may be connected to the S-GW 1400, and an S1-U GTP tunnel may be created between the eNB 1200 and the S-GW 1400. The S1-U GTP tunnel may be a GTP tunnel for transmitting data. A GTP-U packet 10 may be transmitted from the eNB 1200 to the S-GW 1400 via the S1-U GTP tunnel.
Even though not specifically illustrated in FIG. 2, the S-GW 1400 may transmit the GTP-U packet 10 received from the eNB 1200 to a Packet Data Network (PDN) Gateway (P-GW) (not illustrated).
An IP header, a User Datagram Protocol (UDP) header and a GTP-U header for a GTP tunnel may be combined into the header of the GTP-U packet 10, and a user packet may be encapsulated into the payload of the GTP-U packet 10. The user packet may include an SDP message for setting a Voice over Long-Term Evolution (VoLTE) call. The SDP message may include a UE IP address for transmitting or receiving a Real-time Transport Protocol (RTP) packet.
FIG. 2 illustrates an SDP message with a falsified UE IP address. An abnormal SDP message, which is an SDP message with a falsified UE IP address, may cause erroneous transmission of an RTP packet.
FIG. 3 is a diagram illustrating erroneous transmission of an RTP packet as caused by an abnormal SDP message.
Referring to FIG. 3, in response to an SIP INVITE message transmitted by sender UE 1100a being received by receiver UE 1100b and a “200 OK” message transmitted by the receiver UE 1100b being received by the sender UE 1100a, a VoLTE call setting process may be completed.
During the VoLTE call setting process, an SIP message may be transmitted via P-GWs 1500a, 1500b, and 1500c in a 4G network 1000 and via a Proxy Call Session Control Function (P-CSCF) 2100, an Interrogating CSCF (I-CSCF) 2200, and a Serving CSCF (S-CSCF) 2300 in an IMS network 2000.
In response to the VoLTE call setting process being complete, the sender UE 1100a and the receiver UE 1100b may transmit voice traffic to or receive voice traffic from each other by using an RTP packet.
The rest of the VoLTE call setting process is already obvious to a person skilled in the art to which the invention pertains, and thus, a detailed description thereof will be omitted.
In a case in which an SDP message, which is the message body of an SIP message, is falsified by entering an attacker 1600’s IP address as a UE IP address for transmitting or receiving an RTP packet, an RTP packet transmitted by the sender UE 1100a or the receiver UE 1100b may be received by the attacker 1600. The attacker 1600 may analyze the received RTP packet, and may identify the content of a voice call between the sender UE 1100a and the receiver UE 1100b. Even if the attacker 1600 forwards the received RTP packet back to the sender UE 1100a or the receiver UE 1100b, the sender UE 1100a or the receiver UE 1100b may not be able to identify whether the corresponding RTP packet has been erroneously transmitted to the attacker 1600. An abnormal SDP message may cause a threat by being used in, for example, an attempt to intercept a call.
The apparatus 100 may store a TEID and a UE IP address that are allocated upon the creation of a GTP tunnel in advance as session information, and may compare a TEID and a UE IP address that are extracted from a GTP-U packet with the session information to detect an abnormal SDP message.
FIG. 4 is a diagram for explaining values included in an SIP message.
Referring to FIG. 4, an SIP message may include a message header and a message body. Each of the message header and the message body of the SIP message may include various fields. The message body of the SIP message may correspond to an SDP message.
The message body of the SIP message may include a “Connection Information” field and a “Media Description, name and address” field. In the “Connection Information” field, a UE IP address for transmitting or receiving an RTP packet may be recorded, and in the “Media Description, name and address” field, a port for transmitting or receiving the RTP packet may be recorded.
The packet information extraction unit 120 may extract a UE IP address from the “Connection Information” field of the message body of an SIP message.
Even though not specifically illustrated in FIG. 4, the message body of an SIP message may also include other fields than those set forth herein, in which to record a UE IP address, and the packet information extraction unit 120 may extract a UE IP address from each of these other fields.
For a proper distinction between TEIDs and between UE IP addresses, a TEID and a UE IP address that are extracted from a GTP-U packet will hereinafter be referred to as a first TEID and a first UE IP address, respectively, and a TEID and a UE IP address that are included in session information will hereinafter be referred to as a second TEID and a second UE IP address, respectively.
Referring back to FIG. 1, the packet analysis unit 130 may perform an abnormal SDP message detection operation. The packet analysis unit 130 may compare first and second TEIDs with each other and first and second UE IP addresses with each other and may detect an abnormal SDP message based on the results of the comparison.
The session information storage unit 140 may store session information including the second TEID and the second UE IP address in advance. The second TEID and the second UE IP address may be extracted from a GTP-C packet. The GTP-C packet may be used for signaling within a mobile communication network, such as setting, updating or deleting a call.
FIG. 5 is a table for explaining session information stored in a session information storage unit illustrated in FIG. 1.
Referring to FIG. 5, session information includes a second TEID and a second UE IP address. The second TEID may be an uplink data TEID. The second TEID may be the TEID of a GTP-U packet forwarded from UE to an external network. The second UE IP address may be an IP address for an IMS. That is, the second UE IP address may be an IP address for transmitting or receiving an RTP packet. The second UE IP address may be stored in association with (mapped to) the second TEID.
Referring back to FIG. 1, to compare the first TEID and the first UE IP address extracted from a GTP-U packet with session information, the packet analysis unit 130 may determine whether there exists a second TEID identical to the first TEID in the session information. In response to a determination being made that a second TEID identical to the first TEID exists in the session information, the packet analysis unit 130 may extract a second UE IP address corresponding to the second TEID from the session information. The packet analysis unit 130 may determine whether the first UE IP address and the extracted second UE IP address are identical to each other. In response to a determination being made that the first UE IP address and the extracted second UE IP address are different, the packet analysis unit 130 may determine an SDP message included in the GTP-U packet as being an abnormal SDP message.
FIG. 6 is a table for explaining abnormal SDP message detection information.
Referring to FIG. 6, the detection information storage unit 150 may create and store abnormal SDP message detection information (or an abnormal SDP message detection log) in accordance with the results of the detection of an abnormal SDP message.
For example, the abnormal SDP message detection information may include a detection time field, a detected item field, a UE identification number field and a detection result field, and may also include a TEID field, a destination IP field, a destination port field, a source IP/port field, and a falsified UE identification number field.
Referring back to FIG. 1, the packet processing unit 160 may process a GTP-U packet with a detected abnormal SDP message according to a predetermined detection policy. The packet processing unit 160 may control the NIC 110b to forward or drop the GTP-U packet with the detected abnormal SDP message. The expression “forward a GTP-U packet”, as used herein, may indicate transmitting a GTP-U packet to its destination IP address, and the expression “drop a GTP-U packet”, as used herein, may indicate not transmitting the GTP-U packet to its destination IP address.
In the apparatus 100, the NICs 110a and 110b, the packet information extraction unit 120, the packet analysis unit 130, the session information storage unit 140, the detection information storage unit 150, and the packet processing unit 160 are provided as separate elements. Various modifications may be made to the structure of the apparatus 100 without departing from the scope of the invention. For example, in an alternative exemplary embodiment, some of the elements of the apparatus 100 may be incorporated into a single unit or module.
FIG. 7 is a flowchart illustrating a method of detecting an abnormal SDP message, according to an exemplary embodiment of the invention.
Referring to FIG. 7, the NIC 110a receives a GTP-U packet (S201).
The packet information extraction unit 120 determines whether the destination port of the GTP-U packet is an SIP port (S202). For example, the packet information extraction unit 120 may determine whether the destination port of the GTP-U packet has a value of “5060”, and may determine the GTP-U packet as including an SIP message in response to a determination being made that the destination port of the GTP-U packet has a value of “5060”.
The packet information extraction unit 120 determines whether there exists an SDP message in the payload of the GTP-U packet (S203). In response to a determination being made that there is no SDP message in the payload of the GTP-U packet, the packet analysis unit 130 may not perform an abnormal SDP message detection operation.
In response to a determination being made that there exists an SDP message in the payload of the GTP-U packet, the packet information extraction unit 120 extracts a first TEID from the header of the GTP-U packet and a first UE IP address from the SDP message (S204). As described above, the first TEID may be an uplink data TEID. The packet information extraction unit 120 may process various packet information into structured data.
The packet analysis unit 130 determines whether a second TEID identical to the first TEID exists in session information (S205).
In response to a determination being made that there exists a second TEID identical to the first TEID in the session information, the packet analysis unit 130 extracts the first UE IP address from the processed packet information provided by the packet information extraction unit 120 (S206). As described above, the first UE IP address may be an IP address for an IMS.
The packet analysis unit 130 may determine whether the first UE IP address and a second UE IP address are identical (S207). As described above, the packet analysis unit 130 may extract a second UE IP address corresponding to the second TEID from the session information, and may determine whether the first UE IP address and the second UE IP address are identical.
In response to a determination being made that the first UE IP address and the second UE IP address are different, the packet analysis unit 130 may determine the SDP message as being an abnormal SDP message, and the detection information storage unit 150 may create and store abnormal SDP message detection information (S208). As described above, the abnormal SDP message detection information may include a detection time field, a detected item field, a UE IP address field, a detection result field indicating whether to drop the abnormal SDP message, a TEID field, a destination IP field, a destination port field, a source IP/port field, and a falsified UE IP address field.
The packet processing unit 160 processes the GTP-U packet with the abnormal SDP message according to a predetermined detection policy (S209).
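The detection steps S201 to S209 above, as an added worked example that is not part of the patent and not the applicant's code: it parses a minimal GTPv1-U header for the first TEID, checks the inner UDP destination port for 5060, pulls the first UE IP address from the SDP "c=" (Connection Information) line of the SIP body, and compares both against a session table keyed by TEID. The session table, the packet builder, all addresses and the TEID value are constructed test data; a GTP-U packet whose TEID has no session entry is forwarded without a decision, which is an assumption about step S205 that the text leaves open.

```python
import socket
import struct
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

SIP_PORT = 5060        # destination port checked in step S202
GTPU_GPDU = 0xFF       # GTPv1-U message type carrying a user packet (G-PDU)


@dataclass
class Detection:
    """Subset of the FIG. 6 detection log fields."""
    teid: int
    first_ue_ip: str     # UE IP from the SDP c= line of the GTP-U payload
    second_ue_ip: str    # UE IP recorded in session information for this TEID
    dst_ip: str
    dst_port: int
    action: str          # "forward" or "drop" according to the detection policy


def parse_gtpu(packet: bytes) -> Tuple[int, bytes]:
    """Return (first TEID, encapsulated user packet) from a GTPv1-U G-PDU."""
    if len(packet) < 8:
        raise ValueError("truncated GTP-U header")
    flags, msg_type, length, teid = struct.unpack("!BBHI", packet[:8])
    if (flags >> 5) != 1 or msg_type != GTPU_GPDU:
        raise ValueError("not a GTPv1-U G-PDU")
    hdr_len = 8 + (4 if flags & 0x07 else 0)   # S/PN/E flag adds 4 optional bytes
    return teid, packet[hdr_len:8 + length]     # 'length' counts bytes after octet 8


def parse_inner_ipv4_udp(user_pkt: bytes) -> Tuple[str, int, bytes]:
    """Return (destination IP, destination port, UDP payload) of the user packet."""
    if len(user_pkt) < 28 or user_pkt[0] >> 4 != 4 or user_pkt[9] != 17:
        raise ValueError("only IPv4/UDP user packets are handled here")
    ihl = (user_pkt[0] & 0x0F) * 4
    dst_ip = socket.inet_ntoa(user_pkt[16:20])
    _src_port, dst_port, udp_len = struct.unpack("!HHH", user_pkt[ihl:ihl + 6])
    return dst_ip, dst_port, user_pkt[ihl + 8:ihl + udp_len]


def sdp_connection_ip(sip_text: str) -> Optional[str]:
    """Step S203/S204: UE IP from the SDP 'c=' line, or None if there is no SDP body."""
    head, sep, body = sip_text.partition("\r\n\r\n")
    if not sep or ("application/sdp" not in head.lower() and not body.startswith("v=")):
        return None
    for line in body.splitlines():
        if line.startswith("c="):
            parts = line[2:].split()
            if len(parts) == 3 and parts[0] == "IN" and parts[1] == "IP4":
                return parts[2]
    return None


def detect_abnormal_sdp(packet: bytes, session_info: Dict[int, str],
                        policy_drop: bool = True) -> Tuple[str, Optional[Detection]]:
    """Steps S201-S209. Returns (action for the packet, detection record or None)."""
    teid, user_pkt = parse_gtpu(packet)                      # S201, first TEID
    dst_ip, dst_port, udp_payload = parse_inner_ipv4_udp(user_pkt)
    if dst_port != SIP_PORT:                                 # S202: not SIP
        return "forward", None
    first_ue_ip = sdp_connection_ip(udp_payload.decode("ascii", errors="replace"))
    if first_ue_ip is None:                                  # S203: no SDP message
        return "forward", None
    second_ue_ip = session_info.get(teid)                    # S205: matching second TEID?
    if second_ue_ip is None:                                 # assumption: no session, no decision
        return "forward", None
    if first_ue_ip == second_ue_ip:                          # S207: addresses identical
        return "forward", None
    action = "drop" if policy_drop else "forward"            # S208/S209
    return action, Detection(teid, first_ue_ip, second_ue_ip, dst_ip, dst_port, action)


def build_gtpu_sip_invite(teid: int, sdp_ip: str, src_ip: str = "10.45.0.7",
                          dst_ip: str = "10.200.0.10") -> bytes:
    """Constructed test input: GTP-U / IPv4 / UDP / SIP INVITE with an SDP body."""
    sdp = ("v=0\r\no=ue 1 1 IN IP4 %s\r\ns=-\r\nc=IN IP4 %s\r\nt=0 0\r\n"
           "m=audio 49170 RTP/AVP 0\r\n" % (sdp_ip, sdp_ip))
    sip = ("INVITE sip:bob@ims.example SIP/2.0\r\nContent-Type: application/sdp\r\n"
           "Content-Length: %d\r\n\r\n%s" % (len(sdp), sdp)).encode("ascii")
    udp = struct.pack("!HHHH", 5060, SIP_PORT, 8 + len(sip), 0) + sip
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip)) + udp
    return struct.pack("!BBHI", 0x30, GTPU_GPDU, len(ip), teid) + ip


if __name__ == "__main__":
    # Constructed session information (FIG. 5): second TEID -> second UE IP address.
    sessions = {0x1A2B3C4D: "10.45.0.7"}
    print(detect_abnormal_sdp(build_gtpu_sip_invite(0x1A2B3C4D, "10.45.0.7"), sessions))
    print(detect_abnormal_sdp(build_gtpu_sip_invite(0x1A2B3C4D, "10.45.0.99"), sessions))
```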
FIG. 8 is a block diagram of an apparatus for detecting an abnormal SDP message, according to another exemplary embodiment of the invention. For convenience, the exemplary embodiment of FIG. 8 will hereinafter be described, focusing mainly on differences with the exemplary embodiment of FIG. 1.
Referring to FIG. 8, an apparatus 300 for detecting an abnormal SDP message, includes NICs 310a and 310b, a packet classification unit 320, a GTP-C packet information extraction unit 330, a session information generation unit 340, a session information storage unit 350, a GTP-U packet information extraction unit 360, a packet analysis unit 370, a detection information storage unit 380, and a packet processing unit 390.
The NIC 310a receives a GTP packet, and transmits the GTP packet to the packet classification unit 320. The NIC 310b forwards or drops the GTP packet in accordance with a control signal provided by the packet processing unit 390.
The packet classification unit 320 classifies the GTP packet. More specifically, the packet classification unit 320 may classify the GTP packet as a GTP-C packet or a GTP-U packet. The packet classification unit 320 may transmit a GTP-C packet to the GTP-C packet information extraction unit 330 and may transmit a GTP-U packet to the GTP-U packet information extraction unit 360.
The GTP-C packet information extraction unit 330 may extract various packet information from a GTP-C packet. For example, the GTP-C packet may include a “Create Session Response” message. The GTP-C packet information extraction unit 330 may extract a second TEID and a second UE IP address from the payload of the GTP-C packet.
The session information generation unit 340 may generate session information including a second TEID and a second UE IP address. The session information generation unit 340 may store the generated session information in the session information storage unit 350.
The packet processing unit 390 may control the NIC 310b to forward a GTP-C packet.
FIG. 9 is a diagram illustrating the creation of a GTP tunnel in a 4G mobile network.
Referring to FIG. 9, a “Create Session Request” message and a “Create Session Response” message may be transmitted to create a GTP tunnel in a 4G mobile network. The “Create Session Request” message and the “Create Session Response” message may be transmitted as GTP-C packets.
More specifically, UE 1100 may transmit an “Attach Request” message to a Mobility Management Entity (MME) 1300, and the MME 1300 may transmit a “Create Session Request” message to an S-GW 1400. The S-GW 1400 may transmit the “Create Session Request” message to a P-GW 1500. In reply to the “Create Session Request” message, the P-GW 1500 may transmit a “Create Session Response” message to the S-GW 1400 and may thus create an S5 GTP tunnel between the S-GW 1400 and the P-GW 1500. The S-GW 1400 may transmit the “Create Session Response” message to the MME 1300 and may thus create an S11 GTP tunnel between the MME 1300 and the S-GW 1400. The MME 1300 may transmit an “Attach Response” message to the UE 1100 and may thus create an S1-U GTP tunnel between an eNB 1200 and the S-GW 1400.
Even though not specifically illustrated in FIG. 9, messages may be additionally transmitted between the eNB 1200 and the MME 1300 and between the MME 1300 and the S-GW 1400 before the creation of the S1-U GTP tunnel.
During the creation of a GTP tunnel, the GTP-C packet information extraction unit 330 may extract a second TEID and a second UE IP address from a “Create Session Response” message. An IP address allocated to the UE 1100 during the creation of a session may be compared with an IP address included in the SDP message of a GTP-U packet after the creation of the session.
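The comparison of steps S206 to S209 together with the session information learned from the "Create Session Response" message, as an added worked example in Python (not the patent's or the applicant's code). It assumes a constructed session table standing in for the session information storage unit (the GTP-C information elements themselves are not parsed), constructs its GTP-U/IPv4/UDP/SIP sample packets inline, and uses function names and detection-record keys of its own choosing, with the record fields following the list given in the description. It goes one step beyond the text in taking every SDP c= (Connection Information) line, session-level and media-level, rather than a single field.

```python
import re
import socket
import struct
from datetime import datetime, timezone

# Constructed session information: second TEID -> second UE IP address, as the
# session information storage unit would hold it after GTP-C "Create Session
# Response" messages were parsed. GTP-C IE parsing itself is not modelled here.
SESSION_INFO = {
    0x0000A001: "10.20.30.40",
    0x0000A002: "10.20.30.41",
}
DROP_POLICY = True  # assumed detection policy: drop packets with an abnormal SDP message

# SDP Connection Information line ("c=") carrying an IPv4 address.
C_LINE = re.compile(rb"^c=IN IP4 (\S+)", re.MULTILINE)


def parse_gtpu(pkt: bytes):
    """Return (first TEID, inner user-plane payload) from a GTPv1-U G-PDU.
    Mandatory header: flags(1) type(1) length(2) TEID(4); if any of the E, S or
    PN flag bits is set, a further 4-byte field follows (3GPP TS 29.281)."""
    flags, msg_type, _length, teid = struct.unpack("!BBHI", pkt[:8])
    if flags >> 5 != 1 or msg_type != 0xFF:
        raise ValueError("not a GTPv1-U G-PDU")
    hdr_len = 8
    if flags & 0x07:
        hdr_len = 12
        if flags & 0x04 and pkt[11] != 0:
            raise ValueError("GTP-U extension headers are not handled in this example")
    return teid, pkt[hdr_len:]


def parse_inner_ipv4_udp(payload: bytes):
    """Return (src_ip, src_port, dst_ip, dst_port, udp_payload) of the tunnelled packet."""
    if payload[0] >> 4 != 4 or payload[9] != 17:
        raise ValueError("inner packet is not IPv4/UDP")
    ihl = (payload[0] & 0x0F) * 4
    src_ip = socket.inet_ntoa(payload[12:16])
    dst_ip = socket.inet_ntoa(payload[16:20])
    src_port, dst_port = struct.unpack("!HH", payload[ihl:ihl + 4])
    return src_ip, src_port, dst_ip, dst_port, payload[ihl + 8:]


def extract_sdp_connection_addresses(udp_payload: bytes):
    """Addresses of all SDP c= lines in a SIP message with an application/sdp
    body; [] when the packet carries no SDP message (step S203 fails)."""
    head, sep, body = udp_payload.partition(b"\r\n\r\n")
    if not sep or b"application/sdp" not in head.lower():
        return []
    return [addr.decode() for addr in C_LINE.findall(body)]


def analyze_gtpu_packet(pkt: bytes, session_info=SESSION_INFO, drop=DROP_POLICY):
    """Steps S206-S209: compare the first UE IP address (SDP c= line) with the
    second UE IP address stored for the same TEID. Returns (verdict, record);
    the detection record is None unless the SDP message is abnormal."""
    teid, inner = parse_gtpu(pkt)
    src_ip, src_port, dst_ip, dst_port, udp_payload = parse_inner_ipv4_udp(inner)
    first_ue_ips = extract_sdp_connection_addresses(udp_payload)
    if not first_ue_ips:
        return "no-sdp", None          # no SDP message: nothing to check
    second_ue_ip = session_info.get(teid)
    if second_ue_ip is None:
        return "no-session", None      # no identical second TEID in session information
    falsified = [ip for ip in first_ue_ips if ip != second_ue_ip]
    if not falsified:
        return "normal", None
    record = {                          # fields as listed in the description
        "detection_time": datetime.now(timezone.utc).isoformat(),
        "detected_item": "SDP connection address differs from UE IP of session",
        "ue_ip_address": second_ue_ip,
        "detection_result": "drop" if drop else "forward",
        "teid": teid,
        "destination_ip": dst_ip,
        "destination_port": dst_port,
        "source_ip_port": f"{src_ip}:{src_port}",
        "falsified_ue_ip_address": falsified[0],
    }
    return "abnormal", record


def sample_invite(c_addr: str) -> bytes:
    """Constructed SIP INVITE whose SDP body advertises c_addr for RTP."""
    sdp = (f"v=0\r\no=ue 1 1 IN IP4 {c_addr}\r\ns=-\r\nc=IN IP4 {c_addr}\r\n"
           f"t=0 0\r\nm=audio 49170 RTP/AVP 0\r\n").encode()
    return (b"INVITE sip:bob@ims.example SIP/2.0\r\n"
            b"Via: SIP/2.0/UDP 10.20.30.40:5060\r\n"
            b"Content-Type: application/sdp\r\n"
            b"Content-Length: " + str(len(sdp)).encode() + b"\r\n\r\n" + sdp)


def build_gtpu_sip(teid: int, src_ip: str, dst_ip: str, sip: bytes, seq: bool = False) -> bytes:
    """Constructed GTP-U G-PDU carrying IPv4/UDP/SIP (checksums left zero)."""
    udp = struct.pack("!HHHH", 5060, 5060, 8 + len(sip), 0) + sip
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip)) + udp
    if seq:  # S flag set: sequence number, N-PDU number and next-ext-type follow
        return struct.pack("!BBHIHBB", 0x32, 0xFF, len(ip) + 4, teid, 1, 0, 0) + ip
    return struct.pack("!BBHI", 0x30, 0xFF, len(ip), teid) + ip


if __name__ == "__main__":
    normal = build_gtpu_sip(0xA001, "10.20.30.40", "192.0.2.10", sample_invite("10.20.30.40"))
    falsified = build_gtpu_sip(0xA001, "10.20.30.40", "192.0.2.10",
                               sample_invite("198.51.100.7"), seq=True)
    for pkt in (normal, falsified):
        print(*analyze_gtpu_packet(pkt))
```

The verdict for a packet whose TEID has no entry in the session table is reported separately from "normal", because the description only defines the comparison for a matching second TEID; what to do with tunnels the collector has not seen is a policy decision, and a deployment at point P1 or P3 would normally have learned the TEID from the GTP-C exchange before any user-plane SIP appears on it.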
FIG. 10 is a block diagram of a system for detecting an abnormal SDP message, according to an exemplary embodiment of the invention. For convenience, the exemplary embodiment of FIG. 10 will hereinafter be described, focusing mainly on differences with the exemplary embodiment of FIG. 8.
Referring to FIG. 10, a system 400 for detecting an abnormal SDP message, includes an apparatus 410 for collecting session information and an apparatus 420 for detecting an abnormal SDP message.
The apparatus 410 may include NICs 411a and 411b, a GTP-C packet information extraction unit 412, and a session information generation unit 413. The apparatus 410 may extract GTP-C packet information from a GTP-C packet and may generate session information based on the extracted GTP-C packet information.
The apparatus 420 may include NICs 421a and 421b, a GTP-U packet information extraction unit 422, a packet analysis unit 423, a session information storage unit 424, a detection information generation unit 425, and a packet processing unit 425. The apparatus 420 may detect an abnormal SDP message by using the session information provided by the apparatus 410.
The system 400 is illustrated in FIG. 10 as including two physically separate elements, i.e., an element for extracting a first TEID and a first UE IP address from a GTP-U packet and detecting an abnormal SDP message in accordance with the results of comparison of the first UE IP address with session information, and an element for extracting a second TEID and a second UE IP address from a GTP-C packet and generating session information including the second TEID and the second UE IP address.
The session information storage unit 424 may store the session information provided by the apparatus 410.
FIG. 11 is a diagram illustrating the structure of a 4G mobile network to which an apparatus or system for detecting an abnormal SDP message, according to exemplary embodiments of the invention is applied.
Referring to FIG. 11, a 4G mobile network 1000 may include UE 1100, an eNB 1200, an MME 1300, an S-GW 1400 and a P-GW 1500.
The UE 1100 may be a subscriber mobile terminal of the 4G mobile network 1000. The eNB 1200 may be a base station providing wireless connection between the UE 1100 and the 4G mobile network 1000. The MME 1300 and the S-GW 1400 may exchange a GTP-C packet with each other via an S11 GTP tunnel. The eNB 1200 and the S-GW 1400 may exchange a GTP-U packet with each other via an S1-U GTP tunnel. The S-GW 1400 and the P-GW 1500 may exchange a GTP-C packet or a GTP-U packet with each other via an S5 GTP tunnel. The P-GW 1500 may be connected to an external network, for example, an IMS network 2000.
The P-GW 1500 may be connected to a P-CSCF 2100 in the IMS network 2000, and may transmit or receive an SIP message.
In the 4G mobile network 1000, the S11 GTP tunnel may be a path for session control, the S1-U GTP tunnel may be a path for data traffic, and the S5 GTP tunnel may be a path for both session control and data traffic.
The apparatus 100 or 300 of FIG. 1 or 8 may be provided at a point P1 between the eNB 1200 and the S-GW 1400, a point P2 between the MME 1300 and the S-GW 1400, or a point P3 between the S-GW 1400 and the P-GW 1500. The apparatus 100 or 300 of FIG. 1 or 8 may be provided as an element of the S-GW 1400 or the P-GW 1500. The apparatus 410 of the system 400 of FIG. 10 may be provided at the point P2 between the MME 1300 and the S-GW 1400, and the apparatus 420 of the system 400 of FIG. 10 may be provided at the point P1 between the eNB 1200 and the S-GW 1400.
The apparatus 100 or 300 or the system 400 may be provided at the point P1, P2 or P3 within the 4G mobile network 1000. Accordingly, it is possible to effectively detect and drop an abnormal SDP message which has a falsified UE IP address and may cause erroneous transmission of an RTP packet.
The steps and/or actions of a method or algorithm described in connection with the aspects disclosed herein may be embodied directly in hardware, in a software module executed by a processor, or in a combination of the two. A software module may reside in a RAM memory, flash memory, a ROM memory, an EPROM memory, an EEPROM memory, registers, a hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art. An exemplary storage medium may be coupled to the processor, such that the processor can read information from, and write information to, the storage medium. In the alternative, the storage medium may be integral to the processor. Further, in some aspects, the processor and the storage medium may reside in an ASIC. Additionally, the ASIC may reside in a user terminal. In the alternative, the processor and the storage medium may reside as discrete components in a user terminal.
While the invention has been particularly shown and described with reference to exemplary embodiments thereof, it will be understood by those of ordinary skill in the art that various changes in form and detail may be made therein without departing from the spirit and scope of the invention as defined by the following claims. The exemplary embodiments should be considered in a descriptive sense only and not for purposes of limitation.

Claims (22)

  1. An apparatus for detecting an abnormal Session Description Protocol (SDP) message, the apparatus comprising:
    a packet information extraction unit configured to extract a first Tunnel Endpoint Identifier (TEID) from the header of a General Packet Radio Service (GPRS) Tunneling Protocol (GTP)-U packet and a first User Equipment (UE) Internet Protocol (IP) address from an SDP message in the payload of the GTP-U packet;
    a session information storage unit configured to store session information, including a second TEID and a second UE IP address;
    a packet analysis unit configured to perform an abnormal SDP message detection operation by determining whether the SDP message is an abnormal SDP message based on whether the first and second TEIDs are identical and whether the first and second UE IP addresses are different; and
    a packet processing unit configured to process the GTP-U packet according to a predetermined detection policy in response to the SDP message being an abnormal SDP message,
    wherein the first and second IP addresses are UE IP addresses for transmitting a Real-time Transport Protocol (RTP) packet.
  2. The apparatus of claim 1, wherein the packet information extraction unit is further configured to extract the first UE IP address from a “Connection Information” field of the SDP message.
  3. The apparatus of claim 2, wherein the GTP-U packet includes a Session Initiation Protocol (SIP) INVITE message and the SDP message corresponds to a message body of the SIP INVITE message.
  4. The apparatus of claim 1, wherein the packet information extraction unit is further configured to determine whether the SDP message exists in the payload of the GTP-U packet and extract the first TEID and the first UE IP address in response to a determination being made that the SDP message exists in the payload of the GTP-U packet.
  5. The apparatus of claim 1, further comprising:
    a detection information storage unit configured to store abnormal SDP message detection information relating to the abnormal SDP message.
  6. The apparatus of claim 5, wherein the abnormal SDP message detection information includes a detection time field, a detected item field, a UE IP address field, a detection result field indicating whether to drop the abnormal SDP message, a TEID field, a destination IP field, a destination port field, a source IP field, and a source port field.
  7. An apparatus for detecting an abnormal SDP message, the apparatus comprising:
    a GTP-U packet information extraction unit configured to extract a first TEID from the header of a GTP-U packet and a first UE IP address from an SDP message in the payload of the GTP-U packet;
    a GTP-C packet information extraction unit configured to extract a second TEID and a second UE IP address from the payload of a GTP-C packet;
    a session information storage unit configured to store session information, including the second TEID and the second UE IP address;
    a packet analysis unit configured to perform an abnormal SDP message detection operation by determining whether the SDP message is an abnormal SDP message based on results of comparison of the first and second TEIDs and the first and second UE IP addresses; and
    a packet processing unit configured to process the GTP-U packet according to a predetermined detection policy in response to the SDP message being an abnormal SDP message,
    wherein the first and second IP addresses are UE IP addresses for transmitting an RTP packet.
  8. The apparatus of claim 7, wherein the packet information extraction unit is further configured to extract the first UE IP address from a “Connection Information” field of the SDP message.
  9. The apparatus of claim 7, wherein the GTP-C packet includes a “Create Session Response” message and the GTP-C packet information extraction unit is further configured to extract the second TEID and the second UE IP address from the payload of the “Create Session Response” message.
  10. The apparatus of claim 7, further comprising:
    a detection information storage unit configured to store abnormal SDP message detection information relating to the abnormal SDP message.
  11. The apparatus of claim 7, wherein the GTP-C packet and the GTP-U packet are transmitted via an S5 tunnel established between a Serving Gateway (S-GW) and a Packet Data Network (PDN) Gateway (P-GW).
  12. A system for detecting an abnormal SDP message, the system comprising:
    an apparatus for detecting an abnormal SDP message, configured to detect an abnormal SDP message by using session information; and
    an apparatus for collecting session information, configured to extract GTP-C packet information from a GTP-C packet and generate the session information based on the extracted GTP-C packet information,
    wherein the apparatus for detecting an abnormal SDP message, comprises:
    a session information storage unit configured to receive session information including a second TEID and a second UE IP address from the apparatus for collecting session information and store the received session information;
    a GTP-U packet information extraction unit configured to extract a first TEID from the header of a GTP-U packet and a first UE IP address from an SDP message in the payload of the GTP-U packet;
    a packet analysis unit configured to perform an abnormal SDP message detection operation by determining whether the SDP message is an abnormal SDP message based on results of comparison of the first and second TEIDs and the first and second UE IP addresses; and
    a packet processing unit configured to process the GTP-U packet according to a predetermined detection policy in response to the SDP message being an abnormal SDP message, and
    the apparatus for collecting session information, comprises:
    a GTP-C packet information extraction unit configured to extract the second TEID and the second UE IP address from the payload of the GTP-C packet; and
    a session information generation unit configured to generate the session information including the second TEID and the second UE IP address,
    wherein the first and second IP addresses are UE IP addresses for transmitting an RTP packet.
  13. The system of claim 12, wherein the packet information extraction unit is further configured to extract the first UE IP address from a “Connection Information” field of the SDP message.
  14. The system of claim 12, wherein the packet information extraction unit is further configured to determine whether the SDP message exists in the payload of the GTP-U packet and extract the first TEID and the first UE IP address in response to a determination being made that the SDP message exists in the payload of the GTP-U packet.
  15. The system of claim 12, wherein the GTP-C packet includes a “Create Session Response” message and the GTP-C packet information extraction unit is further configured to extract the second TEID and the second UE IP address from the payload of the “Create Session Response” message.
  16. The system of claim 12, further comprising:
    a detection information storage unit configured to store abnormal SDP message detection information relating to the abnormal SDP message.
  17. The system of claim 12, wherein the GTP-C packet is transmitted via an S11 tunnel established between a Mobility Management Entity (MME) and an S-GW and the GTP-U packet is transmitted via an S1-U tunnel established between an evolved Node B (eNB) and the S-GW.
  18. A method of detecting an abnormal SDP message, the method comprising:
    extracting a first TEID from the header of a GTP-U packet and a first UE IP address from an SDP message in the payload of the GTP-U packet;
    determining whether the first TEID is identical to a second TEID of session information;
    in response to a determination being made that the first TEID is identical to the second TEID, determining whether the first UE IP address is identical to a second UE IP address corresponding to the second TEID; and
    in response to a determination being made that the first UE IP address is different from the second UE IP address, determining the SDP message as being an abnormal SDP message,
    wherein the first and second IP addresses are UE IP addresses for transmitting an RTP packet.
  19. The method of claim 18, further comprising:
    in response to a determination being made that the SDP message is an abnormal SDP message, processing the GTP-U packet according to a predetermined detection policy.
  20. The method of claim 19, wherein the extracting the first TEID and the first UE IP address, comprises extracting the first UE IP address from a “Connection Information” field of the SDP message.
  21. The method of claim 18, further comprising:
    determining whether the SDP message exists in the payload of the GTP-U packet,
    wherein the extracting the first TEID and the first UE IP address, comprises extracting the first TEID from the header of the GTP-U packet and the first UE IP address from the SDP message in the payload of the GTP-U packet in response to a determination being made that the SDP message exists in the payload of the GTP-U packet.
  22. The method of claim 18, further comprising:
    storing abnormal SDP message detection information relating to the abnormal SDP message.
PCT/KR2014/008842 2013-12-06 2014-09-23 Apparatus and method for detecting abnormal sdp message in 4g mobile networks WO2015083927A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
KR10-2013-0151553 2013-12-06
KR1020130151553A KR101536178B1 (en) 2013-12-06 2013-12-06 Apparatus and method for detecting abnormal sdp message in 4g mobile networks

Publications (1)

Publication Number Publication Date
WO2015083927A1 true WO2015083927A1 (en) 2015-06-11

Family

ID=53273649

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/KR2014/008842 WO2015083927A1 (en) 2013-12-06 2014-09-23 Apparatus and method for detecting abnormal sdp message in 4g mobile networks

Country Status (2)

Country Link
KR (1) KR101536178B1 (en)
WO (1) WO2015083927A1 (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR101711074B1 (en) * 2015-12-24 2017-02-28 한국인터넷진흥원 Apparatus, system and method for detecting a sip tunneling packet in 4g mobile networks
KR102116307B1 (en) 2019-11-26 2020-05-29 한국인터넷진흥원 Method and apparatus for detecting diameter protocol idr message spoofing attack on mobile communication network
CN114039788B (en) * 2021-11-15 2023-05-26 绿盟科技集团股份有限公司 Policy transmission method, gateway system, electronic equipment and storage medium

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20100150014A1 (en) * 2008-12-15 2010-06-17 Fujitsu Limited Network quality monitoring device and method for internet services involving signaling
KR20120100872A (en) * 2012-08-13 2012-09-12 한국인터넷진흥원 Apparatus and method for ip spoofing detectng in mobile environment using gtp

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
CONSTRUCTURE OF LTE NETWORK, NMC CONSULTING GROUP, 8 August 2012 (2012-08-08) *

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111859036A (en) * 2020-08-19 2020-10-30 深圳市富之富信息科技有限公司 Short message data detection method and device, computer equipment and storage medium
CN111859036B (en) * 2020-08-19 2024-02-13 深圳市富之富信息科技有限公司 Short message data detection method and device, computer equipment and storage medium

Also Published As

Publication number Publication date
KR20150066239A (en) 2015-06-16
KR101536178B1 (en) 2015-07-13

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 14868340

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 14868340

Country of ref document: EP

Kind code of ref document: A1