WO2016098997A1 - Apparatus, system and method for detecting abnormal volte registration message in 4g mobile network - Google Patents


Publication number
WO2016098997A1
Authority
WO
WIPO (PCT)
Prior art keywords
packet
gtp
user terminal
message
identification number
Application number
PCT/KR2015/009283
Inventor
Chae Tae Im
Joo Hyung Oh
Se Kwon Kim
Bon Min Koo
Seong Min Park
Su Jeong Woo
Eun Hye Ko
Original Assignee
Korea Internet & Security Agency
Application filed by Korea Internet & Security Agency
Publication of WO2016098997A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00 Arrangements for monitoring or testing data switching networks
    • H04L43/06 Generation of reports
    • H04L69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L69/22 Parsing or analysis of headers
    • H04L65/00 Network arrangements, protocols or services for supporting real-time applications in data packet communication
    • H04L65/10 Architectures or entities
    • H04L65/1016 IP multimedia subsystem [IMS]
    • H04L65/1066 Session management
    • H04L65/1073 Registration or de-registration
    • H04L65/1101 Session protocols
    • H04L65/1104 Session initiation protocol [SIP]
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/12 Detection or prevention of fraud
    • H04W12/126 Anti-theft arrangements, e.g. protection against subscriber identity module [SIM] cloning
    • H04W12/60 Context-dependent security
    • H04W12/69 Identity-dependent
    • H04W12/72 Subscriber identity

Definitions

  • the present inventive concept relates to an apparatus, system and method for detecting an abnormal VoLTE registration message in a 4G mobile network, and, more particularly, to an apparatus, system and method for detecting an abnormal VoLTE registration message in a 4G mobile network using GTP (GPRS Tunneling Protocol).
  • GTP GPRS Tunneling Protocol
  • GTP-C GTP Control Protocol
  • GTP-U GTP User Service
  • a SIP (Session Initiation Protocol) message for setting a VoLTE call may be transmitted with it being included in a GTP packet.
  • the SIP message may include a SIP REGISTER message corresponding to a message body.
  • Such a GTP has been devised to perform signaling, such as data call setting, updating or deleting, and data transmission for the purpose of data service to user terminals (for example, smart phones), but has not considered a method of detecting attacks such as threats to the mobile communication network.
  • the GTP packet can be transmitted to an external network (for example, IMS network) without limitation even when the user terminal identification number in the SIP REGISTER message is forged. Further, such an abnormal SIP REGISTER message can arbitrarily register a third party’s terminal via CSCF (Call Session Control Function) server constituting an IMS network.
  • CSCF Call Session Control Function
  • aspects of the present inventive concept provide an apparatus for detecting an abnormal VoLTE registration message, by which an abnormal VoLTE registration message capable of arbitrarily registering a third party’s terminal can be detected in a 4G mobile network.
  • aspects of the present inventive concept also provide a system for detecting an abnormal VoLTE registration message, by which an abnormal VoLTE registration message capable of arbitrarily registering a third party’s terminal can be detected in a 4G mobile network.
  • aspects of the present inventive concept also provide a method for detecting an abnormal VoLTE registration message, by which an abnormal VoLTE registration message capable of arbitrarily registering a third party’s terminal can be detected in a 4G mobile network.
  • a first TEID may be extracted from a header of a GTP-U packet and a first user terminal identification number may be extracted from a SIP REGISTER message within a payload of the GTP-U packet, the first TEID and the first user terminal identification number may be compared with a second TEID and a second user terminal identification number stored in session information, and an abnormal VoLTE registration message, which is capable of arbitrarily registering a third party’s terminal by forging a user terminal identification number within the SIP REGISTER message, may be detected and dropped.
  • FIG. 1 is a schematic view for explaining the structure of a 4G network to which an apparatus for detecting an abnormal VoLTE registration message according to an embodiment of the present inventive concept is applied;
  • FIG. 2 is a schematic view for explaining the structure of an IMS network interlocking with the 4G network of FIG. 1;
  • FIG. 3 is a schematic view for explaining IPs assigned to the user terminal of FIG. 2;
  • FIG. 4 is a block diagram for explaining an apparatus for detecting an abnormal VoLTE registration message according to an embodiment of the present inventive concept;
  • FIG. 5 is a schematic view for explaining an abnormal SIP REGISTER message transmitted in a 4G mobile network;
  • FIG. 6 is a schematic view for explaining a procedure of identifying and registering a user terminal using a SIP REGISTER message;
  • FIG. 7 is a schematic view showing the values included in the SIP REGISTER message for identifying a user terminal;
  • FIG. 8 is a schematic view showing the values included in the SIP 401 message for identifying a user terminal;
  • FIG. 9 is a schematic view showing the values included in the SIP REGISTER message for registering a user terminal;
  • FIG. 10 is a schematic view showing the values included in the SIP 200 OK message for registering a user terminal;
  • FIG. 11 is a table for explaining the session information stored in the session information storage unit of FIG. 4;
  • FIG. 12 is a table for explaining the detection information of an abnormal SIP REGISTER message in detail;
  • FIG. 13 is a flowchart for explaining a method for detecting an abnormal VoLTE message according to an embodiment of the present inventive concept;
  • FIG. 14 is a block diagram for explaining an apparatus for detecting an abnormal VoLTE registration message according to another embodiment of the present inventive concept;
  • FIG. 15 is a schematic view for explaining a procedure of creating a GTP tunnel in a 4G mobile network.
  • FIG. 16 is a block diagram for explaining a system for detecting an abnormal VoLTE registration message according to an embodiment of the present inventive concept.
  • Each block in the flowcharts or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved.
  • first, second, etc. may be used herein to describe various elements, components and/or sections, these elements, components and/or sections should not be limited by these terms. These terms are only used to distinguish one element, component or section from another element, component or section. Thus, for example, a first element, a first component or a first section discussed below could be termed a second element, a second component or a second section without departing from the teachings of the present inventive concept.
  • FIG. 1 is a schematic view for explaining the structure of a 4G network to which an apparatus for detecting an abnormal VoLTE registration message according to an embodiment of the present inventive concept is applied.
  • a 4G network 1000 may include a 4G enterprise radio access network (4G E-RAN) for managing radio resources and a 4G evolved packet core (4G EPC) for performing the processing, certification and accounting of data.
  • 4G E-RAN 4G enterprise radio access network
  • 4G EPC 4G evolved packet core
  • the 4G E-RAN may include a user terminal 1100 and an eNB 1200.
  • the user terminal 1100 may be a portable terminal joined to a 4G network.
  • the eNB 1200 which is a base station, can provide a wireless connection between the user terminal 1100 and the 4G network.
  • the 4G EPC may include MME 1300, S-GW 1400, P-GW 1500, home subscriber server (HSS) 1600, and policy & charging rule function (PCRF) 1700.
  • the MME 1300 may receive and transmit a GTP packet through eNB 1200 and S1-MME GTP tunnel.
  • the S-GW 1400 may receive and transmit a GTP packet through eNB 1200 and S1-U GTP tunnel.
  • the MME 1300 may receive and transmit a GTP packet through S-GW 1400 and S11 GTP tunnel.
  • the P-GW 1500 may be connected with P-CSCF 2100 of IMS network and internet.
  • the S1-U GTP tunnel is a path for data traffic.
  • the S11 GTP tunnel is a path for signaling.
  • the S5 GTP tunnel is a path for data traffic and signaling.
  • the system including the apparatus for detecting an abnormal VoLTE registration message according to the present inventive concept may be provided (P1) between eNB 1200 and S-GW 1400, (P2) between MME 1300 and S-GW 1400, or (P3) between S-GW 1400 and P-GW 1500. Further, the system including the apparatus for detecting an abnormal VoLTE registration message according to the present inventive concept may be provided as an internal component of S-GW 1400 or P-GW 1500. Although not clearly shown in FIG. 1, the 4G network may be connected with a 3G network or a femtocell network through S-GW 1400.
  • FIG. 2 is a schematic view for explaining the structure of an IMS network interlocking with the 4G network of FIG. 1.
  • the IMS network 2000 may include P-CSCF 2100, I-CSCF 2200, S-CSCF 2300, border gateway control function (BGCF) 2400, HSS 2500, media gateway control function (MGCF) 2700, application server (AS) 2800, and media gateway (M-GW) 2900.
  • a SIP message transmitted from the user terminal 1100 in the 4G network may be transmitted to the inside of the IMS network.
  • P-CSCF 2100 connected with P-GW 1500 may transmit the SIP message to I-CSCF 2200, and the I-CSCF 2200 may transmit the SIP message to S-CSCF 2300.
  • MGCF 2700 and M-GW 2900 may be connected with a public switching telephone network (PSTN).
  • PSTN public switching telephone network
  • FIG. 3 is a schematic view for explaining IPs assigned to the user terminal of FIG. 2.
  • an IP for an IMS network and an IP for data are respectively assigned to a first user terminal 1100a. That is, when the first user terminal 1100a is a VoLTE terminal, two IPs are assigned thereto. Further, when the first user terminal 1100a is a VoLTE terminal, a new bearer guaranteeing QoS is assigned thereto for a packet-based voice/video call.
  • the first user terminal 1100a can transmit voice/video data to an IMS network through a P-GW 1500 using an IP for an IMS network, and can transmit general data to an internet network through a P-GW 1500 using an IP for data.
  • FIG. 4 is a block diagram for explaining an apparatus for detecting an abnormal VoLTE registration message according to an embodiment of the present inventive concept.
  • the apparatus 100 for detecting an abnormal VoLTE registration message includes network interface cards (NICs) 110a and 110b, a packet information extraction unit 120, a packet analysis unit 130, a session information storage unit 140, a detection information storage unit 150, and a packet processing unit 160.
  • NICs network interface cards
  • the NIC 110a receives a GTP-U packet and transmits the GTP-U packet to the packet information extraction unit 120, and the NIC 110b transmits (forwards) or blocks (drops) this GTP-U packet in response to the control signal of the packet processing unit 160.
  • Each of the NIC 110a and the NIC 110b may be a general network interface card or a hardware acceleration network interface card.
  • the GTP-U packet is used to transmit a user packet in the 4G network.
  • the GTP-U packet processed by the NIC 110a and the NIC 110b may be a GTP-U packet transmitted from a user terminal to an external network (for example, internet).
  • the packet information extraction unit 120 extracts various kinds of packet information from the GTP-U packet.
  • the packet information extraction unit 120 processes various kinds of packet information in the form of structured data and transmits this processed packet information to the packet analysis unit 130.
  • the packet information extraction unit 120 may extract a tunnel endpoint identifier (TEID), as information for detecting an abnormal VoLTE registration message, from the header of the GTP-U packet.
  • the TEID extracted by the packet information extraction unit 120 may be an uplink TEID.
  • uplink refers to the case in which the GTP-U packet is transmitted from a user terminal toward an external network.
  • downlink refers to the case in which the GTP-U packet is transmitted from an external network toward a user terminal.
  • the packet information extraction unit 120 may extract a SIP (Session Initiation Protocol) REGISTER message in the payload of the GTP-U packet.
  • the packet information extraction unit 120 may extract a user terminal identification number from the SIP REGISTER message.
  • the user terminal identification number may be a mobile station international ISDN number (MSISDN), but is not limited thereto.
  • the packet information extraction unit 120 determines whether the SIP REGISTER message exists in the payload of the GTP-U packet, and extracts the above-mentioned information for detecting an abnormal VoLTE registration message when the SIP REGISTER message exists.
  • FIG. 5 is a schematic view for explaining an abnormal SIP REGISTER message transmitted in a 4G mobile network.
  • the 4G mobile network may include eNB 1200, and a serving gateway (S-GW) 1400.
  • S-GW serving gateway
  • the eNB 1200 may be connected with the S-GW 1400, and a S1-U GTP tunnel may be formed between the eNB 1200 and the S-GW 1400.
  • the S1-U GTP tunnel may be a GTP tunnel for transmitting data.
  • the GTP-U packet 10 may be transmitted from the eNB 1200 toward the S-GW 1400.
  • the S-GW 1400 may transmit the received GTP-U packet 10 to a P-GW (PDN gateway).
  • P-GW PDN gateway
  • An IP header for a GTP tunnel, a UDP header, and a GTP-U header may be connected to the header of the GTP-U packet 10, and a user packet may be encapsulated in the payload of the GTP-U packet 10.
  • the GTP header may include the above-mentioned TEID.
  • the user packet may include the SIP REGISTER message.
  • the SIP REGISTER message may include a user terminal identification number for a caller terminal transmitting the SIP REGISTER message and a user terminal identification number for a receiver terminal receiving the SIP REGISTER message.
  • FIG. 5 shows a case that, among the user terminal identification numbers, the user terminal identification number for a caller terminal is forged.
  • FIG. 6 is a schematic view for explaining a procedure of identifying and registering a user terminal using a SIP REGISTER message.
  • the digest mechanism refers to a method of identifying a user terminal based on the ID and password of the user terminal.
  • a S5 GTP tunnel may be formed between S-GW 1400 and P-GW 1500, a S11 GTP tunnel may be formed between MME 1300 and S-GW 1400, and a S1-U GTP tunnel may be formed between eNB 1200 and S-GW 1400.
  • the user terminal 1100 transmits the SIP REGISTER message to a call session control function (CSCF) 1800, and the CSCF 1800 transmits a 401 message to the user terminal 1100.
  • CSCF call session control function
  • the user terminal 1100 is identified through the CSCF 1800.
  • the user terminal 1100 re-transmits the SIP REGISTER message to the CSCF 1800, and the CSCF 1800 transmits a 200 OK message to the user terminal 1100, so as to register the user terminal 1100.
  • FIG. 7 is a schematic view showing the values included in the SIP REGISTER message for identifying a user terminal.
  • this SIP REGISTER message is a SIP REGISTER message for identifying and registering a user terminal.
  • the abnormal SIP REGISTER message refers to a SIP REGISTER message in which a caller terminal identification number is forged. Although it is possible to identify and register a user terminal using the SIP REGISTER message, an attacker can arbitrarily register a third party’s terminal in MSS using the abnormal SIP REGISTER message.
  • the apparatus and system for detecting an abnormal VoLTE registration message according to the present inventive concept intends to detect and block such an abnormal VoLTE registration message.
  • the packet information extraction unit 120 may also extract the values of a TEID (Tunnel Endpoint Identifier) field in the header of the GTP-U packet, a MSISDN field in the payload of the GTP-U packet, a destination IP (Internet Protocol) field, a destination port field, or a source port field.
  • TEID Tunnel Endpoint Identifier
  • FIG. 8 is a schematic view showing the values included in the SIP 401 message for identifying a user terminal.
  • FIG. 9 is a schematic view showing the values included in the SIP REGISTER message for registering a user terminal.
  • FIG. 10 is a schematic view showing the values included in the SIP 200 OK message for registering a user terminal.
  • a procedure of registering a user terminal 1100 between the user terminal 1100 and the CSCF 1800 using the abnormal SIP REGISTER message can be understood.
  • the abnormal SIP REGISTER message is transmitted to the CSCF 1800, and the CSCF 1800 transmits the SIP 401 message to the user terminal 1100.
  • the user terminal 1100 confirms a nonce value in the SIP 401 message, calculates a response value using the password of a third party’s terminal, and re-transmits the abnormal SIP REGISTER message to the CSCF 1800.
  • the CSCF 1800 transmits the SIP 200 OK message to register the user terminal 1100 in the CSCF 1800.
  • the SIP REGISTER message may include a message header and a message body.
  • the message header and message body of the SIP REGISTER message may include various fields.
  • the message header of the SIP REGISTER message may include a From field and a To field, in each of which a user terminal identification number is recorded.
  • the user terminal identification number of a caller terminal is recorded in the From field, and the user terminal identification number of a receiver terminal is recorded in the To field.
  • the user terminal identification number of a call victim terminal may be recorded in the From field.
  • the packet information extraction unit 120 may extract the user terminal identification number from the From field of the message header of the SIP REGISTER message.
  • the message header of the SIP REGISTER message may further include other fields, in each of which a user terminal identification number is recorded.
  • the packet information extraction unit 120 may be modified such that user terminal identification numbers are extracted from such fields.
  • the TEID and user terminal identification number extracted from the GTP-U packet are referred to as a first TEID and a first user terminal identification number.
  • the TEID and user terminal identification number included in session information are referred to as a second TEID and a second user terminal identification number.
  • the packet analysis unit 130 may perform the operation of detecting an abnormal VoLTE registration message.
  • the packet analysis unit 130 compares the first TEID with the second TEID and compares the first user identification number with the second user identification number, and detects an abnormal VoLTE registration message based on the result of the comparison. That is, the packet analysis unit 130 may detect the SIP REGISTER message as an abnormal SIP REGISTER message when the first TEID and the second TEID are identical with each other and the first user identification number and the second user identification number are different from each other.
  • the session information storage unit 140 may previously store the session information including the second TEID and the second user terminal identification number.
  • the second TEID and the second user terminal identification number may be extracted from a GTP-C packet.
  • the GTP-C packet is used to perform signaling, such as data call setting, updating or deleting, in a mobile communication network.
  • FIG. 11 is a table for explaining the session information stored in the session information storage unit of FIG. 4.
  • the session information includes the second TEID and the second user terminal identification number.
  • the second TEID may be an uplink data TEID. That is, the second TEID relates to a GTP-U packet transmitted from a user terminal toward an external network.
  • the second user terminal identification number may be MSISDN.
  • the second user terminal identification number may be stored by the mapping with the second TEID.
  • the packet analysis unit 130 may determine whether the second TEID, which is identical with the first TEID, exists in the session information. Next, when the second TEID, which is identical with the first TEID, exists in the session information, the packet analysis unit 130 may extract the second user terminal identification number corresponding to the second TEID from the session information. Further, the packet analysis unit 130 may determine whether the first user terminal number and the second user terminal identification number are identical with each other. At this time, when the first user terminal number and the second user terminal identification number are different from each other, the packet analysis unit 130 may determine the SIP REGISTER message included in the GTP-U packet as an abnormal SIP REGISTER message.
  • FIG. 12 is a table for explaining the detection information of an abnormal SIP REGISTER message in detail.
  • the detection information storage unit 150 may create and store the detection information of an abnormal SIP REGISTER message according to the result of the detection of the abnormal SIP REGISTER message.
  • the detection information of the abnormal SIP REGISTER message may include various fields of detection time, detection item, user terminal identification number, blocking status, and the like.
  • the detection information of the abnormal SIP REGISTER message may further include other fields of TEID, source IP of detected packet, destination IP of detected packet, destination port of detected packet, stolen user terminal identification number, and the like.
  • the packet processing unit 160 may process the GTP-U packet detected as the abnormal SIP REGISTER message according to a detection policy.
  • the packet processing unit 160 may control the NIC 110b in order to transmit (forward) or block (drop) the GTP-U packet detected as the abnormal SIP REGISTER message.
  • the meaning of transmitting the GTP-U packet is that the GTP-U packet is transmitted to the destination IP
  • the meaning of blocking the GTP-U packet is that the GTP-U packet is not transmitted to the destination IP.
  • the NICs 110a and 110b, the packet information extraction unit 120, the packet analysis unit 130, the session information storage unit 140, the detection information storage unit 150, and the packet processing unit 160 have been described as separate components, but some of the components may be variously modified to be integrated with each other.
  • FIG. 13 is a flowchart for explaining a method for detecting an abnormal VoLTE message according to an embodiment of the present inventive concept.
  • the NIC 110a receives a GTP-U packet (S201).
  • the packet information extraction unit 120 determines whether the destination port of the GTP-U packet is a SIP port (S202). For example, the packet information extraction unit 120 determines whether the value of the destination port of the GTP-U packet is “5060”. At this time, when the value of the destination port thereof is “5060”, the packet information extraction unit 120 may determine that the GTP-U packet includes a SIP message.
  • the packet information extraction unit 120 determines whether the SIP message in the payload of the GTP-U packet is a SIP REGISTER message (S203). At this time, when the SIP message is not a SIP REGISTER message, the packet analysis unit 130 may not perform the following step of detecting an abnormal SIP REGISTER message.
  • the packet information extraction unit 120 determines whether the value of the expire field of the SIP REGISTER message is a non-zero real number (S204). At this time, when the value of the expire field of the SIP REGISTER message is a non-zero real number, the SIP REGISTER message is a registration request message. In order to detect and block the SIP REGISTER message requested to be abnormally registered, the packet information extraction unit 120 determines whether the value of the expire field in the SIP REGISTER message is a non-zero real number.
  • the packet information extraction unit 120 extracts a first TEID from the header of the GTP-U packet, and extracts a first user terminal identification number from the SIP REGISTER message (S205).
  • the first TEID may be an uplink data TEID.
  • the packet information extraction unit 120 may process various kinds of packet information in the form of structured data.
  • the packet analysis unit 130 determines whether a second TEID, which is identical with the first TEID, exists in session information (S206).
  • the packet analysis unit 130 extracts a second user terminal identification number corresponding to the second TEID from the session information (S207).
  • the second user terminal identification number may be MSISDN.
  • the packet analysis unit 130 determines whether the first user terminal identification number and the second user terminal identification number match each other (S208). As described above, the packet analysis unit 130 may extract the second user terminal identification number corresponding to the second TEID from the session information, and may determine whether the first user terminal identification number and the second user terminal identification number are identical with each other.
  • the packet analysis unit 130 detects the SIP REGISTER message as an abnormal SIP REGISTER message, and the detection information storage unit 150 creates and stores the detection information of the abnormal SIP REGISTER message (S209).
  • the detection information of the abnormal SIP REGISTER message may include various fields of detection time, detection item, user terminal identification number, blocking status, TEID, source IP of detected packet, destination IP of detected packet, destination port of detected packet, stolen user terminal identification number, and the like.
  • the packet processing unit 160 processes the GTP-U packet detected as the abnormal SIP REGISTER message according to a detection policy (S210).
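The flowchart steps S201 to S210 above, written out as an added Python example (not code from the patent or its applicant). It assumes an IPv4 inner packet carrying unencrypted SIP over UDP and treats a REGISTER without an Expires header as a registration request; all function names, field names and sample values are constructed for illustration.

```python
import re
import struct
from datetime import datetime, timezone

SIP_PORT = 5060     # S202: destination port treated as SIP
GTPU_GPDU = 0xFF    # GTPv1-U message type that carries a user packet

def parse_gtpu(pkt):
    """Return (teid, inner_packet) for a GTPv1-U G-PDU, else None."""
    if len(pkt) < 8:
        return None
    flags, msg_type, length, teid = struct.unpack("!BBHI", pkt[:8])
    if flags >> 5 != 1 or msg_type != GTPU_GPDU:
        return None
    offset = 8
    if flags & 0x07:                      # E, S or PN set: 4 optional bytes follow
        if len(pkt) < 12:
            return None
        next_ext, offset = (pkt[11] if flags & 0x04 else 0), 12
        while next_ext:                   # walk the extension header chain
            if offset >= len(pkt) or pkt[offset] == 0:
                return None
            ext_len = pkt[offset] * 4
            if offset + ext_len > len(pkt):
                return None
            next_ext, offset = pkt[offset + ext_len - 1], offset + ext_len
    return teid, pkt[offset:8 + length]

def parse_ipv4_udp(ip):
    """Return (src_ip, dst_ip, dst_port, payload) for IPv4/UDP, else None."""
    if len(ip) < 20 or ip[0] >> 4 != 4 or ip[9] != 17:
        return None
    ihl = (ip[0] & 0x0F) * 4
    if ihl < 20 or len(ip) < ihl + 8:
        return None
    _, dport, ulen = struct.unpack("!HHH", ip[ihl:ihl + 6])
    src, dst = (".".join(map(str, ip[i:i + 4])) for i in (12, 16))
    return src, dst, dport, ip[ihl + 8:ihl + ulen]

def parse_register(sip):
    """Return (msisdn, expires) for a SIP REGISTER request, else None."""
    lines = sip.decode("utf-8", "replace").split("\r\n\r\n", 1)[0].split("\r\n")
    if not lines[0].startswith("REGISTER "):
        return None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), value.strip())
    user = re.search(r"(?:sips?|tel):\+?(\d+)", headers.get("from", ""))
    expires = headers.get("expires", "")
    return (user.group(1) if user else None,
            int(expires) if expires.isdigit() else None)

def inspect(pkt, sessions, block=True):
    """Apply S201-S210 to one packet; return (action, detection_record)."""
    gtp = parse_gtpu(pkt)
    udp = parse_ipv4_udp(gtp[1]) if gtp else None
    if udp is None or udp[2] != SIP_PORT:            # S202
        return "forward", None
    reg = parse_register(udp[3])
    if reg is None or reg[1] == 0:                   # S203, S204
        return "forward", None
    teid, (claimed, _) = gtp[0], reg                 # S205
    expected = sessions.get(teid)                    # S206, S207
    if expected is None or claimed is None or claimed == expected:   # S208
        return "forward", None
    record = {                                       # S209 (field names assumed)
        "time": datetime.now(timezone.utc).isoformat(),
        "item": "abnormal SIP REGISTER",
        # Assumed mapping: session owner is the sender, From value is the stolen number.
        "msisdn": expected, "stolen_msisdn": claimed, "teid": teid,
        "src_ip": udp[0], "dst_ip": udp[1], "dst_port": udp[2],
        "blocked": block,
    }
    return ("drop" if block else "forward"), record  # S210

def build_gtpu(teid, from_msisdn, expires=3600):
    """Constructed uplink G-PDU carrying a SIP REGISTER (sample input only)."""
    sip = (f"REGISTER sip:ims.example.net SIP/2.0\r\n"
           f"From: <sip:{from_msisdn}@ims.example.net>;tag=a1\r\n"
           f"To: <sip:{from_msisdn}@ims.example.net>\r\n"
           f"Expires: {expires}\r\n\r\n").encode()
    udp = struct.pack("!HHHH", 5060, SIP_PORT, 8 + len(sip), 0) + sip
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes([10, 0, 0, 7]), bytes([10, 0, 1, 1])) + udp
    return struct.pack("!BBHI", 0x30, GTPU_GPDU, len(ip), teid) + ip

SESSIONS = {0x1A2B3C4D: "15550100001"}   # constructed: uplink TEID -> MSISDN

if __name__ == "__main__":
    for sender in ("15550100001", "15550100002"):
        print(sender, inspect(build_gtpu(0x1A2B3C4D, sender), SESSIONS))
```

A packet whose TEID has no session entry is forwarded here because the page does not state what happens in that case; a deployment would set that by policy.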
  • FIG. 14 is a block diagram for explaining an apparatus for detecting an abnormal VoLTE registration message according to another embodiment of the present inventive concept.
  • detailed description thereof which is substantially identical to that of the above-mentioned apparatus for detecting an abnormal VoLTE registration message according to an embodiment of the present inventive concept, will be omitted.
  • an apparatus 300 for detecting an abnormal VoLTE registration message includes NICs 310a and 310b, a packet classification unit 320, a GTP-C packet information extraction unit 330, a session information creation unit 340, a session information storage unit 350, a GTP-U packet information extraction unit 360, a packet analysis unit 370, a detection information storage unit 380, and a packet processing unit 390.
  • the NIC 310a may receive GTP packets and transmit these GTP packets to the packet classification unit 320, and the NIC 310b may transmit (forward) or block (drop) the GTP packets in response to the control signal of the packet processing unit 390.
  • the packet classification unit 320 may classify the GTP packets.
  • the packet classification unit 320 may classify the GTP packets into GTP-C packets and GTP-U packets.
  • the packet classification unit 320 may transmit the GTP-C packets to the GTP-C packet information extraction unit 330 and transmit the GTP-U packets to the GTP-U packet information extraction unit 360 according to the result of the classification.
  • the GTP-C packet information extraction unit 330 may extract various kinds of packet information from the GTP-C packet.
  • the GTP packet may include a create session request message and a create session response message.
  • the GTP-C packet information extraction unit 330 may extract a second user terminal identification number from the payload of the create session request message, and may extract a second TEID from the payload of the create session response message.
  • the session information creation unit 340 may create session information including the second TEID and the second user terminal identification number.
  • the session information creation unit 340 may store the session information in the session information storage unit 350.
  • the packet processing unit 390 may control the NIC 310b to transmit the GTP-C packet.
  • FIG. 15 is a schematic view for explaining a procedure of creating a GTP tunnel in a 4G mobile network.
  • a create session request message and a create session response message may be transmitted.
  • the create session request message and the create session response message may be transmitted with the GTP-C packet.
  • a user terminal 1100 may transmit an attach request message to MME 1300, the MME 1300 may transmit a create session request message to S-GW 1400, and the S-GW 1400 may transmit a create session request message to P-GW 1500.
  • the P-GW 1500 may transmit a create session response message to the S-GW 1400 to create a S5 GTP tunnel between the S-GW 1400 and the P-GW 1500.
  • the S-GW 1400 may transmit a create session response message to the MME 1300 to create a S11 GTP tunnel between the MME 1300 and the S-GW 1400.
  • the MME 1300 may transmit an attach response message to the user terminal 1100 to create a S1-U GTP tunnel between the eNB 1200 and the S-GW 1400.
  • additional messages may be transmitted and received between the eNB 1200 and the MME 1300 and between the MME 1300 and the S-GW 1400.
  • the GTP-C packet information extraction unit 330 may extract the second TEID and the second user terminal identification number from the create session request message and the create session response message. Accordingly, the GTP-C packet information extraction unit 330 can determine whether the user terminal identification number used at the time of the creation of the session matches the user terminal identification number included in the SIP REGISTER message of the GTP-U packet after the creation of the session.
  • FIG. 16 is a block diagram for explaining a system for detecting an abnormal VoLTE registration message according to an embodiment of the present inventive concept.
  • detailed description thereof which is substantially identical to that of the above-mentioned apparatus for detecting an abnormal VoLTE registration message according to some embodiments of the present inventive concept, will be omitted.
  • a system 400 for detecting an abnormal VoLTE registration message includes a session information collecting apparatus 410 and an abnormal VoLTE registration message detecting apparatus 420.
  • the session information collecting apparatus 410 includes NICs 411a and 411b, a GTP-C packet information extraction unit 412, and a session information creation unit 413, and can extract and create session information from a GTP-C packet.
  • the abnormal VoLTE registration message detecting apparatus 420 includes NICs 421a and 421b, a GTP-U packet information extraction unit 422, a packet analysis unit 423, a session information storage unit 424, a detection information creation unit 425, and a packet processing unit 426, and can detect an abnormal VoLTE registration message using the session information.
  • the system 400 for detecting an abnormal VoLTE registration message is configured such that a component of extracting a first TEID and a first user terminal identification number from the GTP-U packet and detecting an abnormal VoLTE registration message according to the result of comparison with session information and a component of extracting a second TEID and a second user terminal identification number from the GTP-C packet and creating session information including the second TEID and the second user terminal identification number are physically separated.
  • the session information storage unit 424 can store the session information received from the session information collecting apparatus.
  • the steps of a method or algorithm described in relation to the embodiments of the present inventive concept can be directly realized by a hardware module executed by a processor, a software module, or a combination thereof.
  • the software module may reside in RAM, flash memory, ROM, EPROM, EEPROM, a register, a hard disk, a detachable disk, or a recording medium readable by any computer well known in the art.
  • An exemplary recording medium is connected to a processor, and this processor can read out information from the recording medium and can write information into the recording medium. Meanwhile, the recording medium may be integrated with the processor.
  • the processor and the recording medium may reside in an application specific integrated circuit (ASIC). Moreover, the processor and the recording medium may also reside in a user terminal as individual components.
  • a first TEID is extracted from a header of a GTP-U packet
  • a first user terminal identification number is extracted from a SIP REGISTER message in the payload of the GTP-U packet
  • whether the extracted first TEID and first user terminal identification number are identical with the second TEID and second user terminal identification number is compared, so as to detect and block the abnormal VoLTE registration message in which a third party’s terminal can be arbitrarily registered by forging the user identification number in the SIP REGISTER message.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Multimedia (AREA)
  • Computer Security & Cryptography (AREA)
  • Business, Economics & Management (AREA)
  • General Business, Economics & Management (AREA)
  • Mobile Radio Communication Systems (AREA)
  • Telephonic Communication Services (AREA)

Abstract

An apparatus for detecting an abnormal VoLTE registration message in a 4G mobile network includes a packet information extraction unit, a session information storage unit, a packet analysis unit, and a packet processing unit which processes the GTP-U packet according to a detection policy when the SIP REGISTER message is the abnormal SIP REGISTER message.

Description

APPARATUS, SYSTEM AND METHOD FOR DETECTING ABNORMAL VOLTE REGISTRATION MESSAGE IN 4G MOBILE NETWORK
The present inventive concept relates to an apparatus, system and method for detecting an abnormal VoLTE registration message in a 4G mobile network, and, more particularly, to an apparatus, system and method for detecting an abnormal VoLTE registration message in a 4G mobile network using GTP (GPRS Tunneling Protocol).
A GTP (GPRS Tunneling Protocol) is a protocol used in a mobile communication network, particularly, a 3G or 4G network, and includes a GTP-C packet for signaling and GTP-U packet for transmitting data.
In a mobile communication network, a SIP (Session Initiation Protocol) message for setting a VoLTE call may be transmitted with it being included in a GTP packet. The SIP message may include a SIP REGISTER message corresponding to a message body.
Such a GTP has been devised to perform signaling, such as data call setting, updating or deleting, and data transmission for the purpose of data service to user terminals (for example, smart phones), but has not considered a method of detecting attacks such as threats to the mobile communication network.
Therefore, the GTP packet can be transmitted to an external network (for example, IMS network) without limitation even when the user terminal identification number in the SIP REGISTER message is forged. Further, such an abnormal SIP REGISTER message can arbitrarily register a third party’s terminal via CSCF (Call Session Control Function) server constituting an IMS network.
Aspects of the present inventive concept provide an apparatus for detecting an abnormal VoLTE registration message, by which an abnormal VoLTE registration message capable of arbitrarily registering a third party’s terminal can be detected in a 4G mobile network.
Aspects of the present inventive concept also provide a system for detecting an abnormal VoLTE registration message, by which an abnormal VoLTE registration message capable of arbitrarily registering a third party’s terminal can be detected in a 4G mobile network.
Aspects of the present inventive concept also provide a method for detecting an abnormal VoLTE registration message, by which an abnormal VoLTE registration message capable of arbitrarily registering a third party’s terminal can be detected in a 4G mobile network.
However, aspects of the present inventive concept are not restricted to the one set forth herein. The above and other aspects of the present inventive concept will become more apparent to one of ordinary skill in the art to which the present inventive concept pertains by referencing the detailed description of the present inventive concept given below.
According to the apparatus, the system and the method for detecting an abnormal VoLTE registration message, a first TEID may be extracted from a header of a GTP-U packet and a first user terminal identification number may be extracted from a SIP REGISTER message within a payload of the GTP-U packet, the first TEID and the first user terminal identification number may be compared with a second TEID and a second user terminal identification number stored in session information, and an abnormal VoLTE registration message, which is capable of arbitrarily registering a third party’s terminal by forging a user terminal identification number within the SIP REGISTER message, may be detected and dropped.
The above and other aspects and features of the present inventive concept will become more apparent by describing in detail exemplary embodiments thereof with reference to the attached drawings, in which:
FIG. 1 is a schematic view for explaining the structure of a 4G network to which an apparatus for detecting an abnormal VoLTE registration message according to an embodiment of the present inventive concept is applied;
FIG. 2 is a schematic view for explaining the structure of an IMS network interlocking with the 4G network of FIG. 1;
FIG. 3 is a schematic view for explaining IPs assigned to the user terminal of FIG. 2;
FIG. 4 is a block diagram for explaining an apparatus for detecting an abnormal VoLTE registration message according to an embodiment of the present inventive concept;
FIG. 5 is a schematic view for explaining an abnormal SIP REGISTER message transmitted in a 4G mobile network;
FIG. 6 is a schematic view for explaining a procedure of identifying and registering a user terminal using a SIP REGISTER message;
FIG. 7 is a schematic view showing the values included in the SIP REGISTER message for identifying a user terminal;
FIG. 8 is a schematic view showing the values included in the SIP 401 message for identifying a user terminal;
FIG. 9 is a schematic view showing the values included in the SIP REGISTER message for registering a user terminal;
FIG. 10 is a schematic view showing the values included in the SIP 200 OK message for registering a user terminal;
FIG. 11 is a table for explaining the session information stored in the session information storage unit of FIG. 4;
FIG. 12 is a table for explaining the detection information of an abnormal SIP REGISTER message in detail;
FIG. 13 is a flowchart for explaining a method for detecting an abnormal VoLTE message according to an embodiment of the present inventive concept;
FIG. 14 is a block diagram for explaining an apparatus for detecting an abnormal VoLTE registration message according to another embodiment of the present inventive concept;
FIG. 15 is a schematic view for explaining a procedure of creating a GTP tunnel in a 4G mobile network; and
FIG. 16 is a block diagram for explaining a system for detecting an abnormal VoLTE registration message according to an embodiment of the present inventive concept.
Advantages and features of the present inventive concept and methods of accomplishing the same may be understood more readily by reference to the following detailed description of preferred embodiments and the accompanying drawings. The present inventive concept may, however, be embodied in many different forms and should not be construed as being limited to the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete and will fully convey the concept of the inventive concept to those skilled in the art, and the present inventive concept will only be defined by the appended claims. Like numbers refer to like elements throughout the specification.
Each block in the flowcharts or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved.
It will be understood that, although the terms first, second, etc. may be used herein to describe various elements, components and/or sections, these elements, components and/or sections should not be limited by these terms. These terms are only used to distinguish one element, component or section from another element, component or section. Thus, for example, a first element, a first component or a first section discussed below could be termed a second element, a second component or a second section without departing from the teachings of the present inventive concept.
Terms used in this disclosure are to explain embodiments, not to limit the present inventive concept. The terms of a singular form may include plural forms unless referred to the contrary. Terms “comprises” and/or “comprising” do not exclude existence or addition of one or more than one components, steps, movements and/or apparatus.
Unless defined otherwise, all technical and scientific terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this inventive concept belongs. It is noted that the use of any and all examples, or exemplary terms provided herein is intended merely to better illuminate the inventive concept and is not a limitation on the scope of the inventive concept unless otherwise specified. Further, unless defined otherwise, all terms defined in generally used dictionaries may not be overly interpreted.
Hereinafter, preferred embodiments of the present inventive concept will be described in detail with reference to the attached drawings.
FIG. 1 is a schematic view for explaining the structure of a 4G network to which an apparatus for detecting an abnormal VoLTE registration message according to an embodiment of the present inventive concept is applied.
Referring to FIG. 1, a 4G network 1000 may include a 4G enterprise radio access network (4G E-RAN) for managing radio resources and a 4G evolved packet core (4G EPC) for performing the processing, certification and accounting of data.
The 4G E-RAN may include a user terminal 1100 and an eNB 1200. For example, the user terminal 1100 may be a portable terminal joined to a 4G network. The eNB 1200, which is a base station, can provide a wireless connection between the user terminal 1100 and the 4G network.
The 4G EPC may include MME 1300, S-GW 1400, P-GW 1500, home subscriber server (HSS) 1600, and policy & charging rule function (PCRF) 1700. The MME 1300 may receive and transmit a GTP packet through eNB 1200 and S1-MME GTP tunnel. The S-GW 1400 may receive and transmit a GTP packet through eNB 1200 and S1-U GTP tunnel. The MME 1300 may receive and transmit a GTP packet through S-GW 1400 and S11 GTP tunnel. The P-GW 1500 may be connected with P-CSCF 2100 of IMS network and internet.
In the 4G network, the S1-U GTP tunnel is a path for data traffic, the S11 GTP tunnel is a path for signaling, and the S5 GTP tunnel is a path for data traffic and signaling.
The system including the apparatus for detecting an abnormal VoLTE registration message according to the present inventive concept may be provided (P1) between eNB 1200 and S-GW 1400, (P2) between MME 1300 and S-GW 1400, or (P3) between S-GW 1400 and P-GW 1500. Further, the system including the apparatus for detecting an abnormal VoLTE registration message according to the present inventive concept may be provided as an internal component of S-GW 1400 or P-GW 1500. Although not clearly shown in FIG. 1, the 4G network may be connected with a 3G network or a femtocell network through S-GW 1400.
FIG. 2 is a schematic view for explaining the structure of an IMS network interlocking with the 4G network of FIG. 1.
Referring to FIG. 2, the IMS network 2000 may include P-CSCF 2100, I-CSCF 2200, S-CSCF 2300, border gateway control function (BGCF) 2400, HSS 2500, media gateway control function (MGCF) 2700, application server (AS) 2800, and media gateway (M-GW) 2900.
A SIP message transmitted from the user terminal 1100 in the 4G network may be transmitted to the inside of the IMS network. P-CSCF 2100 connected with P-GW 1500 may transmit the SIP message to I-CSCF 2200, and the I-CSCF 2200 may transmit the SIP message to S-CSCF 2300. MGCF 2700 and M-GW 2900 may be connected with a public switching telephone network (PSTN).
FIG. 3 is a schematic view for explaining IPs assigned to the user terminal of FIG. 2.
Referring to FIG. 3, an IP for an IMS network and an IP for data are respectively assigned to a first user terminal 1100a. That is, when the first user terminal 1100a is a VoLTE terminal, two IPs are assigned thereto. Further, when the first user terminal 1100a is a VoLTE terminal, a new bearer guaranteeing QoS is assigned thereto for a packet-based voice/video call.
The first user terminal 1100a can transmit voice/video data to an IMS network through a P-GW 1500 using an IP for an IMS network, and can transmit general data to an internet network through a P-GW 1500 using an IP for data.
Hereinafter, an apparatus and system for detecting an abnormal VoLTE registration message according to several embodiments of the present inventive concept will be described.
FIG. 4 is a block diagram for explaining an apparatus for detecting an abnormal VoLTE registration message according to an embodiment of the present inventive concept.
Referring to FIG. 4, the apparatus 100 for detecting an abnormal VoLTE registration message according to an embodiment of the present inventive concept includes network interface cards (NICs) 110a and 110b, a packet information extraction unit 120, a packet analysis unit 130, a session information storage unit 140, a detection information storage unit 150, and a packet processing unit 160.
The NIC 110a receives a GTP-U packet and transmits the GTP-U packet to the packet information extraction unit 120, and the NIC 110b transmits (forwards) or blocks (drops) this GTP-U packet in response to the control signal of the packet processing unit 160. Each of the NIC 110a and the NIC 110b may be a general network interface card or a hardware acceleration network interface card.
The GTP-U packet is used to transmit a user packet in the 4G network. The GTP-U packet processed by the NIC 110a and the NIC 110b may be a GTP-U packet transmitted from a user terminal to an external network (for example, internet).
The packet information extraction unit 120 extracts various kinds of packet information from the GTP-U packet. The packet information extraction unit 120 processes various kinds of packet information in the form of structured data and transmits this processed packet information to the packet analysis unit 130.
The packet information extraction unit 120 may extract a tunnel endpoint identifier (TEID), as information for detecting an abnormal VoLTE registration message, from the header of the GTP-U packet. The TEID extracted by the packet information extraction unit 120 may be an uplink TEID. Here, uplink represents the case in which the GTP-U packet is transmitted from a user terminal toward an external network, and downlink represents the case in which the GTP-U packet is transmitted from an external network toward a user terminal.
Further, the packet information extraction unit 120 may extract a SIP (Session Initiation Protocol) REGISTER message in the payload of the GTP-U packet. The packet information extraction unit 120 may extract a user terminal identification number from the SIP REGISTER message. For example, the user terminal identification number may be a mobile station international ISDN number (MSISDN), but is not limited thereto.
The packet information extraction unit 120 determines whether the SIP REGISTER message exists in the payload of the GTP-U packet, and extracts the above-mentioned information for detecting an abnormal VoLTE registration message when the SIP REGISTER message exists.
FIG. 5 is a schematic view for explaining an abnormal SIP REGISTER message transmitted in a 4G mobile network.
Referring to FIG. 5, the 4G mobile network may include eNB 1200, and a serving gateway (S-GW) 1400.
The eNB 1200 may be connected with the S-GW 1400, and a S1-U GTP tunnel may be formed between the eNB 1200 and the S-GW 1400. The S1-U GTP tunnel may be a GTP tunnel for transmitting data. Through the S1-U GTP tunnel, the GTP-U packet 10 may be transmitted from the eNB 1200 toward the S-GW 1400.
Although not clearly shown in FIG. 5, the S-GW 1400 may transmit the received GTP-U packet 10 to a P-GW (PDN gateway).
An IP header for a GTP tunnel, a UDP header, and a GTP-U header may be connected to the header of the GTP-U packet 10, and a user packet may be encapsulated in the payload of the GTP-U packet 10. The GTP header may include the above-mentioned TEID. The user packet may include the SIP REGISTER message. The SIP REGISTER message may include a user terminal identification number for a caller terminal transmitting the SIP REGISTER message and a user terminal identification number for a receiver terminal receiving the SIP REGISTER message.
FIG. 5 shows a case that, among the user terminal identification numbers, the user terminal identification number for a caller terminal is forged.
FIG. 6 is a schematic view for explaining a procedure of identifying and registering a user terminal using a SIP REGISTER message.
Referring to FIG. 6, there is shown a procedure of identifying and registering a user terminal using a digest mechanism. The digest mechanism refers to a method of identifying a user terminal based on the ID and password of the user terminal.
Although not clearly shown in FIG. 6, a S5 GTP tunnel may be formed between S-GW 1400 and P-GW 1500, a S11 GTP tunnel may be formed between MME 1300 and S-GW 1400, and a S1-U GTP tunnel may be formed between eNB 1200 and S-GW 1400.
The user terminal 1100 transmits the SIP REGISTER message to a call session control function (CSCF) 1800, and the CSCF 1800 transmits a 401 message to the user terminal 1100. In this procedure, the user terminal 1100 is identified through the CSCF 1800.
Subsequently, the user terminal 1100 re-transmits the SIP REGISTER message to the CSCF 1800, and the CSCF 1800 transmits a 200 OK message to the user terminal 1100, so as to register the user terminal 1100.
FIG. 7 is a schematic view showing the values included in the SIP REGISTER message for identifying a user terminal.
Referring to FIG. 7, it can be seen that the value of the expire field of the SIP REGISTER message is a non-zero real number. Therefore, it is ascertained that this SIP REGISTER message is a SIP REGISTER message for identifying and registering a user terminal.
Here, the abnormal SIP REGISTER message refers to a SIP REGISTER message in which a caller terminal identification number is forged. Although it is possible to identify and register a user terminal using the SIP REGISTER message, an attacker can arbitrarily register a third party’s terminal in MSS using the abnormal SIP REGISTER message. The apparatus and system for detecting an abnormal VoLTE registration message according to the present inventive concept intends to detect and block such an abnormal VoLTE registration message.
In order to create the detection information of the abnormal SIP REGISTER message, the packet information extraction unit 120 may also extract the values of a TEID (Tunnel Endpoint Identifier) field in the header of the GTP-U packet, a MSISDN field in the payload of the GTP-U packet, a destination IP (Internet Protocol) field, a destination port field, or a source port field.
FIG. 8 is a schematic view showing the values included in the SIP 401 message for identifying a user terminal. FIG. 9 is a schematic view showing the values included in the SIP REGISTER message for registering a user terminal. FIG. 10 is a schematic view showing the values included in the SIP 200 OK message for registering a user terminal.
Referring to FIGS. 8 to 10, a procedure of registering a user terminal 1100 between the user terminal 1100 and the CSCF 1800 using the abnormal SIP REGISTER message can be understood. In the procedure, first, the abnormal SIP REGISTER message is transmitted to the CSCF 1800, and the CSCF 1800 transmits the SIP 401 message to the user terminal 1100. At this time, the user terminal 1100 confirms a nonce value in the SIP 401 message, calculates a response value using the password of a third party’s terminal, and re-transmits the abnormal SIP REGISTER message to the CSCF 1800. Thereafter, the CSCF 1800 transmits the SIP 200 OK message to register the user terminal 1100 in the CSCF 1800.
Referring to FIGS. 7 and 9, the SIP REGISTER message may include a message header and a message body. The message header and message body of the SIP REGISTER message may include various fields.
For example, the message header of the SIP REGISTER message may include a From field and a To field, in each of which a user terminal identification number is recorded. In the case of a normal SIP REGISTER message, the user terminal identification number of a caller terminal is recorded in the From field, and the user terminal identification number of a receiver terminal is recorded in the To field.
As described above, in the case of an abnormal SIP REGISTER message, the user terminal identification number of a call victim terminal may be recorded in the From field.
As described above, in order to determine whether the user terminal identification number of a caller terminal is forged, the packet information extraction unit 120 may extract the user terminal identification number from the From field of the message header of the SIP REGISTER message.
Although not clearly shown in FIGS. 7 and 9, the message header of the SIP REGISTER message may further include other fields, in each of which a user terminal identification number is recorded. According to an embodiment of the present inventive concept, the packet information extraction unit 120 may be modified such that user terminal identification numbers are extracted from such fields.
Hereinafter, in order to distinguish the TEIDs and user terminal identification numbers from each other, the TEID and user terminal identification number extracted from the GTP-U packet are referred to as a first TEID and a first user terminal identification number, and the TEID and user terminal identification number included in session information are referred to as a second TEID and a second user terminal identification number.
Referring to FIG. 4, the packet analysis unit 130 may perform the operation of detecting an abnormal VoLTE registration message. The packet analysis unit 130 compares the first TEID with the second TEID and compares the first user identification number with the second user identification number, and detects an abnormal VoLTE registration message based on the result of the comparison. That is, the packet analysis unit 130 may detect the SIP REGISTER message as an abnormal SIP REGISTER message when the first TEID and the second TEID are identical with each other and the first user identification number and the second user identification number are different from each other.
The session information storage unit 140 may previously store the session information including the second TEID and the second user terminal identification number. The second TEID and the second user terminal identification number may be extracted from a GTP-C packet. The GTP-C packet is used to perform signaling, such as data call setting, updating or deleting, in a mobile communication network.
FIG. 11 is a table for explaining the session information stored in the session information storage unit of FIG. 4.
Referring to FIG. 11, the session information includes the second TEID and the second user terminal identification number. The second TEID may be an uplink data TEID. That is, the second TEID relates to a GTP-U packet transmitted from a user terminal toward an external network. The second user terminal identification number may be MSISDN. The second user terminal identification number may be stored by the mapping with the second TEID.
Referring to FIG. 4 again, in order to compare the first TEID with the second TEID and compare the first user identification number with the second user identification number, first, the packet analysis unit 130 may determine whether the second TEID, which is identical with the first TEID, exists in the session information. Next, when the second TEID, which is identical with the first TEID, exists in the session information, the packet analysis unit 130 may extract the second user terminal identification number corresponding to the second TEID from the session information. Further, the packet analysis unit 130 may determine whether the first user terminal identification number and the second user terminal identification number are identical with each other. At this time, when the first user terminal identification number and the second user terminal identification number are different from each other, the packet analysis unit 130 may determine the SIP REGISTER message included in the GTP-U packet as an abnormal SIP REGISTER message.
FIG. 12 is a table for explaining the detection information of an abnormal SIP REGISTER message in detail.
Referring to FIG. 12, the detection information storage unit 150 may create and store the detection information of an abnormal SIP REGISTER message according to the result of the detection of the abnormal SIP REGISTER message.
For example, the detection information of the abnormal SIP REGISTER message may include various fields of detection time, detection item, user terminal identification number, blocking status, and the like. In addition, the detection information of the abnormal SIP REGISTER message may further include other fields of TEID, source IP of detected packet, destination IP of detected packet, destination port of detected packet, stolen user terminal identification number, and the like.
Referring to FIG. 4 again, the packet processing unit 160 may process the GTP-U packet detected as the abnormal SIP REGISTER message according to a detection policy. The packet processing unit 160 may control the NIC 110b in order to transmit (forward) or block (drop) the GTP-U packet detected as the abnormal SIP REGISTER message. Here, the meaning of transmitting the GTP-U packet is that the GTP-U packet is transmitted to the destination IP, and the meaning of blocking the GTP-U packet is that the GTP-U packet is not transmitted to the destination IP.
In the apparatus 100 for detecting an abnormal VoLTE registration message shown in FIG. 4, the NICs 110a and 110b, the packet information extraction unit 120, the packet analysis unit 130, the session information storage unit 140, the detection information storage unit 150, and the packet processing unit 160 have been described as separate components, but some of the components may be variously modified to be integrated with each other.
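The check performed by units 120 to 160, written out as an added example (not code from the patent): it takes the UDP payload of one GTP-U packet, reads the TEID, and compares the MSISDN in the From field of an inner SIP REGISTER with the one bound to that TEID. It assumes an unfragmented IPv4/UDP inner packet carrying cleartext SIP and MSISDNs stored as international digits; the function names, the `sessions` dictionary (standing in for the session information storage unit 140) and the sample packet builder are constructed for illustration.

```python
import re
import socket
import struct
from collections import namedtuple
from datetime import datetime, timezone

SIP_PORT = 5060      # destination port that marks the inner packet as SIP
GTPU_GPDU = 0xFF     # GTPv1-U message type carrying an encapsulated user packet
# Detection record: user_id is the MSISDN bound to the TEID, stolen_id the one claimed.
Detection = namedtuple("Detection", "time item teid src_ip dst_ip dst_port "
                       "user_id stolen_id blocked")


def parse_gtpu(buf):
    """Return (teid, inner_packet) for a GTPv1-U G-PDU, else None."""
    if len(buf) < 8:
        return None
    flags, mtype, length, teid = struct.unpack("!BBHI", buf[:8])
    if flags >> 5 != 1 or not flags & 0x10 or mtype != GTPU_GPDU:
        return None
    off, end = 8, 8 + length
    if end > len(buf):
        return None                        # truncated capture
    if flags & 0x07:                       # E, S or PN set: 4 optional bytes follow
        if end < 12:
            return None
        next_ext, off = (buf[11] if flags & 0x04 else 0), 12
        while next_ext:                    # skip chained extension headers
            if off >= end or buf[off] == 0 or off + buf[off] * 4 > end:
                return None
            off += buf[off] * 4
            next_ext = buf[off - 1]
    return teid, buf[off:end]


def parse_inner_udp(ip):
    """Return (src, dst, dport, payload) for an unfragmented IPv4/UDP packet."""
    if len(ip) < 20 or ip[0] >> 4 != 4:
        return None
    ihl = (ip[0] & 0x0F) * 4
    frag = struct.unpack("!H", ip[6:8])[0] & 0x3FFF     # MF flag plus offset
    if ihl < 20 or ip[9] != 17 or frag or len(ip) < ihl + 8:
        return None
    dport, ulen = struct.unpack("!HH", ip[ihl + 2:ihl + 6])
    return (socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20]),
            dport, ip[ihl + 8:ihl + ulen])


def parse_register(sip):
    """Return (claimed_msisdn, expires) for a SIP REGISTER, else None."""
    lines = sip.split(b"\r\n\r\n", 1)[0].decode("utf-8", "replace").split("\r\n")
    if not lines[0].startswith("REGISTER "):
        return None
    hdr = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            hdr.setdefault(name.strip().lower(), value.strip())
    user = re.search(r"(?:sips?|tel):\+?(\d{5,15})", hdr.get("from", hdr.get("f", "")))
    exp = re.search(r"expires=(\d+)", hdr.get("contact", hdr.get("m", "")), re.I)
    raw = exp.group(1) if exp else hdr.get("expires", "")
    expires = int(raw) if raw.isdigit() else None       # None: no explicit value
    return (user.group(1) if user else None), expires


def inspect(gtpu, sessions, drop_on_detect=True):
    """Return (action, Detection or None); sessions maps uplink TEID to MSISDN."""
    outer = parse_gtpu(gtpu)
    inner = parse_inner_udp(outer[1]) if outer else None
    if not inner or inner[2] != SIP_PORT:
        return "forward", None
    reg = parse_register(inner[3])
    if not reg or reg[0] is None or reg[1] == 0:
        return "forward", None             # not a registration request
    owner = sessions.get(outer[0])
    if owner is None or owner == reg[0]:
        return "forward", None             # TEID not in session info, or IDs match
    det = Detection(datetime.now(timezone.utc).isoformat(), "abnormal SIP REGISTER",
                    outer[0], inner[0], inner[1], inner[2], owner, reg[0],
                    drop_on_detect)
    return ("drop" if drop_on_detect else "forward"), det


def build_sample(teid, from_user, expires=3600, with_seq=False):
    """Constructed test input: GTP-U G-PDU carrying IPv4/UDP/SIP REGISTER."""
    sip = (f"REGISTER sip:ims.example.net SIP/2.0\r\n"
           f"From: <sip:+{from_user}@ims.example.net>;tag=1\r\n"
           f"To: <sip:+{from_user}@ims.example.net>\r\n"
           f"Expires: {expires}\r\nContent-Length: 0\r\n\r\n").encode()
    udp = struct.pack("!HHHH", 5060, SIP_PORT, 8 + len(sip), 0) + sip
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     socket.inet_aton("192.0.2.10"), socket.inet_aton("192.0.2.1")) + udp
    opt = struct.pack("!HBB", 1, 0, 0) if with_seq else b""   # sequence number field
    flags = 0x32 if with_seq else 0x30
    return struct.pack("!BBHI", flags, GTPU_GPDU, len(opt) + len(ip), teid) + opt + ip
```

A TEID that is absent from the session information is forwarded, since the comparison described above only flags a message when the TEIDs match and the identification numbers differ.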
FIG. 13 is a flowchart for explaining a method for detecting an abnormal VoLTE message according to an embodiment of the present inventive concept.
Referring to FIG. 13, in the method for detecting an abnormal VoLTE message according to an embodiment of the present inventive concept, first, the NIC 110a receives a GTP-U packet (S201).
Next, the packet information extraction unit 120 determines whether the destination port of the GTP-U packet is a SIP port (S202). For example, the packet information extraction unit 120 determines whether the value of the destination port of the GTP-U packet is “5060”. At this time, when the value of the destination port thereof is “5060”, the packet information extraction unit 120 may determine that the GTP-U packet includes a SIP message.
Next, the packet information extraction unit 120 determines whether the SIP message in the payload of the GTP-U packet is a SIP REGISTER message (S203). At this time, when the SIP message is not a SIP REGISTER message, the packet analysis unit 130 may not perform the following step of detecting an abnormal SIP REGISTER message.
Next, when a SIP REGISTER message exists in the payload of the GTP-U packet, the packet information extraction unit 120 determines whether the value of the expire field of the SIP REGISTER message is a non-zero real number (S204). At this time, when the value of the expire field of the SIP REGISTER message is a non-zero real number, the SIP REGISTER message is a registration request message. In order to detect and block the SIP REGISTER message requested to be abnormally registered, the packet information extraction unit 120 determines whether the value of the expire field in the SIP REGISTER message is a non-zero real number.
Next, the packet information extraction unit 120 extracts a first TEID from the header of the GTP-U packet, and extracts a first user terminal identification number from the SIP REGISTER message (S205). As described above, the first TEID may be an uplink data TEID. The packet information extraction unit 120 may process various kinds of packet information in the form of structured data.
Next, the packet analysis unit 130 determines whether a second TEID, which is identical with the first TEID, exists in session information (S206).
Next, when the second TEID, which is identical with the first TEID, exists in the session information, the packet analysis unit 130 extracts a second user terminal identification number corresponding to the second TEID from the session information (S207). As described above, the second user terminal identification number may be an MSISDN.
Next, the packet analysis unit 130 determines whether the first user terminal identification number and the second user terminal identification number match each other (S208). As described above, the packet analysis unit 130 may extract the second user terminal identification number corresponding to the second TEID from the session information, and may determine whether the first user terminal identification number and the second user terminal identification number are identical with each other.
Next, when the first user terminal identification number and the second user terminal identification number do not match each other, that is, when the first user terminal identification number and the second user terminal identification number are different from each other, the packet analysis unit 130 detects the SIP REGISTER message as an abnormal SIP REGISTER message, and the detection information storage unit 150 creates and stores the detection information of the abnormal SIP REGISTER message (S209). As described above, the detection information of the abnormal SIP REGISTER message may include various fields of detection time, detection item, user terminal identification number, blocking status, TEID, source IP of detected packet, destination IP of detected packet, destination port of detected packet, stolen user terminal identification number, and the like.
Next, the packet processing unit 160 processes the GTP-U packet detected as the abnormal SIP REGISTER message according to a detection policy (S210).
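The S201 to S210 flow as runnable Python, added here as an illustration and not the patent's own implementation. It assumes the outer Ethernet/IP/UDP headers are already stripped, an inner IPv4/UDP packet, a numeric From user compared digit-for-digit with the stored MSISDN, and that a REGISTER carrying no expiry value counts as a registration request; the session table, addresses and numbers are constructed, and placing the From value in the "stolen" field is this example's reading of the detection record.

```python
import re
import socket
import struct
import time

SIP_PORT = 5060                               # destination port checked in S202
SESSIONS = {0x1A2B3C4D: "821011112222"}       # constructed: second TEID -> MSISDN

def parse_gtpu(frame):
    """Return (TEID, inner IP packet) for a GTPv1-U G-PDU, else None."""
    if len(frame) < 8:
        return None
    flags, msg_type, length, teid = struct.unpack("!BBHI", frame[:8])
    if flags >> 5 != 1 or not flags & 0x10 or msg_type != 0xFF:
        return None                           # not version 1, GTP, G-PDU
    offset = 8
    if flags & 0x07:                          # E, S or PN set: 4 optional bytes
        offset = 12
        nxt = frame[11] if flags & 0x04 and len(frame) > 11 else 0
        while nxt:                            # walk the extension header chain
            if offset >= len(frame) or frame[offset] == 0:
                return None
            offset += frame[offset] * 4
            if offset > len(frame):
                return None
            nxt = frame[offset - 1]
    return teid, frame[offset:8 + length]

def parse_inner_udp(ip):
    """Return (src, dst, dst_port, payload) of an inner IPv4/UDP packet, else None."""
    if len(ip) < 20 or ip[0] >> 4 != 4 or ip[9] != 17:
        return None
    ihl = (ip[0] & 0x0F) * 4
    if ihl < 20 or len(ip) < ihl + 8:
        return None
    _, dport, ulen = struct.unpack("!HHH", ip[ihl:ihl + 6])
    src, dst = socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20])
    return src, dst, dport, ip[ihl + 8:ihl + ulen]

def register_user(payload):
    """Numeric From user of a REGISTER registration request, else None (S203-S205)."""
    lines = payload.decode("utf-8", "replace").split("\r\n\r\n", 1)[0].split("\r\n")
    if not lines[0].startswith("REGISTER "):
        return None
    hdr = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            hdr.setdefault(name.strip().lower(), value.strip())
    expires = hdr.get("expires")
    if expires is None:                       # fall back to Contact ;expires=
        contact = hdr.get("contact", hdr.get("m", ""))
        m = re.search(r";\s*expires\s*=\s*(\d+)", contact, re.I)
        expires = m.group(1) if m else None
    if expires is not None and expires.isdigit() and int(expires) == 0:
        return None                           # de-registration: not a registration request
    m = re.search(r"(?:sips?|tel):\+?(\d+)", hdr.get("from", hdr.get("f", "")), re.I)
    return m.group(1) if m else None

def inspect(frame, sessions, policy="drop"):
    """Run S201-S210 on one GTP-U frame; return a detection record or None."""
    gtp = parse_gtpu(frame)                                   # S201
    udp = parse_inner_udp(gtp[1]) if gtp else None
    if not udp or udp[2] != SIP_PORT:                         # S202
        return None
    teid, (src, dst, dport, payload) = gtp[0], udp
    claimed = register_user(payload)                          # S203-S205
    bound = sessions.get(teid)                                # S206-S207
    if claimed is None or bound is None or claimed == bound:  # S208
        return None
    return {                                                  # S209
        "detection_time": time.strftime("%Y-%m-%d %H:%M:%S"),
        "detection_item": "abnormal SIP REGISTER",
        "user_terminal_id": bound,            # number bound to the tunnel
        "stolen_user_terminal_id": claimed,   # number claimed in the From field
        "teid": teid, "src_ip": src, "dst_ip": dst, "dst_port": dport,
        "blocked": policy == "drop",                          # S210
    }

def build_gtpu(teid, sip_text, dport=SIP_PORT, src="10.0.0.7", dst="10.0.1.1"):
    """Constructed test frame: GTP-U + IPv4 + UDP + SIP, checksums left at 0."""
    body = sip_text.encode()
    udp = struct.pack("!HHHH", 5060, dport, 8 + len(body), 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28 + len(body), 0, 0, 64, 17, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    inner = ip + udp + body
    return struct.pack("!BBHI", 0x30, 0xFF, len(inner), teid) + inner

def sample_register(from_user, expires=3600):
    """Constructed SIP REGISTER with a numeric From user."""
    return ("REGISTER sip:ims.example.net SIP/2.0\r\n"
            f"From: <sip:+{from_user}@ims.example.net>;tag=a1\r\n"
            f"To: <sip:+{from_user}@ims.example.net>\r\n"
            f"Expires: {expires}\r\nContent-Length: 0\r\n\r\n")

if __name__ == "__main__":
    print(inspect(build_gtpu(0x1A2B3C4D, sample_register("821099998888")), SESSIONS))
```

Inner IPv6, SIP carried over TCP and fragmented inner packets are not handled by this sketch and pass through without a verdict.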
FIG. 14 is a block diagram for explaining an apparatus for detecting an abnormal VoLTE registration message according to another embodiment of the present inventive concept. For the convenience of explanation, detailed description thereof, which is substantially identical to that of the above-mentioned apparatus for detecting an abnormal VoLTE registration message according to an embodiment of the present inventive concept, will be omitted.
Referring to FIG. 14, an apparatus 300 for detecting an abnormal VoLTE registration message according to another embodiment of the present inventive concept includes NICs 310a and 310b, a packet classification unit 320, a GTP-C packet information extraction unit 330, a session information creation unit 340, a session information storage unit 350, a GTP-U packet information extraction unit 360, a packet analysis unit 370, a detection information storage unit 380, and a packet processing unit 390.
The NIC 310a may receive GTP packets and transmit these GTP packets to the packet classification unit 320, and the NIC 310b may transmit (forward) or block (drop) the GTP packets in response to the control signal of the packet processing unit 390.
The packet classification unit 320 may classify the GTP packets. The packet classification unit 320 may classify the GTP packets into GTP-C packets and GTP-U packets. The packet classification unit 320 may transmit the GTP-C packets to the GTP-C packet information extraction unit 330 and transmit the GTP-U packets to the GTP-U packet information extraction unit 360 according to the result of the classification.
The GTP-C packet information extraction unit 330 may extract various kinds of packet information from the GTP-C packet. For example, the GTP packet may include a create session request message and a create session response message. The GTP-C packet information extraction unit 330 may extract a second user terminal identification number from the payload of the create session request message, and may extract a second TEID from the payload of the create session response message.
The session information creation unit 340 may create session information including the second TEID and the second user terminal identification number. The session information creation unit 340 may store the session information in the session information storage unit 350.
The packet processing unit 390 may control the NIC 310b to transmit the GTP-C packet.
FIG. 15 is a schematic view for explaining a procedure of creating a GTP tunnel in a 4G mobile network.
Referring to FIG. 15, in order to create a GTP tunnel in a 4G mobile network, a create session request message and a create session response message may be transmitted. The create session request message and the create session response message may be transmitted with the GTP-C packet.
First, a user terminal 1100 may transmit an attach request message to MME 1300, the MME 1300 may transmit a create session request message to S-GW 1400, and the S-GW 1400 may transmit a create session request message to P-GW 1500. In response thereto, the P-GW 1500 may transmit a create session response message to the S-GW 1400 to create a S5 GTP tunnel between the S-GW 1400 and the P-GW 1500. Further, the S-GW 1400 may transmit a create session response message to the MME 1300 to create a S11 GTP tunnel between the MME 1300 and the S-GW 1400. Furthermore, the MME 1300 may transmit an attach response message to the user terminal 1100 to create a S1-U GTP tunnel between the eNB 1200 and the S-GW 1400.
Although not clearly shown in FIG. 15, before the creation of the S1-U GTP tunnel, additional messages may be transmitted and received between the eNB 1200 and the MME 1300 and between the MME 1300 and the S-GW 1400.
In the procedure of creating the GTP tunnel, the GTP-C packet information extraction unit 330 may extract the second TEID and the second user terminal identification number from the create session request message and the create session response message. Accordingly, the GTP-C packet information extraction unit 330 can determine whether the user terminal identification number used at the time of the creation of the session matches the user terminal identification number included in the SIP REGISTER message of the GTP-U packet after the creation of the session.
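How a TEID-to-MSISDN session table can be built from the create session request/response pair, as an added Python example that is not the patent's own code. Pairing a response with its request by GTPv2-C sequence number, and taking the TEID from the user-plane F-TEID inside the Bearer Context IE (interface types S1-U SGW and S5/S8 PGW), are assumptions of this example; the messages, TEID and MSISDN are constructed.

```python
import struct

CREATE_SESSION_REQUEST, CREATE_SESSION_RESPONSE = 32, 33
IE_MSISDN, IE_FTEID, IE_BEARER_CONTEXT = 76, 87, 93
UPLINK_IFACES = {1, 5}      # F-TEID interface types: S1-U SGW, S5/S8 PGW (GTP-U)

def parse_gtpc(msg):
    """Return (message type, sequence number, IE bytes) of a GTPv2-C message."""
    if len(msg) < 8 or msg[0] >> 5 != 2:
        return None
    length = struct.unpack("!H", msg[2:4])[0]     # counts everything after octet 4
    hdr = 12 if msg[0] & 0x08 else 8              # T flag: header carries a TEID
    if len(msg) < hdr:
        return None
    seq = int.from_bytes(msg[hdr - 4:hdr - 1], "big")
    return msg[1], seq, msg[hdr:4 + length]

def iter_ies(buf):
    """Yield (type, instance, value) for each IE; stop at a truncated IE."""
    pos = 0
    while pos + 4 <= len(buf):
        ie_type, ie_len, inst = struct.unpack("!BHB", buf[pos:pos + 4])
        value = buf[pos + 4:pos + 4 + ie_len]
        if len(value) < ie_len:
            return
        yield ie_type, inst & 0x0F, value
        pos += 4 + ie_len

def decode_tbcd(value):
    """Decode TBCD digits (low nibble first), skipping the 0xF filler."""
    digits = ""
    for byte in value:
        for nibble in (byte & 0x0F, byte >> 4):
            if nibble <= 9:
                digits += str(nibble)
    return digits

def uplink_teids(ies):
    """TEIDs of uplink user-plane F-TEIDs found inside Bearer Context IEs."""
    found = []
    for ie_type, _, value in iter_ies(ies):
        if ie_type != IE_BEARER_CONTEXT:
            continue
        for sub_type, _, sub in iter_ies(value):
            if sub_type == IE_FTEID and len(sub) >= 5 and (sub[0] & 0x3F) in UPLINK_IFACES:
                found.append(struct.unpack("!I", sub[1:5])[0])
    return found

class SessionCollector:
    """Builds session information: uplink TEID -> MSISDN."""
    def __init__(self):
        self.pending = {}     # sequence number -> MSISDN seen in the request
        self.sessions = {}    # second TEID -> second user terminal identification number

    def feed(self, msg):
        parsed = parse_gtpc(msg)
        if not parsed:
            return
        mtype, seq, ies = parsed
        if mtype == CREATE_SESSION_REQUEST:
            for ie_type, _, value in iter_ies(ies):
                if ie_type == IE_MSISDN:
                    self.pending[seq] = decode_tbcd(value)
        elif mtype == CREATE_SESSION_RESPONSE:
            msisdn = self.pending.pop(seq, None)
            if msisdn:
                for teid in uplink_teids(ies):
                    self.sessions[teid] = msisdn

# --- constructed sample messages -------------------------------------------
def ie(ie_type, value):
    return struct.pack("!BHB", ie_type, len(value), 0) + value

def gtpc(mtype, seq, ies, teid=0):
    body = struct.pack("!I", teid) + seq.to_bytes(3, "big") + b"\x00" + ies
    return struct.pack("!BBH", 0x48, mtype, len(body)) + body

def encode_tbcd(digits):
    digits += "F" * (len(digits) % 2)
    return bytes(int(digits[i + 1] + digits[i], 16) for i in range(0, len(digits), 2))

def sample_exchange(seq=0x000101, teid=0x1A2B3C4D, msisdn="821011112222", iface=1):
    req = gtpc(CREATE_SESSION_REQUEST, seq, ie(IE_MSISDN, encode_tbcd(msisdn)))
    fteid = bytes([0x80 | iface]) + struct.pack("!I", teid) + bytes([10, 0, 2, 1])
    bearer = ie(73, b"\x05") + ie(IE_FTEID, fteid)          # EBI 5 + user-plane F-TEID
    cause = ie(2, b"\x10\x00")                              # 16 = request accepted
    return req, gtpc(CREATE_SESSION_RESPONSE, seq, cause + ie(IE_BEARER_CONTEXT, bearer))

if __name__ == "__main__":
    collector = SessionCollector()
    for message in sample_exchange():
        collector.feed(message)
    print(collector.sessions)
```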
FIG. 16 is a block diagram for explaining a system for detecting an abnormal VoLTE registration message according to an embodiment of the present inventive concept. For the convenience of explanation, detailed description thereof, which is substantially identical to that of the above-mentioned apparatus for detecting an abnormal VoLTE registration message according to some embodiments of the present inventive concept, will be omitted.
Referring to FIG. 16, a system 400 for detecting an abnormal VoLTE registration message according to an embodiment of the present inventive concept includes a session information collecting apparatus 410 and an abnormal VoLTE registration message detecting apparatus 420.
The session information collecting apparatus 410 includes NICs 411a and 411b, a GTP-C packet information extraction unit 412, and a session information creation unit 413, and can extract and create session information from a GTP-C packet.
The abnormal VoLTE registration message detecting apparatus 420 includes NICs 421a and 421b, a GTP-U packet information extraction unit 422, a packet analysis unit 423, a session information storage unit 424, a detection information creation unit 425, and a packet processing unit 426, and can detect an abnormal VoLTE registration message using the session information.
The system 400 for detecting an abnormal VoLTE registration message, shown in FIG. 6, is configured such that a component of extracting a first TEID and a first user terminal identification number from the GTP-U packet and detecting an abnormal VoLTE registration message according to the result of comparison with session information and a component of extracting a second TEID and a second user terminal identification number from the GTP-U packet and creating session information including the second TEID and the second user terminal identification number are physically separated.
The session information storage unit 424 can store the session information received from the session information collecting apparatus.
The steps of a method or algorithm described in relation to the embodiments of the present inventive concept can be directly realized by a hardware module executed by a processor, a software module, or a combination thereof. The software module may reside in RAM, flash memory, ROM, EPROM, EEPROM, a register, a hard disk, a detachable disk, or a recording medium readable by any computer well known in the art. An exemplary recording medium is connected to a processor, and this processor can read out information from the recording medium and can write information into the recording medium. Meanwhile, the recording medium may be integrated with the processor. The processor and the recording medium may reside in an application specific integrated circuit (ASIC). Moreover, the processor and the recording medium may also reside in a user terminal as individual components.
As described above, according to the apparatus, system and method for detecting an abnormal VoLTE registration message of the present inventive concept, a first TEID is extracted from a header of a GTP-U packet, a first user terminal identification number is extracted from a SIP REGISTER message in the payload of the GTP-U packet, and whether the extracted first TEID and first user terminal identification number are identical with the second TEID and second user terminal identification number is compared, so as to detect and block the abnormal VoLTE registration message in which a third party’s terminal can be arbitrarily registered by forging the user identification number in the SIP REGISTER message.
Although the preferred embodiments of the present inventive concept have been disclosed for illustrative purposes, those skilled in the art will appreciate that various modifications, additions and substitutions are possible, without departing from the scope and spirit of the inventive concept as disclosed in the accompanying claims.

Claims (26)

  1. An apparatus for detecting an abnormal VoLTE registration message in a 4G mobile network, comprising:
    a packet information extraction unit in which, when a SIP (Session Initiation Protocol) REGISTER message in the payload of a GTP (GPRS Tunneling Protocol)-U packet is a registration request message, a first TEID is extracted from a header of the GTP-U packet, and a first user terminal identification number is extracted from the SIP REGISTER message;
    a session information storage unit which stores session information including a second TEID and a second user terminal identification number;
    a packet analysis unit which detects the SIP REGISTER message as an abnormal SIP REGISTER message when the first TEID and the second TEID are identical with each other, and the first user terminal identification number and the second user terminal identification number are different from each other; and
    a packet processing unit which processes the GTP-U packet according to a detection policy when the SIP REGISTER message is the abnormal SIP REGISTER message.
  2. The apparatus of claim 1, wherein the value of an expire field in the SIP REGISTER message is a non-zero real number.
  3. The apparatus of claim 1, wherein the packet information extraction unit extracts the first user terminal identification number from a From field of the SIP REGISTER message.
  4. The apparatus of claim 1, wherein the packet analysis unit performs an operation of detecting the abnormal VoLTE registration message when a destination port of the GTP-U packet is a SIP port.
  5. The apparatus of claim 1, wherein the packet information extraction unit determines whether the SIP REGISTER message exists in the payload of the GTP-U packet, and extracts the first TEID and the first user terminal identification number when the SIP REGISTER message exists.
  6. The apparatus of claim 1, further comprising:
    a detection information storage unit which stores detection information about the abnormal SIP REGISTER message.
  7. The apparatus of claim 6, wherein the detection information includes detection time, a detection ID, a user terminal identification number, a blocking status, a TEID (Tunnel Endpoint Identifier), a destination IP (Internet Protocol), a destination port, a source IP, and a stolen user terminal identification number.
  8. An apparatus for detecting an abnormal VoLTE registration message in a 4G mobile network, comprising:
    a GTP-U packet information extraction unit in which, when a SIP REGISTER message in the payload of a GTP-U packet is a registration request message, a first TEID is extracted from a header of the GTP-U packet, and a first user terminal identification number is extracted from the SIP REGISTER message;
    a GTP-C packet information extraction unit which extracts a second TEID and a second user terminal identification number from the payload of a GTP-C packet;
    a session information storage unit which stores session information including a second TEID and a second user terminal identification number;
    a packet analysis unit which detects the SIP REGISTER message as an abnormal SIP REGISTER message when the first TEID and the second TEID are identical with each other, and the first user terminal identification number and the second user terminal identification number are different from each other; and
    a packet processing unit which processes the GTP-U packet according to a detection policy when the SIP REGISTER message is the abnormal SIP REGISTER message.
  9. The apparatus of claim 8, wherein the value of an expire field in the SIP REGISTER message is a non-zero real number.
  10. The apparatus of claim 8, wherein the GTP-U packet information extraction unit extracts the first user terminal identification number from a From field of the SIP REGISTER message.
  11. The apparatus of claim 8, wherein the GTP-C packet includes a create session request message and a create session response message, and the GTP-C packet information extraction unit extracts the second user terminal identification number from the create session request message and extracts the second TEID from the create session response message.
  12. The apparatus of claim 8, further comprising:
    a detection information storage unit which stores detection information about the abnormal SIP REGISTER message.
  13. The apparatus of claim 8, wherein the GTP-C packet and the GTP-U packet are transmitted through a S5 tunnel formed between a S-GW (Serving Gateway) and a P-GW (PDN Gateway).
  14. A system for detecting an abnormal VoLTE registration message in a 4G mobile network, comprising:
    an abnormal VoLTE registration message detecting apparatus which detects an abnormal VoLTE registration message using session information; and
    a session information collecting apparatus which extracts packet information from a GTP-C packet,
    wherein the abnormal VoLTE registration message detecting apparatus comprises:
    a session information storage unit which receives the session information including a first TEID and a first user terminal identification number from the session information collecting apparatus and stores the received session information;
    a GTP-U packet information extraction unit in which, when a SIP REGISTER message in the payload of a GTP-U packet is a registration request message, a second TEID is extracted from a header of the GTP-U packet, and a second user terminal identification number is extracted from the SIP REGISTER message;
    a packet analysis unit which detects the SIP REGISTER message as an abnormal SIP REGISTER message when the first TEID and the second TEID are identical with each other, and the first user terminal identification number and the second user terminal identification number are different from each other; and
    a packet processing unit which processes the GTP-U packet according to a detection policy when the SIP REGISTER message is the abnormal SIP REGISTER message, and
    wherein the session information collecting apparatus comprises:
    a GTP-C packet information extraction unit which extracts the first TEID and the first user terminal identification number from the payload of the GTP-C packet; and
    a session information creation unit which creates the session information including the first TEID and the first user terminal identification number.
  15. The system of claim 14, wherein the value of an expire field in the SIP REGISTER message is a non-zero real number.
  16. The system of claim 14, wherein the GTP-U packet information extraction unit extracts the second user terminal identification number from a From field of the SIP REGISTER message.
  17. The system of claim 14, wherein the packet analysis unit performs an operation of detecting the abnormal VoLTE registration message when a destination port of the GTP-U packet is a SIP port.
  18. The system of claim 14, wherein the GTP-C packet includes a create session request message and a create session response message, and the GTP-C packet information extraction unit extracts the first user terminal identification number from the create session request message and extracts the first TEID from the create session response message.
  19. The system of claim 14, further comprising:
    a detection information storage unit which stores detection information about the abnormal SIP REGISTER message.
  20. The system of claim 14, wherein the GTP-C packet is transmitted through a S11 tunnel formed between a MME (Mobility Management Entity) and a S-GW (Serving Gateway), and the GTP-U packet is transmitted through a S1-U tunnel formed between an eNodeB and the S-GW.
  21. A method for detecting an abnormal VoLTE message in a 4G mobile network, comprising the steps of:
    determining whether a SIP REGISTER message in the payload of a GTP-U packet is a registration request message;
    extracting a first TEID from a header of the GTP-U packet and extracting a first user terminal identification number from the SIP REGISTER message when the SIP REGISTER message is a registration request message;
    determining whether the first TEID is identical with a second TEID of session information;
    determining whether the first user terminal identification number is identical with a second user terminal identification number corresponding to the second TEID when the first TEID is identical with the second TEID; and
    detecting the SIP REGISTER message as an abnormal SIP REGISTER message when the first user terminal identification number is different from the second user terminal identification number.
  22. The method of claim 21, wherein the value of an expire field in the SIP REGISTER message is a non-zero real number.
  23. The method of claim 21, further comprising the step of: processing the GTP-U packet according to a detection policy when the SIP REGISTER message is the abnormal SIP REGISTER message.
  24. The method of claim 21, wherein, in the step of extracting the first user terminal identification number, the first user terminal identification number is extracted from a From field of the SIP REGISTER message.
  25. The method of claim 21, further comprising the step of:
    determining whether the SIP REGISTER message exists in the payload of the GTP-U packet,
    wherein, in the step of extracting the first TEID and the first user terminal identification number, when the SIP REGISTER message exists, the first TEID is extracted from the header of the GTP-U packet, and the first user terminal identification number is extracted from the SIP REGISTER message in the payload of the GTP-U packet.
  26. The method of claim 21, further comprising the step of: storing detection information about the abnormal SIP REGISTER message.
PCT/KR2015/009283 2014-12-17 2015-09-03 Apparatus, system and method for detecting abnormal volte registration message in 4g mobile network WO2016098997A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
KR1020140182380A KR101538309B1 (en) 2014-12-17 2014-12-17 APPARATUS, SYSTEM AND METHOD FOR DETECTING ABNORMAL VoLTE REGISTRATION MESSAGE IN 4G MOBILE NETWORKS
KR10-2014-0182380 2014-12-17

Publications (1)

Publication Number Publication Date
WO2016098997A1 true WO2016098997A1 (en) 2016-06-23

Family

ID=53875529

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/KR2015/009283 WO2016098997A1 (en) 2014-12-17 2015-09-03 Apparatus, system and method for detecting abnormal volte registration message in 4g mobile network

Country Status (2)

Country Link
KR (1) KR101538309B1 (en)
WO (1) WO2016098997A1 (en)

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 15870165

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 15870165

Country of ref document: EP

Kind code of ref document: A1