WO2019223490A1 - Device monitoring and deregistration method and apparatus - Google Patents
Device monitoring and deregistration method and apparatus
- Publication number
- WO2019223490A1 (application PCT/CN2019/084382, CN2019084382W)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- data
- network element
- signaling plane
- terminal device
- monitoring
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/12—Detection or prevention of fraud
- H04W12/121—Wireless intrusion detection systems [WIDS]; Wireless intrusion prevention systems [WIPS]
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1416—Event detection, e.g. attack signature detection
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1441—Countermeasures against malicious traffic
- H04L63/1458—Denial of Service
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/12—Detection or prevention of fraud
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/12—Detection or prevention of fraud
- H04W12/121—Wireless intrusion detection systems [WIDS]; Wireless intrusion prevention systems [WIPS]
- H04W12/122—Counter-measures against attacks; Protection against rogue devices
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W24/00—Supervisory, monitoring or testing arrangements
- H04W24/08—Testing, supervising or monitoring using real traffic
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W60/00—Affiliation to network, e.g. registration; Terminating affiliation with the network, e.g. de-registration
- H04W60/06—De-registration or detaching
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L2463/00—Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00
- H04L2463/144—Detection or countermeasures against botnets
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1433—Vulnerability analysis
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/50—Network services
- H04L67/52—Network services specially adapted for the location of the user terminal
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/60—Context-dependent security
- H04W12/61—Time-dependent
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/60—Context-dependent security
- H04W12/63—Location-dependent; Proximity-dependent
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W4/00—Services specially adapted for wireless communication networks; Facilities therefor
- H04W4/70—Services for machine-to-machine communication [M2M] or machine type communication [MTC]
Definitions
- the present application relates to the field of communication technologies, and in particular, to a device monitoring and deregistering method and device.
- mMTC massive machine type communication
- the mMTC application scenario is mainly for devices connected through the Internet of Things (IoT).
- IoT devices such as automobiles, kitchen appliances, and industrial equipment.
- because the scale of IoT devices in the mMTC application scenario is huge and the locations of individual IoT devices are relatively scattered, it is difficult to perform unified management.
- if IoT devices are maliciously controlled, for example if a large number of IoT devices are maliciously controlled to initiate denial of service (DOS) attacks against a server, network security problems such as network paralysis may result. Therefore, the security of the current mMTC application scenario is low.
- the embodiments of the present application provide a device monitoring and deregistering method and device, which are used to improve the security of an mMTC application scenario.
- an embodiment of the present application provides a device monitoring method, which is applied to a device monitoring device.
- the device may be an application server or a core network element.
- the method includes: first, obtaining the data of the signaling plane exchanged between a terminal device and a core network element, and then determining, according to the attribute information of the data of the signaling plane, whether the terminal device is a device that initiates a denial of service (DOS) attack.
- the device monitoring device is able to obtain the data of the signaling plane exchanged between the core network element and the terminal device; after obtaining that data, it can analyze the attribute information of the data of the signaling plane to determine a device that may initiate a DOS attack and prevent the DOS attack in time, which can improve the security performance of the mMTC application scenario.
- the attribute information includes a quantity of data of the signaling plane and / or a length of data of the signaling plane.
- the device monitoring device can determine whether the terminal device is a device that initiates a DOS attack through various parameters, which can improve the flexibility of the device monitoring device.
- the attribute information includes a quantity of data of the signaling plane, and if the quantity of data of the signaling plane is greater than or equal to a threshold, it is determined that the terminal device is a device that initiates a DOS attack.
- the device monitoring device can determine whether the terminal device is a device that initiates a DOS attack through the relationship between the amount of data on the signaling plane and the threshold.
- the method is simple and can reduce the load on the device monitoring device.
- the attribute information includes a length of data of the signaling plane. If the length of the data of the signaling plane is greater than or equal to a preset length, it is determined that the terminal device is a device that initiates a DOS attack.
- the device monitoring device can determine whether the terminal device is a device that initiates a DOS attack through the relationship between the length of the data on the signaling plane and the preset length.
- the method is simple and can reduce the load on the device monitoring device.
- location information of the terminal device can also be obtained, and it is then determined, based on the location information and the attribute information of the data of the signaling plane, that the terminal device is a device that initiates a DOS attack.
- the device monitoring device may determine whether the terminal device is a device that initiates a DOS attack in combination with other information of the terminal device, such as the location information of the terminal device, which can improve the accuracy of the determination result and prevent misjudgment.
- after determining, according to the attribute information of the data of the signaling plane, that the terminal device is a device that initiates a DOS attack, the device monitoring device sends first instruction information to the core network element, where the first instruction information is used to instruct the core network element to initiate a de-registration process for the terminal device.
- the core network element may initiate a de-registration process for the terminal device, thereby preventing a DOS attack initiated by the terminal device and guaranteeing normal access for other terminal equipment.
- an embodiment of the present application provides a deregistration method applied to a core network element.
- the method includes: the core network element first obtains data of the signaling plane exchanged between M terminal devices and the core network element; then, if the received data of the signaling plane of each of N terminal devices among the M terminal devices includes data of a first type of signaling plane, the core network element performs deregistration processing on the N terminal devices, where M is a positive integer, N is an integer greater than or equal to 0, and M is greater than or equal to N.
- the core network element may deregister a terminal device that sends data of a specific type of signaling plane, and the specific type may be a type capable of causing a DOS attack, for example, the first type of data on the signaling plane.
- the data of the first type of signaling plane is data of a signaling plane whose quantity received in a unit time is greater than or equal to a threshold.
- the core network element may determine the first type according to data of a signaling plane sent by the M terminal devices, and the processing manner is flexible.
- after deregistering the N terminal devices of the M terminal devices, the core network element sends a first message to the application server, where the first message is used to indicate that deregistration processing has been performed on the N terminal devices.
- the core network element may send the processing result of the N terminal devices to the application server, so that the application server analyzes information of the terminal device that is likely to initiate a DOS attack according to the processing result.
- after sending the first message to the application server, the core network element receives second instruction information, where the second instruction information is used to instruct registration processing of N-K terminal devices, where K is an integer less than or equal to N.
- the application server may analyze the processing results of the core network element in combination with other information to determine whether the N terminal devices are devices that initiate a DOS attack. If not, the terminal devices that do not initiate a DOS attack are registered again, which improves the accuracy of the judgment.
- an embodiment of the present application provides a device monitoring method.
- the method is applied to an application server.
- the method includes: the application server receives, from a core network element, a first message indicating that the core network element has performed deregistration processing on N terminal devices, and then, based on the first message and the location information of the N terminal devices, determines that K terminal devices of the N terminal devices are devices that initiate a denial of service (DOS) attack, where N is a positive integer, K is an integer greater than or equal to 0, and K is less than or equal to N.
- the application server may combine other information, such as location information, to analyze the processing results of the core network element and determine whether the N terminal devices are devices that initiate a DOS attack, thereby improving the accuracy of judgment.
- the application server determines that the K terminal devices are devices that initiate a DOS attack.
- the application server may determine whether the terminal device is a device that initiates a DOS attack according to the probability that the terminal device is under a third-party attack, and the processing method is simple.
- N is greater than K.
- the application server may analyze the processing results of the core network element in combination with other information to determine that K terminal devices among the N terminal devices are not devices that initiate a DOS attack, and registration processing is then performed for the terminal devices that are not devices initiating a DOS attack, which can improve the accuracy of judgment.
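
The three method aspects above, combined into one flow as an added example (it is not code from the patent): the core network side flags devices by signaling-plane quantity per unit time and by message length, and the application server then uses location to confirm K of the N deregistered devices and return N-K for re-registration. All names, thresholds, sample messages and location probabilities are constructed assumptions.

```python
"""Added example: signaling-plane DOS screening, deregistration and review."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class SignalingMsg:
    ts: float        # receive time in seconds
    device_id: str   # hypothetical terminal identifier
    length: int      # message length in bytes


def peak_count(timestamps, unit_time):
    """Largest number of messages in any half-open window of unit_time seconds."""
    ts = sorted(timestamps)
    best = start = 0
    for end, t in enumerate(ts):
        while t - ts[start] >= unit_time:
            start += 1
        best = max(best, end - start + 1)
    return best


def screen(msgs, count_threshold, unit_time, preset_length):
    """Core-network side: map each device to deregister to the reasons it was flagged."""
    by_dev = defaultdict(list)
    for m in msgs:
        by_dev[m.device_id].append(m)
    flagged = {}
    for dev, items in by_dev.items():
        reasons = []
        # Quantity received in a unit time is greater than or equal to a threshold.
        if peak_count([m.ts for m in items], unit_time) >= count_threshold:
            reasons.append("quantity")
        # Length is greater than or equal to a preset length.
        if any(m.length >= preset_length for m in items):
            reasons.append("length")
        if reasons:
            flagged[dev] = reasons
    return flagged


def review(first_message, device_location, attack_probability, preset_probability):
    """Application-server side: split the N deregistered devices into
    K confirmed DOS sources and N-K devices to register again."""
    confirmed, reregister = [], []
    for dev in first_message:
        loc = device_location.get(dev)
        # Assumption: an unknown location is treated as maximum risk (fail closed).
        p = attack_probability.get(loc, 1.0)
        (confirmed if p > preset_probability else reregister).append(dev)
    return confirmed, reregister


def sample_msgs():
    """Constructed signaling-plane records; not taken from any real network."""
    msgs = [SignalingMsg(10.0 + 0.1 * i, "meter-17", 64) for i in range(8)]
    msgs += [SignalingMsg(20.0 + 0.1 * i, "gateway-02", 80) for i in range(6)]
    msgs += [SignalingMsg(5.0 + 10 * i, "sensor-05", 72) for i in range(4)]
    msgs.append(SignalingMsg(40.0, "cam-09", 2048))
    return msgs


def run_demo():
    flagged = screen(sample_msgs(), count_threshold=5, unit_time=1.0,
                     preset_length=1024)
    first_message = sorted(flagged)  # the N deregistered devices
    device_location = {"meter-17": "street-cabinet",
                       "gateway-02": "locked-plant-room"}  # cam-09 unknown
    attack_probability = {"street-cabinet": 0.6, "locked-plant-room": 0.05}
    confirmed, reregister = review(first_message, device_location,
                                   attack_probability, preset_probability=0.3)
    return flagged, confirmed, reregister


if __name__ == "__main__":
    flagged, confirmed, reregister = run_demo()
    print("deregistered (N):", flagged)
    print("confirmed DOS sources (K):", confirmed)
    print("register again (N-K):", reregister)
```

The bursty gateway is the case the location step exists for: it crosses the quantity threshold and is deregistered, but its low-risk location puts it in the N-K set that is registered again.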
- an embodiment of the present application provides a device monitoring device.
- the device may be an application server or a core network element, or may be a device in an application server or a core network element.
- the device may include an obtaining unit and a processing unit.
- An obtaining unit configured to obtain data on a signaling plane between a terminal device and a core network element
- a processing unit configured to determine whether the terminal device is a device that initiates a denial-of-service DOS attack according to attribute information of data of the signaling plane.
- the attribute information includes a quantity of data of the signaling plane and / or a length of data of the signaling plane.
- the attribute information includes a quantity of data of the signaling plane
- the processing unit is specifically configured to:
- the terminal device is a device that initiates a DOS attack.
- the attribute information includes a length of data of the signaling plane
- the processing unit is specifically configured to:
- the terminal device is a device that initiates a DOS attack.
- the obtaining unit is further configured to obtain location information of the terminal device
- the processing unit is specifically configured to:
- determine, according to the location information and the attribute information of the data of the signaling plane, that the terminal device is a device that initiates a DOS attack.
- the device further includes:
- the sending unit is configured to send first instruction information to the core network element, and the first instruction information is used to instruct the core network element to initiate a deregistration process for the terminal device.
- an embodiment of the present application provides a deregistration device.
- the device may be a core network element or a device in the core network element.
- the device may include an obtaining unit and a processing unit. These modules may execute the foregoing.
- An obtaining unit configured to obtain data of a signaling plane between M terminal devices and core network elements
- a processing unit configured to perform de-registration processing on N terminal devices among the M terminal devices, where the received data of the signaling plane of each of the N terminal devices includes a first type of data on the signaling plane.
- M is a positive integer
- N is an integer greater than or equal to 0, and M is greater than or equal to N.
- the data of the first type of signaling plane is data of a signaling plane whose quantity received in a unit time is greater than or equal to a threshold.
- the device further includes:
- the sending unit is configured to send a first message to the application server, where the first message is used to indicate that the N terminal devices have performed the deregistering process.
- the obtaining unit is further used for:
- Receive second instruction information where the second instruction information is used to instruct registration processing of N-K terminal devices, where K is an integer less than or equal to N.
- an embodiment of the present application provides a device monitoring device.
- the device may be an application server or a device in an application server.
- the device may include a receiving unit and a processing unit. These modules may perform any of the foregoing third aspects.
- a receiving unit configured to receive a first message from a core network element, where the first message is used to instruct the core network element to perform de-registration processing on N terminal devices;
- a processing unit configured to determine, based on the first message and the location information of the N terminal devices, that K terminal devices among the N terminal devices are devices that initiate a denial of service (DOS) attack, where N is a positive integer, K is an integer greater than or equal to 0, and K is less than or equal to N.
- the processing unit is specifically used for:
- the K terminal devices are located at a position where the probability of being attacked by a third party is greater than a preset probability, and it is determined that the K terminal devices are devices that initiate a DOS attack.
- N is greater than K
- the device further includes a sending unit, the sending unit is configured to:
- after determining that the K terminal devices are devices that initiate a DOS attack, send second instruction information to the core network element, where the second instruction information is used to instruct the core network element to initiate a registration process for N-K terminal devices.
- an embodiment of the present application provides a device monitoring apparatus, where the apparatus includes a processor, and is configured to implement the method described in the first aspect.
- the apparatus may further include a memory for storing program instructions and data.
- the memory is coupled to the processor, and the processor may call and execute program instructions stored in the memory to implement the method described in the first aspect.
- the apparatus may further include a communication interface for the apparatus to communicate with other devices.
- the other device is a core network element.
- the device includes:
- a communication interface for acquiring data on a signaling plane between a terminal device and a core network element
- Memory for storing program instructions
- a processor configured to determine whether the terminal device is a device that initiates a denial of service DOS attack according to the attribute information of the data of the signaling plane.
- the attribute information includes a quantity of data of the signaling plane and / or a length of data of the signaling plane.
- the attribute information includes a quantity of data of the signaling plane
- the processor is specifically configured to:
- the terminal device is a device that initiates a DOS attack.
- the attribute information includes a length of data of the signaling plane
- the processor is specifically configured to:
- the terminal device is a device that initiates a DOS attack.
- the communication interface is further configured to obtain location information of the terminal device
- the processor is specifically configured to:
- determine, according to the location information and the attribute information of the data of the signaling plane, that the terminal device is a device that initiates a DOS attack.
- the communication interface is further configured to send first instruction information to the core network element, and the first instruction information is used to instruct the core network element to initiate a de-registration process for the terminal device.
- An embodiment of the present application provides a de-registration device.
- the device includes a processor, and is configured to implement the method described in the second aspect.
- the apparatus may further include a memory for storing program instructions and data.
- the memory is coupled to the processor, and the processor may call and execute program instructions stored in the memory to implement the method described in the second aspect above.
- the apparatus may further include a communication interface for the apparatus to communicate with other devices.
- the other device is a terminal device.
- the device includes:
- a communication interface for acquiring data on a signaling plane between M terminal devices and core network elements
- Memory for storing program instructions
- a processor configured to perform de-registration processing on N terminal devices of the M terminal devices, where the received data of the signaling plane of each of the N terminal devices includes a first type of data on the signaling plane.
- M is a positive integer
- N is an integer greater than or equal to 0, and M is greater than or equal to N.
- the data of the first type of signaling plane is data of a signaling plane whose quantity received in a unit time is greater than or equal to a threshold.
- the communication interface is further configured to send a first message to the application server, where the first message is used to indicate that the N terminal devices have performed the deregistering process.
- the communication interface is further configured to receive second instruction information, where the second instruction information is used to instruct registration processing of N-K terminal devices, where K is an integer less than or equal to N.
- an embodiment of the present application provides a device monitoring apparatus.
- the apparatus includes a processor, and is configured to implement the method described in the third aspect.
- the apparatus may further include a memory for storing program instructions and data.
- the memory is coupled to the processor, and the processor may call and execute program instructions stored in the memory to implement the method described in the third aspect.
- the apparatus may further include a communication interface for the apparatus to communicate with other devices.
- the other device is a core network element.
- the device includes:
- a communication interface configured to receive a first message from a core network element, where the first message is used to instruct the core network element to perform de-registration processing on N terminal devices;
- Memory for storing program instructions
- a processor configured to determine, based on the first message and the location information of the N terminal devices, that K terminal devices among the N terminal devices are devices that initiate a denial of service (DOS) attack, where N is a positive integer, K is an integer greater than or equal to 0, and K is less than or equal to N.
- the processor is specifically used to:
- the K terminal devices are located at a position where the probability of being attacked by a third party is greater than a preset probability, and it is determined that the K terminal devices are devices that initiate a DOS attack.
- N is greater than K
- the communication interface is further configured to: after determining that the K terminal devices are devices that initiate a DOS attack, send second instruction information to the core network element, where the second instruction information is used to instruct the core network element to initiate a registration process for N-K terminal devices.
- an embodiment of the present application provides a computer-readable storage medium, where the computer-readable storage medium stores a computer program, where the computer program includes program instructions, and the program instructions, when executed by a computer, cause the computer to execute the method of any one of the first aspects.
- an embodiment of the present application provides a computer-readable storage medium, where the computer-readable storage medium stores a computer program, where the computer program includes program instructions, and the program instructions, when executed by a computer, cause the computer to execute the method of any one of the second aspects.
- an embodiment of the present application provides a computer-readable storage medium, where the computer-readable storage medium stores a computer program, where the computer program includes program instructions, and the program instructions, when executed by a computer, cause the computer to execute the method of any one of the third aspects.
- an embodiment of the present application provides a computer program product.
- the computer program product stores a computer program, where the computer program includes program instructions, and when the program instructions are executed by a computer, the computer executes the method of any one of the first aspects.
- an embodiment of the present application provides a computer program product.
- the computer program product stores a computer program, where the computer program includes program instructions, and when the program instructions are executed by a computer, the computer executes the method of any one of the second aspects.
- an embodiment of the present application provides a computer program product.
- the computer program product stores a computer program, where the computer program includes program instructions, and when the program instructions are executed by a computer, the computer executes the method of any one of the third aspects.
- the present application provides a chip system, which includes a processor and may further include a memory, for implementing the method described in the first aspect.
- the chip system can be composed of chips, and can also include chips and other discrete devices.
- the present application provides a chip system, which includes a processor and may further include a memory, for implementing the method described in the second aspect.
- the chip system can be composed of chips, and can also include chips and other discrete devices.
- the present application provides a chip system, which includes a processor and may further include a memory, for implementing the method described in the third aspect.
- the chip system can be composed of chips, and can also include chips and other discrete devices.
- the present application provides a system including the device described in the fifth aspect and the device described in the sixth aspect.
- the present application provides a system including the device according to the eighth aspect and the device according to the ninth aspect.
- FIG. 1 is a structural diagram of a communication system according to an embodiment of the present application.
- FIG. 2 is a flowchart of a device monitoring and deregistration method according to an embodiment of the present application
- FIG. 3 is a flowchart of another example of a device monitoring and deregistering method according to an embodiment of the present application.
- FIG. 4 is a flowchart of another example of a device monitoring and deregistering method according to an embodiment of the present application.
- FIGS. 5A-5B are schematic structural diagrams of a device monitoring device according to an embodiment of the present application.
- FIGS. 6A-6B are schematic structural diagrams of another device monitoring apparatus according to an embodiment of the present application.
- FIGS. 7A-7B are schematic structural diagrams of a deregistration device according to an embodiment of the present application.
- FIG. 8 is a schematic structural diagram of another device monitoring apparatus according to an embodiment of the present application.
- FIG. 9 is a schematic structural diagram of another device monitoring apparatus according to an embodiment of the present application.
- FIG. 10 is a schematic structural diagram of a deregistration device according to an embodiment of the present application.
- FIG. 11 is a schematic structural diagram of another device monitoring apparatus according to an embodiment of the present application.
- the technical solutions of the embodiments of the present application can be applied to various communication systems, for example, an open capability architecture of a 4th generation (4G) system, an NR system, an IoT system, and a next-generation mobile communication system.
- the communication system may also be applicable to future-oriented communication technologies.
- the system described in the embodiments of the present application is intended to illustrate the technical solutions of the embodiments of the present application more clearly, and does not constitute a limitation on the technical solutions provided by the embodiments of the present application. It is known to those skilled in the art that as the network architecture evolves, the technical solutions provided in the embodiments of the present application are also applicable to similar technical problems.
- FIG. 1 is a structural diagram of a communication system according to an embodiment of the present application.
- the technical solution in the embodiment of the present application is applicable to a scenario in which the terminal device is monitored and / or deregistered in the communication system.
- Network capability open function (NEF) network element is mainly used for interaction with third parties, such as Internet applications (over the top, OTT), so that third parties can indirectly interact with some network elements within the 3rd Generation Partnership Project (3GPP) network.
- NF storage function (NFRF) network element is used to support network function service registration, status monitoring, etc., to realize automatic management, selection and scalability of network function service.
- a policy control function (PCF) network element is used to store or generate rules related to session management, for example, quality of service (QoS) rules for a session, and provide the rules to the session management function (SMF) entity; it is also used to generate policy information related to mobility management and provide it to the access and mobility management function (AMF) entity.
- Unified data management (UDM) network element stores the contract information of the terminal equipment.
- An application function (AF) network element is used to interact with the PCF entity and provide the third-party service requirements to the PCF entity so that the PCF entity generates corresponding QoS rules according to the service requirements.
- An authentication service function (AUSF) network element is used to obtain a security authentication vector, which is used to perform security authentication between the terminal device and the network side.
- AMF network element is used for authentication of terminal equipment, terminal equipment mobility management, network slice selection, SMF entity selection and other functions; the AMF network element interacts with terminal equipment through N1 signaling and with the (radio) access network ((R)AN) through N2 signaling; it sends the routing information of the N1 session management (SM) messages corresponding to N1 signaling and the routing information of the N2 SM messages corresponding to N2 signaling to the SMF network element; and it maintains and manages the status information of the terminal equipment.
- Security anchor function (SEAF) network element used to initiate an authentication request to the AUSF entity to complete the authentication of the terminal device on the network side.
- SMF network element: used to manage all control plane functions of the terminal device, including UPF entity selection, Internet Protocol (IP) address allocation, session QoS attribute management, obtaining policy control and charging (PCC) rules from the policy control function (PCF) entity, and allocating session resources to the user plane.
- UPF User plane function
- PDU protocol data unit
- a data network (DN) entity is used to generate downlink data to be sent to the terminal device, and to receive uplink data sent by the terminal device.
- (R) AN is connected to the UPF network element through the user plane interface N3, and is used to transmit data of the terminal equipment; (R) AN network element establishes a control plane signaling connection with the AMF network element through the control plane interface N2.
- the (R) AN network element may be an access network using different access technologies, for example, 3GPP access technology or non-3rd generation partnership project (non-3GPP) access technology.
- the (R) AN network element can also be called an access network network element.
- a base station can be a gNB (gNodeB) in a new radio (NR) system or an evolved base station in a long term evolution (LTE) system; it can be a new air interface controller (NR controller), a centralized network element (centralized unit), a radio remote module, a micro controller, a distributed network unit, a transmission reception point (TRP) or a transmission point (TP), or a wireless controller in a cloud radio access network (CRAN) scenario; or the network device may be a relay station, an access point, an in-vehicle device, a wearable device, a network device in a future evolved public land mobile network (PLMN), or any other wireless interface device, but the embodiments of the present application are not limited to this.
- the access network element will allocate appropriate resources for the user plane transmission channel according to the QoS rules provided by the SMF entity.
- the terminal device may be a wireless terminal device or a wired terminal device.
- when the terminal device performs authentication with other network elements, such as the AMF entity and the AUSF entity, the long-term key and related functions stored in the terminal device are used to verify the authenticity of the network.
- a wireless terminal device may be a device that provides voice and / or data connectivity to a user, a handheld device with a wireless connection function, or other processing device connected to a wireless modem.
- a wireless terminal device may communicate with one or more core networks via (R) AN.
- the wireless terminal device may be a mobile terminal device, such as a mobile phone (or "cellular" phone) or a computer with a mobile terminal device; for example, it can be a portable, pocket, handheld, computer-built or vehicle-mounted mobile device that exchanges voice and / or data with a wireless access network.
- PCS personal communication service
- SIP session initiation protocol
- WLL wireless local loop
- PDA personal digital assistants
- the wireless terminal can also be called a system, a subscriber unit (SU), a subscriber station (SS), a mobile station (MB), a mobile station (mobile), a remote station (RS), an access point (AP), a remote terminal (RT), an access terminal (AT), a user terminal (UT), a user agent (UA), a user device (UD), or user equipment (UE).
- the terminal device may also be an IoT device, such as a home appliance, a car, or an industrial device connected through the Internet of Things.
- DOS attack: the attacker stops the target network from providing services or denies resource access in various ways. For example, the attacker controls a large number of terminal devices to send the same message to the same target network at the same time, causing network congestion; or the attacker controls a terminal device to repeatedly send aggressive repeated service requests or malformed attack data, causing a buffer overflow that paralyzes the target network.
- each network element shown in this article may be a physical concept, for example, it may be a single physical device, or at least two network elements may be integrated on the same physical device; or a network element can also be a logical concept, such as a software module or a network function corresponding to the services provided by each network element.
- the network function can be understood as a virtualization function under a virtualized implementation, or as a network function that provides a service under a service-based network, for example, a network function specifically used to allocate PDU session resources to the user plane, or a network function specifically used to provide a QoS policy to the terminal device, which is not specifically limited in this embodiment of the present application.
- Due to the huge scale of IoT devices in the mMTC application scenario, such as vehicles and road infrastructure in Internet of Vehicles (IoV) systems and the tens of millions of smart meters and smart water meters deployed in large cities, malicious control of IoT devices may cause network security issues such as network paralysis.
- the embodiments of the present application provide a method and a device for monitoring and deregistering equipment, so as to improve the security performance of the mMTC application scenario.
- FIG. 2 is a flowchart of a device monitoring and deregistering method according to an embodiment of the present application. The flowchart is described as follows:
- Step 201 The AF network element sends a monitoring request message to the NEF network element, and the NEF network element receives the monitoring request message.
- the monitoring request message is used to configure a monitoring event of a core network element on a terminal device
- the monitoring event includes monitoring of data on the signaling plane exchanged between the terminal device and the core network element. For example, it can monitor attribute information such as the quantity and type of the signaling-plane data exchanged between the terminal device and the core network element, it can monitor the frequency at which signaling-plane data is exchanged between the terminal device and the core network element, or it can of course monitor other parameters of that data, which is not limited here.
- in the following, the monitoring event being the monitoring of the attribute information of the signaling-plane data between the terminal device and the core network element is taken as an example.
- the core network element in the embodiment of the present application may be a single network element as shown in FIG. 1, for example, an AMF network element or another network element such as a UDM network element; or the core network element can be a combination of multiple network elements, for example, a combination of AMF network elements and UDM network elements, or a combination of AUSF network elements and AMF network elements; or the core network element can be the network element corresponding to a certain service, for example, a network element dedicated to managing data of the signaling plane of the terminal device, or a combination of network elements corresponding to multiple services, etc., which is not limited herein.
- in the following, the core network element being the AMF network element shown in FIG. 1 is taken as an example.
- the AMF network element may be one AMF network element among multiple AMF network elements interacting with the AF network element, or may be multiple AMF network elements that interact with the AF network element, which is not limited herein. In the following description, an AMF network element interacting with the AF network element is used as an example.
- the monitoring request message is introduced below.
- the Monitoring Request message may include at least one of the following parameters:
- Monitoring type: that is, attribute information of the signaling-plane data exchanged between a terminal device and a core network element;
- Monitoring duration: for example, 1 hour or 2 hours, that is, the core network element monitors the signaling-plane data of the terminal device for 1 hour or 2 hours after it receives the Monitoring Request message; or the monitoring duration can also be understood as a monitoring time period, that is, after receiving the Monitoring Request message, the core network element monitors the signaling-plane data of the terminal device during this monitoring time period. The monitoring time period may be set to a time period when the terminal equipment is relatively active, for example, 8 am to 6 pm, or it may be set according to the number of terminal devices that interact with the core network element; for example, the AF network element counts the number of terminal devices of the core network element between 12:00 and 14:00 every day, and the monitoring duration is then set from 12:00 to 14:00;
- Monitoring period: for example, one day, or a preset duration. For example, when the monitoring duration is 1 hour, the monitoring period can be set to 3 hours; the core network element then monitors the signaling-plane data of the terminal device for 1 hour every 3 hours;
- Monitoring object: such as an identifier of a terminal device, for example the UE_ID used when the terminal device is registered with a core network element;
- the Monitoring request message may include one or more of the above four parameters.
- for example, the Monitoring Request message includes only the monitoring type. In this case, the AF network element and the core network element can agree on the monitoring duration, monitoring period, and monitoring object in advance; or, after receiving the Monitoring Request message, the core network element starts monitoring the attribute information of the signaling-plane data of all terminal devices that interact with it, until the AF network element cancels the monitoring event.
- as another example, the Monitoring Request message may include the monitoring type, monitoring duration, and monitoring period, but not the monitoring object. In this case, the core network element monitors the signaling-plane data of all terminal devices that interact with it. The other combinations are not enumerated here one by one.
- the AF network element may set parameters in the Monitoring Request message according to actual conditions, and is not limited herein.
- the AF network element can send the Monitoring Request message to the NEF network element when it is necessary to monitor the terminal equipment, for example, to ensure the normal operation of the entire system, or when it is suspected that the entire system may have network security problems; the AF network element may also send the Monitoring Request message when the system is established, which is not limited herein.
- Step 202 The NEF network element stores the monitoring request message.
- After receiving the Monitoring Request message, the NEF network element decodes it to obtain its content. It should be noted that multiple AF network elements may interact with the NEF network element. Therefore, when the AF network element sends the Monitoring Request message to the NEF network element, the message may carry identification information of the AF network element, such as the ID of the AF network element. It can also carry the destination address of the interface through which the AF network element communicates with the NEF network element. For example, the T8 interface is the interface through which the AF network element and the NEF network element communicate directly, so the Monitoring Request message can also carry the destination address of the T8 interface.
- After the NEF network element decodes the Monitoring Request message, it stores the ID of the AF network element and / or the destination address of the T8 interface included in the Monitoring Request message. In this way, when the NEF network element receives feedback information from the AMF network element, it can send the feedback information accurately to the corresponding AF network element according to the ID of the AF network element and / or the destination address of the T8 interface.
- Step 203 The NEF network element sends the monitoring request information to the AMF network element, and the AMF network element receives the monitoring request message.
- the encoding method used by the AF network element to send the Monitoring Request message to the NEF network element may be different from the encoding method used for interaction between the NEF network element and the AMF network element. Therefore, after decoding the received Monitoring Request message, the NEF network element needs to re-encode its content using the encoding method used when interacting with the AMF network element, so that the Monitoring Request message is converted into a message that the AMF network element can recognize, and then sends the format-converted Monitoring Request message to the AMF network element. In this way, the computational complexity of the AMF network element can be reduced.
- if some monitoring events are pre-configured in the NEF network element and the AMF network element, for example, monitoring event 1 for monitoring the position of the terminal device, monitoring event 2 for monitoring the data on the signaling plane of the terminal device, and monitoring event 3 for monitoring user plane data of the terminal device, and, after receiving the Monitoring Request message, the NEF network element determines that the monitoring event corresponding to the Monitoring Request message is the same as a pre-configured monitoring event, for example, that the monitoring event in the Monitoring Request message obtained from the AF network element is the same as monitoring event 1 configured in the AMF network element, then the NEF network element can directly send the identification information of monitoring event 1 configured in the AMF network element to the AMF network element. For example, the identification information may be an index number or a number of monitoring event 1. This reduces the resources occupied by the NEF network element sending the Monitoring Request message to the AMF network element.
- the NEF network element may also send the Monitoring Request message to the AMF network element in other ways, which is not limited here.
- Step 204 The AMF network element configures a monitoring event.
- After receiving the Monitoring Request message, the AMF network element stores the content of the Monitoring Request message, and configures a monitoring event on the signaling-plane data of the terminal device according to the parameters in the Monitoring Request message.
- Step 205 The AMF network element sends a monitoring response message to the NEF network element, and the NEF network element receives the monitoring response message.
- When the AMF network element successfully configures the monitoring event, it sends a monitoring reply message to the NEF network element to confirm acceptance of the monitoring request. Of course, if the AMF network element fails to configure the monitoring event, the AMF network element also needs to send a monitoring reply message to the NEF network element to confirm that the monitoring request is not accepted. In the embodiment of the present application, the AMF network element successfully configuring the monitoring event is taken as an example.
- Step 206 The NEF network element sends the monitoring response message to the AF network element, and the AF network element receives the monitoring response message.
- After receiving the monitoring response message sent by the AMF network element, the NEF network element sends the monitoring response message to the AF network element that sent the Monitoring Request message, according to the stored AF network element ID and interface information.
- steps 201 to 206 are all optional steps, that is, steps that are not necessarily performed.
- Step 207 The terminal device sends data to the AMF network element through signaling, and the AMF receives data on the signaling plane.
- the data may be sent through a non-access stratum (NAS) message, or it may be sent through other messages, which is not limited herein.
- Step 208 The AMF network element sends the data on the signaling plane to the NEF network element, and the NEF network element receives the data on the signaling plane.
- if steps 201 to 206 are performed before step 208, then after the AMF network element receives the data sent by the terminal device on the signaling plane, it determines that the terminal device is a terminal device monitored by the AF network element, thereby determining that the monitoring event configured by the AF network element has occurred, and sends the received signaling-plane data to the NEF network element.
- a processing method for the signaling-plane data sent by the terminal device may be set in the AMF network element in advance, and the processing method may be that signaling-plane data sent by the terminal device, once detected, is sent to the AF network element, so that when the AMF network element receives signaling-plane data, it sends that data to the NEF network element.
- when the AMF network element needs to send the signaling-plane data of each terminal device that interacts with it to the NEF network element, the data sent to the NEF network element can carry the identification information of the terminal device, such as the UE_ID of the terminal device, so that each piece of signaling data is associated with its terminal device.
- Step 209 The NEF network element sends the data of the signaling plane to the AF network element, and the AF network element receives the data of the signaling plane.
- Step 210 The AF network element sends a confirmation message to the NEF network element, and the NEF network element receives the confirmation message.
- the confirmation message is used to notify the NEF network element to confirm receipt of data of the signaling plane.
- step 210 is an optional step, that is, it does not have to be performed.
- steps 207 to 210 may be performed multiple times.
- for example, if the monitoring event configured in the Monitoring Request message is to monitor the signaling-plane data that the terminal device exchanges with the AMF network element during the monitoring period, and the terminal device successively sends three pieces of signaling-plane data to the AMF network element, steps 207 to 210 need to be performed three times.
- the number of times of execution of steps 207 to 210 is not limited. In FIG. 2, step 207 to step 210 are performed twice as an example.
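The exchange in steps 201 to 210 can be sketched as a small simulation. This is an added example, not code from the patent: the class, field and function names are assumptions, the NEF's stored T8 destination is represented by a reference to the AF object, and the traffic is constructed. It shows the monitoring object filter, the "monitor for the duration once per period" window, and the NEF routing reports back by the stored AF ID.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class MonitoringRequest:
    """The four optional parameters of the Monitoring Request (field names assumed)."""
    af_id: str                               # AF identification carried with the request
    monitoring_type: str                     # e.g. attributes of signaling-plane data
    duration_s: Optional[int] = None         # None: monitor until the AF cancels
    period_s: Optional[int] = None           # None: a single monitoring window
    ue_ids: Optional[FrozenSet[str]] = None  # None: every terminal device at this AMF


class Af:
    def __init__(self, af_id: str):
        self.af_id = af_id
        self.reports: List[dict] = []

    def receive(self, report: dict) -> str:  # step 209, returns the step 210 confirmation
        self.reports.append(report)
        return "ack"


class Amf:
    def __init__(self) -> None:
        # AF ID -> (request, time the monitoring event was configured)
        self.events: Dict[str, Tuple[MonitoringRequest, int]] = {}

    def configure(self, req: MonitoringRequest, now: int) -> dict:  # steps 204-205
        self.events[req.af_id] = (req, now)
        return {"af_id": req.af_id, "accepted": True}

    @staticmethod
    def window_open(req: MonitoringRequest, started: int, now: int) -> bool:
        """True while the event is active: `duration_s` seconds out of every `period_s`."""
        elapsed = now - started
        if elapsed < 0:
            return False
        if req.duration_s is None:
            return True
        if req.period_s is None:
            return elapsed < req.duration_s
        return elapsed % req.period_s < req.duration_s

    def on_signaling(self, ue_id: str, data: bytes, now: int) -> List[dict]:  # steps 207-208
        reports = []
        for req, started in self.events.values():
            if req.ue_ids is not None and ue_id not in req.ue_ids:
                continue                      # terminal is not a monitoring object
            if not self.window_open(req, started, now):
                continue                      # outside the monitoring duration
            # The report carries the UE_ID so the AF can group data per terminal.
            reports.append({"af_id": req.af_id, "ue_id": ue_id,
                            "length": len(data), "data": data, "time": now})
        return reports


class Nef:
    def __init__(self, amf: Amf) -> None:
        self.amf = amf
        self.routes: Dict[str, Af] = {}       # stored AF ID -> where to send feedback

    def monitoring_request(self, af: Af, req: MonitoringRequest, now: int) -> dict:
        self.routes[req.af_id] = af           # step 202: remember who asked
        return self.amf.configure(req, now)   # steps 203-206: forward, relay the response

    def relay(self, reports: List[dict]) -> int:  # step 209
        for report in reports:
            self.routes[report["af_id"]].receive(report)
        return len(reports)


def run_demo() -> Tuple[List[dict], List[dict]]:
    amf = Amf()
    nef = Nef(amf)
    af_a, af_b = Af("af-a"), Af("af-b")
    # af-a: watch only ue-1, for 1 hour out of every 3 hours.
    nef.monitoring_request(af_a, MonitoringRequest(
        "af-a", "signaling-plane attributes", 3600, 10800, frozenset({"ue-1"})), now=0)
    # af-b: monitoring type only, so all terminals until cancelled.
    nef.monitoring_request(af_b, MonitoringRequest("af-b", "signaling-plane attributes"), now=0)
    # Constructed traffic: (UE_ID, signaling-plane data, arrival time in seconds).
    traffic = [("ue-1", b"x" * 40, 10), ("ue-2", b"x" * 40, 20),
               ("ue-1", b"x" * 40, 5000), ("ue-1", b"x" * 40, 10805)]
    for ue_id, data, t in traffic:
        nef.relay(amf.on_signaling(ue_id, data, t))
    return af_a.reports, af_b.reports
```
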
- Step 211 The AF network element determines that the terminal device is a device that initiates a DOS attack according to data on the signaling plane.
- in the following, the AF network element determining whether the terminal device is a device that initiates a DOS attack according to the amount of data on the signaling plane and / or the length of the data on the signaling plane is taken as an example.
- the specific implementations of step 211 include, but are not limited to, the following four determination manners. Each determination manner is described below.
- the first determination method is to determine whether the terminal device is a device that initiates a DOS attack according to the amount of data on the signaling plane.
- the specific implementation method is as follows:
- the AF network element may accumulate the signaling-plane data received for the terminal device. For example, after the AF network element receives the first piece of signaling-plane data of the terminal device, it determines the amount of that data; for example, if the data is a data packet, the AF network element determines the size of that data packet.
- the AF network element then determines the size of the data packet of the second piece of signaling-plane data received, and determines whether the sum of the sizes of the first and second data packets is greater than or equal to the threshold. If the sum of the sizes of the data packets is greater than or equal to the threshold, the AF network element determines that the terminal device is the device that initiated the DOS attack; if the AF network element determines that the sum of the sizes of the data packets of all signaling-plane data of the terminal device within the monitoring period is less than the threshold, the AF network element determines that the terminal device is not a device that initiates a DOS attack.
- the threshold is preset in the AF network element; for example, the threshold may be 10M or 20M, etc.
- if the Monitoring Request message monitors the signaling-plane data of all terminal devices that interact with the AMF network element during the monitoring period, then after receiving the signaling-plane data sent by the NEF network element, the AF network element first needs to classify the received data by terminal device, according to the terminal device identifier corresponding to each piece of signaling-plane data, and then apply the above judgment process to the amount of signaling-plane data of each terminal device, to determine whether any of the terminal devices that interact with the AMF network element is a device that initiates a DOS attack.
- after the AF network element receives the signaling-plane data sent by the NEF network element, the signaling-plane data sent by each terminal device is classified. For example, according to the purpose of the signaling-plane data, the data used to transmit video data is placed in one category, the data used to transmit voice data in another, and the data used to transmit text data in another; the AF network element then counts the amount of signaling-plane data in each category, for example, the size of the data packets in each category.
- when new signaling-plane data is added to a category, the AF network element judges the sum of the data packet sizes of that category again. If the sum of the packet sizes is greater than or equal to the threshold, the AF network element determines that the signaling-plane data of this category is data used to implement the DOS attack, and determines that the terminal devices that sent the signaling-plane data of this category are the devices that initiated the DOS attack.
- for example, the AF network element determines that the sum of the sizes of the data packets of the signaling-plane data used to transmit video data is greater than the threshold, and the terminal device identifiers in the signaling-plane data of this category are terminal device 1, terminal device 3 and terminal device 4, so the AF network element determines that terminal device 1, terminal device 3, and terminal device 4 are devices that initiate a DOS attack; if the AF network element determines that, within the monitoring period, the sum of the data packet sizes of every category of signaling-plane data is less than the threshold, the AF network element determines that there is no device that initiates a DOS attack among the terminal devices that interact with the AMF network element.
- the amount of data sent within a unit of time by a terminal device that initiates a DOS attack may not exceed the threshold.
- for example, the terminal device that initiates a DOS attack exploits a protocol vulnerability and repeatedly sends aggressive repeated service requests or malformed attack data that overflow the system cache of the AMF network element and crash the system, as in a ping of death; or it sends a series of incorrect intranet MAC addresses continuously at a certain frequency so that the real address cannot be saved in the router through updates. As a result, all data of the router can only be sent to the wrong MAC address, which causes normal terminal equipment or network elements in the communication system to fail to receive information, as in an ARP spoofing attack.
- the signaling-plane data issued by DOS attacks based on protocol vulnerabilities has certain characteristics. For example, the length of a single packet of a ping of death exceeds the packet length specified by the IP protocol specification, or the intranet MAC address in an ARP spoofing attack is incorrect. Therefore, the characteristics of the signaling-plane data of protocol-vulnerability attacks can be used to determine whether the terminal device is a device that initiates a DOS attack.
- in the following, the characteristic of the signaling-plane data issued by a DOS attack based on a protocol vulnerability being that the length of a single packet exceeds the packet length specified by the IP protocol specification is taken as an example.
- the second determination method in the embodiment of the present application is to determine whether the terminal device is a device that initiates a DOS attack according to the length of the data on the signaling plane.
- the specific implementation method is as follows:
- the AF network element needs to check each piece of signaling-plane data received from the terminal device. For example, after the AF network element receives the first piece of signaling-plane data of the terminal device, it determines the length of that data. For example, the signaling-plane data is a data packet.
- the AF network element determines the packet length of the first data packet; if it is less than the length preset in the AF network element, the AF network element determines whether the packet length of the second data packet received is greater than or equal to the preset length, and so on. The preset length may be, for example, the length corresponding to the maximum transmission unit of signaling-plane data allowed by the data link layer protocol applied by the terminal device, or another length. If the AF network element determines that the packet length of the fourth data packet of the terminal device is greater than the preset length, the AF network element determines that the terminal device is the device that initiated the DOS attack. If the packet lengths of all signaling-plane data packets of the terminal device within the monitoring period are less than the preset length, the AF network element determines that the terminal device is not a device that initiates a DOS attack.
- the preset length may be a
- if the Monitoring Request message monitors the signaling-plane data of all terminal devices that interact with the AMF network element during the monitoring period, then after receiving the signaling-plane data sent by the NEF network element, the AF network element first needs to classify the received data by terminal device, according to the terminal device identifier corresponding to each piece of signaling-plane data, and then apply the above judgment process to the length of the signaling-plane data of each terminal device, to determine whether any of the terminal devices that interact with the AMF network element is a device that initiates a DOS attack.
- when the AF network element determines that the DOS attack is an attack based on a protocol vulnerability, it can process the DOS attack in a timely manner without repairing the protocol vulnerability. Further, this can reduce the number of times that the core network element repairs protocol vulnerabilities and reduce the load on the core network element.
- the third determination method is to determine whether the terminal device is a device that initiates a DOS attack according to the amount of data on the signaling plane and the length of the data on the signaling plane, that is, when the Monitoring Request message monitors a certain terminal
- the AF network element needs to judge the quantity and length of the data of the signaling plane of each terminal device separately. If the amount of data is less than the threshold and the length of the data of each signaling plane of the terminal device during the monitoring period is less than the preset length, it is determined that the terminal device is not a device that sends a DOS attack.
- the method for determining the amount of signaling-plane data is the same as in the first determination method, and the method for determining the length of each piece of signaling-plane data is the same as in the second determination method; neither is repeated here.
- a fourth determination method is provided in the embodiment of the present application, and the specific implementation manner is as follows:
- when the AMF network element sends the signaling-plane data of the terminal device to the NEF network element in step 208, the data can also carry the position information of the terminal device, so that the AF network element obtains both the signaling-plane data and the location information of the terminal device through step 209. Therefore, the AF network element can determine whether the terminal device is a device that initiates a DOS attack according to the signaling-plane data of the terminal device and the location information of the terminal device.
- the AF network element may use one of the first to third determination methods to determine whether the amount and / or the length of the signaling-plane data meets the conditions for initiating a DOS attack, for example, whether the amount of signaling-plane data is greater than or equal to the threshold, and / or whether the length of the signaling-plane data is greater than or equal to the preset length. Further, the AF network element needs to determine, according to the location information of the terminal device, whether the terminal device is located in a location where it can easily be controlled by a third party. For example, the location may be a desert environment, a residential area or a business area.
- the correspondence relationship between the location and the degree of difficulty controlled by a third party may be stored in advance.
- the correspondence relationship may be: if the location information of the terminal device indicates that the terminal device is located in a desert environment, the AF network element considers the terminal device It is not easy to be controlled by a third party. If the location information of the terminal device indicates that the terminal device is located in a business district, the AF network element considers that the terminal device is easy to be controlled by a third party.
- other corresponding relationships can also be set in the AF network element. Not one by one.
- the AF network element determines whether the quantity and / or length of the data on the signaling plane of the terminal device meets the conditions for initiating a DOS attack, and the AF network element determines the position Corresponding to the degree of ease, if it is determined that the terminal device is located in a position that can be easily controlled by a third party, the AF network element determines that the terminal device is a device that initiates a DOS attack; when the AF network element determines the amount of data on the signaling plane of the terminal device And / or the length satisfies the conditions for initiating a DOS attack, but the terminal device is located in a location that cannot be easily controlled by a third party, the AF network element determines that the terminal device is not a device that initiates a DOS attack.
- the AF network element can determine whether the terminal device is a device that initiates a DOS attack in conjunction with other information of the terminal device, which can improve the accuracy of the determination result and prevent misjudgment.
- The AF network element may also obtain the other information by sending a request message to the AMF network element. For example, the confirmation message in step 210 may carry a request for acquiring the other information, such as request information for obtaining the location information of the terminal device; the NEF network element then sends the confirmation message to the AMF network element, and before step 211 the AF network element obtains the location information of the terminal device sent by the AMF network element. Alternatively, the confirmation message of step 210 may itself be a request message for acquiring the other information, and the request message may be used to indicate that the AF network element has received the data of the signaling plane of the terminal device sent by the AMF network element. Alternatively, after step 210, the AF network element sends a request message to the NEF network element to obtain the other information, the NEF network element forwards the request message to the AMF network element, and after receiving the request message, the AMF network element feeds back the other information to the AF network element.
- the manner in which the AF network element obtains the other information is not limited in the embodiments of the present application.
- the AF network element may also determine whether the terminal device is a device that initiates a DOS attack in conjunction with the signaling plane data of the terminal device, and details are not described herein again.
- Step 212 The AF network element sends the first instruction information to the NEF network element, and the NEF network element receives the first instruction information.
- the first indication information is used to instruct the AMF network element to initiate a deregistration process for the terminal device.
- When the AF network element determines that the terminal device is a device that initiates a DOS attack, it sends an instruction to the NEF network element to deregister the terminal device. It should be noted that the first instruction information may also be used to instruct other operations that can stop a DOS attack, such as stopping receiving data of the signaling plane sent by the terminal device or stopping providing network services for the terminal device, which is not limited in this embodiment of the present application.
- The terminal device can thus be prevented from launching a DOS attack in time, and other terminal devices can normally access the network.
- Step 211 and step 212 can be combined into one step. That is, the AF network element determines that the terminal device meets the conditions for initiating a DOS attack according to the four determination methods in step 211, and the AF network element then executes step 212.
- Determining in step 211 that the terminal device is a device that initiates a DOS attack can be understood as a specific action. For example, determining that the terminal device is a device that initiates a DOS attack is step 212.
- Step 211 and step 212 are taken as two different steps as an example.
- Step 213 The NEF network element sends the first instruction information to the AMF network element, and the AMF network element receives the first instruction information.
- Step 214 The AMF network element sends a deregistration message to the terminal device according to the first instruction information, and the terminal device receives the deregistration message.
- the deregistration message is a Deregistration Request message.
- The Deregistration Request message sent by the AMF network element to the terminal device may include a deregistration type, and the deregistration type may include re-registration. In this way, after the terminal device returns to normal, the terminal device can initiate the registration process again.
- Step 215 The AMF network element sends a feedback message to the AF network element, and the AF network element receives the feedback message.
- After the AMF network element sends a deregistration message to the terminal device, it can send a feedback message to the AF network element to confirm that the terminal device has performed a deregistration operation.
- the feedback message could be:
- Step 216 The AMF network element initiates deletion of a PDU session established for the terminal device and a QoS policy for the terminal device.
- Step 217 The AMF network element releases the RRC connection with the terminal device.
- After receiving the Registration Request message, the terminal device sends a Registration Accept message to the AMF network element, and then the AMF network element and the RAN release the RRC connection with the terminal device to complete the deregistration process for the terminal device.
- Step 218 The AF network element processes the information of the terminal device.
- After the AF network element obtains the information of the terminal device, it can generate prompt information to prompt the administrator to check and repair the terminal device. If the AF network element determines that there are multiple terminal devices that initiate the DOS attack, the AF network element can also analyze the location information of the multiple terminal devices to determine the area involved in the DOS attack, so that terminal devices located in the area can be defended in advance. Of course, the AF network element can also perform other processing, and no further examples are given here.
- The execution order of step 218 and steps 212 to 217 is not limited: step 218 may be performed first and then steps 212 to 217, or steps 212 to 217 may be performed first and then step 218, or steps 212 to 217 and step 218 may be performed simultaneously.
- steps 212 to 218 are optional steps, that is, they do not have to be performed.
- The AF network element has the ability to acquire the data of the signaling plane that the terminal device exchanges with the AMF network element, so that after acquiring the data of the signaling plane it can analyze that data to determine the device that may launch a DOS attack and prevent the DOS attack in time, which can improve the security performance of the mMTC application scenario.
- The above describes the process in which the AF network element prevents the DOS attack by using the data of the signaling plane of the terminal device.
- Sending the data of the signaling plane of the terminal device from the core network element to the AF network element occupies resources. Therefore, in order to save resources and simplify the computational complexity of the AF network element, in another way, the core network element can also prevent DOS attacks.
- FIG. 3 is a flowchart of another example of a device monitoring and deregistration method according to an embodiment of the present application. The following takes application of this example to the communication system shown in FIG. 1 as an example:
- Step 301 The AF network element sends an instruction message to the NEF network element, and the NEF network element receives the instruction message.
- The indication information is used to instruct the AMF network element to monitor the data on the signaling plane of the terminal device. The indication information may instruct the AMF network element to monitor attribute information, such as the quantity, type, and packet length, of the signaling plane data exchanged with the terminal device; it may also instruct the AMF network element to monitor the frequency of the signaling plane data exchanged with the terminal device; of course, it may also instruct the AMF network element to monitor other parameters of the signaling data exchanged between the terminal device and the AMF network element, which is not limited here.
- The following takes as an example indication information that instructs the AMF network element to monitor the attribute information of the signaling plane data that the terminal device exchanges with the core network element.
- Step 302 The NEF network element sends the instruction message to the AMF network element, and the AMF network element receives the instruction message.
- Step 303 The AMF network element sends a confirmation message to the NEF network element, and the NEF network element receives the confirmation message.
- The confirmation message is used to indicate that the AMF network element has received the instruction message.
- Step 304 The NEF network element sends the confirmation message to the AF network element, and the AF network element receives the confirmation message.
- steps 301 to 304 are optional steps, that is, they do not have to be performed.
- The instruction information in step 301 may also be the monitoring request message in step 201. If the instruction information in step 301 is the monitoring request message in step 201, steps 301 to 304 may be replaced with steps 201 to 206, and details are not repeated here.
- Step 305 The terminal device sends data to the AMF network element through signaling, and the AMF receives data on the signaling plane.
- Step 305 is the same as step 207, and details are not described herein again.
- Step 306 The AMF network element determines that the terminal device is a device that initiates a DOS attack according to data on the signaling plane.
- Step 306 is the same as step 211, and details are not described herein again.
- Step 307 The AMF network element sends a deregistration message to the terminal device, and the terminal device receives the deregistration message.
- When the AMF network element determines that the terminal device is a device that initiates a DOS attack, the AMF network element initiates a de-registration process for the terminal device. The specific implementation method is the same as that in step 214, and details are not described herein again.
- step 306 and step 307 can be combined into one step. That is, the AMF network element determines that the terminal device meets the conditions for initiating a DOS attack according to step 306, and then the AMF network element executes step 307.
- Determining the terminal device as a device that initiates a DOS attack in step 307 can be understood as a specific action. For example, determining the terminal device as a device that initiates a DOS attack is step 307.
- step 306 and step 307 are taken as two different steps as an example.
- Step 308 The AMF network element initiates deletion of a PDU session established for the terminal device and a QoS policy for the terminal device.
- Step 309 The AMF network element releases the RRC connection with the terminal device.
- Step 307 is the same as step 214, and steps 308 to 309 are the same as steps 216 to 217, and details are not described herein again.
- Step 310 The AMF network element processes the information of the terminal device.
- After the AMF network element determines that the terminal device is a device that initiates a DOS attack, the AMF network element can also obtain information about the terminal device, such as the terminal device's identity and the data on the signaling plane sent by the terminal device. The AMF network element can analyze the area where the DOS attack is initiated according to the information of the terminal device, so that the terminal devices in the area can be defended in advance.
- The AMF network element may also send the related information of the terminal device to the AF network element, so that the AF network element analyzes the area where the DOS attack is initiated based on the related information of the terminal device, which can simplify the computational complexity of the AMF network element. Alternatively, the AMF network element can send the AF network element the processing result obtained after processing the related information of the terminal device, which can save signaling overhead between the AMF network element and the AF network element.
- steps 307 to 310 are optional steps, that is, they do not have to be performed.
- The execution order of steps 307 to 310 is not limited, that is, step 310 can be executed first and then steps 307 to 309, or steps 307 to 310 can be executed sequentially, or steps 307 to 310 can be executed simultaneously.
- The AMF network element has the ability to analyze the data on the signaling plane of the terminal device, so that after obtaining the data on the signaling plane it can determine, by analyzing that data, the device that may initiate a DOS attack and prevent the DOS attack in time, which can improve the security performance of the mMTC application scenario.
- The above respectively describes the process of preventing a DOS attack through an AF network element and through an AMF network element.
- The AF network element and the AMF network element can also be used together to stop DOS attacks.
- FIG. 4 is a flowchart of another example of a device monitoring and deregistering method according to an embodiment of the present application. The following takes application of this example to the communication system shown in FIG. 1 as an example:
- Step 401 The AF network element sends a monitoring request message to the NEF network element, and the NEF network element receives the monitoring request message.
- The monitoring request message is used to configure a monitoring event of the core network element on the terminal device, and the monitoring event is used to monitor the processing result of the core network element on the terminal device.
- For example, the processing result may be that the core network element performs de-registration processing on the terminal device, or that the core network element stops receiving data of the signaling plane sent by the terminal device.
- The processing result may also be other processing of the terminal device by the core network element, which is not limited here.
- The following takes as an example a monitoring event that monitors the processing result of whether the core network element performs de-registration processing on the terminal device.
- this AMF network element is taken as an example of one of the AMF network elements that interacts with the AF network element.
- the monitoring request message is introduced below.
- The monitoring request message may be a Monitoring Request message, and the Monitoring Request message may include the following parameters:
- Parameters (1) to (3) are the same as the corresponding content in step 201, and are not repeated here.
- Monitoring parameters, which are data on the signaling plane exchanged between the terminal device and the core network element.
- The monitoring parameters are attribute information of the signaling plane data exchanged between the terminal device and the core network element. The attribute information may be, for example, the quantity, type, and packet length of the signaling plane data exchanged between the terminal device and the core network element, and of course, it may also be other attribute information, which is not limited herein.
- The following takes as an example monitoring parameters that are the quantity, type, and packet length of data on the signaling plane between the terminal device and the core network element.
- The processing method for monitoring parameters meeting preset conditions may be to perform de-registration processing on a terminal device whose amount of signaling plane data exchanged with the core network element in a unit time exceeds a threshold.
- The unit time may be 1 min or 10 s.
- The processing method for monitoring parameters that meet the preset conditions may also be de-registration processing for a terminal device that sends data of a specific type of signaling plane.
- The specific type may be preset by the AF network element; for example, it may be data of a signaling plane for requesting video data. Alternatively, the specific type may be derived by the core network element from statistics on the quantity of the exchanged signaling plane data, the specific type being a type of signaling plane data whose quantity received in a unit time is greater than or equal to a threshold. For example, if the core network element determines that, among all terminal devices that interact with the core network element in the unit time, the data of the signaling plane used to request voice data exceeds the threshold, the core network element determines that the specific type is data of the signaling plane used to request voice data. Of course, the processing method for monitoring parameters meeting preset conditions may also cover other cases, which is not limited here.
- Monitoring type, which is the processing result of whether the core network element has performed de-registration processing on the terminal device.
- The parameters in the Monitoring Request message include at least the monitoring type, and the AF network element may set the parameters in the Monitoring Request message according to actual conditions, which is not limited herein.
- The timing at which the AF network element sends the Monitoring Request message is the same as that in step 201, and is not limited herein.
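The "specific type" parameter described above can either be preset or derived from traffic statistics. The following Python sketch is an added example, not part of the patent text, showing both variants over constructed records; the type labels, the threshold value, the fixed-bucket windowing and the function names are assumptions made for illustration.

```python
"""Derive the 'specific type' from per-window statistics, then list affected devices."""
from collections import Counter, defaultdict

UNIT_TIME_S = 60      # unit time; the page gives 1 min or 10 s as examples
TYPE_THRESHOLD = 8    # constructed value; the page does not fix one


def specific_types(records, unit_time=UNIT_TIME_S, threshold=TYPE_THRESHOLD):
    """Return {window: {msg_type: {device_id: count}}} for every type whose
    total count across all devices in that window is >= threshold.

    records: list of (ts_seconds, device_id, msg_type) tuples.
    Windows are fixed buckets [k*unit_time, (k+1)*unit_time); that bucketing
    is a choice made for this example, not something the page specifies.
    """
    per_window = defaultdict(lambda: defaultdict(Counter))
    for ts, device_id, msg_type in records:
        per_window[int(ts // unit_time)][msg_type][device_id] += 1

    result = {}
    for window, by_type in per_window.items():
        flagged = {
            msg_type: dict(devices)
            for msg_type, devices in by_type.items()
            if sum(devices.values()) >= threshold
        }
        if flagged:
            result[window] = flagged
    return result


def devices_to_deregister(records, preset_type=None, **kw):
    """Device ids selected by the 'specific type' monitoring event.

    preset_type given  -> the type was preset by the AF network element.
    preset_type absent -> the type is derived from statistics per window.
    """
    if preset_type is not None:
        return {dev for _, dev, t in records if t == preset_type}
    selected = set()
    for by_type in specific_types(records, **kw).values():
        for devices in by_type.values():
            selected.update(devices)
    return selected


# Constructed sample: (timestamp in seconds, device id, signaling type label).
SAMPLE = (
    [(float(i), "dev-a", "voice_request") for i in range(6)]        # 6 in window 0
    + [(10.0 + i, "dev-b", "voice_request") for i in range(3)]      # 3 in window 0
    + [(30.0, "dev-c", "voice_request")]                            # 1 in window 0
    + [(40.0, "dev-c", "video_request"), (41.0, "dev-d", "video_request")]
    + [(70.0 + i, "dev-e", "voice_request") for i in range(3)]      # window 1 only
)

if __name__ == "__main__":
    for window, by_type in specific_types(SAMPLE).items():
        for msg_type, devices in by_type.items():
            print(f"window {window}: specific type {msg_type!r} -> {devices}")
    print("deregister:", sorted(devices_to_deregister(SAMPLE)))
```

In the sample, `dev-c` contributes a single message of the derived type and is still selected, which is the kind of case the later AF-side review in FIG. 4 exists to sort out.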
- Step 402 The NEF network element stores the monitoring request message.
- Step 403 The NEF network element sends the monitoring request information to the AMF network element, and the AMF network element receives the monitoring request message.
- Step 404 The AMF network element configures a monitoring event.
- The AMF network element can deregister the terminal devices that meet the conditions, for example by performing de-registration processing on a terminal device whose amount of signaling plane data exchanged with the core network element in a unit time exceeds the threshold, or on terminal devices that send data of a specific type of signaling plane. This can prevent DOS attacks initiated by terminal devices in time, so that the network of the communication system will not be congested and other terminal devices can access the network normally.
- Step 405 The AMF network element sends a monitoring response message to the NEF network element, and the NEF receives the monitoring response message.
- Step 406 The NEF network element sends the monitoring response message to the AF network element, and the AF network element receives the monitoring response message.
- steps 401 to 406 are optional steps, that is, they do not have to be performed.
- Step 407 The terminal device sends data to the AMF network element through signaling, and the AMF receives data on the signaling plane.
- Steps 402 to 407 are the same as steps 202 to 207, and details are not described herein again.
- Step 407 may be performed multiple times.
- For example, if the monitoring event configured in the Monitoring Request message monitors the processing result of the AMF network element on the terminal device during the monitoring period, and the terminal device sends three pieces of signaling plane data in succession to the AMF network element during the monitoring period, step 407 needs to be performed three times.
- The number of execution times of step 407 is not limited. In FIG. 4, step 407 is performed twice as an example.
- Step 408 The AMF network element sends a deregistration message to the terminal device according to the data of the signaling plane sent by the terminal device, and the terminal device receives the deregistration message.
- If steps 401 to 406 are performed before step 408, then when the AMF network element receives the signaling plane data sent by the terminal device, it performs de-registration processing on the terminal device that meets the conditions according to the configured monitoring event.
- If steps 401 to 406 are not performed before step 408, a processing method for the terminal device that sends data of the signaling plane may be set in the AMF network element in advance. The processing method may be to deregister a terminal device whose amount of signaling plane data exchanged with the core network element within a unit time exceeds a threshold, or to deregister a terminal device that sends data of a specific type of signaling plane. Of course, other processing methods may also be used, so that when the AMF network element receives the data on the signaling plane, it processes the terminal device that sent the data according to the preset processing method.
- The following takes as an example the case in which the AF network element configures a monitoring event for the AMF network element, and describes the monitoring event in five cases.
- The AMF network element uses the first example of the first determination method in step 211 to determine whether the amount of data on the signaling plane sent by the terminal device exceeds a threshold, which may be preset by the AF network element; for example, the threshold may be 10M or 20M. If the threshold is exceeded, the AMF network element sends a deregistration message to the terminal device.
- The AMF network element only needs to perform the above processing on the data of the signaling plane of that terminal device. If the monitoring object of the monitoring event is all terminal devices that interact with the AMF network element, the AMF network element needs to determine whether the data on the signaling plane sent by each terminal device exceeds the threshold. For example, if the AMF network element determines that the data on the signaling plane sent by N terminal devices exceeds the threshold, the AMF network element needs to send a deregistration message to each of the N terminal devices, and details are not described herein again.
- After the AMF network element receives the data on the signaling plane sent by the terminal device, it determines whether the type of the data on the signaling plane is the specific type. If yes, the AMF network element sends a deregistration message to the terminal device, and details are not described herein again.
- When the monitoring event is deregistering a terminal device that sends data of a specific type of signaling plane, and the specific type is determined by the AMF network element according to the type of data of the signaling plane actually received, the AMF network element uses the second example in the first determination method in step 211 to determine the type of the data of the signaling plane sent by N terminal devices among the multiple terminal devices that interact with the AMF network element, so that the registration messages are sent to the N terminal devices, and details are not described herein again.
- The monitoring object of the monitoring event is all terminal devices that interact with the AMF network element. The AMF network element uses the second determination method in step 211 to determine that the length of the data of the signaling plane sent by N terminal devices among the multiple terminal devices that interact with the AMF network element is greater than a preset length. The preset length may be the length corresponding to the maximum transmission unit of messages allowed to be transmitted in a data link layer protocol that can be applied to the terminal device, or may be another length. A registration message is then sent to the N terminal devices, and details are not described herein again.
- The monitoring event is de-registration processing of a terminal device whose amount of signaling plane data exchanged with the core network element in a unit time exceeds a threshold and whose signaling plane data length is greater than a preset length. The AMF network element uses the third determination method in step 211 to determine to send a de-registration message to N terminal devices among the plurality of terminal devices that interact with the AMF network element, and details are not described herein again.
- The following takes as an example the case in which the AMF network element sends deregistration messages to N terminal devices. It should be noted that, in the embodiment of the present application, the deregistration message is the same as the deregistration message in step 214, and details are not described herein again.
- Step 409 The AMF network element initiates deletion of a PDU session established for the terminal device and a QoS policy for the terminal device.
- Step 410 The AMF network element releases the RRC connection with the terminal device.
- Steps 409 to 410 are the same as steps 216 to 217, and details are not described herein again.
- Step 411 The AMF network element sends a first message to the AF, and the AF network element receives the first message.
- the first message is used to indicate that the N terminal devices have performed the deregistration process, that is, the AMF network element sends the processing result of the terminal device to the AF network element.
- Step 412 The AF network element determines that K terminal devices among the N terminal devices are devices that initiate a DOS attack.
- After receiving the first message, the AF network element obtains the location information of the N terminal devices. The location information of each of the N terminal devices may be obtained in the same way as the location information of the terminal device is obtained in the fourth determination method in step 211, and details are not described herein again.
- After the AF network element obtains the position information of the N terminal devices, it determines whether each terminal device in the N terminal devices is located in a position where the probability of being attacked by a third party is greater than a preset probability.
- The specific determination method is the same as the corresponding content in the fourth determination method in step 211, and will not be repeated here. It is thereby determined that K terminal devices of the N terminal devices are located at a position where the probability of being attacked by a third party is greater than the preset probability, that is, the K terminal devices are devices that initiate a DOS attack.
- the AF network element can combine other information of the terminal device, such as location information, to perform a more comprehensive analysis on whether the terminal device is a device that initiates a DOS attack, which can improve the accuracy of the above determination process.
- Step 413 The AF network element sends the second instruction information to the AMF network element, and the AMF network element receives the second instruction information.
- the second indication information is used to instruct the AMF network element to initiate a registration process for N-K terminal devices.
- When the AF network element determines, according to the location information of the terminal devices, that the N-K terminal devices are not devices that initiate a DOS attack, it sends the second instruction information to the AMF network element, so that the N-K terminal devices resume communication with the AMF network element.
- Step 414 The AMF network element sends third instruction information to the N-K terminal devices, and the N-K terminal devices receive the third instruction information.
- the third indication information is used to instruct the N-K terminal devices to re-register.
- the specific registration process is the same as in the prior art, and is not repeated here.
- Step 415 The AF network element processes the information of the K terminal devices.
- Step 415 is the same as step 218, and details are not described herein again.
- steps 409 to 415 are optional steps, that is, they do not have to be performed.
- The core network element can directly deregister the terminal device that has the possibility of initiating a DOS attack, thereby preventing the DOS attack from occurring in time, and send the processing result to the application function network element. The application function network element then performs a more comprehensive analysis of the terminal equipment that is likely to initiate a DOS attack, thereby improving the accuracy of judgment and further improving the security performance of the mMTC application scenario.
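The two-stage decision described above (the fourth determination method of step 211, and steps 408 to 414 of FIG. 4) is shown below as an added Python example that is not part of the patent text. The threshold values, the location labels, the function names and the third "unresolved" bucket for devices whose location is missing or not in the table are assumptions made here; the page itself only defines the K and N-K outcomes.

```python
"""Two-stage DOS triage: the AMF deregisters on signaling volume or length,
then the AF reviews the N deregistered devices by location."""
from collections import Counter, defaultdict, deque
from dataclasses import dataclass

# Assumed values: the page names these parameters but fixes none of them.
UNIT_TIME_S = 10        # the page gives 10 s or 1 min as unit-time examples
COUNT_THRESHOLD = 5     # messages per unit time (constructed)
PRESET_LENGTH = 1500    # bytes; assumed link-layer MTU for the terminal

# Location -> easily controlled by a third party? The two entries are the
# page's own examples; any other location is unknown to this table.
EASILY_CONTROLLED = {"desert": False, "business_district": True}


@dataclass(frozen=True)
class SignalingMsg:
    device_id: str
    ts: float       # seconds
    length: int     # bytes


def amf_select_for_deregistration(msgs, rule="count"):
    """Stage 1 (step 408): device ids that meet the monitoring event.

    rule "count":  >= COUNT_THRESHOLD messages inside any UNIT_TIME_S window
    rule "length": any message with length >= PRESET_LENGTH
    rule "both":   both conditions hold for the device
    """
    windows = defaultdict(deque)
    hit_count, hit_length = set(), set()
    for m in sorted(msgs, key=lambda m: m.ts):
        w = windows[m.device_id]
        w.append(m.ts)
        while m.ts - w[0] >= UNIT_TIME_S:   # slide the window forward
            w.popleft()
        if len(w) >= COUNT_THRESHOLD:
            hit_count.add(m.device_id)
        if m.length >= PRESET_LENGTH:
            hit_length.add(m.device_id)
    if rule == "count":
        return hit_count
    if rule == "length":
        return hit_length
    if rule == "both":
        return hit_count & hit_length
    raise ValueError(f"unknown rule: {rule}")


def af_review(deregistered, locations):
    """Stage 2 (steps 412 to 414): split the N devices by location.

    Returns (confirmed, reregister, unresolved). 'confirmed' is the page's K,
    'reregister' is its N-K; 'unresolved' is this example's own addition.
    """
    confirmed, reregister, unresolved = [], [], []
    for dev in sorted(deregistered):
        easy = EASILY_CONTROLLED.get(locations.get(dev))
        if easy is True:
            confirmed.append(dev)
        elif easy is False:
            reregister.append(dev)
        else:
            unresolved.append(dev)
    return confirmed, reregister, unresolved


def attack_areas(confirmed, locations):
    """Step 415: count confirmed devices per location to find affected areas."""
    return Counter(locations[d] for d in confirmed)


def burst(device_id, start, n, gap, length=120):
    """Build n constructed messages spaced 'gap' seconds apart."""
    return [SignalingMsg(device_id, start + i * gap, length) for i in range(n)]


# Constructed sample traffic and location table.
SAMPLE_MSGS = (
    burst("meter-01", 0.0, 6, 1.0)                  # burst, business district
    + burst("sensor-02", 2.0, 6, 1.0)               # burst, desert
    + burst("cam-03", 0.0, 6, 12.0)                 # same volume, spread out
    + burst("tag-04", 1.0, 5, 2.0, length=1600)     # burst, oversize, no location
)
SAMPLE_LOCATIONS = {
    "meter-01": "business_district",
    "sensor-02": "desert",
    "cam-03": "business_district",
}

if __name__ == "__main__":
    n_devices = amf_select_for_deregistration(SAMPLE_MSGS)
    k, n_minus_k, unresolved = af_review(n_devices, SAMPLE_LOCATIONS)
    print("deregistered by AMF (N):", sorted(n_devices))
    print("confirmed by AF (K):", k)
    print("to re-register (N-K):", n_minus_k)
    print("no usable location:", unresolved)
    print("areas:", dict(attack_areas(k, SAMPLE_LOCATIONS)))
```

`sensor-02` shows the misjudgment the location check is meant to catch: it trips the volume rule at the AMF, but the AF review returns it for re-registration.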
- The methods provided in the embodiments of the present application are described above from the perspectives of an application server, a core network element, and the interaction between the application server and the core network element.
- The application server and the core network element may include a hardware structure and / or a software module, and implement the foregoing functions in the form of a hardware structure, a software module, or a hardware structure plus a software module. Whether one of the above functions is executed by a hardware structure, a software module, or a hardware structure plus a software module depends on the specific application of the technical solution and the design constraint conditions.
- The device monitoring apparatus 500 may be an application server, which can implement the function of the application server in the method provided in the embodiment of the present application; the device monitoring apparatus 500 may also be an apparatus capable of supporting the application server in implementing the function of the application server in the method provided in the embodiment of the present application.
- the device monitoring apparatus 500 may be a hardware structure, a software module, or a hardware structure plus a software module.
- the device monitoring apparatus 500 may be implemented by a chip system. In the embodiment of the present application, the chip system may be composed of a chip, and may also include a chip and other discrete devices.
- the device monitoring apparatus 500 may include an obtaining unit 501 and a processing unit 502.
- the obtaining unit 501 may be used to perform step 209 in the embodiment shown in FIG. 2 and / or other processes for supporting the technology described herein.
- the obtaining unit 501 is used for the device monitoring device 500 to communicate with other modules, and may be a circuit, a device, an interface, a bus, a software module, a transceiver, or any other device that can implement communication.
- the processing unit 502 may be configured to perform step 211 or step 218 in the embodiment shown in FIG. 2 and / or other processes for supporting the technology described herein.
- the device monitoring apparatus 500 further includes a sending unit 503.
- the sending unit 503 may be configured to perform step 212 in the embodiment shown in FIG. 2 and / or other processes for supporting the technology described herein.
- the sending unit 503 is used for the device monitoring device 500 to communicate with other modules, and may be a circuit, a device, an interface, a bus, a software module, a transceiver, or any other device that can implement communication.
- the device monitoring device 600 may be a core network element and can implement the functions of the core network element in the method provided in the embodiment of the present application; the device monitoring device 600 may also be an apparatus capable of supporting an application server to implement the functions of the core network element in the method provided in the embodiment of the present application.
- the device monitoring device 600 may be a hardware structure, a software module, or a hardware structure plus a software module.
- the device monitoring apparatus 600 may be implemented by a chip system. In the embodiment of the present application, the chip system may be composed of a chip, and may also include a chip and other discrete devices.
- the device monitoring apparatus 600 may include an obtaining unit 601 and a processing unit 602.
- the obtaining unit 601 may be configured to perform step 305 in the embodiment shown in FIG. 3, and / or other processes for supporting the technology described herein.
- the obtaining unit 601 is used for the device monitoring device 700 to communicate with other modules, and may be a circuit, a device, an interface, a bus, a software module, a transceiver, or any other device that can implement communication.
- the processing unit 602 may be used to perform step 306 in the embodiment shown in FIG. 3, and / or other processes for supporting the technology described herein.
- the device monitoring apparatus 600 further includes a sending unit 603, which may be configured to perform step 307 in the embodiment shown in FIG. 3, and / or other processes for supporting the technology described herein.
- the sending unit 603 is used for the device monitoring device 600 to communicate with other modules, and may be a circuit, a device, an interface, a bus, a software module, a transceiver, or any other device that can implement communication.
- the de-registration device 700 may be a core network element, which can implement the functions of the core network element in the method provided in the embodiment of the present application; the de-registration device 700 may also be a device capable of supporting the core network element to implement the functions of the core network element in the method provided in the embodiment of the present application.
- the de-registering device 700 may be a hardware structure, a software module, or a hardware structure plus a software module.
- the de-registration device 700 may be implemented by a chip system. In the embodiment of the present application, the chip system may be composed of a chip, and may also include a chip and other discrete devices.
- the de-registration device 700 may include an obtaining unit 701 and a processing unit 702.
- the obtaining unit 701 may be configured to perform step 407 in the embodiment shown in FIG. 4 and / or other processes for supporting the technology described herein.
- the obtaining unit 701 is configured to perform communication between the deregistering device 700 and other modules, and may be a circuit, a device, an interface, a bus, a software module, a transceiver, or any other device that can implement communication.
- the processing unit 702 may be used to perform step 408 in the embodiment shown in FIG. 4 and / or other processes for supporting the technology described herein.
- the de-registration device 700 further includes a sending unit 703, which may be configured to perform step 411 in the embodiment shown in FIG. 4 and / or other processes for supporting the technology described herein.
- the sending unit 703 is configured to perform communication between the de-registering device 700 and other modules, and may be a circuit, a device, an interface, a bus, a software module, a transceiver, or any other device that can implement communication.
- FIG. 8 shows a schematic structural diagram of a device monitoring device 800.
- the device monitoring apparatus 800 may be an application server, which can implement the function of the application server in the method provided in the embodiment of the present application; the device monitoring apparatus 800 may also be an apparatus capable of supporting the application server to implement the function of the application server in the method provided in the embodiment of the present application.
- the device monitoring device 800 may be a hardware structure, a software module, or a hardware structure plus a software module.
- the device monitoring apparatus 800 may be implemented by a chip system. In the embodiment of the present application, the chip system may be composed of a chip, and may also include a chip and other discrete devices.
- the device monitoring apparatus 800 may include a receiving unit 801 and a processing unit 802.
- the receiving unit 801 may be configured to perform step 411 in the embodiment shown in FIG. 4 and / or other processes for supporting the technology described herein.
- the receiving unit 801 is used for the device monitoring device 800 to communicate with other modules, and may be a circuit, a device, an interface, a bus, a software module, a transceiver, or any other device that can implement communication.
- the processing unit 802 may be configured to perform step 412 or step 415 in the embodiment shown in FIG. 4 and / or other processes for supporting the technology described herein.
- each functional module in each embodiment of the present application may be integrated into one processor, may exist alone physically, or two or more modules may be integrated into one module.
- the above integrated modules can be implemented in the form of hardware or software functional modules.
- FIG. 9 shows a device monitoring apparatus 900 provided in an embodiment of the present application.
- the device monitoring apparatus 900 may be an application server in the embodiment shown in FIG. 2 or a core network element in the embodiment shown in FIG. 3, and can implement the function of the application server in the method provided in the embodiment of FIG. 2 or the function of the core network element in the embodiment shown in FIG. 3; the device monitoring device 900 may also be an apparatus capable of supporting the application server to implement the function of the application server in the method provided by the embodiment shown in FIG. 2 of this application, or an apparatus capable of supporting the application server to implement the functions of the core network element in the method provided by the embodiment shown in FIG. 3 of this application.
- the device monitoring device 900 may be a chip system. In the embodiment of the present application, the chip system may be composed of a chip, and may also include a chip and other discrete devices.
- the device monitoring apparatus 900 includes at least one processor 920, which is used to implement or support the device monitoring apparatus 900 to implement the function of an application server in the method provided by the embodiment shown in FIG. 2 of the present application or implement the implementation shown in FIG. 3 of the present application.
- the processor 920 may determine whether the terminal device is a device that initiates a denial of service DOS attack according to the attribute information of the data on the signaling plane. For details, refer to the detailed description in the method example, and details are not described herein.
- the device monitoring apparatus 900 may further include at least one memory 930 for storing program instructions and / or data.
- the memory 930 and the processor 920 are coupled.
- the coupling in the embodiments of the present application is an indirect coupling or communication connection between devices, units or modules, and may be electrical, mechanical or other forms for information exchange between devices, units or modules.
- the processor 920 may operate in cooperation with the memory 930.
- the processor 920 may execute program instructions stored in the memory 930. At least one of the at least one memory may be included in a processor. When the processor 920 executes the program instructions in the memory 930, the method shown in FIG. 2 or FIG. 3 may be implemented.
- the device monitoring device 900 may further include a communication interface 910 for communicating with other devices through a transmission medium, so that the devices used in the device monitoring device 900 may communicate with other devices.
- the other device may be a terminal device.
- the processor 920 may use the communication interface 910 to send and receive data.
- the specific connection medium between the communication interface 910, the processor 920, and the memory 930 is not limited in the embodiment of the present application.
- the memory 930, the processor 920, and the communication interface 910 are connected by a bus 940 in FIG. 9.
- the bus is shown by a thick line in FIG. 9.
- the connection modes of other components are only schematically illustrated and are not limited thereto.
- the bus can be divided into an address bus, a data bus, a control bus, and the like. For ease of representation, only a thick line is used in FIG. 9, but it does not mean that there is only one bus or one type of bus.
- the processor 920 may be a general-purpose processor, a digital signal processor, an application specific integrated circuit, a field programmable gate array or other programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component, and may implement or execute each method, step, and logic block diagram disclosed in the embodiments of the present application.
- a general-purpose processor may be a microprocessor or any conventional processor. The steps of the method disclosed in combination with the embodiments of the present application may be directly implemented by a hardware processor, or may be performed by a combination of hardware and software modules in the processor.
- the memory 930 may be a non-volatile memory, such as a hard disk drive (HDD) or a solid-state drive (SSD), and may also be a volatile memory, for example, random-access memory (RAM).
- the memory is, but is not limited to, any other medium that can be used to carry or store desired program code in the form of instructions or data structures and can be accessed by a computer.
- the memory in the embodiment of the present application may also be a circuit or any other device capable of realizing a storage function, and is configured to store program instructions and / or data.
- the deregistration device 1000 provided in the embodiment of the present application, wherein the deregistration device 1000 may be a core network element, which can implement the functions of the core network element in the method provided in the embodiment of the application; the deregistration device 1000 may also be a device capable of supporting a core network element to implement the functions of the core network element in the method provided in the embodiment of the present application.
- the de-registration device 1000 may be a chip system. In the embodiment of the present application, the chip system may be composed of a chip, and may also include a chip and other discrete devices.
- the de-registration device 1000 includes at least one processor 1020, which is used to implement or support the de-registration device 1000 to implement the functions of the core network element in the method provided in the embodiment of the present application.
- the processor 1020 may perform de-registration processing on N terminal devices among the M terminal devices.
- the de-registration device 1000 may further include at least one memory 1030 for storing program instructions and / or data.
- the memory 1030 and the processor 1020 are coupled.
- the coupling in the embodiments of the present application is an indirect coupling or communication connection between devices, units or modules, and may be electrical, mechanical or other forms for information exchange between devices, units or modules.
- the processor 1020 may operate in cooperation with the memory 1030.
- the processor 1020 may execute program instructions stored in the memory 1030. At least one of the at least one memory may be included in a processor. When the processor 1020 executes the program instructions in the memory 1030, the method shown in FIG. 4 may be implemented.
- the unregistering device 1000 may further include a communication interface 1010 for communicating with other devices through a transmission medium, so that the devices in the unregistering device 1000 can communicate with other devices.
- the other device may be a terminal device.
- the processor 1020 can use the communication interface 1010 to send and receive data.
- the embodiments of the present application are not limited to the specific connection medium between the communication interface 1010, the processor 1020, and the memory 1030.
- the memory 1030, the processor 1020, and the communication interface 1010 are connected by a bus 1040 in FIG. 10, and the bus is indicated by a thick line in FIG. 10.
- the connection modes between other components are only schematically illustrated and are not limited thereto.
- the bus can be divided into an address bus, a data bus, a control bus, and the like. For ease of representation, only a thick line is used in FIG. 10, but it does not mean that there is only one bus or one type of bus.
- the processor 1020 may be a general-purpose processor, a digital signal processor, an application specific integrated circuit, a field programmable gate array or other programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component, and may implement or execute each method, step, and logic block diagram disclosed in the embodiments of the present application.
- a general-purpose processor may be a microprocessor or any conventional processor. The steps of the method disclosed in combination with the embodiments of the present application may be directly implemented by a hardware processor, or may be performed by a combination of hardware and software modules in the processor.
- the memory 1030 may be a non-volatile memory, such as a hard disk drive (HDD) or a solid-state drive (SSD), and may also be a volatile memory, for example, random-access memory (RAM).
- the memory is, but is not limited to, any other medium that can be used to carry or store desired program code in the form of instructions or data structures and can be accessed by a computer.
- the memory in the embodiment of the present application may also be a circuit or any other device capable of realizing a storage function, and is configured to store program instructions and / or data.
- the device monitoring apparatus 1100 may be an application server in the embodiment shown in FIG. 4, and can implement the function of the application server in the method provided in the embodiment in FIG. 4; the device monitoring device 1100 may also be a device capable of supporting an application server to implement the functions of the application server in the method provided by the embodiment shown in FIG. 4 of the present application.
- the device monitoring device 1100 may be a chip system. In the embodiment of the present application, the chip system may be composed of a chip, and may also include a chip and other discrete devices.
- the device monitoring device 1100 includes at least one processor 1120, which is used to implement or support the device monitoring device 1100 to implement the function of an application server in the method provided by the embodiment shown in FIG. 4 of this application.
- the processor 1120 may determine that K terminal devices of the N terminal devices are devices that initiate a denial of service DOS attack according to the received first message and the location information of the N terminal devices. For details, see the method example. The detailed description is not repeated here.
- the device monitoring device 1100 may further include at least one memory 1130 for storing program instructions and / or data.
- the memory 1130 and the processor 1120 are coupled.
- the coupling in the embodiments of the present application is an indirect coupling or communication connection between devices, units or modules, and may be electrical, mechanical or other forms for information exchange between devices, units or modules.
- the processor 1120 may operate in cooperation with the memory 1130.
- the processor 1120 may execute program instructions stored in the memory 1130. At least one of the at least one memory may be included in a processor. When the processor 1120 executes the program instructions in the memory 1130, the method shown in FIG. 4 may be implemented.
- the device monitoring device 1100 may further include a communication interface 1110 for communicating with other devices through a transmission medium, so that the devices used in the device monitoring device 1100 may communicate with other devices.
- the other device may be a terminal device.
- the processor 1120 may use the communication interface 1110 to send and receive data.
- the embodiments of the present application are not limited to the specific connection medium between the communication interface 1110, the processor 1120, and the memory 1130.
- the memory 1130, the processor 1120, and the communication interface 1110 are connected by a bus 1140 in FIG. 11.
- the bus is indicated by a thick line in FIG. 11.
- the connection modes between other components are only schematically illustrated and are not limited thereto.
- the bus can be divided into an address bus, a data bus, a control bus, and the like. For ease of representation, only a thick line is used in FIG. 11, but it does not mean that there is only one bus or one type of bus.
- the processor 1120 may be a general-purpose processor, a digital signal processor, an application specific integrated circuit, a field programmable gate array or other programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component, and may implement or execute each method, step, and logic block diagram disclosed in the embodiments of the present application.
- a general-purpose processor may be a microprocessor or any conventional processor. The steps of the method disclosed in combination with the embodiments of the present application may be directly implemented by a hardware processor, or may be performed by a combination of hardware and software modules in the processor.
- the memory 1130 may be a non-volatile memory, such as a hard disk drive (HDD) or a solid-state drive (SSD), and may also be a volatile memory, for example, random-access memory (RAM).
- the memory is, but is not limited to, any other medium that can be used to carry or store desired program code in the form of instructions or data structures and can be accessed by a computer.
- the memory in the embodiment of the present application may also be a circuit or any other device capable of realizing a storage function, and is configured to store program instructions and / or data.
- An embodiment of the present application further provides a computer-readable storage medium including instructions that, when run on a computer, cause the computer to execute the method performed by the application server described in any one of the embodiments in FIG. 2 to FIG. 4.
- An embodiment of the present application further provides a computer-readable storage medium including instructions that, when run on a computer, cause the computer to execute a method performed by a core network element in any one of the embodiments shown in FIG. 2 to FIG. 4.
- the chip system includes a processor and may further include a memory, which is configured to implement a function of an application server in the foregoing method.
- the chip system can be composed of chips, and can also include chips and other discrete devices.
- the chip system includes a processor and may further include a memory, which is used to implement the functions of the core network element in the foregoing method.
- the chip system can be composed of chips, and can also include chips and other discrete devices.
- the chip system includes a processor and may further include a memory, which is used to implement the functions of the terminal device in the foregoing method.
- the chip system can be composed of chips, and can also include chips and other discrete devices.
- An embodiment of the present application provides a system, where the system includes the application server and the core network element described above.
- the methods provided in the embodiments of the present application may be implemented in whole or in part by software, hardware, firmware, or any combination thereof.
- When implemented in software, it may be implemented in whole or in part in the form of a computer program product.
- the computer program product includes one or more computer instructions.
- When the computer program instructions are loaded and executed on a computer, the processes or functions according to the embodiments of the present invention are wholly or partially generated.
- the computer may be a general-purpose computer, a special-purpose computer, a computer network, a network device, a user equipment, or other programmable device.
- the computer instructions may be stored in a computer-readable storage medium, or transmitted from one computer-readable storage medium to another computer-readable storage medium. For example, the computer instructions may be transmitted from a website, a computer, a server, or a data center to another website, computer, server, or data center by wire (such as coaxial cable, optical fiber, or digital subscriber line (DSL)) or wirelessly (such as infrared, wireless, or microwave).
- a computer-readable storage medium may be any available medium that can be accessed by a computer, or a data storage device, such as a server or data center, that integrates one or more available media.
- the available media may be magnetic media (for example, floppy disks, hard disks, magnetic tape), optical media (for example, digital video disc (DVD)), or semiconductor media (for example, SSD).
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
- Computer And Data Communications (AREA)
- Telephonic Communication Services (AREA)
Claims (20)
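- A device monitoring method, characterized by comprising: obtaining data on the signaling plane exchanged between a terminal device and a core network element; and determining, according to attribute information of the data on the signaling plane, whether the terminal device is a device that initiates a denial of service (DOS) attack.
- The method according to claim 1, characterized in that the attribute information includes the quantity of the data on the signaling plane and / or the length of the data on the signaling plane.
- The method according to claim 2, characterized in that the attribute information includes the quantity of the data on the signaling plane, and determining, according to the attribute information of the data on the signaling plane, whether the terminal device is a device that initiates a DOS attack comprises: if the quantity of the data on the signaling plane is greater than or equal to a threshold, determining that the terminal device is a device that initiates a DOS attack.
- The method according to claim 2, characterized in that the attribute information includes the length of the data on the signaling plane, and determining, according to the attribute information of the data on the signaling plane, whether the terminal device is a device that initiates a DOS attack comprises: if the length of the data on the signaling plane is greater than or equal to a preset length, determining that the terminal device is a device that initiates a DOS attack.
- The method according to any one of claims 1 to 4, characterized in that, before determining, according to the attribute information of the data on the signaling plane, that the terminal device is a device that initiates a DOS attack, the method further comprises: obtaining location information of the terminal device; and determining, according to the attribute information of the data on the signaling plane, that the terminal device is a device that initiates a DOS attack comprises: determining, according to the location information and the attribute information of the data on the signaling plane, that the terminal device is a device that initiates a DOS attack.
- The method according to any one of claims 1 to 5, characterized in that, after determining, according to the attribute information of the data on the signaling plane, that the terminal device is a device that initiates a DOS attack, the method further comprises: sending first indication information to the core network element, the first indication information being used to instruct the core network element to initiate a de-registration procedure for the terminal device.
- A de-registration method, characterized by comprising: obtaining data on the signaling plane exchanged between M terminal devices and a core network element; and performing de-registration processing on N terminal devices among the M terminal devices, wherein the received data on the signaling plane of each of the N terminal devices includes data on the signaling plane of a first type, M is a positive integer, N is an integer greater than or equal to 0, and M is greater than or equal to N.
- The method according to claim 7, characterized in that the data on the signaling plane of the first type is data on the signaling plane whose quantity received within a unit time is greater than or equal to a threshold.
- The method according to claim 7 or 8, characterized in that, after performing de-registration processing on the N terminal devices among the M terminal devices, the method further comprises: sending a first message to an application server, the first message being used to indicate that the de-registration processing has been performed on the N terminal devices.
- The method according to claim 9, characterized in that, after sending the first message to the application server, the method further comprises: receiving second indication information, the second indication information being used to indicate that registration processing is to be performed on N-K terminal devices, K being an integer less than or equal to N.
- A device monitoring apparatus, characterized by comprising: an obtaining unit, configured to obtain data on the signaling plane exchanged between a terminal device and a core network element; and a processing unit, configured to determine, according to attribute information of the data on the signaling plane, whether the terminal device is a device that initiates a denial of service (DOS) attack.
- The apparatus according to claim 11, characterized in that the attribute information includes the quantity of the data on the signaling plane and / or the length of the data on the signaling plane.
- The apparatus according to claim 12, characterized in that the attribute information includes the quantity of the data on the signaling plane, and the processing unit is specifically configured to: if the quantity of the data on the signaling plane is greater than or equal to a threshold, determine that the terminal device is a device that initiates a DOS attack.
- The apparatus according to claim 12, characterized in that the attribute information includes the length of the data on the signaling plane, and the processing unit is specifically configured to: if the length of the data on the signaling plane is greater than or equal to a preset length, determine that the terminal device is a device that initiates a DOS attack.
- The apparatus according to any one of claims 11 to 14, characterized in that the obtaining unit is further configured to: obtain location information of the terminal device; and the processing unit is specifically configured to: determine, according to the location information and the attribute information of the data on the signaling plane, that the terminal device is a device that initiates a DOS attack.
- The apparatus according to any one of claims 11 to 15, characterized in that the apparatus further comprises: a sending unit, configured to send first indication information to the core network element, the first indication information being used to instruct the core network element to initiate a de-registration procedure for the terminal device.
- A de-registration apparatus, characterized by comprising: an obtaining unit, configured to obtain data on the signaling plane exchanged between M terminal devices and a core network element; and a processing unit, configured to perform de-registration processing on N terminal devices among the M terminal devices, wherein the received data on the signaling plane of each of the N terminal devices includes data on the signaling plane of a first type, M is a positive integer, N is an integer greater than or equal to 0, and M is greater than or equal to N.
- The apparatus according to claim 17, characterized in that the data on the signaling plane of the first type is data on the signaling plane whose quantity received within a unit time is greater than or equal to a threshold.
- The apparatus according to claim 17 or 18, characterized in that the apparatus further comprises: a sending unit, configured to send a first message to an application server, the first message being used to indicate that the de-registration processing has been performed on the N terminal devices.
- The apparatus according to claim 19, characterized in that the obtaining unit is further configured to: receive second indication information, the second indication information being used to indicate that registration processing is to be performed on N-K terminal devices, K being an integer less than or equal to N.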
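The detection rules of claims 2 to 4 and the de-registration exchange of claims 7 to 10, as an added Python example that is not part of the patent text. The threshold, preset length and unit time values, the record fields, the message dictionaries and the location rule (a reported cell that differs from the expected cell confirms the verdict) are assumptions; the claims do not fix any of them.

```python
from collections import defaultdict, deque
from dataclasses import dataclass

# Assumed values: the claims only name a "threshold", a "preset length"
# and a "unit time" without fixing them.
COUNT_THRESHOLD = 5      # signaling messages per unit time
PRESET_LENGTH = 1024     # bytes
UNIT_TIME = 10.0         # seconds


@dataclass(frozen=True)
class SignalingRecord:
    """One signaling-plane message seen by the core network element (hypothetical shape)."""
    device_id: str
    timestamp: float
    length: int


def flag_devices(records, count_threshold=COUNT_THRESHOLD,
                 preset_length=PRESET_LENGTH, unit_time=UNIT_TIME):
    """Map device_id -> reasons ("count", "length") per claims 3, 4 and 8."""
    reasons = defaultdict(set)
    windows = defaultdict(deque)          # per-device sliding window of timestamps
    for rec in sorted(records, key=lambda r: r.timestamp):
        if rec.length >= preset_length:
            reasons[rec.device_id].add("length")
        win = windows[rec.device_id]
        win.append(rec.timestamp)
        while rec.timestamp - win[0] >= unit_time:   # drop messages older than one unit time
            win.popleft()
        if len(win) >= count_threshold:
            reasons[rec.device_id].add("count")
    return dict(reasons)


class CoreNetworkElement:
    """De-registers the N of M devices that sent first-type data (claims 7 to 10)."""

    def __init__(self, registered):
        self.registered = set(registered)             # the M terminal devices

    def monitor(self, records):
        seen = [r for r in records if r.device_id in self.registered]
        flagged = flag_devices(seen)
        n_devices = sorted(d for d, why in flagged.items() if "count" in why)
        self.registered -= set(n_devices)             # de-registration processing
        return {"type": "first_message", "deregistered": n_devices}

    def handle_second_indication(self, indication):
        self.registered |= set(indication["reregister"])   # the N-K devices


class ApplicationServer:
    """Confirms K attackers among the N devices using location information."""

    def __init__(self, expected_cell):
        self.expected_cell = dict(expected_cell)

    def review(self, first_message, reported_cell):
        attackers, cleared = [], []
        for dev in first_message["deregistered"]:
            expected = self.expected_cell.get(dev)
            # Assumed rule: unknown device or unexpected cell confirms the verdict.
            if expected is None or reported_cell.get(dev) != expected:
                attackers.append(dev)
            else:
                cleared.append(dev)
        return {"type": "second_indication", "attackers": attackers,
                "reregister": cleared}


def build_sample():
    """Constructed sample traffic for four metering devices (not real captures)."""
    recs = [SignalingRecord("meter-01", t, 200) for t in (0.0, 10.0, 20.0)]
    recs += [SignalingRecord("meter-02", 100.0 + i, 180) for i in range(6)]
    recs += [SignalingRecord("meter-03", 200.0 + 0.5 * i, 220) for i in range(8)]
    recs.append(SignalingRecord("meter-04", 300.0, 4096))
    return recs


def run_flow():
    """Run the M=4 exchange end to end; returns both messages and the final registrations."""
    core = CoreNetworkElement(["meter-01", "meter-02", "meter-03", "meter-04"])
    server = ApplicationServer({"meter-01": "cell-A", "meter-02": "cell-A",
                                "meter-03": "cell-B", "meter-04": "cell-B"})
    first = core.monitor(build_sample())
    second = server.review(first, {"meter-02": "cell-A", "meter-03": "cell-Z"})
    core.handle_second_indication(second)
    return first, second, sorted(core.registered)


if __name__ == "__main__":
    for item in run_flow():
        print(item)
```

In the constructed traffic, `meter-04` is flagged by the length rule of claim 4 but stays registered, because the first-type data of claim 8 is defined by quantity per unit time only; `meter-02` is de-registered and then restored as one of the N-K devices.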
Priority Applications (5)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
RU2020119534A RU2020119534A (ru) | 2018-05-24 | 2019-04-25 | Apparatus and method for device monitoring and apparatus and method for deregistration |
BR112020008191-4A BR112020008191A2 (pt) | 2018-05-24 | 2019-04-25 | Monitoring method and device, and deregistration method and device |
AU2019272212A AU2019272212B2 (en) | 2018-05-24 | 2019-04-25 | Device monitoring method and apparatus and deregistration method and apparatus |
EP19806675.5A EP3687135B1 (en) | 2018-05-24 | 2019-04-25 | Device monitoring, and deregistration method and apparatus |
US16/901,176 US11689565B2 (en) | 2018-05-24 | 2020-06-15 | Device monitoring method and apparatus and deregistration method and apparatus |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201810510495.0 | 2018-05-24 | ||
CN201810510495.0A CN110535808B (zh) | 2018-05-24 | 2018-05-24 | Device monitoring and deregistration method and apparatus |
Related Child Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US16/901,176 Continuation US11689565B2 (en) | 2018-05-24 | 2020-06-15 | Device monitoring method and apparatus and deregistration method and apparatus |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2019223490A1 (zh) | 2019-11-28 |
Family
ID=68615664
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/CN2019/084382 WO2019223490A1 (zh) | 2018-05-24 | 2019-04-25 | Device monitoring and deregistration method and apparatus |
Country Status (7)
Country | Link |
---|---|
US (1) | US11689565B2 (zh) |
EP (1) | EP3687135B1 (zh) |
CN (1) | CN110535808B (zh) |
AU (1) | AU2019272212B2 (zh) |
BR (1) | BR112020008191A2 (zh) |
RU (1) | RU2020119534A (zh) |
WO (1) | WO2019223490A1 (zh) |
Families Citing this family (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US11522879B2 (en) * | 2020-05-20 | 2022-12-06 | At&T Intellectual Property I, L.P. | Scrubber for distributed denial of service attacks targetting mobile networks |
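CN113891340B (zh) * | 2020-07-02 | 2023-10-27 | 中国移动通信集团安徽有限公司 | Adaptive flow control method, apparatus, computing device and storage medium |
CN114531681A (zh) * | 2020-10-30 | 2022-05-24 | 华为技术有限公司 | Abnormal terminal control method and apparatus |
CN112543198B (zh) * | 2020-12-03 | 2023-06-02 | 恒安嘉新(北京)科技股份公司 | Honeypot monitoring method, honeypot core network element, device and storage medium |
CN114884941B (zh) * | 2022-04-12 | 2023-09-05 | 中国电信股份有限公司 | Service processing method, apparatus, system and medium for an edge computing platform |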
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
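CN101959133A (zh) * | 2009-07-15 | 2011-01-26 | 华为技术有限公司 | Operation control method and system for M2M user equipment, and M2M user equipment |
CN103702382A (zh) * | 2013-11-26 | 2014-04-02 | 中国十七冶集团有限公司 | Voting-based DAI secure routing protocol for the Internet of Things |
CN104333529A (zh) * | 2013-07-22 | 2015-02-04 | 中国电信股份有限公司 | Method and system for detecting HTTP DoS attacks in a cloud computing environment |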
WO2017171296A1 (en) * | 2016-04-01 | 2017-10-05 | Samsung Electronics Co., Ltd. | Method and equipmnent for controlling ciot for ue |
Family Cites Families (13)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20020002625A1 (en) | 2000-04-17 | 2002-01-03 | Mark Vange | System and method for reformatting data traffic |
CN100550912C (zh) * | 2006-11-23 | 2009-10-14 | 华为技术有限公司 | System and method for detecting and filtering illegal header fields |
EP1986391A1 (en) * | 2007-04-23 | 2008-10-29 | Mitsubishi Electric Corporation | Detecting anomalies in signalling flows |
KR101107742B1 (ko) * | 2008-12-16 | 2012-01-20 | 한국인터넷진흥원 | SIP intrusion detection and response system for protecting SIP-based services |
US8711791B2 (en) * | 2010-12-20 | 2014-04-29 | Telefonaktiebolaget L M Ericsson (Publ) | Denial of service (DoS) attack prevention through random access channel resource reallocation |
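CN102523217A (zh) * | 2011-12-16 | 2012-06-27 | 淮安信息职业技术学院 | Secure communication method based on JAIN SIP |
CN105636049B (zh) * | 2014-11-05 | 2019-05-10 | 中国移动通信集团公司 | Method and apparatus for controlling user signaling, and mobility management entity |
CN105791215A (zh) * | 2014-12-22 | 2016-07-20 | 上海粱江通信系统股份有限公司 | Method for detecting communication network attacks based on the SIP protocol |
CN105337966B (zh) * | 2015-10-16 | 2018-10-02 | 中国联合网络通信集团有限公司 | Method and apparatus for handling network attacks |
CN114189815B (zh) * | 2016-01-18 | 2024-02-09 | 三星电子株式会社 | Method and apparatus for terminal communication in a mobile communication system |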
EP3313114B1 (en) * | 2016-10-18 | 2021-06-09 | Nokia Solutions and Networks Oy | Detection and mitigation of signalling anomalies in wireless network |
US11051192B2 (en) * | 2017-08-11 | 2021-06-29 | Convida Wireless, Llc | Network data analytics in a communications network |
EP3756324A4 (en) * | 2018-02-23 | 2021-10-06 | Nokia Technologies Oy | NETWORK SECURITY |
-
2018
- 2018-05-24 CN CN201810510495.0A patent/CN110535808B/zh active Active
-
2019
- 2019-04-25 EP EP19806675.5A patent/EP3687135B1/en active Active
- 2019-04-25 WO PCT/CN2019/084382 patent/WO2019223490A1/zh unknown
- 2019-04-25 RU RU2020119534A patent/RU2020119534A/ru unknown
- 2019-04-25 AU AU2019272212A patent/AU2019272212B2/en active Active
- 2019-04-25 BR BR112020008191-4A patent/BR112020008191A2/pt not_active IP Right Cessation
-
2020
- 2020-06-15 US US16/901,176 patent/US11689565B2/en active Active
Non-Patent Citations (1)
Title |
---|
See also references of EP3687135A4 |
Also Published As
Publication number | Publication date |
---|---|
RU2020119534A (ru) | 2021-12-13 |
EP3687135A4 (en) | 2020-12-09 |
BR112020008191A2 (pt) | 2020-12-08 |
CN110535808A (zh) | 2019-12-03 |
EP3687135A1 (en) | 2020-07-29 |
EP3687135B1 (en) | 2023-05-24 |
AU2019272212A1 (en) | 2020-05-14 |
AU2019272212B2 (en) | 2021-09-30 |
US20200314140A1 (en) | 2020-10-01 |
CN110535808B (zh) | 2021-03-30 |
US11689565B2 (en) | 2023-06-27 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US11523268B2 (en) | Communications method and apparatus | |
WO2019223490A1 (zh) | Device monitoring and deregistration method and apparatus | |
US20210250771A1 (en) | Method For Determining Class Information And Apparatus | |
US20230217240A1 (en) | Apparatus and method of determining an operation mode on a wireless network | |
CN110381554B (zh) | Communication method, apparatus, system, and computer storage medium | |
US11463935B2 (en) | Methods and functions for handling local breakout | |
CN112312466A (zh) | Method, apparatus, and system for sending event reports | |
CN112105053B (zh) | Congestion control method and apparatus | |
US11895533B2 (en) | Method for controlling connection between terminal and network, and related apparatus | |
CN110636572A (zh) | Communication method and apparatus | |
US20240224098A1 (en) | Network verification method and apparatus | |
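CN113795019B (zh) | Communication control method and communication device | |
CN110351722B (zh) | Information sending method, key generation method, and apparatus | |
WO2020249126A1 (zh) | Security verification method and apparatus | |
WO2023213177A1 (zh) | Communication method and apparatus | |
WO2021159415A1 (zh) | Communication method, apparatus, and system | |
CN103458499A (zh) | Network detachment handling method and device | |
KR102318746B1 (ko) | Method for handling multiple PDU sessions using a virtual ID, and SMF performing the method | |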
US20240291849A1 (en) | Method for obtaining security classification result and communication apparatus | |
US20240098747A1 (en) | Transmitting Periodic Cadence Reports to a Network |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| 121 | EP: the EPO has been informed by WIPO that EP was designated in this application | Ref document number: 19806675; Country of ref document: EP; Kind code of ref document: A1 |
| ENP | Entry into the national phase | Ref document number: 2019806675; Country of ref document: EP; Effective date: 20200422 |
| ENP | Entry into the national phase | Ref document number: 2019272212; Country of ref document: AU; Date of ref document: 20190425; Kind code of ref document: A |
| REG | Reference to national code | Ref country code: BR; Ref legal event code: B01A; Ref document number: 112020008191; Country of ref document: BR |
| NENP | Non-entry into the national phase | Ref country code: DE |
| ENP | Entry into the national phase | Ref document number: 112020008191; Country of ref document: BR; Kind code of ref document: A2; Effective date: 20200424 |