WO2017064824A1 - Monitoring device, base station, monitoring method, control method, and non-transitory computer-readable medium - Google Patents
Monitoring device, base station, monitoring method, control method, and non-transitory computer-readable medium
- Publication number: WO2017064824A1 (PCT/JP2016/003172)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- communication terminal
- base station
- communication
- mobile network
- monitoring
Classifications
- H—ELECTRICITY
  - H04—ELECTRIC COMMUNICATION TECHNIQUE
    - H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
      - H04L63/00—Network architectures or network communication protocols for network security
        - H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
          - H04L63/1441—Countermeasures against malicious traffic
            - H04L63/1458—Denial of Service
- G—PHYSICS
  - G06—COMPUTING; CALCULATING OR COUNTING
    - G06F—ELECTRIC DIGITAL DATA PROCESSING
      - G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
        - G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
          - G06F21/55—Detecting local intrusion or implementing counter-measures
- G—PHYSICS
  - G06—COMPUTING; CALCULATING OR COUNTING
    - G06F—ELECTRIC DIGITAL DATA PROCESSING
      - G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
        - G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
          - G06F21/55—Detecting local intrusion or implementing counter-measures
            - G06F21/554—Detecting local intrusion or implementing counter-measures involving event detection and direct action
- H—ELECTRICITY
  - H04—ELECTRIC COMMUNICATION TECHNIQUE
    - H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
      - H04L63/00—Network architectures or network communication protocols for network security
        - H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
          - H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
            - H04L63/1416—Event detection, e.g. attack signature detection
- H—ELECTRICITY
  - H04—ELECTRIC COMMUNICATION TECHNIQUE
    - H04W—WIRELESS COMMUNICATION NETWORKS
      - H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
        - H04W12/12—Detection or prevention of fraud
- H—ELECTRICITY
  - H04—ELECTRIC COMMUNICATION TECHNIQUE
    - H04W—WIRELESS COMMUNICATION NETWORKS
      - H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
        - H04W12/12—Detection or prevention of fraud
          - H04W12/125—Protection against power exhaustion attacks
- H—ELECTRICITY
  - H04—ELECTRIC COMMUNICATION TECHNIQUE
    - H04W—WIRELESS COMMUNICATION NETWORKS
      - H04W76/00—Connection management
        - H04W76/10—Connection setup
          - H04W76/18—Management of setup rejection or failure
- H—ELECTRICITY
  - H04—ELECTRIC COMMUNICATION TECHNIQUE
    - H04W—WIRELESS COMMUNICATION NETWORKS
      - H04W48/00—Access restriction; Network selection; Access point selection
        - H04W48/02—Access restriction performed under specific conditions
Definitions
- the present invention relates to a monitoring device, a base station, a monitoring method, a control method, and a program, and more particularly, to a monitoring device, a base station, a monitoring method, a control method, and a program for monitoring an attack on a mobile network.
- Non-Patent Document 1 describes an ATTACH processing procedure of a communication terminal. By executing the ATTACH process, authentication of the communication terminal, setting of a communication bearer used for the communication terminal to transmit and receive data, and the like are performed.
- An object of the present invention is to provide a monitoring device, a base station, a monitoring method, a control method, and a program capable of reducing the threat of DoS attack on a mobile network.
- the monitoring apparatus includes a signal monitoring unit that estimates, according to the number of times the ATTACH process for registering information related to a communication terminal communicating with a base station in a communication apparatus arranged in a mobile network is rejected, a specific base station that communicates with a communication terminal that attacks the mobile network, and a base station control unit that causes the specific base station to determine, according to communication terminal identification information set in a signal transmitted from a subordinate communication terminal, whether or not to execute the ATTACH process for that communication terminal.
- the base station includes a signal monitoring unit that estimates, according to the number of times that the ATTACH process for registering information related to a communication terminal located in the communication area formed by the base station itself in a communication device arranged in the mobile network is rejected, whether or not a communication terminal that attacks the mobile network exists in the communication area, and a signal control unit that determines, according to communication terminal identification information set in a signal transmitted from a communication terminal located in the communication area, whether or not to execute the ATTACH process related to that communication terminal.
- the monitoring method estimates, according to the number of times that the ATTACH process for registering information related to a communication terminal communicating with a base station in a communication device arranged in the mobile network is rejected, the specific base station that communicates with the communication terminal that attacks the mobile network, and determines, in the specific base station, whether or not to execute the ATTACH process related to a subordinate communication terminal according to the communication terminal identification information set in the signal transmitted from that subordinate communication terminal.
- the control method according to the fourth aspect of the present invention estimates, based on the number of times the ATTACH process for registering information related to communication terminals located in a communication area formed by a base station in a communication device arranged in a mobile network is rejected, whether or not a communication terminal that attacks the mobile network exists in the communication area, and determines, according to the communication terminal identification information set in the signal transmitted from a communication terminal located in the communication area, whether or not to execute the ATTACH process relating to that communication terminal.
- the program according to the fifth aspect of the present invention causes a computer to estimate, according to the number of times that the ATTACH process for registering information related to a communication terminal communicating with a base station in a communication device arranged in the mobile network is rejected, a specific base station that communicates with a communication terminal that attacks the mobile network, and to determine, in the specific base station, whether or not to execute the ATTACH process related to a subordinate communication terminal according to the communication terminal identification information set in the signal transmitted from that subordinate communication terminal.
- according to the present invention, it is possible to provide a monitoring device, a base station, a monitoring method, a control method, and a program that can reduce the threat of DoS attacks on the mobile network.
- FIG. 1 is a configuration diagram of a communication system according to a first exemplary embodiment.
- FIG. 2 is a configuration diagram of a mobile network according to a second exemplary embodiment.
- FIGS. 3 and 4 are diagrams showing the outline of the Initial Attach process.
- FIGS. 5, 6 and 7 are diagrams showing the flow of processing when a UE according to the second exemplary embodiment performs an attack.
- FIG. 8 is a block diagram of the eNB according to the second exemplary embodiment.
- FIG. 10 is a configuration diagram of a mobile network according to a fifth exemplary embodiment.
- the communication system in FIG. 1 includes a monitoring device 10, a base station 20, a communication terminal 30, a communication device 40, and a subscriber data device 50.
- the monitoring device 10, the base station 20, the communication terminal 30, the communication device 40, and the subscriber data device 50 may be computer devices that operate when a processor executes a program stored in a memory.
- the base station 20, the communication device 40, and the subscriber data device 50 may be node devices defined in 3GPP (3rd Generation Partnership Project).
- the base station 20 may be a NodeB or an eNB (evolved NodeB).
- the communication device 40 may be an SGSN (Serving GPRS Support Node) or an MME (Mobility Management Entity).
- the subscriber data device 50 may be an HSS (Home Subscriber Server) or HLR (Home Location Register).
- the communication terminal 30 is a terminal that performs wireless communication with the base station 20.
- the communication terminal 30 may be, for example, a mobile phone terminal, a smartphone, or a tablet terminal.
- the communication terminal 30 may be an M2M (Machine to Machine) terminal or an MTC (Machine Type Communication) terminal.
- the monitoring device 10 includes a signal monitoring unit 11 and a base station control unit 12.
- the signal monitoring unit 11 and the base station control unit 12 may be software or a module in which processing is executed when a processor executes a program stored in a memory.
- the signal monitor unit 11 and the base station control unit 12 may be hardware such as a circuit or a chip.
- the signal monitor unit 11 monitors the number of times that the ATTACH process for registering information about the communication terminal 30 communicating with the base station 20 in the communication device 40 is rejected. Furthermore, the signal monitor unit 11 estimates a base station that communicates with a communication terminal that attacks the mobile network according to the monitoring result.
- a base station that communicates with a communication terminal that attacks the mobile network is hereinafter referred to as a specific base station.
- the specific base station may be a sector constituting the base station.
- the mobile network is a network including the base station 20, the communication device 40, and the subscriber data device 50, for example.
- the ATTACH process is a process performed to allow the communication terminal 30 to use the mobile network.
- the information regarding the communication terminal 30 may be information regarding the position of the communication terminal 30, for example.
- the communication device 40 refuses to register information regarding the communication terminal 30 when the communication terminal 30 cannot be authenticated or when the communication terminal 30 is a communication terminal that cannot use the mobile network. Specifically, it is determined that the communication terminal 30 cannot be authenticated when, for example, the communication terminal 30 disguises its identification information.
- the communication device 40 may reject registration of information related to the communication terminal 30 by communicating with the subscriber data device 50 that holds subscriber information related to the communication terminal 30.
- according to the monitoring result, the signal monitoring unit 11 presumes that a communication terminal that attacks the mobile network exists under the base station 20. That is, the signal monitoring unit 11 estimates the base station 20 as a specific base station.
- the base station control unit 12 instructs the base station 20 estimated as the specific base station to determine, according to the communication terminal identification information set in the signal transmitted from the communication terminal 30 or other terminals under the base station 20, whether or not to execute the process of registering information on that communication terminal in the communication device 40.
- that is, the base station 20 does not unconditionally execute the process of registering information related to all communication terminals under its control in the communication device 40; based on the communication terminal identification information, it withholds the registration process for some or all of the communication terminals.
- the monitoring apparatus 10 can estimate a specific base station that is communicating with a communication terminal that attacks the mobile network. Furthermore, the monitoring device 10 can determine whether or not to execute processing for registering information related to the communication terminal in the communication device 40 in the specific base station.
- the base station 20 can reduce the number of processes for registering information related to the communication terminal to the communication device 40. Therefore, even when there is a communication terminal that attacks the mobile network, an increase in the number of signals can be suppressed.
- the mobile network of FIG. 2 is configured using node devices defined in 3GPP. The mobile network of FIG. 2 includes UE (User Equipment) 31 to 33, ATT (ATTACKER) UE 34, eNB 21, eNB 22, MME 41, HSS 51, SGW (Serving Gateway) 61, PGW (Packet Data Network Gateway) 62, and PCRF (Policy and Charging Rule Function) 63.
- FIG. 2 mainly shows communication paths of control data or C-Plane data used when setting up PDN connections or communication bearers related to UEs 31 to 33 and ATT UE34.
- the UEs 31 to 33 and the ATT UE 34 correspond to the communication terminal 30 in FIG. 1. UE is a general term for communication terminals in 3GPP.
- the ATT UE 34 indicates a UE that attacks the mobile network.
- the eNB 21 and the eNB 22 correspond to the base station 20 in FIG. 1.
- the eNB 21 and the eNB 22 are base stations that support LTE as a wireless communication method.
- the MME 41 corresponds to the communication device 40 in FIG. 1.
- the MME 41 manages the location information of the UEs 31 to 33 and the ATT UE 34.
- the HSS 51 corresponds to the subscriber data device 50 of FIG. 1.
- the HSS 51 manages subscriber information of the UEs 31 to 33 and the ATT UE 34.
- the SGW 61 and the PGW 62 are gateway devices that transmit user data related to the UEs 31 to 33 and the ATT UE 34.
- the user data may be referred to as U-Plane data.
- the PCRF 63 is a device that performs QoS (Quality of Service) control and charging control for the UEs 31 to 33 and the ATT UE 34.
- the PCRF 63 may be referred to as a PCRF entity or a PCRF device.
- the ATT UE 34 performs, for example, a DoS attack on the mobile network. Specifically, the ATT UE 34 increases the control data transmitted in the mobile network by repeatedly executing the Initial-Attach process. Each node device in the mobile network increases the processing to be executed and the processing load increases as the control data increases.
- the outline of the Initial Attach process defined in 3GPP will be described with reference to FIGS. 3 and 4. Here, the outline of the Initial Attach process of a general UE 31 that does not attack the mobile network is described.
- the Initial-Attach process is executed when the UE 31 is turned on for the first time or when the UE 31 roams from a foreign country and communicates with the eNB 21 for the first time.
- the UE 31 transmits an RRC (Radio Resource Control) connection request message to the eNB 21 (S21).
- in step S21, the UE 31 sets an arbitrary value as the identification information of the UE 31 in the RRC connection Request message.
- the arbitrary value may be referred to as, for example, random value.
- the eNB 21 transmits an RRC connection setup message to the UE 31 as a response message to the RRC connection request message (S22).
- the UE 31 transmits an RRC connection setup complete message including a NAS message used in the NAS (Non-Access Stratum) protocol to the eNB 21 (S23).
- an ATTACH request message is set as the NAS message.
- the UE 31 sets IMSI (International Mobile Subscriber Identity) as identification information of the UE 31 in the ATTACH request message.
- IMSI is an identification number that uniquely identifies a UE in all mobile networks operated by a carrier.
- the eNB 21 selects an MME that manages position information related to the UE 31 (S24). For example, the eNB 21 may select the MME in consideration of the load status of the MME. Here, it is assumed that the eNB 21 selects the MME 41.
- the MME 41 transmits an Authentication Information Request message in which the IMSI of the UE 31 is set to the HSS 51 in order to execute an authentication process related to the UE 31 (S26).
- the HSS 51 transmits an Authentication Information Answer message including Authentication Vectors associated with the IMSI of the UE 31 to the MME 41 (S27).
- the Authentication Vectors include the parameters necessary for the MME 41 to perform authentication related to the UE 31.
- the Authentication Vectors include parameters such as RAND (Random challenge), AUTN (Authentication token), and XRES (Expected user response).
- the MME 41 transmits an Authentication Request message including RAND and AUTN transmitted from the HSS 51 to the UE 31 (S28).
- UE31 calculates RES (User
- the UE 31 transmits an Authentication Response message including the calculated RES to the MME 41 (S29).
- the MME 41 executes an authentication process related to the UE 31 using the RES transmitted from the UE 31 and the XRES transmitted from the HSS 51 (S30). Specifically, the MME 41 determines whether or not RES and XRES match. When the RES and XRES match, the MME 41 permits the UE 31 to use the mobile network. In step S30, it is assumed that the MME 41 permits the UE 31 to use the mobile network.
- the MME 41 transmits a SECURITY MODE COMMAND message including a security algorithm used in the security association to the UE 31 (S31).
- the UE 31 transmits a SECURITY MODE COMPLETE message to the MME 41 as a response message to the SECURITY MODE COMMAND message (S32).
- the MME 41 transmits an Update-Location-Request message to the HSS 51 in order to update the location information regarding the UE 31 held in the HSS 51 (S33).
- the HSS 51 transmits an Update Location Ack message to the MME 41 as a response message to the Update Location Request message (S34).
- the MME 41 transmits a Create Session Request message to the SGW 61 in order to set a communication bearer (S35). Further, the SGW 61 transmits a Create Session Request message to the PGW 62 (S36). Next, the PGW 62 exchanges a message regarding the QoS negotiation with the PCRF 63 in order to determine the QoS to be applied to the PDN (Packet Data Network) Connection related to the UE 31 (S37).
- the PGW 62 transmits a Create Session Response message to the SGW 61 as a response message to the Create Session Request message in Step S36 (S38). Further, the SGW 61 transmits a Create Session Response message to the MME 41 as a response message to the Create Session Request message in step S35 (S39).
- the MME 41 performs wireless setting between the UE 31 and the eNB 21 (S40).
- the MME 41 transmits and receives a Modify Bearer Request message and a Modify Bearer Response message to and from the SGW 61 in order to update the communication bearer after the wireless setting (S41 and S42).
- the MME 41 assigns GUTI (Globally Unique Temporary Identity) to the UE 31 as temporary identification information of the UE 31 (S43).
- MME41 transmits the ATTACH
- the Initial Attach process executed by the ATT UE 34 intended to attack the mobile network will be described.
- the following attacks can be considered as attack methods using the ATT UE 34:
- (1) an Initial Attach process is executed using an IMSI with an inappropriate number of bits or number format.
- (2) an IMSI having a value that is not managed in any mobile network operated by the communication carrier is set, and the Initial Attach process is executed.
- (3) the IMSI of another UE is set as the identification information of the ATT UE 34, and the Initial Attach process is executed by impersonating the other UE.
- Steps S51 to S55 are the same as steps S21 to S25 in FIG.
- in step S55, when the MME 41 receives an Initial UE message including an ATTACH request message in which an inappropriate IMSI is set, the MME 41 transmits an Initial Context Setup Request message including an ATTACH reject message to the eNB 21 (S56). Next, the eNB 21 transmits an RRC connection Reconfiguration message including the ATTACH reject message to the ATT UE 34 (S57).
- Step S61 to S66 are the same as steps S21 to S26 in FIG.
- the HSS 51 receives an IMSI having a value that is not managed in any mobile network operated by the communication carrier.
- the HSS 51 transmits, to the MME 41, an Authentication Information Answer message in which a Cause indicating that the received IMSI value does not exist is set (S67).
- the Cause indicating that the received IMSI value does not exist may be, for example, "EPS services and non-EPS services not allowed".
- the MME 41 transmits an Initial Context Setup message including an ATTACH reject message to the eNB 21 (S68).
- the eNB 21 transmits an RRC connection Reconfiguration message including the ATTACH reject message to the ATT UE 34 (S69).
- Steps S71 to S79 are the same as steps S21 to S29 in FIG.
- the ATT UE 34 sets the IMSI of another UE and impersonates the other UE. Therefore, the ATT UE 34 cannot generate a RES having the same value as the XRES generated by the HSS 51 even if the RAND and AUTN transmitted in step S78 are used. Therefore, the MME 41 determines that the RES transmitted in step S79 is different from the XRES transmitted in step S77 in the authentication of the ATT UE 34 (S80). That is, the MME 41 refuses that the ATT UE 34 uses the mobile network.
- the eNB 21 transmits an Authentication reject message to the ATT UE 34 (S81).
- the eNB 21 includes an RRC signal monitoring unit 71 and a NAS signal control unit 72. Further, the NAS signal control unit 72 includes a NAS signal monitor unit 73 and a signal control unit 74.
- the NAS signal monitoring unit 73 corresponds to the signal monitoring unit 11 in FIG. 1.
- the signal control unit 74 corresponds to the base station control unit 12 in FIG. 1. That is, the NAS signal control unit 72 executes a function similar to that of the monitoring device 10 in FIG. 1.
- FIG. 8 illustrates a configuration in which the monitoring device 10 in FIG. 1 is included in the eNB 21 that is the base station 20.
- the RRC signal monitoring unit 71 monitors RRC signals transmitted from the plurality of UEs located in the communication area formed by the eNB 21.
- the RRC signal monitoring unit 71 may monitor the RRC signals transmitted and received in the eNB 21 over arbitrary periods (every day, every week, every month, every year, and so on) and generate statistical data regarding the number of RRC signals. By generating statistical data, the RRC signal monitoring unit 71 can grasp at what time of day and on which day of the week a large amount of traffic occurred.
- the RRC signal monitoring unit 71 may associate weather information, event information, and the like as factors that cause a large amount of traffic.
- the event information may be an event where many people gather, such as a concert or a meeting.
- when the RRC signal monitoring unit 71 detects an unusual traffic tendency from the generated statistical data, that is, when an abnormality in the network operation is detected, it may execute processing to verify whether or not the ATT UE 34 exists. The processing for verifying whether or not the ATT UE 34 exists is executed in the NAS signal control unit 72. Therefore, the RRC signal monitoring unit 71 may activate the NAS signal control unit 72 when it detects an abnormality in the network operation. In this case, the NAS signal control unit 72 is normally stopped.
- NAS signal monitoring unit 73 monitors messages transmitted to and received from MME 41. For example, the NAS signal monitoring unit 73 counts the number of ATTACH reject messages received in step S56 of FIG. 5 or step S68 of FIG. The NAS signal monitoring unit 73 counts the number of Authentication reject messages transmitted from the MME 41 in step S81 in FIG.
- the NAS signal monitoring unit 73 assumes that the ATT UE 34 exists when the number of ATTACH reject messages and the number of Authentication reject messages transmitted and received per unit time exceed an arbitrary threshold.
- as the arbitrary threshold value, a constant value may be used, or the value may be changed dynamically.
- the arbitrary threshold value may be dynamically changed based on statistical data generated in the RRC signal monitor unit 71. Specifically, by analyzing the statistical data generated in the RRC signal monitoring unit 71, it is possible to assume a time zone, a day of the week, a season, a weather condition, or the like where traffic is generated or reduced. Accordingly, the threshold value may be set high in a time zone where a lot of traffic occurs, and the threshold value may be set low in a time zone where the traffic occurs little.
- the threshold for the schedule for the event may be set high.
- the signal control unit 74 rejects the Initial Attach process for some of the UEs located in the communication area formed by the eNB 21.
- the UEs for which the Initial Attach process is rejected may be UEs for which no S-TMSI is set in the UE identity of the RRC connection Request message.
- the signal control unit 74 may set a time for executing a process for rejecting the Initial-Attach process for some UEs among UEs located in the communication area formed by the eNB 21. When the set time has elapsed, the signal control unit 74 cancels the process of rejecting the Initial-Attach process for some UEs among the UEs located in the communication area formed by the eNB 21.
- in many cases the ATT UE 34 cannot successfully complete the Initial Attach process, so it cannot set an S-TMSI when repeatedly performing the Initial Attach process for an attack. This is because the S-TMSI is identification information included in the GUTI assigned to the UE when the Initial Attach process completes normally.
- UEs that do not intend to attack the mobile network but that have been powered on for the first time or have roamed from another mobile network, such as an overseas network, may also be subject to the rejection of the Initial Attach process.
- such UEs can complete the Initial Attach process normally once the rejection is canceled.
- the RRC signal monitoring unit 71 determines whether or not a network operation abnormality is detected from the generated statistical data (S91). If the RRC signal monitoring unit 71 does not detect a network operation abnormality, it repeats step S91. When the RRC signal monitoring unit 71 detects an abnormality in the network operation, the NAS signal monitoring unit 73 determines whether or not the ATT UE 34 exists (S92).
- when the NAS signal monitoring unit 73 determines that the ATT UE 34 does not exist, the process returns to step S91.
- when the NAS signal monitoring unit 73 determines that the ATT UE 34 exists, the signal control unit 74 rejects the Initial Attach process for some of the UEs located in the communication area formed by the eNB 21 (S93).
- FIG. 10 is a sequence related to step S93 in FIG.
- the mobile network in FIG. 11 includes UEs 31 to 33, ATT UE 34, NB (Node B) 23, NB 24, RNC 25, SGSN 42, GGSN 43, HSS 51, and PCRF 63.
- the NB 23 and the NB 24 are base stations that support radio systems used in the second generation mobile phone system and the third generation mobile phone system.
- the RNC 25 corresponds to the eNB 21 or the eNB 22 and is a control device that controls the radio base station.
- the eNB 21 and the eNB 22 operate as a base station having a function corresponding to the RNC 25.
- the SGSN 42 corresponds to the MME 41, and is a device that manages UE location information and transmits user data.
- the GGSN 43 corresponds to the PGW 62.
- the RNC 25 includes the RRC signal monitoring unit 71 and the NAS signal control unit 72 in FIG. 8, so that the same processing as the eNB 21 in FIG. 2 can be executed.
- in addition to attack methods (1) to (3) above, the following attack method is also assumed.
- when the MME 41 transmits an Authentication Request message to the ATT UE 34 in step S78 of FIG. 7, the ATT UE 34 disconnects the connection with the eNB 21, or intentionally does not process the message and does not send a response message to the Authentication Request message.
- since the session with the ATT UE 34 is maintained in the MME 41 for a certain period of time, the number of sessions managed in the MME 41 increases.
- the MME 41 resends the Authentication Request message after a certain period of time, and if it does not receive a response message even after the retransmission, the MME 41 disconnects the session with the ATT UE 34 due to timeout. Therefore, the NAS signal monitoring unit 73 may assume that the ATT UE 34 is present when the number of retransmitted messages or the number of times of timeout exceeds an arbitrary threshold per unit time.
- the Cause value is a value indicating the reason for sending an ATTACH reject message or an Authentication reject message.
- the NAS signal monitoring unit 73 may monitor the number of ATTACH reject messages and the number of Authentication reject messages having a Cause value indicating that the UE executing the Initial Attach process is an inappropriate UE.
- the Cause values indicating that the UE is inappropriate may be, for example, the values illustrated in FIG. 12. FIG. 12 shows, among the Cause values listed in 3GPP TS 24.301 V13.3.0 (2015-09) Table 9.9.3.9.1 (EMM cause information element), those indicating that the UE is inappropriate.
- the NAS signal monitoring unit 73 counts, among all ATTACH reject messages and Authentication reject messages, only those having a Cause value indicating an inappropriate UE.
- in this way, the eNB 21 does not count an Authentication reject message that occurs when a failure occurs in the HSS or the like. Therefore, compared with the case where the threshold is applied to all ATTACH reject messages and Authentication reject messages, the eNB 21 can estimate the possibility that the ATT UE 34 exists with higher accuracy when the threshold is applied to the number of ATTACH reject messages and Authentication reject messages whose Cause values indicate an inappropriate UE.
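The S91 to S93 flow (NAS signal monitoring unit 73 counting reject messages per unit time against a threshold, signal control unit 74 refusing Initial Attach for a set time only for UEs whose RRC connection Request carries no S-TMSI) combined with the Cause-value filtering just described, as an added Python example that is not part of the patent. The EMM cause set, the per-hour thresholds and the sample messages are our own constructed assumptions, since the page does not reproduce FIG. 12.

```python
from collections import deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Optional, Tuple

# EMM cause values (3GPP TS 24.301 Table 9.9.3.9.1) treated here as "inappropriate UE".
# Assumption: FIG. 12 of the patent is not reproduced on the page, so this selection is ours.
INAPPROPRIATE_UE_CAUSES = {
    2,  # IMSI unknown in HSS  (attack (2): IMSI not managed by the carrier)
    3,  # Illegal UE           (attack (3): impersonation fails authentication)
    6,  # Illegal ME
    7,  # EPS services not allowed
    8,  # EPS services and non-EPS services not allowed
}


@dataclass
class NasReject:
    """An ATTACH reject or Authentication reject seen by the eNB (constructed sample type)."""
    t: float              # time the message was observed, in seconds
    kind: str             # "ATTACH_REJECT" or "AUTH_REJECT"
    cause: Optional[int]  # EMM cause value; None when the message carried none


class NasSignalMonitor:
    """NAS signal monitoring unit 73: counts reject messages within a sliding unit time."""

    def __init__(self, window_s: float, threshold_by_hour: Dict[int, int]) -> None:
        self.window_s = window_s
        # Threshold per hour of day, as unit 71's traffic statistics would set it (constructed).
        self.threshold_by_hour = threshold_by_hour
        self._events: Deque[float] = deque()

    def observe(self, rej: NasReject) -> None:
        # Count only rejects whose Cause indicates an inappropriate UE, so that rejects
        # caused by e.g. an HSS failure do not inflate the count.
        if rej.cause in INAPPROPRIATE_UE_CAUSES:
            self._events.append(rej.t)
        self._expire(rej.t)

    def _expire(self, now: float) -> None:
        while self._events and self._events[0] <= now - self.window_s:
            self._events.popleft()

    def count(self, now: float) -> int:
        self._expire(now)
        return len(self._events)

    def attacker_presumed(self, now: float, hour_of_day: int) -> bool:
        """Step S92: the ATT UE is presumed present when the count exceeds the threshold."""
        return self.count(now) > self.threshold_by_hour[hour_of_day]


class SignalControlUnit:
    """Signal control unit 74: rejects Initial Attach for UEs without S-TMSI for a set time."""

    def __init__(self, reject_duration_s: float) -> None:
        self.reject_duration_s = reject_duration_s
        self.reject_until: Optional[float] = None

    def start_rejecting(self, now: float) -> None:
        self.reject_until = now + self.reject_duration_s

    def rejecting(self, now: float) -> bool:
        if self.reject_until is not None and now >= self.reject_until:
            self.reject_until = None  # the set time has elapsed: cancel the rejection
        return self.reject_until is not None

    def accept_rrc_connection_request(self, now: float, ue_identity: Dict[str, str]) -> bool:
        """Step S93: while rejecting, only requests whose UE identity carries an S-TMSI pass."""
        # ue_identity is {"s_tmsi": ...} for a UE that already holds a GUTI, or
        # {"random_value": ...} for first power-on, roaming, or a UE that never attached.
        if not self.rejecting(now):
            return True
        return "s_tmsi" in ue_identity


def simulate(rejects: List[NasReject], requests: List[Tuple[float, Dict[str, str]]],
             threshold_by_hour: Dict[int, int], hour_of_day: int,
             window_s: float = 1.0, reject_duration_s: float = 30.0) -> List[Tuple[float, bool]]:
    """Replay rejects and RRC connection requests in time order; return (t, accepted) per request."""
    monitor = NasSignalMonitor(window_s, threshold_by_hour)
    control = SignalControlUnit(reject_duration_s)
    timeline = sorted([(r.t, 0, r) for r in rejects] + [(t, 1, ident) for t, ident in requests],
                      key=lambda e: (e[0], e[1]))
    decisions: List[Tuple[float, bool]] = []
    for t, kind, item in timeline:
        if kind == 0:
            monitor.observe(item)
            if monitor.attacker_presumed(t, hour_of_day) and not control.rejecting(t):
                control.start_rejecting(t)
        else:
            decisions.append((t, control.accept_rrc_connection_request(t, item)))
    return decisions


def example_throttle() -> List[Tuple[float, bool]]:
    """Constructed scenario: 15 rejects with Cause #8 in 0.7 s plus 3 Cause #17 (Network failure)."""
    rejects = [NasReject(0.05 * i, "ATTACH_REJECT", 8) for i in range(15)]
    rejects += [NasReject(0.3 + 0.01 * i, "AUTH_REJECT", 17) for i in range(3)]
    requests = [
        (1.5, {"random_value": "0x3a5f1c2d"}),   # no S-TMSI during the rejection period: refused
        (1.6, {"s_tmsi": "0x0a1b2c3d"}),         # UE holding a GUTI: still served
        (45.0, {"random_value": "0x7e7e7e7e"}),  # after the 30 s period: served again
    ]
    return simulate(rejects, requests, threshold_by_hour={3: 10}, hour_of_day=3)
```

The three Cause #17 rejects never enter the count, so an HSS outage producing the same burst would not trigger the rejection period.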
- Steps S111 to S113 are the same as steps S21 to S23 of FIG. 2.
- The eNB 21 then determines that an IMSI within a specific value range (specific range) is set as the UE identity in the RRC connection setup complete message (S114). Next, the eNB 21 discards the RRC connection setup complete message received in step S113 and stops the Initial Attach process (S115).
- The eNB 21 may set the specific range used in step S114 as follows. For example, the eNB 21 may set the width of the range so that it includes the IMSIs set by the UEs in the Initial Attach processes in which an ATTACH reject message or an Authentication reject message was transmitted in step S56 of FIG. 5, step S67 of FIG. 6 and step S81 of FIG.
- The number of IMSIs included in the range may be any number.
- By discarding RRC connection setup complete messages in which an IMSI within the specific range, which is likely to include the ATT UE 34, is set, the eNB 21 can defend the mobile network against attacks from the ATT UE 34.
- If the number of messages related to the Initial Attach process does not decrease in the eNB 21 even after the defences against the ATT UE 34 shown in FIGS. 10 and 13 have been executed, the eNB 21 may reject the Initial Attach process for a certain period of time regardless of the UE identity set in the RRC connection request message in step S21 of FIG. 2.
- Alternatively, the eNB 21 in which the ATT UE 34 is estimated to be present may stop its radio transmission, or may stop receiving messages relating to the Attach process, for a certain period of time.
- When the NAS signal monitoring unit 73 detects the frequency band accessed by the UE in the Initial Attach process in which the ATTACH reject message or Authentication reject message was transmitted, only the sector of the eNB 21 that serves the detected frequency band may be stopped.
- If the ATT UE 34 performs a DoS attack and the processing load of the MME 41 increases, transmission restrictions and the like are applied in all eNBs under the MME 41, so the DoS attack may affect a wide area.
- By stopping the eNB 21 estimated to be communicating with the ATT UE 34 for a certain period of time, or by stopping only some of the sectors of the eNB 21, the range of influence of the DoS attack can be narrowed.
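The staged defence above, as an added Python example that is not code from the patent: stage 1 discards RRC connection setup complete messages whose IMSI falls in the specific range built around the IMSIs of rejected Initial Attach procedures, and stage 2 refuses every Initial Attach for a period, regardless of identity, if Attach traffic does not fall. The range-widening margin, the identity encoding and all IMSIs are constructed assumptions.

```python
"""Added example (not code from the patent): the per-UE decision an eNB
signal control unit could apply to an RRC connection setup complete message
after an attacking UE has been estimated to be present. Stage 1 discards the
message when the UE identity is an IMSI inside a configured specific range
built around the IMSIs seen in rejected Initial Attach procedures; stage 2
refuses every Initial Attach for a lock-out period regardless of identity.
The range-widening margin, the identity encoding and all IMSIs are
constructed assumptions."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class ImsiRange:
    low: int    # inclusive
    high: int   # inclusive

    def contains(self, imsi: str) -> bool:
        return imsi.isdigit() and self.low <= int(imsi) <= self.high


def range_around_rejected(rejected_imsis: List[str], margin: int) -> ImsiRange:
    """Build the specific range so that it covers every IMSI set by a UE whose
    Initial Attach was rejected, widened by `margin` on each side. The patent
    leaves the width open; the margin is this example's choice."""
    values = sorted(int(i) for i in rejected_imsis if i.isdigit())
    if not values:
        raise ValueError("need at least one rejected IMSI")
    return ImsiRange(values[0] - margin, values[-1] + margin)


@dataclass
class SignalControlUnit:
    attack_suspected: bool = False
    specific_ranges: List[ImsiRange] = field(default_factory=list)
    lockout_until: Optional[float] = None   # stage-2 blanket refusal

    def escalate(self, now: float, hold_s: float) -> None:
        """Stage 2: Attach-related traffic did not fall after stage 1."""
        self.lockout_until = now + hold_s

    def decide(self, now: float, ue_identity: Tuple[str, str]) -> Tuple[str, str]:
        """Return (action, reason) for one RRC connection setup complete
        message; action is 'PROCEED' or 'DISCARD'. ue_identity is (kind, value)
        with kind 'IMSI' (a UE attaching for the first time carries its IMSI)
        or 'GUTI' (a UE previously registered with this network)."""
        if self.lockout_until is not None and now < self.lockout_until:
            return "DISCARD", "lock-out: Initial Attach refused regardless of identity"
        if not self.attack_suspected:
            return "PROCEED", "no attacking UE estimated at this eNB"
        kind, value = ue_identity
        if kind == "IMSI" and any(r.contains(value) for r in self.specific_ranges):
            return "DISCARD", "IMSI inside the specific range"
        return "PROCEED", "identity outside the specific range"


def run_sample() -> Dict[str, str]:
    """Constructed scenario: three rejected attaches came from near-identical
    IMSIs; the eNB then decides for later UEs, before and after the stage-2
    lock-out."""
    rejected = ["440109999000010", "440109999000012", "440109999000017"]
    scu = SignalControlUnit(
        attack_suspected=True,
        specific_ranges=[range_around_rejected(rejected, margin=100)],
    )
    out = {
        "in_range_imsi": scu.decide(100.0, ("IMSI", "440109999000050"))[0],
        "far_imsi":      scu.decide(100.0, ("IMSI", "440101234567890"))[0],
        "guti_user":     scu.decide(100.0, ("GUTI", "44010-0001-01-0000ABCD"))[0],
    }
    scu.escalate(now=120.0, hold_s=300.0)            # traffic did not fall
    out["during_lockout"] = scu.decide(200.0, ("GUTI", "44010-0001-01-0000ABCD"))[0]
    out["after_lockout"] = scu.decide(500.0, ("GUTI", "44010-0001-01-0000ABCD"))[0]
    return out
```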
- The mobile network in FIG. 14 is the mobile network in FIG. 2 with a Security GW 81 and a monitoring device 91 added.
- the Security GW 81 is connected to the eNB 21 and the eNB 22.
- the monitoring device 91 relays communication between the Security GW 81 and the MME 41.
- the security of the communication path may be ensured by IPsec between the eNB 21 and the Security GW 81 and further between the eNB 22 and the Security GW 81.
- The monitoring device 91 is a device having the RRC signal monitoring unit 71 and the NAS signal control unit 72 of FIG. 8. In other words, the monitoring device 91 determines whether or not the ATT UE 34 exists, and decides to reject the Initial Attach process for some UEs in the eNB that communicates with the ATT UE 34.
- the monitoring device 91 may be provided in the Security GW 81 or may be provided in the MME 41.
- the mobile network in FIG. 15 has a configuration in which a Security GW 81 and a monitoring device 91 are added to the mobile network in FIG.
- the Security GW 81 is connected to the RNC 25.
- the monitoring device 91 relays communication between the Security GW 81 and the SGSN 42.
- the monitoring device 91 may be provided in the Security GW 81 or in the SGSN 42.
- the monitoring device 91 may be arranged in front of the MME 41 or SGSN 42.
- The functions of FIG. 8 executed in the monitoring device 91 need not be included in every eNB or RNC on the mobile network. Therefore, compared with the case where the functions of the monitoring device 91 are executed in the eNB as shown in FIG. 8, a function for protecting against DoS attacks can be incorporated into the mobile network more easily.
- the network management apparatus 100 may be configured to collectively manage a plurality of monitoring apparatuses 91.
- the network management apparatus 100 may be referred to as EMS (Element Management System) or NMS (Network Management System).
- the eNB 21 and the eNB 22 may communicate with an MME other than the MME 41.
- the eNB 21 can select an MME for each UE in step S54 of FIG. 5 and can therefore communicate with a plurality of MMEs.
- the monitoring device 91 connected to the Security GW 81 monitors the number of messages generated for each eNB by monitoring messages transmitted from the eNB and messages destined for the eNB. However, since each eNB communicates with a plurality of MMEs, a message when each eNB communicates with another MME is monitored by another monitoring device different from the monitoring device 91.
- Therefore, a network management apparatus 100 that collectively manages the plurality of monitoring apparatuses 91 is used.
- The network management device 100 collects information on the number of messages generated for each eNB from the monitoring devices 91_1, 91_2, ..., 91_n (n is an integer of 1 or more).
- the network management device 100 can accurately monitor the number of messages generated for each eNB by collecting information from a plurality of monitoring devices and adding the number of messages generated for each eNB.
- FIG. 17 is a block diagram illustrating a configuration example of the node device 140.
- the node device 140 includes a network interface 1201, a processor 1202, and a memory 1203.
- the network interface 1201 is used to communicate with other network node devices constituting the communication system.
- the network interface 1201 may include, for example, a network interface card (NIC) compliant with IEEE 802.3 series.
- the processor 1202 reads out and executes software (computer program) from the memory 1203, thereby performing the processing of the node device 140 described with reference to the sequence diagram and the flowchart in the above-described embodiment.
- the processor 1202 may be, for example, a microprocessor, MPU, or CPU.
- the processor 1202 may include a plurality of processors.
- the memory 1203 is configured by a combination of a volatile memory and a nonvolatile memory.
- The memory 1203 may include storage located remotely from the processor 1202. In this case, the processor 1202 may access the memory 1203 via an I/O interface (not shown).
- the memory 1203 is used for storing software module groups.
- the processor 1202 can perform the processing of the server 140 described in the above-described embodiment by reading these software module groups from the memory 1203 and executing them.
- Each of the processors included in the node devices constituting the communication system executes one or more programs including a group of instructions for causing a computer to execute the algorithms described with reference to the drawings.
- Non-transitory computer-readable media include various types of tangible storage media.
- Examples of non-transitory computer-readable media include magnetic recording media (e.g. flexible disks, magnetic tapes, hard disk drives), magneto-optical recording media (e.g. magneto-optical discs), CD-ROM (Read Only Memory), CD-R, CD-R/W, and semiconductor memory (e.g. mask ROM, PROM (Programmable ROM), EPROM (Erasable PROM), flash ROM, RAM (Random Access Memory)).
- The program may also be supplied to the computer by various types of transitory computer-readable media. Examples of transitory computer-readable media include electrical signals, optical signals and electromagnetic waves.
- A transitory computer-readable medium can supply the program to the computer via a wired communication path such as an electric wire or an optical fibre, or via a wireless communication path.
- Embodiments 1 to 5 may be combined as appropriate.
- the process of estimating the presence of the ATT UE 34 in the second embodiment may be replaced with the process of estimating the presence of the ATT UE 34 in the third embodiment.
- the processing when defending the attack from the ATT UE 34 in the second embodiment may be replaced with the processing when defending the attack from the ATT UE 34 in the fourth embodiment.
- (Appendix 1) A monitoring device comprising: a signal monitor unit that estimates, according to the number of times an ATTACH process for registering information about a communication terminal communicating with a base station in a communication device arranged in a mobile network has been rejected, a specific base station that communicates with a communication terminal attacking the mobile network; and a base station control unit that causes the specific base station to determine, according to communication terminal identification information set in a signal transmitted from a subordinate communication terminal, whether or not to execute the ATTACH process for that subordinate communication terminal.
- (Appendix 2) The monitoring device according to Appendix 1, wherein the communication device refuses to register, in the communication device, information about a communication terminal that has set inappropriate communication terminal identification information.
- (Appendix 3) The monitoring device according to Appendix 1, wherein the communication device refuses to register information about the communication terminal in the communication device when the authentication information generated at the communication terminal and the authentication information generated within the mobile network do not match.
- (Appendix 4) The monitoring device according to any one of Appendices 1 to 3, wherein the signal monitor unit estimates the specific base station communicating with a communication terminal attacking the mobile network according to the number of messages, among the messages transmitted when rejecting the ATTACH process, in which a predetermined Cause value is set.
- (Appendix 5) The monitoring device according to any one of Appendices 1 to 4, wherein the base station control unit causes the specific base station to refuse the process of registering in the communication device information about a communication terminal that has transmitted a signal in which communication terminal identification information indicating a communication terminal communicating for the first time in the mobile network is set.
- (Appendix 6) The monitoring device according to any one of Appendices 1 to 4, wherein the base station control unit causes the specific base station to refuse the process of registering in the communication device information about a communication terminal that has transmitted a signal in which an IMSI included in a determination value having at least one value is set as the communication terminal identification information.
- (Appendix 7) The monitoring device according to any one of Appendices 1 to 6, wherein the base station control unit does not allow the specific base station to execute, for a predetermined period, the process of registering information about communication terminals under the specific base station in the communication device.
- (Appendix 8) The monitoring device according to Appendix 7, wherein the base station control unit stops radio transmission at the specific base station.
- (Appendix 9) The monitoring device according to any one of Appendices 1 to 8, further comprising a radio signal monitor unit that generates statistical data on the number of messages transmitted and received at the base station and, when a traffic trend differing from the traffic trend indicated by the statistical data is occurring, activates the signal monitor unit and the base station control unit.
- (Appendix 10) A base station comprising: a signal monitor unit that estimates, according to the number of times an ATTACH process for registering information about a communication terminal located in the communication area formed by the base station itself in a communication device arranged in a mobile network has been rejected, whether or not a communication terminal attacking the mobile network is present in the communication area; and a signal control unit that determines, according to communication terminal identification information set in a signal transmitted from a communication terminal located in the communication area, whether or not to execute the ATTACH process for that communication terminal.
Description
Embodiments of the present invention are described below with reference to the drawings. A configuration example of a communication system according to Embodiment 1 of the present invention is described using FIG. 1. The communication system of FIG. 1 has a monitoring device 10, a base station 20, a communication terminal 30, a communication device 40 and a subscriber data device 50. The monitoring device 10, base station 20, communication terminal 30, communication device 40 and subscriber data device 50 may be computer devices that operate by a processor executing a program stored in a memory.
Next, a configuration example of a mobile network according to Embodiment 2 of the present invention is described using FIG. 2. The mobile network of FIG. 2 is configured using node devices specified in 3GPP. The mobile network of FIG. 2 has UEs (User Equipment) 31 to 33, an ATT (ATTACKER) UE 34, an eNB 21, an eNB 22, an MME 41, an HSS 51, an SGW (Serving Gateway) 61, a PGW (Packet Data Network Gateway) 62 and a PCRF (Policy and Charging Rule Function) 63.
(1) The Initial Attach process is executed using, as the identification information of the ATT UE 34, an IMSI whose number of bits, number format or the like is inappropriate.
(2) An IMSI with a value that is not managed in any mobile network operated by a carrier is set as the identification information of the ATT UE 34, and the Initial Attach process is executed.
(3) The IMSI of another UE is set as the identification information of the ATT UE 34, and the Initial Attach process is executed while impersonating that other UE.
Next, the process of estimating the presence of the ATT UE 34 according to Embodiment 3 is described. Since the configuration of the eNB 21 according to Embodiment 3 is the same as in FIG. 8, a detailed description is omitted. In Embodiment 3, the NAS signal monitoring unit 73 monitors the number of ATTACH reject messages and the number of Authentication reject messages having a predetermined Cause value.
Next, the flow of processing when defending against an attack from the ATT UE 34, between the ATT UE 34 and the eNB 21, is described using FIG. 13. Since steps S111 to S113 are the same as steps S21 to S23 of FIG. 2, a detailed description is omitted.
Next, a configuration example of a mobile network different from FIGS. 2 and 11 is described using FIG. 14. The mobile network of FIG. 14 is the mobile network of FIG. 2 with a Security GW 81 and a monitoring device 91 added. The Security GW 81 is connected to the eNB 21 and the eNB 22. The monitoring device 91 relays communication between the Security GW 81 and the MME 41.
(Appendix 1)
A monitoring device comprising: a signal monitor unit that estimates, according to the number of times an ATTACH process for registering information about a communication terminal communicating with a base station in a communication device arranged in a mobile network has been rejected, a specific base station that communicates with a communication terminal attacking the mobile network; and
a base station control unit that causes the specific base station to determine, according to communication terminal identification information set in a signal transmitted from a subordinate communication terminal, whether or not to execute the ATTACH process for that subordinate communication terminal.
(Appendix 2)
The monitoring device according to Appendix 1, wherein the communication device refuses to register, in the communication device, information about a communication terminal that has set inappropriate communication terminal identification information.
(Appendix 3)
The monitoring device according to Appendix 1, wherein the communication device refuses to register information about the communication terminal in the communication device when the authentication information generated at the communication terminal and the authentication information generated within the mobile network do not match.
(Appendix 4)
The monitoring device according to any one of Appendices 1 to 3, wherein the signal monitor unit estimates the specific base station communicating with a communication terminal attacking the mobile network according to the number of messages, among the messages transmitted when rejecting the ATTACH process, in which a predetermined Cause value is set.
(Appendix 5)
The monitoring device according to any one of Appendices 1 to 4, wherein the base station control unit causes the specific base station to refuse the process of registering in the communication device information about a communication terminal that has transmitted a signal in which communication terminal identification information indicating a communication terminal communicating for the first time in the mobile network is set.
(Appendix 6)
The monitoring device according to any one of Appendices 1 to 4, wherein the base station control unit causes the specific base station to refuse the process of registering in the communication device information about a communication terminal that has transmitted a signal in which an IMSI included in a determination value having at least one value is set as the communication terminal identification information.
(Appendix 7)
The monitoring device according to any one of Appendices 1 to 6, wherein the base station control unit does not allow the specific base station to execute, for a predetermined period, the process of registering information about communication terminals under the specific base station in the communication device.
(Appendix 8)
The monitoring device according to Appendix 7, wherein the base station control unit stops radio transmission at the specific base station.
(Appendix 9)
The monitoring device according to any one of Appendices 1 to 8, further comprising a radio signal monitor unit that generates statistical data on the number of messages transmitted and received at the base station and, when a traffic trend differing from the traffic trend indicated by the statistical data is occurring, activates the signal monitor unit and the base station control unit.
(Appendix 10)
A base station comprising: a signal monitor unit that estimates, according to the number of times an ATTACH process for registering information about a communication terminal located in the communication area formed by the base station itself in a communication device arranged in a mobile network has been rejected, whether or not a communication terminal attacking the mobile network is present in the communication area; and
a signal control unit that determines, according to communication terminal identification information set in a signal transmitted from a communication terminal located in the communication area, whether or not to execute the ATTACH process for that communication terminal.
(Appendix 11)
A monitoring method comprising: estimating, according to the number of times an ATTACH process for registering information about a communication terminal communicating with a base station in a communication device arranged in a mobile network has been rejected, a specific base station that communicates with a communication terminal attacking the mobile network; and
causing the specific base station to determine, according to communication terminal identification information set in a signal transmitted from a subordinate communication terminal, whether or not to execute the ATTACH process for that subordinate communication terminal.
(Appendix 12)
A control method comprising: estimating, according to the number of times an ATTACH process for registering information about a communication terminal located in the communication area formed by a base station in a communication device arranged in a mobile network has been rejected, whether or not a communication terminal attacking the mobile network is present in the communication area; and
determining, according to communication terminal identification information set in a signal transmitted from a communication terminal located in the communication area, whether or not to execute the ATTACH process for that communication terminal.
(Appendix 13)
A program that causes a computer to execute: estimating, according to the number of times an ATTACH process for registering information about a communication terminal communicating with a base station in a communication device arranged in a mobile network has been rejected, a specific base station that communicates with a communication terminal attacking the mobile network; and
causing the specific base station to determine, according to communication terminal identification information set in a signal transmitted from a subordinate communication terminal, whether or not to execute the ATTACH process for that subordinate communication terminal.
(Appendix 14)
A program that causes a computer to execute: estimating, according to the number of times an ATTACH process for registering information about a communication terminal located in the communication area formed by a base station in a communication device arranged in a mobile network has been rejected, whether or not a communication terminal attacking the mobile network is present in the communication area; and
determining, according to communication terminal identification information set in a signal transmitted from a communication terminal located in the communication area, whether or not to execute the ATTACH process for that communication terminal.
11 signal monitor unit
12 base station control unit
20 base station
21 eNB
22 eNB
23 NB
24 NB
25 RNC
30 communication terminal
31 UE
32 UE
33 UE
34 ATT UE
40 communication device
41 MME
42 SGSN
43 GGSN
50 subscriber data device
51 HSS
61 SGW
62 PGW
63 PCRF
71 RRC signal monitor unit
72 NAS signal control unit
73 NAS signal monitor unit
74 signal control unit
81 Security GW
91 monitoring device
100 network management device
Claims (14)
- 1. A monitoring device comprising: signal monitor means for estimating, according to the number of times an ATTACH process for registering information about a communication terminal communicating with a base station in a communication device arranged in a mobile network has been rejected, a specific base station that communicates with a communication terminal attacking the mobile network; and base station control means for causing the specific base station to determine, according to communication terminal identification information set in a signal transmitted from a subordinate communication terminal, whether or not to execute the ATTACH process for that subordinate communication terminal.
- 2. The monitoring device according to claim 1, wherein the communication device refuses to register, in the communication device, information about a communication terminal that has set inappropriate communication terminal identification information.
- 3. The monitoring device according to claim 1, wherein the communication device refuses to register information about the communication terminal in the communication device when the authentication information generated at the communication terminal and the authentication information generated within the mobile network do not match.
- 4. The monitoring device according to any one of claims 1 to 3, wherein the signal monitor means estimates the specific base station communicating with a communication terminal attacking the mobile network according to the number of messages, among the messages transmitted when rejecting the ATTACH process, in which a predetermined Cause value is set.
- 5. The monitoring device according to any one of claims 1 to 4, wherein the base station control means causes the specific base station to refuse the process of registering in the communication device information about a communication terminal that has transmitted a signal in which communication terminal identification information indicating a communication terminal communicating for the first time in the mobile network is set.
- 6. The monitoring device according to any one of claims 1 to 4, wherein the base station control means causes the specific base station to refuse the process of registering in the communication device information about a communication terminal that has transmitted a signal in which an IMSI included in a determination value having at least one value is set as the communication terminal identification information.
- 7. The monitoring device according to any one of claims 1 to 6, wherein the base station control means does not allow the specific base station to execute, for a predetermined period, the process of registering information about communication terminals under the specific base station in the communication device.
- 8. The monitoring device according to claim 7, wherein the base station control means stops radio transmission at the specific base station.
- 9. The monitoring device according to any one of claims 1 to 8, further comprising radio signal monitor means for generating statistical data on the number of messages transmitted and received at the base station and, when a traffic trend differing from the traffic trend indicated by the statistical data is occurring, activating the signal monitor means and the base station control means.
- 10. A base station comprising: signal monitor means for estimating, according to the number of times an ATTACH process for registering information about a communication terminal located in the communication area formed by the base station itself in a communication device arranged in a mobile network has been rejected, whether or not a communication terminal attacking the mobile network is present in the communication area; and signal control means for determining, according to communication terminal identification information set in a signal transmitted from a communication terminal located in the communication area, whether or not to execute the ATTACH process for that communication terminal.
- 11. A monitoring method comprising: estimating, according to the number of times an ATTACH process for registering information about a communication terminal communicating with a base station in a communication device arranged in a mobile network has been rejected, a specific base station that communicates with a communication terminal attacking the mobile network; and causing the specific base station to determine, according to communication terminal identification information set in a signal transmitted from a subordinate communication terminal, whether or not to execute the ATTACH process for that subordinate communication terminal.
- 12. A control method comprising: estimating, according to the number of times an ATTACH process for registering information about a communication terminal located in the communication area formed by a base station in a communication device arranged in a mobile network has been rejected, whether or not a communication terminal attacking the mobile network is present in the communication area; and determining, according to communication terminal identification information set in a signal transmitted from a communication terminal located in the communication area, whether or not to execute the ATTACH process for that communication terminal.
- 13. A non-transitory computer-readable medium storing a program that causes a computer to execute: estimating, according to the number of times an ATTACH process for registering information about a communication terminal communicating with a base station in a communication device arranged in a mobile network has been rejected, a specific base station that communicates with a communication terminal attacking the mobile network; and causing the specific base station to determine, according to communication terminal identification information set in a signal transmitted from a subordinate communication terminal, whether or not to execute the ATTACH process for that subordinate communication terminal.
- 14. A non-transitory computer-readable medium storing a program that causes a computer to execute: estimating, according to the number of times an ATTACH process for registering information about a communication terminal located in the communication area formed by a base station in a communication device arranged in a mobile network has been rejected, whether or not a communication terminal attacking the mobile network is present in the communication area; and determining, according to communication terminal identification information set in a signal transmitted from a communication terminal located in the communication area, whether or not to execute the ATTACH process for that communication terminal.
Priority Applications (3)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
JP2017545076A JP6737283B2 (ja) | 2015-10-15 | 2016-07-04 | 監視装置、基地局、及び監視方法 |
US15/768,315 US11190541B2 (en) | 2015-10-15 | 2016-07-04 | Monitor device, base station, monitoring method, control method, and non-transitory computer readable medium |
US17/482,979 US20220014550A1 (en) | 2015-10-15 | 2021-09-23 | Monitor device, base station, monitoring method, control method, and non-transitory computer readable medium |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
JP2015-203626 | 2015-10-15 | ||
JP2015203626 | 2015-10-15 |
Related Child Applications (2)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US15/768,315 A-371-Of-International US11190541B2 (en) | 2015-10-15 | 2016-07-04 | Monitor device, base station, monitoring method, control method, and non-transitory computer readable medium |
US17/482,979 Continuation US20220014550A1 (en) | 2015-10-15 | 2021-09-23 | Monitor device, base station, monitoring method, control method, and non-transitory computer readable medium |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2017064824A1 true WO2017064824A1 (ja) | 2017-04-20 |
Family
ID=58517935
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/JP2016/003172 WO2017064824A1 (ja) | 2015-10-15 | 2016-07-04 | 監視装置、基地局、監視方法、制御方法、及び非一時的なコンピュータ可読媒体 |
Country Status (3)
Country | Link |
---|---|
US (2) | US11190541B2 (ja) |
JP (2) | JP6737283B2 (ja) |
WO (1) | WO2017064824A1 (ja) |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN109104335A (zh) * | 2018-08-27 | 2018-12-28 | 广东电网有限责任公司 | 一种工控设备网络攻击测试方法与系统 |
WO2021129803A1 (zh) * | 2019-12-26 | 2021-07-01 | 华为技术有限公司 | 一种信息处理方法及通信装置 |
Families Citing this family (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
EP3744058B1 (en) * | 2018-01-25 | 2023-09-06 | Telefonaktiebolaget Lm Ericsson (Publ) | Technique for enabling signaling message correlation |
US10681556B2 (en) * | 2018-08-13 | 2020-06-09 | T-Mobile Usa, Inc. | Mitigation of spoof communications within a telecommunications network |
JP7091472B2 (ja) * | 2018-11-28 | 2022-06-27 | 京セラ株式会社 | 通信機器、車両、及び方法 |
CN113811022B (zh) * | 2021-08-12 | 2024-03-12 | 天翼物联科技有限公司 | 异常终端拒绝方法、系统、装置及存储介质 |
Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP2004241842A (ja) * | 2003-02-03 | 2004-08-26 | Toshiba Corp | サービス提供装置、サービス送受信システム及びサービス提供プログラム |
WO2014049909A1 (ja) * | 2012-09-28 | 2014-04-03 | 日本電気株式会社 | 無線アクセスネットワーク装置、移動通信システム、通信方法、およびプログラムが格納された非一時的なコンピュータ可読媒体 |
Family Cites Families (10)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20020188868A1 (en) * | 2001-06-12 | 2002-12-12 | Budka Kenneth C. | Method for protecting use of resources in a network |
CN100413370C (zh) * | 2004-12-13 | 2008-08-20 | 上海贝尔阿尔卡特股份有限公司 | 传输多媒体广播/多播业务告知指示的方法和设备 |
CN103370899B (zh) | 2011-02-14 | 2016-09-28 | 瑞典爱立信有限公司 | 无线设备、注册服务器和无线设备预配置方法 |
US8897751B2 (en) | 2011-03-14 | 2014-11-25 | Alcatel Lucent | Prevention of eavesdropping type of attack in hybrid communication system |
US8955113B2 (en) * | 2011-09-28 | 2015-02-10 | Verizon Patent And Licensing Inc. | Responding to impermissible behavior of user devices |
US20150033335A1 (en) * | 2012-11-28 | 2015-01-29 | Verisign, Inc. | SYSTEMS AND METHODS TO DETECT AND RESPOND TO DISTRIBUTED DENIAL OF SERVICE (DDoS) ATTACKS |
US9654361B2 (en) * | 2014-05-13 | 2017-05-16 | Cisco Technology, Inc. | Dynamic collection of network metrics for predictive analytics |
US9900801B2 (en) * | 2014-08-08 | 2018-02-20 | Parallel Wireless, Inc. | Congestion and overload reduction |
WO2016020012A1 (en) * | 2014-08-08 | 2016-02-11 | Telefonaktiebolaget L M Ericsson (Publ) | Authentication procedure in a control node |
US10327137B2 (en) * | 2015-03-16 | 2019-06-18 | Mavenir Systems, Inc. | System and method for detecting malicious attacks in a telecommunication network |
2016
- 2016-07-04 WO PCT/JP2016/003172 patent/WO2017064824A1/ja active Application Filing
- 2016-07-04 JP JP2017545076A patent/JP6737283B2/ja active Active
- 2016-07-04 US US15/768,315 patent/US11190541B2/en active Active
2020
- 2020-07-10 JP JP2020119126A patent/JP2020174391A/ja active Pending
2021
- 2021-09-23 US US17/482,979 patent/US20220014550A1/en active Pending
Also Published As
Publication number | Publication date |
---|---|
JPWO2017064824A1 (ja) | 2018-08-02 |
US20180309783A1 (en) | 2018-10-25 |
US20220014550A1 (en) | 2022-01-13 |
JP6737283B2 (ja) | 2020-08-05 |
JP2020174391A (ja) | 2020-10-22 |
US11190541B2 (en) | 2021-11-30 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
JP6737283B2 (ja) | 監視装置、基地局、及び監視方法 | |
JP6564022B2 (ja) | 異種ネットワークに対して有効なユーザ機器識別情報 | |
BR112020002580A2 (pt) | dipositivo sem fio e entidade ou função de rede núcleo para prover controle de gap de serviço e métodos de operação relacionados | |
US10327137B2 (en) | System and method for detecting malicious attacks in a telecommunication network | |
CN102905266B (zh) | 一种实现移动设备附着的方法及装置 | |
CN107925954B (zh) | 用来支持实时业务定向网络的信令接口 | |
CN102917332B (zh) | 一种实现移动设备附着的方法及装置 | |
US11882445B2 (en) | Authentication system | |
EP3300417B1 (en) | Method, apparatus and system for detecting anomaly of terminal device | |
Xenakis et al. | An advanced persistent threat in 3G networks: Attacking the home network from roaming networks | |
US20170310761A1 (en) | First terminal apparatus, server apparatus, and control method | |
US11882105B2 (en) | Authentication system when authentication is not functioning | |
US20220038904A1 (en) | Wireless-network attack detection | |
US10492056B2 (en) | Enhanced mobile subscriber privacy in telecommunications networks | |
WO2017146076A1 (ja) | ゲートウェイ装置、通信方法、及び、非一時的なコンピュータ可読媒体 | |
JP2019114950A (ja) | Lte通信システム及び通信制御方法 | |
CN108702619A (zh) | 获取、发送用户设备标识的方法及设备 | |
JP6230130B2 (ja) | 通信端末、通信システム、通信方法及びプログラム |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 16855082; Country of ref document: EP; Kind code of ref document: A1 |
| ENP | Entry into the national phase | Ref document number: 2017545076; Country of ref document: JP; Kind code of ref document: A |
| WWE | Wipo information: entry into national phase | Ref document number: 15768315; Country of ref document: US |
| NENP | Non-entry into the national phase | Ref country code: DE |
| 122 | Ep: pct application non-entry in european phase | Ref document number: 16855082; Country of ref document: EP; Kind code of ref document: A1 |