WO2023083153A1 - Method for obtaining a security classification result and communication device - Google Patents
Method for obtaining a security classification result and communication device
- Publication number: WO2023083153A1 (PCT application PCT/CN2022/130474)
- Authority: WO (WIPO, PCT)
- Prior art keywords: security; network element; location area; target location; information
- Prior art date
Classifications
- H—ELECTRICITY > H04—ELECTRIC COMMUNICATION TECHNIQUE > H04W—WIRELESS COMMUNICATION NETWORKS > H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/12—Detection or prevention of fraud
- H04W12/121—Wireless intrusion detection systems [WIDS]; Wireless intrusion prevention systems [WIPS]
- H04W12/122—Counter-measures against attacks; Protection against rogue devices
- H04W12/126—Anti-theft arrangements, e.g. protection against subscriber identity module [SIM] cloning
- H04W12/60—Context-dependent security
- H04W12/63—Location-dependent; Proximity-dependent
Definitions
- the embodiment of the present application relates to the communication field, and more specifically, relates to a method and a communication device for obtaining a security classification result.
- the UE and the base station are connected through the Uu interface, and the UE can exchange radio resource control (RRC) signaling and user plane data with the base station.
- RRC radio resource control
- the base station is connected to the access and mobile management function (AMF) network element through the N2 interface, and communicates through the N2 interface protocol.
- AMF access and mobile management function
- An attacker may deploy a fake base station to attract UEs to camp on it. If the UE camps on the pseudo base station, the pseudo-UE part of the pseudo base station can forward or modify part of the information of the real UE camped on it, access the real base station as a real UE, and communicate with the AMF via the N2 interface protocol. In this way, the communication content between the real terminal and the network can be sniffed, tampered with, and forged.
- the pseudo-base station equipment is similar in size to a laptop and is easy to move, so the attacker can move to different locations at will to attack.
- An embodiment of the present application provides a method for obtaining a security classification result, which can implement security analysis on a location area, thereby obtaining a security classification result of the location area.
- a method for obtaining a security classification result, comprising: a security function network element determines to perform security analysis on a target location area; the security function network element determines the security classification result of the target location area according to first information, where the security classification result indicates the degree of potential attack in the target location area, the first information is related to behavior information of terminal devices in the target location area, and the behavior information includes traffic data and/or movement track information.
- the security function network element is a network element having a security analysis function
- the security function network element may be a network element fully responsible for security analysis, or may be a network element having some security related functions.
- when the security function network element determines to perform security analysis on the target location area, it can perform that analysis according to the first information, which is determined from the behavior information of the terminal devices in the target location area, thereby obtaining the security classification result of the target location area.
- the first information includes behavior information of terminal devices in the target location area
- the security function network element determining the security classification result of the target location area according to the first information includes: the security function network element performs statistical analysis on the behavior information of the terminal devices in the target location area to obtain first statistical information, and/or performs abnormal behavior prediction on that behavior information to obtain a first abnormal behavior prediction result; the security function network element then determines the security classification result of the target location area according to the first statistical information and/or the first abnormal behavior prediction result.
- the method further includes: the security function network element sending a data collection request message to a data collection network element in the target location area, where the data collection request message is used to request the behavior information of the terminal devices served by the data collection network element; the security function network element receives from the data collection network element the behavior information of the terminal devices it serves.
- the data collection request message further includes a first time interval parameter and/or a first threshold, where the first time interval parameter indicates the period for reporting the behavior information of the terminal device, and the first threshold indicates the minimum or maximum value that triggers reporting of the behavior information of the terminal device.
- the first information includes second information sent by the security analysis network element, and the second information includes: second statistical information, a second abnormal behavior prediction result, and/or the security classification result of the location area managed by the security analysis network element; the second statistical information is obtained by statistically analyzing the behavior information of the terminal equipment in the location area managed by the security analysis network element, and the second abnormal behavior prediction result is obtained by performing abnormal behavior prediction on the behavior information of the terminal equipment in that location area.
- the security classification result of the location area managed by the security analysis network element is determined according to the behavior information of the terminal equipment in that location area, and the location area managed by the security analysis network element corresponds to the target location area.
- the location area managed by the security analysis network element corresponding to the target location area includes the following situations: the location area managed by the security analysis network element is the same as the target location area; the location area managed by the security analysis network element is part of the target location area; or the location area managed by the security analysis network element partially overlaps the target location area.
- the security function network element cooperates with the security analysis network element to perform security analysis on the target location area to obtain the security classification result of the target location area, thereby reducing the processing burden of the security function network element and improving processing efficiency.
- the method further includes: the security function network element sends a security analysis request message to the security analysis network element according to the target location area, and the security analysis request message is used to request the security analysis network element to conduct security analysis.
- the first identifier of the target location area is an identifier used outside the network, such as coordinate information, geographical area identifier or address information
- the second identifier of the target location area is an identifier used inside the network, such as a TAI or cell ID.
- the method further includes: the security function network element sending the security classification result of the location area managed by the security analysis network element to the security analysis network element.
- the security function network element sends the security classification result of the location area managed by the security analysis network element to the security analysis network element, so that the security analysis network element can send the security classification result of the managed location area to the policy control function network element or unified data management network element, so that the policy control function network element or unified data management network element determines the security protection mode of the terminal device according to the security classification result of the location area managed by the security analysis network element.
- the security analysis request message further includes an analysis identifier
- the second information further includes the analysis identifier
- the analysis identifier is used to identify the security analysis performed on the target location area.
- the security function network element sends a security analysis request message to a plurality of security analysis network elements, and receives the second information from the plurality of security analysis network elements.
- the security function network element determines according to the analysis identifier that the second information received from multiple security analysis network elements is used to determine the security classification result of the target location area.
- the method further includes: the security function network element receiving third information from a first network element, where the third information indicates that the security function network element is to perform security analysis on all location areas in the public land mobile network (PLMN) where it is located; the security function network element determining to perform security analysis on the target location area includes: the security function network element determines, according to the third information, to perform security analysis on all location areas in the PLMN, including the target location area.
- PLMN public land mobile network
- the first network element may be a policy control function network element, a unified data management network element, an application function network element, and the like.
- the security function network element can perform security analysis on all location areas in the PLMN where the security function network element is located according to the instruction of the first network element, so as to meet the security analysis requirements of the first network element.
- the third information includes an identifier of each location area among all location areas in the PLMN.
- the method further includes: the security function network element receiving an identifier of the target location area from the first network element; the security function network element determining to perform security analysis on the target location area includes: the security function network element determines to perform security analysis on the target location area according to the identifier of the target location area.
- the security function network element can perform security analysis on the target location area according to the instruction of the first network element, so as to meet the security analysis requirements of the first network element.
- the method further includes: the security function network element receiving a security policy request message, where the security policy request message includes location area information of a first terminal device, and the location area information of the first terminal device indicates that the first terminal device is located in the target location area; the security function network element sends the security protection mode determined for the first terminal device, where the security protection mode is determined according to the security classification result of the target location area.
- the security function network element can determine a security protection mode for the first terminal device according to the security classification result of the target location area, so as to better ensure the security of the network and the first terminal device. For example, when the security classification result of the target location area is low, the security protection is forcibly enabled, so as to prevent the network or the first terminal device from being attacked to a certain extent.
- the method further includes: the security function network element receiving the first identifier of the first terminal device and the location area information of the first terminal device, where the location area information of the first terminal device indicates that the first terminal device is located in the target location area; the security function network element determining to perform security analysis on the target location area includes: the security function network element determines, according to the first identifier of the first terminal device, that the security enhancement service is allowed for the first terminal device, and determines to perform security analysis on the target location area according to the location area information of the first terminal device.
- the first identifier of the first terminal device includes one or more of the following: Internet protocol (IP) address, subscription permanent identifier (SUPI), permanent equipment identifier (PEI), generic public subscription identifier (GPSI), international mobile subscriber identifier (IMSI), international mobile equipment identity (IMEI), and IP address together with mobile station international integrated service digital network number (MSISDN).
- the first identifier of the first terminal device is an identifier used inside the network, for example, the first identifier of the first terminal device includes one or more of the following: SUPI, GPSI.
- the method further includes: the security function network element receiving the second identifier of the first terminal device from the first network element; the security function network element determining, according to the first identifier of the first terminal device, that the security enhancement service is allowed for the first terminal device includes: the security function network element determines that the security enhancement service is allowed for the first terminal device according to the correspondence between the first identifier of the first terminal device and the second identifier of the first terminal device.
- the security functional network element may determine to allow security enhancement services for the first terminal device according to the second identifier of the first terminal device received from the first network element, so as to meet different requirements of the first network element.
- the second identifier of the first terminal device includes one or more of the following: user name of the external application, third-party user identifier, IP address, SUPI, PEI, GPSI, IMSI, IMEI, IP address and MSISDN.
- the second identifier of the first terminal device is different from the first identifier of the first terminal device, or the second identifier of the first terminal device is the same as the first identifier of the first terminal device, which is not limited in this embodiment of the present application.
- the second identifier of the first terminal device is an identifier used outside the network.
- the second identifier of the first terminal device includes one or more of the following: username of an external application, third-party user identifier, IP address, IP address and MSISDN.
- the method further includes: the security function network element determines that security analysis of the target location area is allowed.
- the method further includes: the security function network element receiving an identifier of the target location area from the first network element; the security function network element determining that security analysis of the target location area is allowed includes: the security function network element determines that security analysis of the target location area is allowed according to the correspondence between the location area information of the first terminal device and the identifier of the target location area.
- the security function network element can determine the location area that allows security analysis according to the location area identifier received from the first network element, so as to meet different security analysis requirements of the first network element.
- the method further includes: the security function network element sending a security protection mode determined for the first terminal device, where the security protection mode is determined according to the security classification result of the target location area.
- the security function network element determining to perform security analysis on the target location area includes: the security function network element determining to perform security analysis on the target location area for target attacks;
- the security rating result of the target location area includes the security rating result of the target location area for the target attack, and the security rating result of the target location area for the target attack indicates the degree of potential target attack in the target location area.
- the security function network element determines to perform security analysis on the target location area against the target attack, so as to obtain the security classification result of the target location area for the target attack. This makes it possible to determine, according to that result, a security protection mode that can prevent the target attack for terminal devices in the target location area. For example, when the security classification result of the target location area for an air interface distributed denial of service (DDoS) attack indicates a high degree of potential air interface DDoS attack in the target location area, air interface security protection may be enabled or additional authentication for air interface access may be enabled.
- DDoS distributed denial of service
- the method further includes: the security function network element receiving the identifier of the target attack from the first network element; the security function network element determining to perform security analysis on the target location area against the target attack includes: the security function network element determines to perform security analysis on the target location area against the target attack according to the identifier of the target attack.
- the method further includes: the security function network element sending a first mapping relationship to a policy control function network element or a unified data management network element, where the first mapping relationship includes an identifier of the target location area and the security classification result of the target location area.
- the security function network element sends the security classification result of the target location area to the policy control function network element or the unified data management network element, so that the policy control function network element or the unified data management network element can determine the security protection mode for the terminal devices within the target location area according to the security classification result.
- a method for obtaining security classification results is provided.
- the method is executed by a policy control function network element or a unified data management network element.
- the method includes: determining to perform security analysis on the target location area; sending a first security analysis request message to the security analysis network element, the first security analysis request message including the identifier of the target location area; receiving the security classification result of the target location area from the security analysis network element, the security classification result indicating the degree of potential attack in the target location area.
- a first security analysis request message is sent to the security analysis network element, so that the security analysis network element can identify the target location area and perform security analysis on it to obtain the security classification result of the target location area.
- the determining to perform security analysis on the target location area includes: determining to perform security analysis on the target location area against a target attack; the first security analysis request message further includes the identifier of the target attack; the security classification result of the target location area includes the security classification result of the target location area for the target attack, which indicates the degree of potential target attack in the target location area.
- the security classification result of the target location area against the target attack can be obtained. Furthermore, it is beneficial to determine a security protection mode that can prevent the target attack for terminal devices in the target location area according to the security classification result of the target location area for the target attack. For example, when the security rating result of the air interface DDoS attack in the target location area indicates that there is a high degree of potential air interface DDoS attack in the target location area, air interface security protection may be enabled or additional authentication for air interface access may be enabled.
- the method further includes: receiving third information from an application function network element, where the third information indicates security analysis for all location areas in the PLMN; the determining to perform security analysis on the target location area includes: determining, according to the third information, to perform security analysis on all location areas in the PLMN, where all location areas in the PLMN include the target location area.
- security analysis can be performed on all location areas in the PLMN according to the instruction of the application function network element, so as to meet the security analysis requirements of the application function network element.
- the third information includes an identifier of each location area in all location areas in the PLMN.
- the method further includes: receiving an identifier of the target location area from the application function network element; the determining to perform security analysis on the target location area includes: determining to perform security analysis on the target location area according to the identifier of the target location area.
- security analysis can be performed on the target location area according to the instruction of the application function network element, so as to meet the security analysis requirements of the application function network element.
- the method further includes: receiving an identifier of the target attack from the application function network element; the determining to perform security analysis on the target location area against the target attack includes: determining, according to the identifier of the target attack, to perform security analysis on the target location area against the target attack.
- security analysis can be performed on the target location area against the target attack, so as to meet the security analysis requirements of the application function network element.
- before sending the first security analysis request message to the security analysis network element, the method further includes: receiving the first identifier of the first terminal device and the location area information of the first terminal device, where the location area information of the first terminal device indicates that the first terminal device is located in the target location area; determining, according to the first identifier of the first terminal device, that the security enhancement service is allowed for the first terminal device.
- the method further includes: receiving a second identifier of the first terminal device from the application function network element; the determining, according to the first identifier of the first terminal device, that the security enhancement service is allowed for the first terminal device includes: determining that the security enhancement service is allowed for the first terminal device according to the correspondence between the first identifier of the first terminal device and the second identifier of the first terminal device.
- according to the second identifier of the first terminal device received from the application function network element, it can be determined that the security enhancement service is allowed for the first terminal device, so as to meet different requirements of the application function network element.
- the method further includes: sending the security protection mode determined for the first terminal device, where the security protection mode is determined according to the security classification result of the target location area.
- a security protection mode can be determined for the first terminal device according to the security classification result of the target location area, so as to better ensure the security of the network and the first terminal device. For example, when the security classification result of the target location area is low, the security protection is forcibly turned on, so as to prevent the network or the first terminal device from being attacked to a certain extent.
- a method for obtaining a security classification result, comprising: a security analysis network element receives a first security analysis request message from a policy control function network element or a unified data management network element, the first security analysis request message including the identifier of the target location area; the security analysis network element determines the security classification result of the target location area according to first information, where the security classification result indicates the degree of potential attack in the target location area, the first information is related to the behavior information of the terminal equipment in the target location area, and the behavior information includes traffic data and/or movement track information; the security analysis network element sends a first mapping relationship to the policy control function network element or the unified data management network element, the first mapping relationship including the identifier of the target location area and the security classification result.
- the security analysis network element can determine to perform security analysis on the target location area according to the identifier of the target location area included in the first security analysis request message, and can then perform security analysis on the target location area according to the first information, so as to obtain the security classification result of the target location area.
- the security analysis network element sends the security classification result of the target location area to the policy control function network element or the unified data management network element, which helps the policy control function network element or the unified data management network element determine, according to the security classification result of the target location area, the security protection mode of the terminal equipment in the target location area, so as to better ensure the security of the network and the terminal equipment. For example, when the security classification result of the target location area indicates that there is a high degree of potential attack in the target location area, the security protection is forcibly enabled, thereby preventing the network or the terminal device from being attacked to a certain extent.
- the first security analysis request message further includes an identifier of the target attack
- the security rating result of the target location area includes the security rating of the target location area for the target attack
- the security classification result of the target location area for the target attack indicates the degree to which the target location area has potential for the target attack.
- the policy control function network element or the unified data management network element determines, according to the security classification result of the target location area for the target attack, a security protection mode that can prevent the target attack for the terminal equipment in the target location area. For example, when the security classification result of the target location area for air interface DDoS attack indicates that there is a high degree of potential air interface DDoS attack in the target location area, air interface security protection may be enabled or additional authentication for air interface access may be enabled.
- the first information includes behavior information of terminal devices in the target location area
- the security analysis network element determining the security classification result of the target location area according to the first information includes: the security analysis network element performs statistical analysis on the behavior information of the terminal equipment in the target location area to obtain first statistical information, and/or performs abnormal behavior prediction on the behavior information of the terminal equipment in the target location area to obtain a first abnormal behavior prediction result; the security analysis network element determines the security classification result of the target location area according to the first statistical information and/or the first abnormal behavior prediction result.
- the method further includes: the security analysis network element sends a data collection request message to the data collection network element in the target location area, where the data collection request message is used to request the behavior information of the terminal equipment served by the data collection network element; the security analysis network element receives the behavior information of the terminal equipment served by the data collection network element from the data collection network element.
- the data collection request message further includes a first time interval parameter and/or a first threshold, where the first time interval parameter is used to indicate the period for reporting the behavior information of the terminal device, and the first threshold is used to indicate the minimum or maximum value that triggers the reporting of the behavior information of the terminal device.
- the security analysis network element is a central security analysis network element
- the first information includes second information sent by a distributed security analysis network element, and the second information includes: second statistical information, a second abnormal behavior prediction result, and/or the security classification result of the location area managed by the distributed security analysis network element;
- the second statistical information is obtained by statistical analysis of the behavior information of the terminal equipment in the location area managed by the distributed security analysis network element.
- the second abnormal behavior prediction result is obtained by predicting the abnormal behavior of the terminal equipment in the location area managed by the distributed security analysis network element.
- the security classification result of the location area managed by the distributed security analysis network element is determined according to the behavior information of the terminal equipment in the location area managed by the distributed security analysis network element.
- the location area managed by the distributed security analysis network element corresponds to the target location area.
- the location area managed by the distributed security analysis network element corresponding to the target location area includes the following situations: the location area managed by the distributed security analysis network element is the same as the target location area; the location area managed by the distributed security analysis network element is a part of the target location area; or the location area managed by the distributed security analysis network element partially overlaps with the target location area.
- the central security analysis network element cooperates with the distributed security analysis network element to perform security analysis on the target location area to obtain the security classification result of the target location area, thereby reducing the processing burden of the central security analysis network element and improving processing efficiency.
- the central security analysis network element sends a second security analysis request message to the distributed security analysis network element according to the target location area, and the second security analysis request message is used to request the distributed security analysis network element to perform security analysis on the location area it manages.
- the second security analysis request message further includes the target location area identifier. If the first security analysis request message includes the identifier of the target attack, the second security analysis request message also includes the identifier of the target attack.
- the method further includes: the central security analysis network element sends the security classification result of the location area managed by the distributed security analysis network element to the distributed security analysis network element.
- the central security analysis network element sends the security classification result of the location area managed by the distributed security analysis network element to the distributed security analysis network element, so that the distributed security analysis network element can send the security classification result to the policy control function network element or the unified data management network element, so that the policy control function network element or the unified data management network element determines the security protection mode of the terminal equipment according to the security classification result of the location area managed by the distributed security analysis network element.
- the second security analysis request message further includes an analysis identifier
- the second information further includes the analysis identifier
- the analysis identifier is used to identify the security analysis performed on the target location area.
- the central security analysis network element sends the second security analysis request message to multiple distributed security analysis network elements, and receives the second information from the multiple distributed security analysis network elements.
- the central security analysis network element determines according to the analysis identifier that the second information received from multiple distributed security analysis network elements is used to determine the security classification result of the target location area.
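The central/distributed flow described above (data collection with a reporting period and threshold, second security analysis requests carrying an analysis identifier, and the first mapping relationship handed to the policy control function) modelled in Python as an added example; this is not code from the patent or its applicant. The abnormal-behavior rule, the "high"/"medium"/"low" scale, the "TA-1/A" sub-area naming and all sample records are assumptions.

```python
from dataclasses import dataclass


@dataclass
class BehaviorInfo:
    """Behavior information of one terminal device: traffic data and movement track."""
    ue_id: str
    area: str             # location area the terminal device is currently in
    traffic_bytes: int    # traffic data reported for the collection period
    track: list           # movement track: sequence of location areas visited


@dataclass
class SecondInformation:
    """Second information returned by a distributed security analysis network element."""
    analysis_id: str
    area: str
    statistics: dict        # second statistical information
    anomaly_ratio: float    # second abnormal behavior prediction result
    classification: str     # security classification result of the managed location area


def collect_behavior(records, area, period_s, threshold):
    """Data collection network element side: answer a data collection request whose first
    time interval parameter is period_s and whose first threshold is threshold (bytes)."""
    # Behavior information is only reported once traffic in the period reaches the threshold.
    return [r for r in records if r.area == area and r.traffic_bytes >= threshold]


def classify(anomaly_ratio):
    """Map the share of abnormal terminals to a classification (scale is an assumption)."""
    if anomaly_ratio >= 0.5:
        return "high"
    if anomaly_ratio >= 0.2:
        return "medium"
    return "low"


class DistributedSecurityAnalysisNE:
    def __init__(self, managed_area, records):
        self.managed_area, self.records = managed_area, records

    def analyze(self, analysis_id, period_s=60, threshold=1000):
        """Handle a second security analysis request for the managed location area."""
        infos = collect_behavior(self.records, self.managed_area, period_s, threshold)
        n = len(infos)
        # Second statistical information over the reported behavior information.
        stats = {"ue_count": n,
                 "total_traffic": sum(i.traffic_bytes for i in infos),
                 "fast_movers": sum(1 for i in infos if len(set(i.track)) > 3)}
        # Abnormal behavior prediction (assumed rule): a terminal is abnormal when its
        # traffic is at least 5x the threshold or its track spans more than three areas.
        abnormal = sum(1 for i in infos
                       if i.traffic_bytes >= 5 * threshold or len(set(i.track)) > 3)
        ratio = abnormal / n if n else 0.0
        return SecondInformation(analysis_id, self.managed_area, stats, ratio, classify(ratio))


class CentralSecurityAnalysisNE:
    def __init__(self, distributed):
        self.distributed = distributed

    def first_mapping(self, target_area, analysis_id):
        """Return ({target area id: classification}, {managed area id: classification})."""
        # The second request goes to every distributed NE whose managed area corresponds
        # to the target area; a sub-area is written "<target>/<name>" (assumption).
        replies = [d.analyze(analysis_id) for d in self.distributed
                   if d.managed_area == target_area
                   or d.managed_area.startswith(target_area + "/")]
        # The analysis identifier ties each reply back to this security analysis.
        replies = [r for r in replies if r.analysis_id == analysis_id]
        total = sum(r.statistics["ue_count"] for r in replies)
        weighted = sum(r.anomaly_ratio * r.statistics["ue_count"] for r in replies)
        per_area = {r.area: r.classification for r in replies}  # sent back to each distributed NE
        return {target_area: classify(weighted / total if total else 0.0)}, per_area


def security_protection_mode(first_mapping, ue_area):
    """Policy control function side: a 'high' classification forces protection on."""
    return "forced_on" if first_mapping.get(ue_area) == "high" else "optional"


# Constructed sample behavior information for two sub-areas of target area "TA-1".
SAMPLE_RECORDS = {
    "TA-1/A": [BehaviorInfo("ue1", "TA-1/A", 1200, ["TA-1/A"]),
               BehaviorInfo("ue2", "TA-1/A", 9000, ["TA-1/A", "TA-1/B", "TA-2", "TA-3"]),
               BehaviorInfo("ue3", "TA-1/A", 500, ["TA-1/A"])],  # below threshold: not reported
    "TA-1/B": [BehaviorInfo("ue4", "TA-1/B", 2000, ["TA-1/B"]),
               BehaviorInfo("ue5", "TA-1/B", 1500, ["TA-1/B"]),
               BehaviorInfo("ue6", "TA-1/B", 1100, ["TA-1/B", "TA-1/A"])],
}


def run_example(target_area="TA-1", analysis_id="analysis-42"):
    distributed = [DistributedSecurityAnalysisNE(a, recs) for a, recs in SAMPLE_RECORDS.items()]
    mapping, per_area = CentralSecurityAnalysisNE(distributed).first_mapping(target_area, analysis_id)
    return mapping, per_area, security_protection_mode(mapping, target_area)
```

With the sample records, sub-area TA-1/A classifies as "high" (one of its two reported terminals is abnormal) and TA-1/B as "low", so the target area TA-1 aggregates to "medium" and protection stays optional for a terminal reported there.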
- a communication device in a fourth aspect includes a processing unit, where the processing unit is configured to determine to perform security analysis on the target location area; the processing unit is further configured to determine the security classification result of the target location area according to the first information.
- the security classification result indicates the degree of potential attacks in the target location area
- the first information is related to behavior information of terminal devices in the target location area, where the behavior information includes traffic data and/or movement track information.
- the first information includes behavior information of terminal devices within the target location area
- the processing unit is further configured to: perform statistical analysis on the behavior information of the terminal device in the target location area to obtain first statistical information, and/or perform abnormal behavior prediction on the behavior information of the terminal device in the target location area to obtain a first abnormal behavior prediction result; and determine the security classification result of the target location area according to the first statistical information and/or the first abnormal behavior prediction result.
- the communication device further includes a transceiver unit configured to send a data collection request message to a data collection network element in the target location area, where the data collection request message is used to request the behavior information of the terminal equipment served by the data collection network element; the transceiver unit is further configured to receive the behavior information of the terminal equipment served by the data collection network element from the data collection network element.
- the data collection request message further includes a first time interval parameter and/or a first threshold, where the first time interval parameter is used to indicate the period for reporting the behavior information of the terminal device, and the first threshold is used to indicate the minimum or maximum value that triggers the reporting of the behavior information of the terminal device.
- the first information includes second information sent by the security analysis network element, and the second information includes: second statistical information, a second abnormal behavior prediction result, and/or the security classification result of the location area managed by the security analysis network element;
- the second statistical information is obtained by statistically analyzing the behavior information of the terminal equipment in the location area managed by the security analysis network element, and the second abnormal behavior prediction result is obtained by predicting the abnormal behavior of the terminal equipment in the location area managed by the security analysis network element.
- the security classification result of the location area managed by the security analysis network element is determined according to the behavior information of the terminal equipment in that location area, and the location area managed by the security analysis network element corresponds to the target location area.
- the transceiver unit is further configured to send a security analysis request message to the security analysis network element according to the target location area, where the security analysis request message is used to request the security analysis network element to perform security analysis on the location area it manages.
- the transceiver unit is further configured to send the security classification result of the location area managed by the security analysis network element to the security analysis network element.
- the security analysis request message further includes an analysis identifier
- the second information further includes the analysis identifier
- the analysis identifier is used to identify the security analysis performed on the target location area.
- the communication device further includes a transceiver unit, configured to receive third information from the first network element, where the third information is used to indicate that security analysis is to be performed on all location areas in the PLMN where the security function network element is located; the processing unit is further configured to determine to perform security analysis on all location areas in the PLMN according to the third information, and all location areas in the PLMN include the target location area.
- the first network element may be a policy control function network element, a unified data management network element, an application function network element, and the like.
- the third information includes an identifier of each location area in all location areas in the PLMN.
- the communication device further includes a transceiver unit configured to receive the identifier of the target location area from the first network element; the processing unit is further configured to determine, according to the identifier of the target location area, to perform security analysis on the target location area.
- the communication apparatus further includes a transceiver unit configured to receive a security policy request message, where the security policy request message includes location area information of the first terminal device, and the location area information of the first terminal device is used to indicate that the first terminal device is located in the target location area; the transceiver unit is further configured to send the security protection mode determined for the first terminal device, where the security protection mode is determined according to the security classification result of the target location area.
- the communication apparatus further includes a transceiver unit configured to receive the first identifier of the first terminal device and the location area information of the first terminal device, where the location area information of the first terminal device is used to indicate that the first terminal device is located in the target location area; the processing unit is further configured to determine, according to the first identifier of the first terminal device, that security enhancement services are allowed for the first terminal device; the processing unit is further configured to determine to perform security analysis on the target location area according to the location area information of the first terminal device.
- the transceiver unit is configured to receive the second identifier of the first terminal device from the first network element; the processing unit is further configured to determine, according to the corresponding relationship between the first identifier of the first terminal device and the second identifier of the first terminal device, that the security enhancement service is allowed for the first terminal device.
- the processing unit is further configured to determine that security analysis of the target location area is allowed.
- the transceiver unit is further configured to receive the identifier of the target location area from the first network element; the processing unit is further configured to determine, according to the corresponding relationship between the location area information and the identifier of the target location area, that security analysis on the target location area is allowed.
- the transceiver unit is further configured to send the security protection mode determined for the first terminal device, where the security protection mode is determined according to the security classification result of the target location area.
- the processing unit is further configured to determine to perform security analysis on the target location area for the target attack; the security classification result of the target location area includes the security classification result of the target location area for the target attack, and the security classification result of the target location area for the target attack indicates the degree of potential target attack in the target location area.
- the communication device further includes a transceiver unit configured to receive the identifier of the target attack from the first network element; the processing unit is further configured to determine, according to the identifier of the target attack, to perform security analysis on the target location area for the target attack.
- the communication device further includes a transceiver unit, and the transceiver unit is further configured to send the first mapping relationship to the policy control function network element or the unified data management network element, where the first mapping relationship includes the identifier of the target location area and the security classification result of the target location area.
- a communication device in a fifth aspect includes a transceiver unit and a processing unit, where the processing unit is configured to determine to perform security analysis on the target location area; the transceiver unit is configured to send a first security analysis request message to the security analysis network element, where the first security analysis request message includes the identifier of the target location area; the transceiver unit is further configured to receive the security classification result of the target location area from the security analysis network element, where the security classification result indicates the degree of potential attack in the target location area.
- the processing unit is further configured to determine to perform a security analysis on the target location area against a target attack; the first security analysis request message also includes an identifier of the target attack;
- the security rating result of the target location area includes the security rating result of the target location area for the target attack, and the security rating result of the target location area for the target attack indicates the degree of potential target attack in the target location area.
- the transceiver unit is further configured to receive third information from the application function network element, where the third information is used to indicate security analysis of all location areas in the PLMN;
- the processing unit is further configured to determine to perform security analysis on all location areas in the PLMN according to the third information, and all location areas in the PLMN include the target location area.
- the third information includes an identifier of each location area in all location areas in the PLMN.
- the transceiver unit is further configured to receive the identifier of the target location area from an application function network element; and the processing unit is further configured to determine, according to the identifier of the target location area, to perform security analysis on the target location area.
- the transceiver unit is further configured to receive the identifier of the target attack from the application function network element, and the processing unit is further configured to determine, according to the identifier of the target attack, to perform security analysis on the target location area for the target attack.
- before the transceiver unit sends the first security analysis request message to the security analysis network element, the transceiver unit is further configured to receive the first identifier of the first terminal device and the location area information of the first terminal device, where the location area information of the first terminal device is used to indicate that the first terminal device is located in the target location area; the processing unit is further configured to determine, according to the first identifier of the first terminal device, that security enhancement services are allowed for the first terminal device.
- the transceiver unit is further configured to receive the second identifier of the first terminal device from an application function network element; the processing unit is further configured to determine, according to the corresponding relationship between the first identifier of the first terminal device and the second identifier of the first terminal device, that security enhancement services are allowed for the first terminal device.
- the transceiver unit is further configured to send the security protection mode determined for the first terminal device, where the security protection mode is determined according to the security classification result of the target location area.
- a communication device in a sixth aspect includes a transceiver unit and a processing unit, where the transceiver unit is configured to receive a first security analysis request message from a policy control function network element or a unified data management network element, and the first security analysis request message includes an identifier of the target location area; the processing unit is configured to determine a security classification result of the target location area according to first information, where the security classification result indicates the degree of potential attack in the target location area, the first information is related to the behavior information of the terminal equipment in the target location area, and the behavior information includes traffic data and/or movement track information; the transceiver unit is further configured to send a first mapping relationship to the policy control function network element or the unified data management network element, where the first mapping relationship includes the identifier of the target location area and the security classification result.
- the first security analysis request message further includes an identification of the target attack
- the security rating result of the target location area includes the security rating of the target location area for the target attack
- the security classification result of the target location area for the target attack indicates the degree to which the target location area has potential for the target attack.
- the first information includes behavior information of terminal devices within the target location area
- the processing unit is further configured to: perform statistical analysis on the behavior information of the terminal device in the target location area to obtain first statistical information, and/or perform abnormal behavior prediction on the behavior information of the terminal device in the target location area to obtain a first abnormal behavior prediction result; and determine the security classification result of the target location area according to the first statistical information and/or the first abnormal behavior prediction result.
- the transceiver unit is further configured to send a data collection request message to the data collection network element in the target location area, where the data collection request message is used to request the behavior information of the terminal equipment served by the data collection network element; the transceiver unit is further configured to receive the behavior information of the terminal equipment served by the data collection network element from the data collection network element.
- the data collection request message further includes a first time interval parameter and/or a first threshold, where the first time interval parameter is used to indicate the period for reporting the behavior information of the terminal device, and the first threshold is used to indicate the minimum or maximum value that triggers the reporting of the behavior information of the terminal device.
- the first information includes second information sent by the distributed security analysis network element, and the second information includes: second statistical information, a second abnormal behavior prediction result, and/or the security classification result of the location area managed by the distributed security analysis network element;
- the second statistical information is obtained by statistically analyzing the behavior information of the terminal equipment in the location area managed by the distributed security analysis network element
- the second abnormal behavior prediction result is obtained by predicting the abnormal behavior information of the terminal equipment in the location area managed by the distributed security analysis network element
- the security classification result of the location area managed by the distributed security analysis network element is determined according to the behavior information of the terminal equipment in the location area managed by the distributed security analysis network element, and the location area managed by the distributed security analysis network element corresponds to the target location area.
- the transceiver unit is further configured to send a second security analysis request message to the distributed security analysis network element according to the target location area, where the second security analysis request message is used to request the distributed security analysis network element to perform security analysis on the location area it manages.
- the transceiver unit is further configured to send the security classification result of the location area managed by the distributed security analysis network element to the distributed security analysis network element.
- the second security analysis request message further includes an analysis identifier
- the second information further includes the analysis identifier
- the analysis identifier is used to identify the security analysis performed on the target location area.
- a communication device including a processor.
- the processor is coupled with the memory, and can be used to execute instructions in the memory, so as to implement the method in the above first aspect and any possible implementation manner of the first aspect.
- the communication device further includes a memory.
- the communication device further includes a communication interface, and the processor is coupled to the communication interface.
- the communication device is a security function network element.
- the communication interface may be a transceiver, or an input/output interface.
- the communication device is a chip configured in a security function network element.
- the communication interface may be an input/output interface.
- the transceiver may be a transceiver circuit.
- the input/output interface may be an input/output circuit.
- a communication device including a processor.
- the processor is coupled with the memory, and can be used to execute instructions in the memory, so as to implement the method in the above second aspect and any possible implementation manner of the second aspect.
- the communication device further includes a memory.
- the communication device further includes a communication interface, and the processor is coupled to the communication interface.
- the communication device is a policy control function network element or a unified data management network element.
- the communication interface may be a transceiver, or an input/output interface.
- the communication device is a chip configured in a policy control function network element or a unified data management network element.
- the communication interface may be an input/output interface.
- the transceiver may be a transceiver circuit.
- the input/output interface may be an input/output circuit.
- a communication device including a processor.
- the processor is coupled with the memory, and can be used to execute instructions in the memory, so as to implement the method in the above third aspect and any possible implementation manner of the third aspect.
- the communication device further includes a memory.
- the communication device further includes a communication interface, and the processor is coupled to the communication interface.
- the communication device is a security analysis network element.
- the communication interface may be a transceiver, or an input/output interface.
- the communication device is a chip configured in a security analysis network element.
- the communication interface may be an input/output interface.
- the transceiver may be a transceiver circuit.
- the input/output interface may be an input/output circuit.
- a processor including: an input circuit, an output circuit, and a processing circuit.
- the processing circuit is configured to receive a signal through the input circuit and transmit a signal through the output circuit, so that the processor executes the method in any possible implementation manner of the first aspect to the third aspect.
- the above-mentioned processor can be one or more chips
- the input circuit can be an input pin
- the output circuit can be an output pin
- the processing circuit can be a transistor, a gate circuit, a flip-flop, various logic circuits, etc.
- the input signal received by the input circuit may be received and input by, for example but not limited to, the receiver
- the output signal of the output circuit may be, for example but not limited to, output to the transmitter and transmitted by the transmitter
- the circuit may be the same circuit, which is used as an input circuit and an output circuit respectively at different times.
- the embodiment of the present application does not limit the specific implementation manners of the processor and various circuits.
- a processing device including a processor and a memory.
- the processor is used to read instructions stored in the memory, and can receive signals through the receiver and transmit signals through the transmitter, so as to execute the method in any possible implementation manner of the first aspect to the third aspect.
- there are one or more processors, and one or more memories.
- the memory may be integrated with the processor, or the memory may be set separately from the processor.
- the memory can be a non-transitory memory, such as a read-only memory (ROM), which can be integrated with the processor on the same chip or set on different chips; the embodiment of the present application does not limit the type of the memory or the configuration of the memory and the processor.
- a related data interaction process such as sending indication information may be a process of outputting indication information from a processor
- receiving capability information may be a process of receiving input capability information from a processor.
- the data output by the processor may be output to the transmitter, and the input data received by the processor may be from the receiver.
- the transmitter and the receiver may be collectively referred to as a transceiver.
- the processing device in the eleventh aspect above may be one or more chips.
- the processor in the processing device may be implemented by hardware or by software.
- the processor When implemented by hardware, the processor may be a logic circuit, an integrated circuit, etc.; when implemented by software, the processor may be a general-purpose processor, which is implemented by reading software codes stored in a memory, which can Integrated in a processor, it can exist independently of that processor.
- a computer program product includes a computer program (also referred to as code, or instruction) which, when executed, causes the computer to perform the method in any possible implementation manner of the first aspect to the third aspect.
- a computer-readable storage medium stores a computer program (also referred to as code, or instruction) which, when run on a computer, causes the method in any possible implementation manner of the first aspect to the third aspect to be executed.
- a fourteenth aspect provides a communication system, including the aforementioned security function network element; or including the aforementioned policy control function network element and security analysis network element; or including the aforementioned unified data management network element and security analysis network element.
- FIG. 1 is a schematic diagram of a communication system applicable to the method provided by the embodiment of the present application
- Fig. 2 is a schematic diagram of a fake base station attack
- Fig. 3 is a schematic flowchart of the method provided by the embodiment of the present application.
- Fig. 4 is a schematic flowchart of a method provided by another embodiment of the present application.
- Fig. 5 is a schematic flowchart of a method provided by another embodiment of the present application.
- Fig. 6 is a schematic flowchart of a method provided by another embodiment of the present application.
- Fig. 7 is a schematic flowchart of a method provided by another embodiment of the present application.
- FIG. 8 is a schematic block diagram of a communication device provided by an embodiment of the present application.
- FIG. 9 is a schematic block diagram of a communication device provided by another embodiment of the present application.
- FIG. 10 is a schematic diagram of a chip system provided by an embodiment of the present application.
- the technical solution of the embodiment of the present application can be applied to various communication systems, for example: a long term evolution (long term evolution, LTE) system, a frequency division duplex (frequency division duplex, FDD) system, a time division duplex (time division duplex, TDD) system, a universal mobile telecommunication system (universal mobile telecommunication system, UMTS), a worldwide interoperability for microwave access (worldwide interoperability for microwave access, WiMAX) communication system, a 5G system or new radio (new radio, NR), a sixth generation (6th generation, 6G) system, a future communication system, etc.
- the 5G mobile communication system described in this application includes a non-standalone (non-standalone, NSA) 5G mobile communication system or a standalone (standalone, SA) 5G mobile communication system.
- the communication system can also be a public land mobile network (public land mobile network, PLMN), a device-to-device (device-to-device, D2D) communication system, a machine-to-machine (machine-to-machine, M2M) communication system, an Internet of Things (Internet of Things, IoT) communication system, a vehicle to everything (vehicle to everything, V2X) communication system, or an uncrewed aerial vehicle (uncrewed aerial vehicle, UAV) communication system.
- “At least one of the following” or similar expressions refers to any combination of these items, including any combination of single items or plural items.
- at least one item (piece) of a, b, or c can represent: a, b, c, a-b, a-c, b-c, or a-b-c, where a, b, c can be single or multiple.
- words such as “first” and “second” are used to distinguish the same or similar items with basically the same function and effect.
- words such as “first” and “second” do not limit the quantity or execution order, and do not necessarily imply that the items are different.
- words such as “exemplary” or “for example” are used as examples, illustrations or illustrations. Any embodiment or design scheme described as “exemplary” or “for example” in the embodiments of the present application shall not be interpreted as being more preferred or more advantageous than other embodiments or design schemes.
- the use of words such as “exemplary” or “such as” is intended to present related concepts in a concrete manner for easy understanding.
- the network architecture and business scenarios described in the embodiments of the present application are for more clearly illustrating the technical solutions of the embodiments of the present application, and do not constitute limitations on the technical solutions provided by the embodiments of the present application. With the evolution of the network architecture and the emergence of new business scenarios, the technical solutions provided in the embodiments of the present application are also applicable to similar technical problems.
- To facilitate understanding of the embodiment of the present application, an application scenario of the embodiment of the present application is first described in detail with reference to FIG. 1.
- User equipment can be called terminal equipment, terminal, access terminal, subscriber unit, user station, mobile station, remote station, remote terminal, mobile device, user terminal, wireless communication device, user agent, or user device.
- the terminal device can also be a cellular phone, a cordless phone, a session initiation protocol (SIP) phone, a wireless local loop (WLL) station, a personal digital assistant (PDA), a handheld device with wireless communication function, a computing device or other processing device connected to a wireless modem, a vehicle-mounted device, an unmanned aerial vehicle, a wearable device, a terminal device in a 5G network or a terminal device in an evolved PLMN, etc., which is not limited in the embodiments of this application.
- Access network: provides network access functions for authorized users in a specific area, and can use transmission tunnels of different qualities according to user levels and business requirements.
- the access network may be an access network using different access technologies.
- the current access network technologies include: the radio access network technology used in the third generation (3rd generation, 3G) system, the radio access network technology used in the fourth generation (4th generation, 4G) system, or the next generation radio access network (next generation radio access network, NG-RAN) technology (such as the radio access technology used in the 5G system, etc.).
- the access network that implements the access network function based on the wireless communication technology may be called a radio access network (radio access network, RAN).
- the wireless access network can manage wireless resources, provide access services for terminals, and complete the forwarding of control signals and user data between terminals and the core network.
- the radio access network device may be, for example, a base station (NodeB), an evolved base station (evolved NodeB, eNB or eNodeB), a next generation base station node (next generation Node Base station, gNB) in a 5G mobile communication system, a base station in a future mobile communication system, or a wireless controller in a cloud radio access network (cloud radio access network, CRAN) scenario; the radio access network device can also be a relay station, an access point, a vehicle-mounted device, a drone, a wearable device, a network device in a 5G network or a network device in an evolved PLMN.
- the embodiment of the present application does not limit the specific technology and specific equipment form adopted by the radio access network equipment.
- Access management network element: mainly used for mobility management and access management, responsible for transferring user policies between user equipment and policy control function (policy control function, PCF) network elements, etc., and can be used to implement the functions of a mobility management entity (mobility management entity, MME) other than session management, for example the access authorization (authentication) function.
- the access management network element may be an access and mobility management function (access and mobility management function, AMF) network element.
- the access management network element may still be an AMF network element, or may have other names, which are not limited in this application.
- Session management network element: mainly used for session management, allocation and management of Internet protocol (Internet protocol, IP) addresses of user equipment, selection of manageable user plane functions, endpoints of policy control and charging function interfaces, downlink data notification, etc.
- the session management network element may be a session management function (session management function, SMF) network element.
- the session management network element may still be an SMF network element, or may have other names, which are not limited in this application.
- User plane network element: used for packet routing and forwarding, quality of service (quality of service, QoS) processing of user plane data, completion of user plane data forwarding, session/flow-based charging statistics, bandwidth limiting functions, etc.
- the user plane network element may be a user plane function (user plane function, UPF) network element.
- the user plane network element may still be a UPF network element, or may have other names, which are not limited in this application.
- Data network element: used to provide a network for transmitting data.
- the data network element may be a data network (data network, DN) network element.
- the data network element may still be a DN network element, or may have other names, which are not limited in this application.
- Policy control network element: a unified policy framework used to guide network behavior, and to provide policy rule information for control plane functional network elements (such as AMF and SMF network elements).
- the policy control network element may be a policy and charging rules function (policy and charging rules function, PCRF) network element.
- the policy control network element may be a policy control function (policy control function, PCF) network element.
- the policy control network element may still be a PCF network element, or may have other names, which are not limited in this application.
- Data management network element: used to process user equipment identification, access authentication, registration, and mobility management.
- the data management network element may be a unified data management (unified data management, UDM) network element; in the 4G communication system, the data management network element may be a home subscriber server (home subscriber server, HSS) network element. In the future communication system, the data management network element may still be a UDM network element, or may have other names, which are not limited in this application.
- Network exposure function (network exposure function, NEF)
- Application function (application function, AF)
- 5G core network (5G core network, 5GC)
- the AF can also communicate directly with other NFs in the 5GC without using the NEF in the control plane architecture, such as directly communicating with the PCF.
- Network data analysis function (network data analysis function, NWDAF)
- service level agreements (service level agreements, SLAs)
- 3GPP introduces artificial intelligence (AI) into the 5G network and adds a new network function (network function, NF): NWDAF.
- NWDAF is mainly used for the analysis of various network data, including network operation data collected from NFs, terminal- and network-related statistical data obtained from operation, administration and maintenance (OAM), and application data obtained from third-party AFs.
- the analysis results generated by NWDAF will also be output to NF, OAM or third-party AF.
- AF can use the analysis results of NWDAF to perform different optimization operations.
- 5G mobility management-related functions can request NWDAF to predict the mobile trajectory of the terminal.
- NWDAF obtains the historical location information of the terminal from OAM, and generates a mobility prediction model of the terminal by analyzing the historical location information of the terminal.
- NWDAF provides terminal mobility prediction information to 5G mobility management-related functions based on the current location of the terminal, enabling those functions to formulate more accurate network policies based on the terminal mobility prediction information and to complete optimized mobility management operations, for example allocating registration areas based on statistics of terminal locations, assisting handover decisions based on terminal location prediction information, and pre-selecting mobility anchor points based on terminal mobility trajectories.
- the OAM in the 5G network can also request the NWDAF to provide the analysis results of the service operation data in the network slice to optimize the management of network slice resources.
- NWDAF can provide the OAM with information on whether each slice satisfies the SLA and the distribution of user experience in the slice.
- the OAM system determines whether to adjust the resource allocation of each network slice according to the analysis result of the NWDAF.
- the third-party AF can subscribe to network performance prediction information from NWDAF and adjust the application layer based on the prediction information.
- the network performance prediction information may be the QoS prediction of service data transmission or the load prediction of the network providing services for the terminal.
- NWDAF provides analysis or prediction results to AF periodically or on demand according to AF's subscription request, so that AF can adjust its operating parameters.
- the Internet of Vehicles application can select different driving levels or judge whether to download maps or navigation data in advance according to QoS prediction, and can also select the transmission timing of background traffic according to the prediction of network load.
- N1, N2, N3, N4, N6, Nnwdaf, Nnef, Npcf, Nudm, Naf, Namf, and Nsmf are interface serial numbers.
- interface serial numbers refer to the meaning defined in 3GPP technical standards (technical standards, TS) 23.501.
- AMF, SMF, UPF, NEF, PCF, UDM, NWDAF, etc. shown in Figure 1 can be understood as network elements used to implement different functions in the core network, for example, they can be combined into network slices as required. These core network elements may be independent devices, or may be integrated into the same device to implement different functions. This application does not limit the specific forms of the above network elements.
- the way to enable the security protection needs to be determined according to the security protection policy.
- there are three types of security protection policies: enabled (REQUIRED), disabled (NOT NEEDED) and optional (PREFERRED).
- REQUIRED means that the security protection needs to be enabled
- NOT NEEDED means that the security protection is not required to be enabled
- PREFERRED means that enabling the security protection is preferred, that is, the security protection may be enabled or may not be enabled.
- the security protection policy is further subdivided into the control plane security protection policy and the user plane security protection policy, and each of them has the three values REQUIRED, NOT NEEDED and PREFERRED.
- the security protection policy in the 5G network involves two scenarios, namely the security protection policy used on the Uu interface between the UE and the RAN, and the security protection policy used on the PC5 interface directly connecting one UE with another UE.
- the UDM on the network side stores the security protection policy corresponding to the service subscribed to by the UE; this policy is not necessarily related to geographic location.
- the UE will obtain the PC5 security protection policy of the V2X service granularity from the PCF, specifically: the PCF will send a specific V2X
- the PC5 security protection policy will be determined according to the geographical location of the UE.
- taking the fake base station (fake base station, FBS) attack as an example of a man-in-the-middle (man-in-the-middle, MITM) attack, as shown in Figure 2:
- the base station and the AMF are connected through the N2 interface, and communicate through the N2 interface protocol.
- Attackers may deploy fake base stations to attract terminals to camp on fake base stations.
- the pseudo base station includes a base station part and a pseudo UE part.
- the base station part of the fake base station obtains the cell identity of a nearby real base station and impersonates that real base station near the UE, while broadcasting system messages such as the master information block (master information block, MIB) and system information block (system information block, SIB) to assist the UE in accessing the pseudo base station.
- the pseudo base station can change the cell selection information in the SIB message, increase the access threshold, and make it easier for the terminal to camp on the pseudo base station.
- the pseudo UE part in the pseudo base station can forward or modify part of the information of the real UE residing in the pseudo base station, access the real base station as a real UE, and communicate with the AMF through the N2 interface protocol.
- the communication content between the real terminal and the network can be sniffed, tampered with, and forged.
- the pseudo-base station equipment is similar in size to a laptop and is easy to move, so the attacker can move to different locations at will to attack.
- the Uu security protection policy may therefore not be able to guarantee secure communication between UEs in different locations and the network.
- although the PC5 security protection policy is determined according to the geographic location of the UE, it may not be able to guarantee the security of the PC5 interface if the attacker can move freely.
- the present application provides a method for obtaining security classification results, in order to obtain security classification results of different location areas, so as to facilitate adjustment of the security protection mode used by UE according to the security classification results of different location areas.
- FIG. 3 shows a method for obtaining security classification results provided by an embodiment of the present application. As shown in FIG. 3 , the method 300 may include S310 and S320, and each step will be described in detail below.
- the security function network element determines to perform security analysis on the target location area.
- a security function network element is a network element with security analysis functions.
- a security function network element may be a network element fully responsible for security analysis, or a network element with some security-related functions.
- security-related functions include, for example, determining the security policy used by a terminal device or network element, storing the security policy of a terminal device or network element, and storing the security capability of a terminal device or network element.
- the security function network element is a policy control function network element, a unified data management network element or a security analysis network element.
- the security analysis network element may be a network data analysis functional network element, or may be a functional network element that relies on artificial intelligence technology to perform security-related analysis on network data.
- performing a security analysis on the target location area refers to obtaining a security classification result of the target location area, and the security classification result of the target location area indicates the degree of potential attacks in the target location area.
- the security classification result of the target location area may include only one security classification result, or may include multiple security classification results.
- when the security classification result of the target location area includes only one security classification result, that result corresponds to one or more attacks, that is, it indicates the degree to which the one or more attacks potentially exist in the target location area.
- when it includes multiple security classification results, each of them corresponds to one or more attacks, and different security classification results correspond to different attacks.
- for example, the security classification result of the target location area includes two security classification results, corresponding to attack #1 and attack #2 respectively: the result corresponding to attack #1 indicates the degree of potential attack #1 in the target location area, and the result corresponding to attack #2 indicates the degree of potential attack #2 in the target location area.
- the security classification result of the target location area indicates the security of the target location area. It can be understood that the security of the target location area is the opposite of the degree of potential attack in the target location area: when the degree of potential attack in the target location area is high, the security of the target location area is low; when the degree of potential attack in the target location area is low, the security of the target location area is high.
- the embodiment of the present application does not limit the content of the security classification result.
- the content of the security classification result may be high, medium or low.
- when the security classification result is used to represent the security of the location area: if the degree of potential attack in the target location area is low, the content of the security classification result of the target location area is high; if the degree of potential attack in the target location area is medium, the content of the security classification result is medium; if the degree of potential attack in the target location area is high, the content of the security classification result is low.
- when the security classification result is used to indicate the degree of potential attack in the target location area: if the degree of potential attack in the target location area is low, the content of the security classification result is low; if the degree of potential attack is medium, the content of the security classification result is medium; if the degree of potential attack in the target location area is high, the content of the security classification result is high.
- the content of the security classification result may be that security enhancement is required or security enhancement is not required.
- if the degree of potential attack in the target location area is high, the security classification result of the target location area is that security enhancement is required; if the degree of potential attack in the target location area is low, the security classification result of the target location area is that no security enhancement is required.
- the content of the security rating result may be the probability of potential attacks. For example, if the probability of a potential attack in the target location area is 70%, the security classification result of the target location area is also 70%.
- the embodiment of the present application does not limit how the security function network element determines to perform security analysis on the target location area.
- the security function network element determines by default to perform security analysis on all location areas in the PLMN where the security function network element is located (hereinafter, the PLMN where the security function network element is located is recorded as the first PLMN), and all location areas in the first PLMN include the target location area.
- the security function network element performs security analysis on all location areas in the PLMN where it is located.
- the security function network element determines by default to perform security analysis on all location areas served by the security function network element, and all location areas served by the security function network element include the target location area.
- the security function network element determines the location areas it serves according to pre-configuration information. It should be noted that all location areas in the first PLMN may include, in addition to all location areas served by the security function network element, location areas not served by the security function network element.
- the security function network element performs security analysis on all location areas served by the security function network element.
- the security function network element receives third information from the first network element, and the third information is used to indicate that security analysis is performed on all location areas in the first PLMN; the security function network element determines, according to the third information, to perform security analysis on all location areas in the first PLMN, and all location areas in the first PLMN include the target location area.
- after the security function network element determines to perform security analysis on all location areas in the first PLMN, it performs security analysis on all location areas in the first PLMN.
- the first network element is a policy control function network element, a unified data management network element, or an application function network element.
- the third information includes the first identifier of each location area in all location areas in the first PLMN.
- the security function network element determines to perform security analysis on all location areas in the first PLMN according to the first identifier of each location area in all location areas in the first PLMN.
- the first identifier of the location area may include one or more of the following: coordinate information, geographic area identifier (geographical area identifier), address information, TAI, and cell ID. It should be noted that the first identifiers of different location areas in the first PLMN are different.
- the third information is 1-bit information. When the third information is "0", the third information is used to indicate that security analysis is performed on all location areas in the first PLMN; or, when the third information is "1", the third information is used to indicate that security analysis is performed on all location areas in the first PLMN.
- the security function network element determines whether to perform security analysis on all location areas in the first PLMN according to the value of the third information.
- the third information includes a first identifier of a preset first location area.
- the security function network element determines to perform security analysis on all location areas in the first PLMN according to the first identifier of a preset location area. For example, if the preset location area is location area #A, then when the third information includes the first identifier of location area #A, the security function network element determines to perform security analysis on all location areas in the first PLMN.
- when the first network element is an application function network element, the third information includes a security protection policy of a first service, where the first service is a service supported by the application function network element, and the security function network element accordingly determines to perform security analysis on all location areas in the first PLMN.
- the security function network element receives fourth information from the first network element, and the fourth information is used to indicate that security analysis is performed on all location areas served by the security function network element; the security function network element determines, according to the fourth information, to perform security analysis on all location areas it serves.
- the fourth information includes the first identifier of each location area in all location areas served by the security function network element.
- the security function network element determines to perform security analysis on all location areas served by the security function network element according to the first identifier of each location area in all location areas served by the security function network element. It should be noted that the identifiers of different location areas served by the security function network element are different.
- the fourth information is 1-bit information. When the fourth information is "0", the fourth information is used to indicate that security analysis is performed on all location areas served by the security function network element; or, when the fourth information is "1", the fourth information is used to indicate that security analysis is performed on all location areas served by the security function network element.
- the security function network element determines whether to perform security analysis on all location areas served according to the value of the fourth information.
- the fourth information includes the first identifier of the preset second location area, where the second location area belongs to the location area served by the security function network element.
- the security function network element determines to perform security analysis on all location areas served according to the preset first identifier of the second location area.
- for example, if the preset second location area is location area #B, then when the fourth information includes the first identifier of location area #B, the security function network element determines to perform security analysis on all location areas it serves.
- the security function network element receives the first identification of the target location area from the first network element; the security function network element determines to perform security analysis on the target location area according to the first identification of the target location area.
- the security function network element performs security analysis on the target location area corresponding to the first identifier.
- the first identifier of the target location area may be coordinate information, a geographical area identifier or address information; when the first identifier of the target location area is an identifier used inside the network, the first identifier of the target location area can be a TAI or a cell ID.
- the security function network element is pre-configured with the second identifier of the target location area, the pre-configuration information is used to indicate security analysis of the target location area, and the security function network element determines to perform security analysis on the target location area according to the pre-configured second identifier of the target location area.
- the second identification of the location area includes one or more of the following: coordinate information, geographical area identification, address information, TAI, cell ID.
- the first identifier of the location area is different from the second identifier of the location area, or the first identifier of the location area is the same as the second identifier of the location area, which is not limited in this embodiment of the present application.
- the second identifier of the target location area is an identifier used inside the network.
- the security function network element receives the first identifier of the first terminal device and the location area information of the first terminal device, where the location area information of the first terminal device is used to indicate that the first terminal device is located in the target location area; the security function network element determines according to the first identifier of the first terminal device that the security enhancement service is allowed for the first terminal device; the security function network element determines, according to the location area information of the first terminal device, to perform security analysis on the target location area where the first terminal device is located.
- performing security analysis on the location area where terminal devices that are allowed the security enhancement service are located, rather than on all location areas, can reduce the signaling used for data collection and the processing burden on the security function network element.
- allowing the security enhancement service for the first terminal device refers to allowing the security protection policy used by the first terminal device to be determined according to the security classification result of the location area where the first terminal device is located.
- the first identifier of the terminal device includes one or more of the following: IP address, SUPI, PEI, GPSI, IMSI, IMEI and MSISDN.
- the first identifier of the terminal device is an identifier used inside the network, for example, the first identifier of the terminal device includes one or more of the following: SUPI, GPSI.
- the location area information of the first terminal device includes: a first identifier of the location area where the first terminal device is located or a second identifier of the location area where the first terminal device is located.
- the location area information of the first terminal device includes the ID of the cell accessed by the first terminal device and/or the TAI of the first terminal device.
- the security function network element determines that the security enhancement service is allowed for the first terminal device, including: pre-configuring the first identifier of the first terminal device in the security function network element, where the pre-configuration information is used to indicate that the first terminal device is allowed to perform the security enhancement service.
- the security function network element determines that the first terminal device is allowed to perform the security enhancement service according to the preconfigured first identifier of the first terminal device.
- the determination by the security function network element that the security enhancement service is allowed for the first terminal device includes: the security function network element receives the second identifier of the first terminal device from the first network element, where the second identifier of the first terminal device is used to indicate that the security enhancement service is allowed for the first terminal device; after the security function network element receives the first identifier of the first terminal device, it determines, according to the correspondence between the first identifier of the first terminal device and the second identifier of the first terminal device, that the security enhancement service is allowed for the first terminal device. It should be noted that the security function network element is pre-configured with the correspondence between the first identifier of the first terminal device and the second identifier of the first terminal device.
- the determination by the security function network element that the security enhancement service is allowed for the first terminal device includes: the security function network element receives the second identifier of the first terminal device from the first network element, where the second identifier of the first terminal device is used to indicate that the security enhancement service is allowed for the first terminal device; the security function network element determines the first identifier of the first terminal device according to the second identifier of the first terminal device; after the security function network element receives the first identifier of the first terminal device, it determines that the security enhancement service is allowed for the first terminal device. It should be noted that the security function network element is pre-configured with the correspondence between the first identifier of the first terminal device and the second identifier of the first terminal device.
- the second identifier of the terminal device includes one or more of the following: user name of the external application, third-party user identifier, IP address, SUPI, PEI, GPSI, IMSI, IMEI and MSISDN.
- the second identifier of the terminal device is different from the first identifier of the terminal device, or the second identifier of the terminal device is the same as the first identifier of the terminal device, which is not limited in this embodiment of the present application.
- the second identifier of the terminal device is an identifier used outside the network.
- the second identifier of the terminal device includes one or more of the following: user name of an external application, third-party user identifier, IP address and MSISDN.
- Determining that the first terminal device is allowed to perform the security enhancement service according to the second identifier of the first terminal device received from the first network element can meet different requirements of the first network element.
- the security function network element acquires the first identifier of the first terminal device and the location area information of the first terminal device, including: the security function network element receives an access management policy association establishment request/modification message (AM policy association establishment/modification), where the access management policy association establishment request/modification message includes the first identifier of the first terminal device and the location area information of the first terminal device.
- obtaining the first identifier of the first terminal device and the location area information of the first terminal device by the security function network element includes: the security function network element receives a UE policy association establishment request/modification message (UE policy association establishment/modification), where the UE policy association establishment request/modification message includes the first identifier of the first terminal device and the location area information of the first terminal device.
- obtaining the first identifier of the first terminal device and the location area information of the first terminal device by the security function network element includes: the security function network element receives a session management policy association establishment request/modification message (SM policy association establishment/modification), where the session management policy association establishment request/modification message includes the first identifier of the first terminal device and the location area information of the first terminal device.
- the security function network element obtains the first identifier of the first terminal device and the location area information of the first terminal device, including: the security function network element receives a subscription data management get (Nudm_SDM_Get) or subscription data management subscribe (Nudm_SDM_Subscribe) message, where the subscription data management get/subscribe message includes the first identifier of the first terminal device and the location area information of the first terminal device.
- the security function network element acquires the first identifier of the first terminal device and the location area information of the first terminal device, including: the security function network element receives an access management policy association establishment request/modification message, where the access management policy association establishment request/modification message includes the first identifier of the first terminal device; if it is determined according to the first identifier of the first terminal device that the security enhancement service is allowed for the first terminal device, the security function network element obtains the location area information of the first terminal device. For example, the security function network element obtains the location area information of the first terminal device from the session management network element or the access and mobility management function network element.
- the security function network element acquires the first identifier of the first terminal device and the location area information of the first terminal device, including: the security function network element receives a UE policy association establishment request/modification message, where the UE policy association establishment request/modification message includes the first identifier of the first terminal device; when it is determined according to the first identifier of the first terminal device that the security enhancement service is allowed for the first terminal device, the security function network element acquires the location area information of the first terminal device. For example, the security function network element obtains the location area information of the first terminal device from the session management network element or the access and mobility management function network element.
- the security function network element acquires the first identifier of the first terminal device and the location area information of the first terminal device, including: the security function network element receives a session management policy association establishment request/modification message, where the session management policy association establishment request/modification message includes the first identifier of the first terminal device; if it is determined according to the first identifier of the first terminal device that the security enhancement service is allowed for the first terminal device, the security function network element acquires the location area information of the first terminal device. For example, the security function network element obtains the location area information of the first terminal device from the session management network element or the access and mobility management function network element.
- the security function network element acquires the first identifier of the first terminal device and the location area information of the first terminal device, including: the security function network element receives the subscription data management get/subscribe message, where the subscription data management get/subscribe message includes the first identifier of the first terminal device; when it is determined according to the first identifier of the first terminal device that the security enhancement service is allowed for the first terminal device, the security function network element acquires the location area information of the first terminal device. For example, the security function network element obtains the location area information of the first terminal device from the session management network element or the access and mobility management function network element.
- the security function network element receives the first identifier of the first terminal device and the location area information of the first terminal device, where the location area information of the first terminal device is used to indicate that the first terminal device is located in the target location area; the security function network element determines according to the first identifier of the first terminal device that the security enhancement service is allowed for the first terminal device; the security function network element determines that security analysis of the target location area is allowed; the security function network element determines to perform security analysis on the target location area.
- Performing security analysis on location areas where security analysis is allowed, rather than all location areas, can reduce the signaling for data collection and the processing burden on the security function network element.
- the security function network element determines that the security enhancement service is allowed for the first terminal device and that security analysis of the target location area is allowed, including: pre-configuring in the security function network element a correspondence between the first identifier of the first terminal device and the second identifier of the target location area, where the pre-configured information is used to indicate that the security enhancement service is allowed for the first terminal device located in the target location area; the security function network element obtains the first identifier of the first terminal device and the location area information of the first terminal device, and when the first identifier of the first terminal device and the location area information of the first terminal device satisfy the correspondence, the security function network element determines that the security enhancement service is allowed for the first terminal device and that security analysis of the target location area is allowed.
- the determination by the security function network element that the security enhancement service is allowed for the first terminal device and that security analysis of the target location area is allowed includes: pre-configuring the second identifier of the target location area in the security function network element, where the pre-configuration information is used to indicate security analysis of the target location area; the security function network element receives the second identifier of the first terminal device from the first network element, where the second identifier of the first terminal device is used to indicate that the first terminal device is allowed to perform the security enhancement service; after receiving the first identifier of the first terminal device and the location area information of the first terminal device, the security function network element determines, according to the correspondence between the first identifier of the first terminal device and the second identifier of the first terminal device, that the security enhancement service is allowed for the first terminal device, and determines according to the preconfigured first identifier of the target location area that security analysis of the target location area is allowed. It should be noted that the security function network element is pre-configured with a correspondence between the first identifier
- the determination by the security function network element that the security enhancement service is allowed for the first terminal device and that security analysis of the target location area is allowed includes: pre-configuring the first identifier of the first terminal device in the security function network element, where the pre-configuration information is used to indicate that the security enhancement service is allowed for the first terminal device; the security function network element receives the first identifier of the target location area from the first network element, where the first identifier of the target location area is used to indicate that security analysis is allowed on the target location area; after receiving the first identifier of the first terminal device and the location area information of the first terminal device, the security function network element determines that the security enhancement service is allowed for the first terminal device, and determines according to the first identifier of the target location area that security analysis of the target location area is allowed.
- the security function network element determines that the security enhancement service is allowed for the first terminal device and that security analysis of the target location area is allowed, including: the security function network element receives the second identifier of the first terminal device from the first network element, and the security function network element receives the first identifier of the target location area from the first network element; after the security function network element receives the first identifier of the first terminal device and the location area information of the first terminal device, it determines, according to the correspondence between the first identifier of the first terminal device and the second identifier of the first terminal device, that the security enhancement service is allowed for the first terminal device, and determines according to the first identifier of the target location area that security analysis of the target location area is allowed.
- the second identifier of the first terminal device and the first identifier of the target location area received by the security function network element may be carried in the same signaling or in different signaling, which is not limited in this embodiment of the present application.
- the security function network element may no longer perform security analysis on the target location area.
- the security function network element determining to perform security analysis on the target location area includes: the security function network element determining to perform security analysis on the target location area for target attacks.
- the target attack may include one or more of the following: air interface distributed denial of service (distributed denial of service, DDoS) attack, fake base station attack, DDoS attack against the core network, which is not specifically limited here.
- performing security analysis on a target location area for a target attack refers to obtaining a security classification result of the target location area for the target attack, and the security classification result of the target location area for the target attack indicates the degree to which a potential target attack exists in the target location area.
- the embodiment of the present application does not limit how the security function network element determines to perform security analysis on the target location area for the target attack.
- the security function network element performs security analysis on all attacks in the target location area by default, and all attacks include target attacks.
- all attacks refer to all attacks that the network and/or terminal equipment may suffer.
- the security function network element receives the identification of the target attack from the first network element, and the security function network element determines to perform security analysis on the target location area for the target attack according to the identification of the target attack.
- the security function network element receives the correspondence between the identifier of the target attack and the first identifier of the target location area from the first network element.
- the security function network element determines a security classification result of the target location area according to the first information.
- the first information is related to behavior information of terminal devices within the target location area.
- the behavior information of the terminal device may be used to describe the communication characteristics or movement parameters of the terminal device.
- the behavior information of the terminal device includes one or more of the following: traffic data of the terminal device, movement track information, the time at which the terminal device communicates with the network, the type of information communicated between the terminal device and the network, the location information of the terminal device, and the wake-up time of the terminal device.
- the behavior information of the terminal device may also include other data and/or information related to the behavior of the terminal device, and this embodiment of the present application does not limit that the behavior information of the terminal device only includes the above one or multiple items.
- the behavior information of the terminal device may not include the above one or multiple items, but include other data and/or information related to the behavior of the terminal device.
- the first information includes behavior information of terminal devices in the target location area
- the security function network element determines the security classification result of the target location area according to the first information.
- the information and/or the first abnormal behavior prediction result determines a security classification result for the target location area.
- the security function network element determines the security classification result of the target location area according to the proportion of terminal devices with abnormal behavior among the terminal devices in the target location area.
- if the proportion of terminal devices with abnormal behavior among the terminal devices in the target location area is greater than the preset threshold, it is considered that the degree of potential attack in the target location area is high, and the security classification result of the target location area is low or "security enhancement required"; if the proportion of terminal devices with abnormal behavior among the terminal devices in the target location area is less than or equal to the preset threshold, it is considered that the degree of potential attack in the target location area is low, and the security classification result of the target location area is high or "no security enhancement required".
- the first statistical information is information formed by statistically summarizing and calculating the behavior information of the terminal devices in the target location area, and can be used to describe the characteristics of the behavior information of the terminal devices in the target location area; for example, the first statistical information may include one or more of the following: the average communication frequency of the terminal devices in the target location area within a certain period of time, the average communication traffic of the terminal devices in the target location area, the maximum movement distance of the terminal devices in the target location area, and the average number of terminal devices within the target location area within a certain period of time.
- the first statistical information may also include one or more of the following: the maximum and/or minimum value of the communication frequency, determined according to the communication frequency of the terminal device within a period of time; the maximum and/or minimum value of the moving speed, determined according to the location information of the terminal device within a period of time; the maximum value of the range of motion, determined according to the location information of the terminal device within a period of time; and the maximum and/or minimum value of the communication traffic, determined according to the communication traffic information of the terminal device within a period of time.
- the abnormal behavior of the terminal device may include one or more of the following: the moving speed of the terminal device exceeds the maximum value of the moving speed range or is lower than the minimum value of the moving speed range; the moving distance of the terminal device within a short period of time exceeds the maximum value of the normal moving distance; the communication frequency exceeds the maximum value of the communication frequency range or is lower than the minimum value of the communication frequency range; the data communication traffic exceeds the maximum value of the communication traffic range or is lower than the minimum value of the communication traffic range.
- the embodiment of the present application does not limit the manner of statistically analyzing the behavior information of the terminal device, nor does it limit the manner of predicting the abnormal behavior of the behavior information of the terminal device.
- the step of statistically analyzing the behavior information of the terminal device by the security function network element includes: the security function network element acquires the behavior information of the terminal device, where the behavior information is the behavior information of one terminal device at multiple time points, or the behavior information of multiple terminal devices in the same location area; if the behavior information is the behavior information of one terminal device at multiple time points, the security function network element can count the time intervals between the multiple time points, so as to determine the time frequency, average communication traffic or average moving speed of the terminal device; if the behavior information is the behavior information of multiple terminal devices in the same location area, the security function network element can count the number of terminal devices in the location area, so as to determine the average traffic information of the multiple terminal devices, the average speed information of the multiple terminal devices, and the like.
- the way of predicting abnormal behavior from the behavior information of the terminal device includes: the AI model in the security function network element can be trained on the movement data, communication frequency and other data of a large number of different terminal devices to learn the activity frequency of a typical terminal device.
- the AI model can be used as a baseline for normal terminal equipment. If the data such as mobile data and communication frequency of a certain terminal equipment are significantly different from the AI model, it can be considered that the terminal equipment is abnormal.
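Added example in Python (not code from the patent application or any network element) that applies the classification rule given above: each terminal's behavior information is checked against the normal ranges of moving speed, moving distance, communication frequency and communication traffic, and the proportion of abnormal terminals is compared with the preset threshold. The normal ranges, the threshold, the field names and the five sample terminals are assumptions constructed for the example.

```python
"""Security classification of a target location area from terminal behaviour information.

Added illustration of the rule described above; not code from the patent or from any
network element. A terminal is flagged abnormal when its moving speed, communication
frequency or communication traffic lies outside a normal range, or when it moves
further than the normal distance within a short period. The location area is
classified "low / security enhancement required" when the proportion of abnormal
terminals exceeds a preset threshold. Ranges, threshold, field names and sample
terminals are constructed for this example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class NormalRange:
    """Closed [minimum, maximum] interval of one behaviour metric (assumed values)."""
    minimum: float
    maximum: float

    def contains(self, value: float) -> bool:
        return self.minimum <= value <= self.maximum


@dataclass(frozen=True)
class Baseline:
    """Normal ranges used to recognise abnormal behaviour (constructed values)."""
    speed_mps: NormalRange             # moving speed range, metres per second
    comm_freq_per_hour: NormalRange    # communication frequency range
    traffic_bytes: NormalRange         # communication traffic range per period
    max_short_term_distance_m: float   # normal moving distance within a short period


@dataclass(frozen=True)
class TerminalBehavior:
    """Behaviour information of one terminal device in the target location area."""
    terminal_id: str                   # internal identifier such as a SUPI (constructed)
    speed_mps: float
    comm_freq_per_hour: float
    traffic_bytes: float
    short_term_distance_m: float


def abnormal_reasons(tb: TerminalBehavior, baseline: Baseline) -> list:
    """Return the abnormal-behaviour conditions the terminal meets (empty if normal)."""
    reasons = []
    if not baseline.speed_mps.contains(tb.speed_mps):
        reasons.append("moving_speed")
    if tb.short_term_distance_m > baseline.max_short_term_distance_m:
        reasons.append("moving_distance")
    if not baseline.comm_freq_per_hour.contains(tb.comm_freq_per_hour):
        reasons.append("communication_frequency")
    if not baseline.traffic_bytes.contains(tb.traffic_bytes):
        reasons.append("communication_traffic")
    return reasons


def first_statistical_information(records: list) -> dict:
    """Summarise the terminals' behaviour information for the location area."""
    n = len(records)
    if n == 0:
        return {"terminal_count": 0}
    return {
        "terminal_count": n,
        "avg_comm_freq_per_hour": sum(r.comm_freq_per_hour for r in records) / n,
        "avg_traffic_bytes": sum(r.traffic_bytes for r in records) / n,
        "max_short_term_distance_m": max(r.short_term_distance_m for r in records),
    }


def security_classification(records: list, baseline: Baseline,
                            abnormal_ratio_threshold: float) -> dict:
    """Classify the location area from the proportion of abnormal terminals.

    proportion > threshold  -> result "low", security enhancement required
    proportion <= threshold -> result "high", no security enhancement required
    """
    abnormal = {r.terminal_id: abnormal_reasons(r, baseline) for r in records}
    abnormal = {tid: why for tid, why in abnormal.items() if why}
    proportion = len(abnormal) / len(records) if records else 0.0
    enhancement_required = proportion > abnormal_ratio_threshold
    return {
        "security_classification": "low" if enhancement_required else "high",
        "security_enhancement_required": enhancement_required,
        "abnormal_proportion": proportion,
        "abnormal_terminals": abnormal,
        "first_statistical_information": first_statistical_information(records),
    }


# Constructed baseline and sample behaviour information for one target location area.
BASELINE = Baseline(
    speed_mps=NormalRange(0.0, 30.0),
    comm_freq_per_hour=NormalRange(1.0, 60.0),
    traffic_bytes=NormalRange(1_000.0, 50_000_000.0),
    max_short_term_distance_m=5_000.0,
)
SAMPLE_RECORDS = [
    TerminalBehavior("supi-0001", 1.2, 10.0, 200_000.0, 300.0),      # normal
    TerminalBehavior("supi-0002", 0.0, 1500.0, 80_000_000.0, 0.0),   # excessive frequency and traffic
    TerminalBehavior("supi-0003", 55.0, 5.0, 10_000.0, 12_000.0),    # implausible movement
    TerminalBehavior("supi-0004", 3.0, 20.0, 5_000_000.0, 1_500.0),  # normal
    TerminalBehavior("supi-0005", 0.5, 2.0, 2_000.0, 50.0),          # normal
]
ABNORMAL_RATIO_THRESHOLD = 0.3  # preset threshold, constructed


if __name__ == "__main__":
    result = security_classification(SAMPLE_RECORDS, BASELINE, ABNORMAL_RATIO_THRESHOLD)
    print(result["security_classification"], result["abnormal_terminals"])
```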
- the embodiment of the present application does not limit the manner in which the security function network element acquires the behavior information of the terminal device in the target location area.
- the security function network element may collect behavior information of terminal devices in the target location area by itself.
- the security function network element may determine the data and/or information to be collected according to the target attack. For example, if the target attack involves the abnormal communication of the terminal equipment but does not involve the abnormal movement of the terminal equipment, then the security function network element collects the traffic data of the terminal equipment but does not collect the movement track information of the terminal equipment. It should be noted that the data and/or information to be collected for different attacks may be partially or completely the same, or partially or completely different.
- the security function network element may request the behavior information of the terminal device served by the data collection network element from the data collection network element in the target location area.
- the data collection network element can be one or more of the following network elements: access and mobility management function network element, session management function network element, user plane function network element, application function network element, policy control function network element, unified data management function network element.
- the security function network element sends a data collection request message to the data collection network element in the target location area, where the data collection request message is used to request the behavior information of the terminal equipment served by the data collection network element; the security function network element receives, from the data collection network element, the behavior information of the terminal equipment served by the data collection network element.
- the data collection request message is a data service request message, such as an event exposure (Namf_EventExposure) message requesting to collect information from the AMF, a Nsmf_EventExposure message requesting to collect information from the SMF, and the like.
- the data collection network element sends a data collection service response message to the security function network element, where the data collection service response message includes the behavior information of the terminal equipment served by the data collection network element.
- the data collection request message sent by the security function network element may be a subscription to a data collection event. For example, if there is a service-based interface between the security function network element and the data collection network element, the security function network element can request the behavior information of the terminal equipment served by the data collection network element by invoking the data collection subscription service of the data collection network element; if there is no service-based interface between the security function network element and the data collection network element, the security function network element can request the behavior information of the terminal equipment served by the data collection network element through a network element that has a service-based interface.
- the security function network element may send a data collection request message to the multiple data collection network elements.
- the data collection request message may also include a second identifier of the target location area, where the second identifier of the target location area is used to indicate that the data collection network element collects the behavior information of the terminal equipment in the target location area.
- the security function network element may choose the data collection network element to which the data collection request message is sent according to the target location area and the target attack. For example, if the target attack is a DDoS attack against the core network, the security function network element determines the access and mobility management function network element serving the target location area and sends the data collection request message to it.
- the data collection request message further includes a first time interval parameter and/or a first threshold; the first time interval parameter indicates the period for reporting the behavior information of the terminal device, and the first threshold indicates the minimum or maximum value that triggers reporting of the behavior information of the terminal device.
- if the data collection request message includes the first time interval parameter, the data collection network element periodically sends the behavior information of the terminal device to the security function network element according to the first time interval parameter.
- if the first threshold indicates the minimum value that triggers reporting, the data collection network element sends the security function network element the behavior information of terminal devices whose value is greater than or equal to the first threshold; if the first threshold indicates the maximum value that triggers reporting, the data collection network element sends the behavior information of terminal devices whose value is less than or equal to the first threshold.
- the first threshold indicates one or more of the following: a maximum and/or minimum value of communication frequency, a maximum and/or minimum value of moving speed, a maximum and/or minimum value of communication traffic.
- the security function network element determines the security classification result of the target location area according to the periodically received behavior information of the terminal device.
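The reporting rule of the first time interval parameter and the first threshold, as an added example in Python (not code from the application): a threshold marked as a minimum reports records at or above it, one marked as a maximum reports records at or below it, and the selected records are grouped into reporting periods. The metric names, the record layout, the OR semantics across several thresholds and the sample records are assumptions made for this example.

```python
"""Added example: threshold- and period-driven reporting of UE behavior
information by a data collection network element. Not code from the patent
application; metric names, record layout and sample data are assumptions."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Threshold:
    """One bound of the first threshold. kind == "min" reports values greater
    than or equal to bound; kind == "max" reports values less than or equal."""
    metric: str      # "comm_frequency", "moving_speed" or "comm_traffic" (assumed names)
    kind: str
    bound: float

    def triggers(self, value: float) -> bool:
        if self.kind == "min":
            return value >= self.bound
        if self.kind == "max":
            return value <= self.bound
        raise ValueError(f"unknown threshold kind {self.kind!r}")


@dataclass
class DataCollectionRequest:
    location_area_id: str                      # second identifier of the target area
    period_s: Optional[int] = None             # first time interval parameter
    thresholds: List[Threshold] = field(default_factory=list)   # first threshold


@dataclass
class BehaviorRecord:
    ue_id: str
    location_area_id: str
    ts: int                                    # seconds since collection started
    metrics: Dict[str, float]


def select_reports(records: List[BehaviorRecord],
                   request: DataCollectionRequest) -> List[BehaviorRecord]:
    """Records the data collection NE reports for this request.

    Only UEs in the requested location area are considered. Without a
    threshold every record is reported; with thresholds a record is reported
    as soon as any configured bound is triggered (OR semantics, an assumption
    of this example; a metric absent from a record cannot trigger).
    """
    selected = []
    for rec in records:
        if rec.location_area_id != request.location_area_id:
            continue
        if not request.thresholds:
            selected.append(rec)
            continue
        for thr in request.thresholds:
            value = rec.metrics.get(thr.metric)
            if value is not None and thr.triggers(value):
                selected.append(rec)
                break
    return selected


def batch_by_period(records: List[BehaviorRecord],
                    period_s: Optional[int]) -> Dict[int, List[BehaviorRecord]]:
    """Group reports into reporting periods of period_s seconds, keyed by the
    period index; without a period everything lands in a single batch 0."""
    batches: Dict[int, List[BehaviorRecord]] = {}
    for rec in records:
        idx = rec.ts // period_s if period_s else 0
        batches.setdefault(idx, []).append(rec)
    return batches


# Constructed sample records for two location areas (not real network data).
SAMPLE_RECORDS = [
    BehaviorRecord("ue-1", "TA-A", 5,
                   {"comm_frequency": 50, "moving_speed": 3, "comm_traffic": 100}),
    BehaviorRecord("ue-2", "TA-A", 15,
                   {"comm_frequency": 5, "moving_speed": 120, "comm_traffic": 2000}),
    BehaviorRecord("ue-3", "TA-B", 20,
                   {"comm_frequency": 90, "moving_speed": 150, "comm_traffic": 5000}),
    BehaviorRecord("ue-4", "TA-A", 65,
                   {"comm_frequency": 2, "moving_speed": 1, "comm_traffic": 10}),
]


def demo() -> Dict[str, List[str]]:
    """Run three request shapes against the sample and return the UE ids
    reported for each, so the behaviour can be checked without printing."""
    periodic_min = DataCollectionRequest(
        "TA-A", period_s=60,
        thresholds=[Threshold("comm_frequency", "min", 40),
                    Threshold("moving_speed", "min", 100)])
    max_only = DataCollectionRequest(
        "TA-A", thresholds=[Threshold("comm_traffic", "max", 50)])
    periodic_all = DataCollectionRequest("TA-A", period_s=60)
    return {
        "min_thresholds": [r.ue_id for r in select_reports(SAMPLE_RECORDS, periodic_min)],
        "max_threshold": [r.ue_id for r in select_reports(SAMPLE_RECORDS, max_only)],
        "second_period": [r.ue_id for r in
                          batch_by_period(select_reports(SAMPLE_RECORDS, periodic_all), 60)[1]],
    }


if __name__ == "__main__":
    print(demo())
```

The UE in TA-B never appears in any report because the second identifier scopes collection to the requested area; ue-4 is reported only by the maximum-traffic threshold or, with no threshold at all, in the second 60-second period.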
- the first information includes the second information sent by the security analysis network element.
- the security function network element receives the second information from the security analysis network element, and the second information includes second statistical information, a second abnormal behavior prediction result, and/or the security classification result of the location area managed by the security analysis network element. The second statistical information is obtained by statistically analyzing the behavior information of the terminal equipment in the location area managed by the security analysis network element; the second abnormal behavior prediction result is obtained by predicting abnormal behavior from that behavior information; and the security classification result of the managed location area is determined according to that behavior information. The location area managed by the security analysis network element corresponds to the target location area.
- the location area managed by the security analysis network element is the target location area, or the location area managed by the security analysis network element is a part of the target location area.
- the security function network element determines the security classification result of the target location area according to the second information.
- the security function network element is a central security analysis network element.
- the security analysis network element is a distributed security analysis network element.
- the distributed security analysis network element is used to perform preliminary security analysis on the managed location area, that is, to conduct preliminary statistics and analysis on the collected data to obtain preliminary analysis data (such as second statistical information and/or second abnormal behavior prediction results).
- the central security analysis network element is used to receive the preliminary analysis data from the distributed security analysis network elements, and perform final analysis on the preliminary analysis data to obtain the security classification result of the location area.
- the security classification result of the target location area is the security classification result of the location area managed by the security analysis network element.
- the security function network element receives second information sent by each of multiple security analysis network elements, that is, the first information includes multiple pieces of second information, and the union of the location areas managed by the multiple security analysis network elements is the target location area.
- the security function network element determines the security classification result of the target location area according to the multiple pieces of second information.
- the security function network element determines the security classification result of the location area managed by each security analysis network element according to the corresponding piece of second information, that is, the security classification result of the target location area includes the security classification results of the location areas managed by the multiple security analysis network elements.
- the security analysis network element sends the second information to the security function network element according to a request of the policy control function network element or the unified data management network element. That is, the security analysis network element receives a security analysis request message from the policy control function network element or the unified data management network element, the security analysis request message requesting security analysis of the location area managed by the security analysis network element; the security analysis network element acquires, according to the security analysis request message, the behavior information of the terminal equipment in the managed location area and determines the second information from it; the security analysis network element then sends the second information to the security function network element.
- the security analysis request message requests the security analysis network element to perform security-related analysis for a certain analysis service, for example to analyze the security risk of a certain potential attack. For example, the security analysis request message is an analytics information request (Nnwdaf_AnalyticsInfo_Request) or an analytics subscription (Nnwdaf_AnalyticsSubscription_Subscribe) message that requests the NWDAF network element to analyze abnormal behavior of the UE.
- the security analysis request message further includes a second time interval parameter, and the second time interval parameter is used to indicate a period for reporting the second information.
- the security analysis network element periodically sends the second information to the security function network element according to the second time interval parameter.
- the security function network element determines the security classification result of the target location area according to the periodically received second information.
- the method 300 further includes: the security function network element sending the security classification result of the location area managed by the security analysis network element to the security analysis network element. Further, the security analysis network element sends the security classification result of the location area managed by the security analysis network element to the policy control function network element or the unified data management network element.
- the security analysis request message also includes an analysis identifier, which identifies that the multiple security analysis request messages sent by the policy control function network element or the unified data management network element belong to the same security analysis; in other words, the analysis identifier identifies the security analysis performed on the target location area.
- when the security analysis network element sends the security classification result of the location area it manages to the policy control function network element or the unified data management network element, the analysis identifier is also included.
- when the policy control function network element or the unified data management network element receives multiple pieces of second information from multiple security analysis network elements, it determines from the analysis identifier that the security classification results of the multiple location areas belong to the same security analysis.
- the security analysis network element sends the second information to the security function network element according to a request of the security function network element. That is, the security function network element sends a security analysis request message to the security analysis network element, requesting the security analysis network element to perform security analysis on the location area it manages; the security analysis network element acquires, according to the security analysis request message, the behavior information of the terminal equipment in the managed location area and determines the second information from it; the security analysis network element then sends the second information to the security function network element.
- the security analysis request message further includes a second time interval parameter, and the second time interval parameter is used to indicate a period for reporting the second information.
- the security analysis network element periodically sends the second information to the security function network element according to the second time interval parameter.
- the security function network element determines the security classification result of the target location area according to the periodically received second information.
- the security analysis request message also includes an analysis identifier, which identifies that the multiple security analysis request messages sent by the security function network element belong to the same security analysis; in other words, the analysis identifier identifies the security analysis performed on the target location area.
- the second information sent by the security analysis network element to the security function network element also includes the analysis identifier. After receiving multiple pieces of second information from multiple security analysis network elements, the security function network element determines that the multiple pieces of second information are used to determine the security classification result of the target location area according to the analysis identifier included in the second information.
- the method 300 further includes: the security function network element determining a security protection mode for the first terminal device, where the security protection mode is determined according to a security classification result of the target location area.
- the security protection mode includes a Uu interface security protection mode and/or a PC5 interface security protection mode.
- the Uu interface security protection mode includes a Uu interface user plane security protection mode and/or a Uu interface control plane security protection mode.
- the PC5 interface security protection mode includes a PC5 interface user plane security protection mode and/or a PC5 interface control plane security protection mode.
- the security function network element sends the security protection mode determined for the first terminal device.
- the embodiment of the present application does not limit how to determine the security protection mode according to the security classification result of the target location area.
- for example, if the security classification result of the target location area is low, the security protection mode is determined to be enabling security protection; if the security classification result of the target location area is high, or indicates that security enhancement is not required, the security protection mode may be determined to be either enabling or not enabling security protection; if the security classification result of the target location area is medium, whether to enable security protection may be determined according to the transmission and processing performance of the first terminal device and the network.
- the security protection mode is determined to be enabling air interface security protection or enabling additional authentication for air interface access.
- the security function network element may periodically determine a security protection enabling mode for the first terminal device.
- the security function network element can dynamically adjust the security protection activation mode of the first terminal device according to the security of the target location area, so as to better ensure the security of the network and the first terminal device.
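The central-side handling described above, as an added example in Python (not code from the application): the security function network element keeps only the second information carrying the expected analysis identifier, checks that the managed areas of the reporting security analysis network elements add up to the target location area, derives the target area result, and maps that result to a security protection mode. The three-level ordering, the rule that the target area takes its weakest per-area result, and the reading of the medium-level performance criterion are assumptions of this example; the application leaves the determination rule open.

```python
"""Added example: a central security function NE correlating second
information from distributed security analysis NEs by analysis identifier,
deriving the target location area result and choosing a protection mode.
Not code from the application; the level ordering, the worst-of rule and the
medium-level performance rule are assumptions."""
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Set, Tuple

# Security classification results from least to most secure (assumed ordering;
# "low" is the level at which the text forcibly enables protection).
LEVELS = ("low", "medium", "high")


@dataclass(frozen=True)
class SecondInformation:
    analysis_id: str        # ties the message to one security analysis
    analysis_ne: str        # distributed security analysis NE that sent it
    location_area_id: str   # area it manages, part of the target area
    classification: str     # security classification result of that area


def classify_target_area(target_area_ids: Iterable[str],
                         messages: Iterable[SecondInformation],
                         analysis_id: str
                         ) -> Tuple[Optional[str], Dict[str, str], Set[str]]:
    """Return (target result, per-area results, areas still missing).

    Messages carrying another analysis identifier are ignored. The managed
    areas must sum to the target area, so the target result is None until
    every area has reported; it is then the weakest per-area result.
    """
    per_area: Dict[str, str] = {}
    for msg in messages:
        if msg.analysis_id != analysis_id:
            continue
        if msg.classification not in LEVELS:
            raise ValueError(f"unknown classification {msg.classification!r}")
        per_area[msg.location_area_id] = msg.classification
    missing = set(target_area_ids) - set(per_area)
    if missing:
        return None, per_area, missing
    overall = min(per_area.values(), key=LEVELS.index)
    return overall, per_area, missing


def protection_mode(classification: str, ue_perf_ok: bool = True,
                    network_perf_ok: bool = True,
                    default_when_high: str = "disable") -> str:
    """Map a classification result to "enable" or "disable" security protection.

    low: protection is forcibly enabled. high (or enhancement not required):
    either choice is permitted, so an operator default is applied. medium:
    enabled only when both UE and network have the transmission and processing
    headroom for it (assumed reading of the performance criterion).
    """
    if classification == "low":
        return "enable"
    if classification in ("high", "not_required"):
        return default_when_high
    if classification == "medium":
        return "enable" if (ue_perf_ok and network_perf_ok) else "disable"
    raise ValueError(f"unknown classification {classification!r}")


# Constructed sample: three distributed NEs cover the target area TA-1..TA-3;
# one stale message belongs to an earlier analysis and must be ignored.
TARGET_AREA = ("TA-1", "TA-2", "TA-3")
SAMPLE_MESSAGES = [
    SecondInformation("an-7", "nwdaf-east", "TA-1", "high"),
    SecondInformation("an-7", "nwdaf-west", "TA-2", "medium"),
    SecondInformation("an-3", "nwdaf-south", "TA-3", "low"),    # earlier analysis
    SecondInformation("an-7", "nwdaf-south", "TA-3", "high"),
]


def demo() -> Dict[str, object]:
    overall, per_area, _ = classify_target_area(TARGET_AREA, SAMPLE_MESSAGES, "an-7")
    return {
        "overall": overall,
        "per_area": per_area,
        "mode_fast_ue": protection_mode(overall),
        "mode_slow_ue": protection_mode(overall, ue_perf_ok=False),
        "missing_for_an_3": classify_target_area(TARGET_AREA, SAMPLE_MESSAGES, "an-3")[2],
    }


if __name__ == "__main__":
    print(demo())
```

Without the analysis identifier check the stale "low" result for TA-3 would drag the whole target area down and force protection on every UE there; with it, the target area is classified medium and the decision falls back on the performance criterion.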
- the security function network element sending the security protection mode determined for the first terminal device includes: the security function network element sending a registration acceptance message to the access and mobility management function network element, the registration acceptance message including the security protection mode.
- the security function network element sending the security protection mode determined for the first terminal device includes: the security function network element sends a session management policy association modification message to the session management network element, and the session management policy association modification message includes the security protection mode.
- the method 300 further includes: the security function network element receiving a security policy request message, where the security policy request message includes location area information of the first terminal device.
- the security function network element determines a security protection mode for the first terminal device according to the security classification result of the target location area.
- the security function network element receiving the security policy request message includes: the security function network element receives an access management policy association establishment request/modification message from the access and mobility management function network element, the message including the location area information of the first terminal device.
- the security function network element receiving the security policy request message includes: the security function network element receives a UE policy association establishment request/modification message from the access and mobility management function network element, the message including the location area information of the first terminal device.
- the security function network element receiving the security policy request message includes: the security function network element receives a session management policy association establishment request/modification message from the session management function network element, the message including the location area information of the first terminal device.
- the security function network element receiving the security policy request message includes: the security function network element receives a subscription data management acquisition/subscription message from the access and mobility management function network element, the message including the location area information of the first terminal device.
- the security function network element receiving the security policy request message includes: the security function network element receives a subscription data management acquisition/subscription message from the session management function network element, the message including the location area information of the first terminal device.
- the method 300 further includes: the security function network element sends the first mapping relationship to the policy control function network element or the unified data management network element, the first mapping relationship including the identifier of the target location area and the security classification result of the target location area.
- the identifier of the target location area is the first identifier of the target location area or the second identifier of the target location area.
- the first mapping relationship includes the identifier of the target location area, the identifier of the target attack, and the security classification result of the target location area against the target attack.
- the security function network element can determine the security classification result of the target location area according to the behavior information of the terminal equipment in the target location area, after performing security analysis on the target location area by default or according to the instruction of the first network element. This makes it possible to decide, according to the security classification result of the target location area, whether to perform security enhancement for the terminal equipment in the target location area, so as to better ensure the security of the network and the terminal equipment. For example, when the security classification result of the target location area is low, security protection is forcibly enabled, which prevents the network or the terminal equipment from being attacked to a certain extent.
- the security classification result of the target location area against the target attack can be obtained, which makes it possible to determine, according to that result, a security protection mode that can prevent the target attack for the terminal devices in the target location area. For example, when the security classification result of the target location area against an air interface DDoS attack indicates a high degree of potential air interface DDoS attack in the target location area, air interface security protection or additional authentication for air interface access may be enabled.
- S320 may be executed by a network element with a security analysis function, for example, by a security analysis network element.
- FIG. 4 shows a method for obtaining security classification results provided by an embodiment of the present application.
- the method 400 may include S401 to S410 , and each step will be described in detail below.
- the PCF or UDM determines a security protection policy according to AF requirements.
- the AF signs a contract with the network operator, and the network operator pre-configures the Uu interface security protection policy used by the UE to the UDM according to the requirements of the AF.
- the AF signs a contract with the network operator, and the network operator pre-configures the PCF with the PC5 interface security protection policy used by the UE according to the requirements of the AF.
- the AF sends an AF request message carrying the UE's security requirements on the PC5 interface to the PCF, and the network side determines the PC5 interface security protection policy used by the UE according to the AF requirements; the AF request message can be forwarded to the PCF by the NEF or sent directly to the PCF.
- the security protection policy of the Uu interface or of the PC5 interface is the security protection policy used by the UE for the service corresponding to the AF.
- the AF also sends fifth information to the PCF or UDM, to instruct to perform security analysis on one or more location areas.
- the network operator acquires the fifth information and pre-configures it in the UDM when signing a contract with the AF, or the AF sends the fifth information to the PCF.
- the fifth information includes first identifiers of one or more location areas.
- the fifth information includes the first identifier of each location area in all location areas in the PLMN where the PCF or UDM is located (hereinafter the PLMN where the PCF or UDM is located is denoted as the second PLMN).
- for the first identifier of the location area, reference may be made to S310 above. It should be noted that the identifiers of different location areas in the second PLMN are different.
- the fifth information includes a first identifier of a preset first location area, so as to indicate that security analysis is performed on all location areas in the second PLMN.
- when the fifth information does not carry the first identifier of any location area, the fifth information indicates that security analysis is to be performed on all location areas in the second PLMN.
- the fifth information includes preset information for instructing to perform security analysis on all location areas in the second PLMN.
- the preset information may be preset value information, such as 1-bit information or full-area analysis indication information, and the specific content is not limited here.
- the fifth information further includes attack identifiers corresponding to one or more location areas, so as to indicate that security analysis is performed on one or more location areas for a specific attack.
- the fifth information includes a preset attack identifier, so as to indicate that security analysis is performed on all attacks in one or more location areas.
- when the fifth information does not carry any attack identifier, the fifth information indicates that security analysis is to be performed for all attacks in the one or more location areas.
- the fifth information includes a correspondence relationship between the first identifier of the location area and the identifier of the attack.
- the security protection policy and the fifth information sent by AF to PCF or UDM can be carried in the same signaling or in different signaling.
- the PCF or UDM can also obtain the security protection policy and the fifth information through the contract signed between the AF and the operator network; this is not limited in this embodiment of the present application.
- the PCF or UDM determines a location analysis list.
- the PCF or UDM determines a location analysis list according to the security protection policy, and the location analysis list includes the first identifier or the second identifier of each location area in all location areas of the second PLMN. That is to say, if the PCF or UDM does not receive the fifth information from the AF, the PCF or UDM performs security analysis on all location areas in the second PLMN by default.
- the second identifier of the location area reference may be made to the above S310.
- the PCF or UDM may also determine an attack analysis list according to the security protection policy, and the attack analysis list includes all attack identifiers. That is to say, if the PCF or UDM does not obtain the fifth information from the AF, the PCF or UDM performs security analysis on all location areas in the second PLMN for all attacks by default.
- the PCF or UDM determines the location analysis list according to the fifth information.
- the fifth information includes first identifiers of one or more location areas
- the location analysis list determined by the PCF or UDM according to the fifth information includes the first identifiers or second identifiers of the one or more location areas.
- if the fifth information includes the first identifier of the preset first location area, the location analysis list determined by the PCF or UDM according to the fifth information includes the first identifier or the second identifier of each location area in all location areas of the second PLMN.
- the PCF or UDM performs security analysis on all location areas in the second PLMN for all attacks by default.
- the PCF or UDM also determines an attack analysis list according to the fifth information, and the attack analysis list includes the attack identifiers corresponding to the one or more location areas.
- the PCF or UDM further determines an attack analysis list according to the fifth information, and the attack analysis list includes all attack identifiers.
- the location analysis list and/or attack analysis list determined by the PCF or UDM are shown in Table 1.
- the identifier of the location area 1 may be the first identifier or the second identifier of the location area 1
- the identifier of the location area 2 may be the first identifier or the second identifier of the location area 2.
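How the PCF or UDM could derive the location analysis list and the attack analysis list (the content of Table 1) from the fifth information, as an added example in Python (not code from the application). It implements the defaults stated above: no fifth information, no location area identifier, the preset first location area identifier, or the full-area indication all expand to every location area of the second PLMN, and a missing or preset attack identifier expands to every attack. The marker values `ALL_AREAS` and `ALL_ATTACKS`, the field names and the sample PLMN are assumptions of this example.

```python
"""Added example: deriving the location analysis list and attack analysis
list (Table 1) from the fifth information sent by the AF. Not code from the
application; marker values, field names and sample data are assumptions."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Assumed encodings of the preset first location area identifier and the
# preset attack identifier that stand for "every area" / "every attack".
ALL_AREAS_MARKER = "ALL_AREAS"
ALL_ATTACKS_MARKER = "ALL_ATTACKS"


@dataclass
class FifthInformation:
    location_area_ids: List[str] = field(default_factory=list)          # first identifiers
    attack_ids_by_area: Dict[str, List[str]] = field(default_factory=dict)
    full_plmn_indication: bool = False     # preset 1-bit full-area analysis indication


def location_analysis_list(fifth: Optional[FifthInformation],
                           plmn_areas: List[str]) -> List[str]:
    """Areas to analyse: every area of the second PLMN when the AF sent no fifth
    information, listed no areas, listed the preset first location area, or set
    the full-PLMN indication; otherwise exactly the listed areas."""
    if (fifth is None or fifth.full_plmn_indication
            or not fifth.location_area_ids
            or ALL_AREAS_MARKER in fifth.location_area_ids):
        return list(plmn_areas)
    unknown = [a for a in fifth.location_area_ids if a not in plmn_areas]
    if unknown:
        raise ValueError(f"areas not in this PLMN: {unknown}")
    return list(fifth.location_area_ids)


def attack_analysis_list(fifth: Optional[FifthInformation], areas: List[str],
                         known_attacks: List[str]) -> Dict[str, List[str]]:
    """Attacks to analyse per area: all known attacks when no attack identifier
    (or the preset one) was given for that area, else the listed ones."""
    out: Dict[str, List[str]] = {}
    for area in areas:
        ids = [] if fifth is None else fifth.attack_ids_by_area.get(area, [])
        if not ids or ALL_ATTACKS_MARKER in ids:
            out[area] = list(known_attacks)
        else:
            out[area] = list(ids)
    return out


def table1_rows(fifth: Optional[FifthInformation], plmn_areas: List[str],
                known_attacks: List[str]) -> List[Tuple[str, str]]:
    """(location area identifier, attack identifier) rows as Table 1 lists them;
    this is what the subscription information to the security analysis NE carries."""
    areas = location_analysis_list(fifth, plmn_areas)
    attacks = attack_analysis_list(fifth, areas, known_attacks)
    return [(area, atk) for area in areas for atk in attacks[area]]


# Constructed second PLMN with three location areas and three attack types.
PLMN_AREAS = ["TA-1", "TA-2", "TA-3"]
KNOWN_ATTACKS = ["attack-A", "attack-B", "attack-C"]


def demo() -> Dict[str, List[Tuple[str, str]]]:
    """Four shapes of fifth information and the Table 1 rows each yields."""
    one_area_one_attack = FifthInformation(["TA-2"], {"TA-2": ["attack-A"]})
    two_areas_partial = FifthInformation(["TA-1", "TA-3"], {"TA-1": ["attack-B"]})
    preset_area = FifthInformation([ALL_AREAS_MARKER], {"TA-2": [ALL_ATTACKS_MARKER]})
    return {
        "no_fifth": table1_rows(None, PLMN_AREAS, KNOWN_ATTACKS),
        "one_area_one_attack": table1_rows(one_area_one_attack, PLMN_AREAS, KNOWN_ATTACKS),
        "two_areas_partial": table1_rows(two_areas_partial, PLMN_AREAS, KNOWN_ATTACKS),
        "preset_area": table1_rows(preset_area, PLMN_AREAS, KNOWN_ATTACKS),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```

The unknown-area check matters in practice: a location area identifier that is not part of the second PLMN would otherwise silently produce a subscription the security analysis network element can never satisfy.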
- the NEF may determine the location analysis list and/or the attack analysis list, and then the NEF sends the location analysis list and/or the attack analysis list to the PCF or the UDM.
- the PCF or UDM sends subscription information to the security analysis network element.
- the subscription information is used to subscribe to the security classification results of the location areas.
- the subscription information includes the location analysis list determined by the PCF or UDM.
- the subscription information also includes the attack analysis list.
- the security analysis network element acquires behavior information of the UE.
- after the security analysis network element receives the subscription information from the PCF or UDM, it obtains the behavior information of the UE according to the location analysis list included in the subscription information, or according to the location analysis list and the attack analysis list included in the subscription information.
- S404 includes: the security analysis network element determines, according to the location analysis list and/or the attack analysis list in the subscription information from the PCF or UDM, the UE behavior information to be obtained, and determines the target network element and the data collection request message, where the target network element includes one or more network elements.
- the security analysis network element sends the data collection request message to the target network element, the data collection request message being used to request the behavior information of the UEs served by the target network element; the security analysis network element then receives the behavior information of the UEs served by the target network element.
- the target network element may be AMF, SMF, UPF, AF, PCF and UDM, which are not specifically limited here. It should be noted that, in FIG. 4, only the security analysis network element obtains the behavior information of the UE from the SMF or AMF as an example.
- the security analysis network element determines a security classification result of the location area.
- the security analysis network element determines the security classification result of the location area corresponding to the location analysis list, and the location area corresponding to the location analysis list is the location area identified by the identifier of the location area included in the location analysis list.
- the location analysis list includes the identifier of location area 1 and the identifier of location area 2, and the location areas corresponding to the location analysis list are location area 1 and location area 2.
- the security classification result reference may be made to S310 above.
- the security analysis network element determines the security classification result of the location area corresponding to the location analysis list according to the behavior information of the UE obtained from the target network element. Specifically, for a manner in which the security analysis network element determines the security classification result of the location area according to the behavior information of the UE, reference may be made to the description in S320 above.
- the security analysis network element determines security classification results for specific attacks in different location areas.
- the attack analysis list includes the identifier of the attack A corresponding to the location area 1, and the security analysis network element determines the security classification result of the location area 1 for the attack A.
- the security analysis network element sends the first mapping relationship to the PCF or the UDM.
- the first mapping relationship includes a correspondence relationship between location area identifiers and security classification results.
- the first mapping relationship may include a correspondence between location area identifiers, attack identifiers, and security classification results.
- the first mapping relationship sent by the security analysis network element to the PCF or UDM is shown in Table 2.
- the security classification result 1 indicates the extent of potential attacks in location area 1
- the security classification result 2 indicates the extent of potential attacks in location area 2.
- Table 2 only uses the one-to-one correspondence between location area identifiers and security classification results as an example. If the security classification results of multiple location areas are the same, the identifiers of those location areas may correspond to one security classification result.
- the first mapping relationship sent by the security analysis network element to the PCF or UDM is shown in Table 3 or Table 4.
- the security classification result 3 indicates the degree of potential attack A and attack B in the location area 1
- the security classification result 4 indicates the degree of potential attack C and attack D in the location area.
- Table 3 only uses the one-to-one correspondence between location area identifiers and security classification results as an example. If the security classification results of multiple location areas are the same, the identifiers of those location areas may correspond to one security classification result.
- the security classification result 5 indicates the degree of potential attack A in location area 1.
- the security classification result 6 indicates the degree of potential attack B in location area 1.
- the security classification result 7 indicates the degree of potential attack C in the location area.
- the security classification result 8 indicates the degree of potential attack D in the location area. It should be noted that Table 4 only uses the one-to-one correspondence between attack identifiers and security classification results as an example. If the security classification results for different attacks in different location areas are the same, the identifiers of those location areas and the identifiers of those attacks may correspond to one security classification result.
- the security analysis network element may periodically receive the behavior information of the UEs served by the target network element; further, the security analysis network element determines the security classification result of the location area according to the periodically received behavior information of the UEs, and periodically sends the first mapping relationship to the PCF or the UDM.
- after receiving the first mapping relationship from the security analysis network element, the PCF or UDM stores the first mapping relationship locally.
- UE#1 sends a registration request message or a session establishment request message to the AMF or the SMF.
- UE#1 sends a registration request message to the AMF.
- UE#1 sends a session establishment request message to the SMF.
- S408 SMF or AMF sends request message #1 to PCF or UDM.
- the request message #1 is used to request to obtain the security protection mode used by UE#1, and the request message #1 includes the location area information of UE#1.
- the location area information of UE#1 includes the first identifier or the second identifier of the location area where UE#1 is located.
- the AMF sends a request message #1 to the PCF according to the registration request message.
- the request message #1 may be an access management policy association establishment request/modification message, a UE policy association establishment request/modification message, a subscription data management acquisition/subscription message, or a new request message not defined in existing standards, and is not specifically limited.
- the SMF sends a request message #1 to the UDM according to the session establishment request message.
- the request message #1 may be a session management policy association establishment request/modification message, a subscription data management acquisition/subscription message, or a new request message that is not defined in the existing standard, and is not specifically limited.
- the PCF or UDM may also request the location information of UE#1 from the SMF or AMF.
- the PCF or UDM determines a security protection mode for UE#1.
- the PCF or UDM determines a security protection mode for UE#1 according to the security classification result of the location area where UE#1 is located. That is, after receiving the request message #1, the PCF or UDM determines the security classification result corresponding to the location area information of UE#1 from the stored first mapping relationship according to the location area information of UE#1 included in the request message #1, Then, according to the security classification result, a security protection mode is determined for UE#1.
- For example, if the security classification result of the location area where UE#1 is located is low or indicates that security enhancement is required, the security protection mode is determined as enabling security protection; if the security classification result of the location area where UE#1 is located is high or indicates that security enhancement is not required, the security protection mode is determined as disabling security protection; if the security classification result of the location area where UE#1 is located is medium, whether to enable security protection may be determined according to the transmission and processing performance of UE#1 and the network. As another example, if the location area where UE#1 is located has a low security classification result for DDoS attacks on the air interface, or security enhancement is required, the security protection mode is determined as enabling air interface security protection or enabling additional authentication for air interface access.
- since the PCF or UDM can receive the first mapping relationship from the security analysis network element, when the security classification result of the location area where UE#1 is located changes, the PCF or UDM can update the security protection mode determined for UE#1 according to the changed security classification result.
- the PCF or UDM sends the security protection mode of UE#1 to UE#1.
- the PCF or UDM can subscribe to the security analysis network element for the security classification result of the location area by default, or can subscribe to the security analysis network element for the security classification result of the location area according to the instruction of the AF, so that the PCF or UDM can determine the security protection mode for the UE according to the security classification result of the location area, which better ensures the security of the network and the UE.
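As an added illustration, not code from the patent, the following Python model shows how a PCF or UDM could store the first mapping relationship (rows in the shape of Table 4, with an area-wide row standing in for Table 2), answer request message #1 with a security protection mode following the rules above, and detect which results changed when a new mapping arrives; the `ANY_ATTACK` placeholder, the `air_interface_ddos` identifier, the `PolicyStore` class and the `performance_ok` flag are assumptions of this example.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional, Set, Tuple


class Grade(Enum):
    """Security classification result of a location area (the page's low/medium/high)."""
    LOW = "low"
    MEDIUM = "medium"
    HIGH = "high"


# Placeholder attack identifier for area-wide rows (Table 2 / Table 3 style);
# constructed for this example, not a value from the page.
ANY_ATTACK = "*"
# Constructed example of attacks that get a dedicated protection mode
# (the page's air-interface DDoS case).
ATTACK_MODES = {
    "air_interface_ddos": "enable air interface protection / additional authentication",
}


@dataclass(frozen=True)
class MappingEntry:
    """One row of the first mapping relationship (Table 4 shape)."""
    location_area: str   # first or second identifier of the location area
    attack: str          # attack identifier, or ANY_ATTACK for an area-wide row
    grade: Grade


class PolicyStore:
    """Models the PCF/UDM: stores the first mapping relationship and answers
    request message #1 with a security protection mode."""

    def __init__(self) -> None:
        self._table: Dict[Tuple[str, str], Grade] = {}

    def store_mapping(self, entries: List[MappingEntry]) -> Set[Tuple[str, str]]:
        """Replace the stored relationship with a newly received one and return
        the (location area, attack) keys whose result changed, so that the
        protection mode of UEs in those areas can be re-determined."""
        new_table = {(e.location_area, e.attack): e.grade for e in entries}
        changed = {k for k in set(self._table) | set(new_table)
                   if self._table.get(k) is not new_table.get(k)}
        self._table = new_table
        return changed

    def classification(self, location_area: str,
                       attack: str = ANY_ATTACK) -> Optional[Grade]:
        """Look up the result for an area: prefer the per-attack row, fall back
        to the area-wide row. None means the area is not in the mapping."""
        grade = self._table.get((location_area, attack))
        if grade is None:
            grade = self._table.get((location_area, ANY_ATTACK))
        return grade

    def protection_mode(self, request: dict, attack: str = ANY_ATTACK,
                        performance_ok: bool = True) -> str:
        """Determine the security protection mode for the UE named in request
        message #1 (a dict carrying its location area information).
        `performance_ok` stands in for the 'transmission and processing
        performance of UE#1 and the network' consulted for a MEDIUM result."""
        grade = self.classification(request["location_area"], attack)
        if grade is None:
            return "no classification available"
        if grade is Grade.LOW:
            # A low result means potential attacks are present: protect.
            return ATTACK_MODES.get(attack, "enable security protection")
        if grade is Grade.HIGH:
            return "disable security protection"
        # MEDIUM: decided by UE and network performance
        return "enable security protection" if performance_ok else "disable security protection"


if __name__ == "__main__":
    store = PolicyStore()
    # Constructed first mapping relationship received from the security analysis NE
    store.store_mapping([
        MappingEntry("LA1", ANY_ATTACK, Grade.LOW),
        MappingEntry("LA1", "attack_A", Grade.HIGH),
        MappingEntry("LA2", ANY_ATTACK, Grade.MEDIUM),
    ])
    print(store.protection_mode({"ue_id": "ue1", "location_area": "LA1"}))
```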
- FIG. 5 shows a method for obtaining security classification results provided by an embodiment of the present application.
- the method 500 may include S501 to S511 , and each step will be described in detail below.
- the PCF or UDM determines the internal identity and location analysis list of a specific UE.
- the PCF or UDM determines the internal identity and location analysis list of a specific UE according to preconfigured information.
- the pre-configured information may be configured by the AF in the PCF or UDM through the home network operator of the PCF or UDM.
- a specific UE may be a high-end user of a service corresponding to the AF, and has additional security requirements.
- the preconfigured information includes the correspondence between the internal identity and the external identity of at least one UE (denoted as UE group 1), and the PCF or UDM may determine that the internal identity of the specific UE includes the internal identity of each UE in UE group 1.
- the PCF or UDM provides security enhancement services by default for all location areas of the specific UE in the PLMN where the PCF or UDM is located, that is, the location analysis list includes the identifiers of all location areas within the PLMN where the PCF or UDM is located.
- the identifier of the location area may be the first identifier of the location area or the second identifier of the location area. For the description of the first identifier of the location area and the second identifier of the location area, reference may be made to S310 above.
- the location analysis list includes the identifier of each location area in the location area group 1.
- the PCF or UDM may also determine an attack analysis list according to preconfigured information. If the pre-configured information does not include the identifier of any attack, the PCF or UDM analyzes the location area for all attacks by default, that is, the attack analysis list includes the identifiers of all attacks; if the pre-configured information includes at least one attack (denoted as attack group 1), the attack analysis list includes the identifier of each attack in attack group 1.
- the method 500 also includes S502, the PCF or UDM receives the request message #2 from the AF.
- the request message #2 includes an external identifier of at least one UE (denoted as UE group 2), and the request message #2 is used to request security enhancement services for the UE group 2, or the request message #2 is used to request that security enhancement services not be performed for the UE group 2.
- the PCF or UDM may determine the internal identity of each UE in the UE group 2 according to the stored correspondence between the internal identity and the external identity of different UEs.
- the request message #2 also includes an identifier of at least one location area (denoted as location area group 2), which is used to request that security enhancement services be performed for the UE group 2 in the location area group 2, or to request that security enhancement services not be performed for the UE group 2 in the location area group 2.
- the request message #2 also includes an identifier of at least one attack (denoted as attack group 2), which is used to request that security analysis against attack group 2 be performed for the location area group 2, or to request that security analysis against attack group 2 not be performed for the location area group 2.
- the PCF or UDM determines the identification and location analysis list of the specific UE according to the preconfigured information and the request message #2.
- the PCF or UDM also determines the attack analysis list according to the preconfigured information and the request message.
- the internal identity of the specific UE determined by the PCF or UDM includes the internal identity of each UE in UE group 2, or includes the internal identity of each UE in UE group 1 and the internal identity of each UE in UE group 2, or includes the internal identities of the UEs in UE group 1 except those in UE group 2.
- for example, if UE group 1 includes UE#1 and UE#2, and UE group 2 includes UE#2 and UE#3, then the internal identifier of the specific UE includes the internal identifiers of UE#1 and UE#3, or includes the internal identifiers of UE#1 to UE#3, or includes the internal identifier of UE#1.
- the location analysis list determined by PCF or UDM includes the identifier of each location area in location area group 2, or includes the identifier of each location area in location area group 1.
- the attack analysis list determined by the PCF or UDM includes the identifier of each attack in attack group 2, or includes the identifier of each attack in attack group 1 and the identifier of each attack in attack group 2.
- the internal identifier, the location analysis list and the attack analysis list of the specific UE determined by the PCF or UDM are shown in Table 5. It should be noted that in Table 5, it is only taken as an example that different UE internal identities correspond to the same location analysis list and attack analysis list, and different UE internal identities may also correspond to different location analysis lists and attack analysis lists.
- the PCF or UDM confirms by default that security analysis needs to be performed on all location areas of the PLMN where the PCF or UDM is located.
- the PCF or UDM default determined location analysis list includes all location areas in the PLMN where the PCF or UDM is located, or the default determined location analysis list is a preset value, and the preset value is used to represent all location areas in the PLMN where the PCF or UDM is located.
- the PCF or UDM confirms by default that security analysis needs to be performed on all attacks.
- the PCF or UDM confirms that the attack analysis list includes all attack identifiers by default, or determines that the attack analysis list is a preset value by default, and the preset value is used to represent all attacks.
- UE#1 sends a registration request message or a session establishment request message to the AMF or the SMF.
- UE#1 sends a registration request message to the AMF.
- UE#1 sends a session establishment request message to the SMF.
- S504 SMF or AMF sends request message #1 to PCF or UDM.
- the request message #1 is used to request to obtain the security protection mode used by UE#1.
- the AMF sends a request message #1 to the PCF according to the registration request message; the request message #1 includes the internal identity of UE#1 and the location area information of UE#1, and the location area information of UE#1 includes the first identifier or the second identifier of the location area #1 where UE#1 is located.
- the request message #1 may be an access management policy association establishment request/modification message, a UE policy association establishment request/modification message, a subscription data management acquisition/subscription message, or a new request message not defined in existing standards, and is not specifically limited.
- the SMF sends a request message #1 to the UDM according to the session establishment request message, and the request message #1 includes the internal identifier of the UE #1.
- the request message #1 may be a session management policy association establishment request/modification message, a subscription data management acquisition/subscription message, or a new request message that is not defined in the existing standard, and is not specifically limited.
- the method 500 further includes: S505, the PCF or the UDM obtains the location area information of the UE#1 from the SMF or the AMF. Specifically, if the previously determined internal identity of the specific UE includes the internal identity of UE#1, the PCF or UDM acquires the location area information of UE#1 from the SMF or AMF.
- S506 to S509 may be skipped, and S510 may be directly executed.
- the PCF or UDM sends subscription information to the security analysis network element.
- after receiving the request message #1, the PCF or UDM first determines whether the internal identity of the specific UE includes the internal identity of UE#1; if it does, the PCF or UDM further determines whether the location analysis list includes the identifier of the location area #1 where UE#1 is located; if the location analysis list includes the identifier of the location area #1, the PCF or UDM sends subscription information to the security analysis network element, and the subscription information includes the identifier of the location area #1.
- the subscription information also includes the attack analysis list.
- after receiving the request message #1, the PCF or UDM first determines whether the internal identity of the specific UE includes the internal identity of UE#1; if it does, the PCF or UDM further determines whether the location analysis list includes the preset information used to indicate all location areas in the PLMN where the PCF or UDM is located. If the location analysis list includes the preset information, the PCF or UDM sends subscription information to the security analysis network element, and the subscription information includes the identifier of the location area #1.
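The derivation of the specific-UE identity set and analysis lists in S501 and the subscription decision in S506 above, as an added Python example that is not part of the patent: `ALL` stands for the page's preset value meaning every location area or every attack, and the rule for merging preconfigured lists with request message #2 (`_combine`), the field names of `AfRequest`, and all identifiers are assumptions of this example.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Set, Union

# Preset value standing for "all location areas of the PLMN" / "all attacks"
# (the page's "preset value"; the literal is a constructed placeholder).
ALL = "ALL"
Scope = Union[Set[str], str]  # an explicit set of identifiers, or ALL


@dataclass
class AfRequest:
    """Request message #2 from the AF (constructed model of its fields)."""
    external_ids: Set[str]                     # UE group 2, external identifiers
    enhance: bool                              # True: request enhancement; False: request none
    location_areas: Optional[Set[str]] = None  # location area group 2
    attacks: Optional[Set[str]] = None         # attack group 2


@dataclass
class AnalysisConfig:
    """What the PCF/UDM holds after S501: specific UE internal identities,
    location analysis list and attack analysis list (the shape of Table 5)."""
    ue_internal_ids: Set[str]
    location_list: Scope
    attack_list: Scope


def _combine(base: Scope, requested: Optional[Set[str]], enhance: bool) -> Scope:
    """Merge a preconfigured list with the AF's request. Assumed rule: an
    'enhance' request adds the AF's identifiers (or replaces a default-ALL
    list with them); a 'do not enhance' request removes them, and an ALL
    list stays ALL because nothing specific can be removed from it."""
    if requested is None:
        return base
    if enhance:
        return set(requested) if base == ALL else set(base) | set(requested)
    return ALL if base == ALL else set(base) - set(requested)


def build_config(preconfigured_external_ids: Set[str], id_map: Dict[str, str],
                 af_request: Optional[AfRequest] = None,
                 preconfigured_areas: Scope = ALL,
                 preconfigured_attacks: Scope = ALL) -> AnalysisConfig:
    """S501: derive the specific-UE identity set and the analysis lists from
    preconfigured information and, optionally, request message #2."""
    # Map external identifiers (known to the AF) to internal ones: UE group 1
    group1 = {id_map[ext] for ext in preconfigured_external_ids if ext in id_map}
    if af_request is None:
        return AnalysisConfig(group1, preconfigured_areas, preconfigured_attacks)
    # UE group 2 from request message #2, unknown external identifiers ignored
    group2 = {id_map[ext] for ext in af_request.external_ids if ext in id_map}
    ues = group1 | group2 if af_request.enhance else group1 - group2
    return AnalysisConfig(
        ues,
        _combine(preconfigured_areas, af_request.location_areas, af_request.enhance),
        _combine(preconfigured_attacks, af_request.attacks, af_request.enhance),
    )


def _covers(scope: Scope, ident: str) -> bool:
    return scope == ALL or ident in scope


def subscription_for(config: AnalysisConfig, ue_internal_id: str,
                     location_area: str) -> Optional[dict]:
    """S506: decide whether to subscribe to the security analysis network
    element for UE#1's location area. Returns the subscription information,
    or None when UE#1 is not a specific UE or its area is outside the
    location analysis list (the page then skips S506 to S509)."""
    if ue_internal_id not in config.ue_internal_ids:
        return None
    if not _covers(config.location_list, location_area):
        return None
    return {"location_area": location_area, "attacks": config.attack_list}


if __name__ == "__main__":
    # Constructed identifiers: external id -> internal id
    id_map = {"ext1": "int1", "ext2": "int2", "ext3": "int3"}
    cfg = build_config({"ext1", "ext2"}, id_map,
                       AfRequest({"ext2", "ext3"}, True, {"LA2"}, {"attack_A"}),
                       preconfigured_areas={"LA1"})
    print(cfg)
    print(subscription_for(cfg, "int3", "LA2"))
```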
- the security analysis network element acquires behavior information of the UE.
- the security analysis network element determines the security classification result of the location area #1.
- the security analysis network element determines the security classification result of location area #1 according to the acquired UE behavior information. Specifically, for a manner in which the security analysis network element determines the security classification result of the location area according to the behavior information of the UE, reference may be made to the descriptions in S320 and S405 above.
- the security analysis network element determines the security classification result of location area #1 for a specific attack.
- the attack analysis list includes the identifier of the attack A corresponding to the location area #1, and the security analysis network element determines the security classification result of the location area #1 for the attack A.
- the security analysis network element sends the first mapping relationship to the PCF or the UDM.
- the first mapping relationship includes a correspondence relationship between the identifier of the location area #1 and the security classification result.
- the first mapping relationship may include the correspondence between the identifier of the location area #1, the attack identifier, and the security classification result.
- the PCF or UDM determines a security protection mode for UE#1.
- the PCF or UDM sends the security protection mode of UE#1 to UE#1.
- the PCF or UDM provides security enhancement services to specific UEs according to pre-configured information and/or the AF's request, instead of providing security enhancement services to all UEs, thereby greatly reducing the data collection signaling in the network and the processing burden on the security analysis network element.
- FIG. 6 shows a method for obtaining security classification results provided by an embodiment of the present application. As shown in FIG. 6, the method 600 may include S601 to S612, and each step will be described in detail below.
- S601 to S603 are the same as S401 to S403 in the method 400 .
- the central security analysis network element sends a security analysis request message to the distributed security analysis network element.
- the security analysis request message is used to request the distributed security analysis network element to perform security analysis on the managed location area, and the security analysis request message includes an analysis identifier.
- after the central security analysis network element receives the subscription information from the PCF or UDM, it determines, according to the location analysis list included in the subscription information, the analysis identifier and the distributed security analysis network element corresponding to the location analysis list, and sends the security analysis request message to the determined distributed security analysis network element.
- the correspondence between the distributed security analysis network element and the location analysis list means that the location area managed by the distributed security analysis network element is the location area identified by the identifier of the location area included in the location analysis list.
- the location analysis list includes the identification of location area 1 and the identification of location area 2, then the central security analysis network element can determine the distributed security analysis network element 1 and the distributed security analysis network element 2 corresponding to the location analysis list.
- the distributed security analysis network element 1 manages the location area 1
- the distributed security analysis network element 2 manages the location area 2.
- the security analysis request message also includes an attack analysis list.
- the attack analysis list included in the security analysis request message includes the identification of the attack corresponding to the location area managed by the distributed security analysis network element.
- S605 is the same as S404 in method 400.
- the distributed security analysis network element sends the second information to the central security analysis network element.
- the second information includes analysis identifiers and second statistical information and/or second abnormal behavior prediction results
- the second statistical information is obtained by performing statistical analysis on the UE behavior information in the location area managed by the distributed security analysis network element.
- the second abnormal behavior prediction result is obtained by performing abnormal behavior prediction on the UE behavior information in the location area managed by the distributed security analysis network element.
- the second information includes the analysis identifier and the security classification result of the location area managed by the distributed security analysis network element.
- the central security analysis network element determines the security classification result of the location area.
- the central security analysis network element determines the security classification result of the location area corresponding to the location analysis list, and the location area corresponding to the location analysis list is the location area identified by the identifier of the location area included in the location analysis list.
- the central security analysis network element determines the security classification result of the location area according to the second statistical information and/or the second abnormal behavior prediction result. It should be noted that the central security analysis network element uses the analysis identifier included in the second information to determine which second statistical information and/or second abnormal behavior prediction result is used to determine the security classification result of the location area corresponding to the location analysis list.
- the central security analysis network element summarizes the security classification results of the location areas managed by the distributed security analysis network elements included in the second information, so as to determine the security classification results of the location areas corresponding to the location analysis list. It should be noted that the central security analysis network element uses the analysis identifier included in the second information to determine which security classification result of a location area managed by a distributed security analysis network element is used to determine the security classification result of the location area corresponding to the location analysis list.
- S608 to S612 are the same as S406 to S410 in the method 400 .
- the central security analysis network element cooperates with the distributed security analysis network elements to determine the security classification results of different location areas, which can reduce the burden of a single security analysis network element and improve processing efficiency.
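The exchange of S604 to S607 above (and the equivalent S706 to S708 of method 700), as an added Python example that is not part of the patent: a central security analysis network element issues per-area requests carrying an analysis identifier, the distributed elements return second information tagged with that identifier, and the central element correlates replies by it and ignores replies for unknown identifiers; the abnormal-UE share used as second statistical information, the grading thresholds and all identifiers are constructed assumptions.

```python
import itertools
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class SecurityAnalysisRequest:
    """Security analysis request message (S604): carries an analysis identifier."""
    analysis_id: str
    location_area: str
    attacks: List[str]      # attack analysis list for the managed area


@dataclass
class SecondInformation:
    """Second information (S606): analysis identifier plus second statistical
    information, modelled here as a constructed count of abnormal UEs."""
    analysis_id: str
    abnormal_ue_count: int
    total_ue_count: int


class DistributedAnalysisNE:
    """A distributed security analysis network element managing one location area."""

    def __init__(self, location_area: str, behaviour: Dict[str, bool]) -> None:
        self.location_area = location_area
        self.behaviour = behaviour  # constructed: UE id -> flagged as abnormal

    def analyse(self, req: SecurityAnalysisRequest) -> SecondInformation:
        # Statistical analysis of the managed area's UE behaviour information
        abnormal = sum(1 for flagged in self.behaviour.values() if flagged)
        return SecondInformation(req.analysis_id, abnormal, len(self.behaviour))


class CentralAnalysisNE:
    """Central security analysis network element: dispatches requests, keeps the
    analysis identifier -> location area correspondence, and derives results."""

    def __init__(self, managers: Dict[str, DistributedAnalysisNE]) -> None:
        self.managers = managers            # location area -> distributed NE
        self.pending: Dict[str, str] = {}   # analysis id -> location area
        self._ids = itertools.count(1)

    def dispatch(self, location_list: List[str],
                 attack_list: List[str]) -> List[SecurityAnalysisRequest]:
        """S604: one request per area of the location analysis list."""
        reqs = []
        for area in location_list:
            if area not in self.managers:
                continue  # no distributed NE manages this area
            aid = f"analysis-{next(self._ids)}"
            self.pending[aid] = area
            reqs.append(SecurityAnalysisRequest(aid, area, attack_list))
        return reqs

    @staticmethod
    def grade(info: SecondInformation) -> str:
        """Assumed thresholds: the share of abnormal UEs decides the result,
        'low' meaning the most potential attacks (as on the page)."""
        if info.total_ue_count == 0:
            return "high"
        share = info.abnormal_ue_count / info.total_ue_count
        return "low" if share >= 0.2 else "medium" if share >= 0.05 else "high"

    def collect(self, infos: List[SecondInformation]) -> Dict[str, str]:
        """S607: map each second information back to its area through the
        analysis identifier; replies with unknown identifiers are dropped."""
        results = {}
        for info in infos:
            area = self.pending.pop(info.analysis_id, None)
            if area is None:
                continue
            results[area] = self.grade(info)
        return results


def run_round(central: CentralAnalysisNE, location_list: List[str],
              attack_list: List[str]) -> Dict[str, str]:
    """One full S604-S607 round: dispatch, have each distributed NE analyse,
    and correlate the replies at the central NE."""
    reqs = central.dispatch(location_list, attack_list)
    infos = [central.managers[r.location_area].analyse(r) for r in reqs]
    return central.collect(infos)


if __name__ == "__main__":
    d1 = DistributedAnalysisNE("LA1", {"u1": True, "u2": True, "u3": False, "u4": False})
    d2 = DistributedAnalysisNE("LA2", {"u5": False, "u6": False})
    central = CentralAnalysisNE({"LA1": d1, "LA2": d2})
    print(run_round(central, ["LA1", "LA2"], ["attack_A"]))
```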
- FIG. 7 shows a method for obtaining security classification results provided by an embodiment of the present application. As shown in FIG. 7 , the method 700 may include S701 to S712, each step will be described in detail below.
- S701 to S702 are the same as S401 to S402 in the method 400 .
- the PCF or UDM sends a security analysis request message to the distributed security analysis network element.
- the security analysis request message is used to request the distributed security analysis network element to perform security analysis on the managed location area, and the security analysis request message includes an analysis identifier.
- the PCF or UDM determines the analysis identifier and the distributed security analysis network element corresponding to the location analysis list according to the location analysis list, and sends a security analysis request message to the determined distributed security analysis network element.
- the correspondence between the distributed security analysis network element and the location analysis list means that the location area managed by the distributed security analysis network element is the location area identified by the identifier of the location area included in the location analysis list.
- the location analysis list includes the identification of location area 1 and the identification of location area 2, then the central security analysis network element can determine the distributed security analysis network element 1 and the distributed security analysis network element 2 corresponding to the location analysis list.
- the distributed security analysis network element 1 manages the location area 1
- the distributed security analysis network element 2 manages the location area 2.
- the security analysis request message also includes the attack analysis list.
- the attack analysis list included in the security analysis request message includes the identification of the attack corresponding to the location area managed by the distributed security analysis network element.
- S704 is the same as S404 in the method 400 .
- the distributed security analysis network element sends the first mapping relationship to the PCF or the UDM.
- the first mapping relationship includes the identifier of the location area managed by the distributed security analysis network element, the security classification result and the analysis identifier of the location area managed by the distributed security analysis network element.
- the PCF or UDM summarizes the security classification results of the location areas managed by the distributed security analysis network elements included in the first mapping relationship, so as to determine the security classification results of the location areas corresponding to the location analysis list. It should be noted that, according to the analysis identifier included in the first mapping relationship, the PCF or UDM determines the security classification result of the location area managed by the distributed security analysis network element to determine the security classification result of the location area corresponding to the location analysis list.
- the method 700 further includes S706 to S708.
- the distributed security analysis network element sends the second information to the central security analysis network element.
- the second information includes second statistical information and/or second abnormal behavior prediction results, where the second statistical information is obtained by performing statistical analysis on the behavior information of UEs in the location area managed by the distributed security analysis network element, and the second abnormal behavior prediction result is obtained by performing abnormal behavior prediction on the UE behavior information in the location area managed by the distributed security analysis network element.
- the central security analysis network element determines the security classification result of the location area managed by the distributed security analysis network element.
- the central security analysis network element determines the security classification result of the location area managed by the distributed security analysis network element according to the second statistical information and/or the second abnormal behavior prediction result.
- the central security analysis network element sends the security classification result of the location area managed by the distributed security analysis network element to the distributed security analysis network element.
- S709 to S712 are the same as S407 to S410 in the method 400.
- the central security analysis network element cooperates with the distributed security analysis network elements to determine the security classification results of different location areas, which can reduce the burden of a single security analysis network element and improve processing efficiency.
- FIG. 8 is a schematic block diagram of a communication device 800 provided by an embodiment of the present application.
- the communication device 800 may include: a transceiver unit 810 and a processing unit 820 .
- the communication device 800 may be the security function network element in the above method embodiment, or may be a chip for realizing the function of the security function network element in the above method embodiment.
- the communication device 800 may correspond to the security function network element in the method 300 according to the embodiment of the present application, and the communication device 800 may include a method unit for executing the security function network element in the method 300 in FIG. 3 . Moreover, each unit in the communication device 800 and the above-mentioned other operations and/or functions are respectively intended to implement a corresponding flow of the method 300 in FIG. 3 .
- the processing unit 820 may be used to execute S310 and S320 in the method 300 .
- the transceiving unit 810 may be used to execute steps involving data and/or information transceiving in the method 300, for example, the transceiving unit 810 is used to send the first mapping relationship to a policy control function network element or a unified data management network element.
- the communication device 800 may be the PCF or UDM in the above method embodiment, or a chip for implementing the functions of the PCF or UDM in the above method embodiment.
- the communication device 800 may correspond to the PCF or UDM in the method 400 to the method 700 according to the embodiment of the present application, and the communication device 800 may include units for executing the method performed by the PCF or UDM in the method 400 in FIG. 4 to the method 700 in FIG. 7. Moreover, each unit in the communication device 800 and the above-mentioned other operations and/or functions are respectively intended to implement the corresponding processes of the method 400 in FIG. 4 to the method 700 in FIG. 7.
- the transceiver unit 810 is used to execute S501, S504 to S506, S509, and S511 in the method 500
- the processing unit 820 is used to execute S502 and S510 in the method 500.
- the transceiver unit 810 is used to execute S603 , S608 , S610 and S612 in the method 600
- the processing unit 820 is used to execute S601 , S602 and S611 in the method 600 .
- the transceiver unit 810 is used to execute S703 , S705 , S710 and S712 in the method 700
- the processing unit 820 is used to execute S701 , S702 and S711 in the method 700 .
- the communication device 800 may be a security analysis network element (including a central security analysis network element or a distributed security analysis network element) in the above method embodiments, or may be a chip for implementing the functions of the security analysis network element in the above method embodiments.
- the communication device 800 may correspond to the security analysis network element in the method 400 to the method 700 according to the embodiment of the present application, and the communication device 800 may include units for executing the method performed by the security analysis network element in the method 400 in FIG. 4 to the method 700 in FIG. 7.
- each unit in the communication device 800 and the above-mentioned other operations and/or functions are respectively intended to implement the corresponding processes of the method 400 in FIG. 4 to the method 700 in FIG. 7 . It should be understood that the specific process for each unit to perform the above corresponding steps has been described in detail in the above method embodiments, and for the sake of brevity, details are not repeated here.
- the transceiver unit 810 is used to execute S403 , S404 and S406 in the method 400
- the processing unit 820 is used to execute S405 in the method 400 .
- the transceiver unit 810 is used to execute S506 , S507 and S509 in the method 500
- the processing unit 820 is used to execute S508 in the method 500 .
- when the communication device 800 is a central security analysis network element and is used to execute the method 600 in FIG. 6, the processing unit 820 is used to execute S607 in the method 600.
- when the communication device 800 is a central security analysis network element and is used to execute the method 700 in FIG. 7:
- the transceiver unit 810 is used to execute S604 to S606 in the method 600.
- the transceiving unit 810 is configured to execute S703 to S706 and S708 in the method 700 .
- the transceiver unit 810 in the communication device 800 may correspond to the communication interface 920 in the communication device 900 shown in FIG. 9, and the processing unit 820 in the communication device 800 may correspond to the processor 910 in the communication device 900 shown in FIG. 9.
- when the communication device 800 is a chip, the chip includes a transceiver unit and a processing unit.
- the transceiver unit may be an input-output circuit or a communication interface.
- the processing unit may be a processor, a microprocessor, or an integrated circuit integrated on the chip.
- the transceiver unit 810 is used to realize the signal sending and receiving operation of the communication device 800
- the processing unit 820 is used to realize the signal processing operation of the communication device 800 .
- the communication device 800 further includes a storage unit 830, and the storage unit 830 is used for storing instructions.
- FIG. 9 is a schematic block diagram of a communication device 900 provided by an embodiment of the present application.
- the communication device 900 includes: at least one processor 910 and a communication interface 920 .
- the processor 910 is coupled with the memory for executing instructions stored in the memory to control the communication interface 920 to send and/or receive signals.
- the communication device 900 further includes a memory 930 for storing instructions.
- processor 910 and the memory 930 may be combined into one processing device, and the processor 910 is configured to execute the program codes stored in the memory 930 to implement the above functions.
- the memory 930 may also be integrated in the processor 910 , or be independent of the processor 910 .
- when the communication device 900 is a chip, the chip includes a transceiver unit and a processing unit.
- the transceiver unit may be an input-output circuit or a communication interface.
- the processing unit may be a processor, a microprocessor, or an integrated circuit integrated on the chip.
- FIG. 10 is a schematic diagram of a chip system according to an embodiment of the present application.
- the chip system here may also be a system composed of circuits.
- the chip system 1000 shown in FIG. 10 includes a logic circuit 1010 and an input/output interface 1020; the logic circuit is coupled with the input/output interface and transmits data (for example, the first instruction information) through the input/output interface to execute the methods described in FIG. 3 to FIG. 7.
- the embodiment of the present application also provides a processing device, including a processor and an interface.
- the processor may be used to execute the methods in the foregoing method embodiments.
- the above processing device may be a chip.
- the processing device may be a field programmable gate array (FPGA), an application specific integrated circuit (ASIC), or a system on chip (SoC). It may also be a central processor unit (CPU), a network processor (NP), a digital signal processor (DSP), a micro controller unit (MCU), a programmable logic device (PLD), or another integrated chip.
- each step of the above method can be completed by an integrated logic circuit of hardware in a processor or an instruction in the form of software.
- the steps of the methods disclosed in connection with the embodiments of the present application may be directly implemented by a hardware processor, or implemented by a combination of hardware and software modules in the processor.
- the software module can be located in a storage medium that is mature in the field, such as a random access memory, a flash memory, a read-only memory, a programmable read-only memory, an electrically erasable programmable memory, or a register.
- the storage medium is located in the memory, and the processor reads the information in the memory, and completes the steps of the above method in combination with its hardware. To avoid repetition, no detailed description is given here.
- the processor in the embodiment of the present application may be an integrated circuit chip, which has a signal processing capability.
- each step of the above-mentioned method embodiments may be completed by an integrated logic circuit of hardware in a processor or instructions in the form of software.
- the above-mentioned processor may be a general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or another programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component.
- a general-purpose processor may be a microprocessor, or the processor may be any conventional processor, or the like.
- the memory in the embodiments of the present application may be a volatile memory or a nonvolatile memory, or may include both volatile and nonvolatile memories.
- the non-volatile memory can be a read-only memory (ROM), a programmable read-only memory (PROM), an erasable programmable read-only memory (EPROM), an electrically erasable programmable read-only memory (EEPROM) or a flash memory.
- Volatile memory can be random access memory (RAM), which acts as external cache memory.
- the present application also provides a computer program product, the computer program product including computer program code; when the computer program code is run on a computer, the computer is made to execute the method of any one of the embodiments illustrated in Fig. 3 to Fig. 7.
- the present application also provides a computer-readable medium, the computer-readable medium storing program code; when the program code is run on a computer, the computer is made to perform the method of any one of the embodiments illustrated in Fig. 3 to Fig. 7.
- the present application further provides a system, which includes the aforementioned security analysis network element, and PCF or UDM.
- the system also includes AF.
- all or part of the above embodiments may be implemented by software, hardware, firmware or any combination thereof.
- when implemented using software, they may be implemented in whole or in part in the form of a computer program product.
- the computer program product includes one or more computer instructions. When the computer instructions are loaded and executed on a computer, the processes or functions according to the embodiments of the present application are produced in whole or in part.
- the computer instructions may be stored in, or transmitted from, one computer-readable storage medium to another computer-readable storage medium.
- the computer-readable storage medium may be any available medium that can be accessed by a computer, or a data storage device such as a server or a data center integrated with one or more available media.
- the available medium may be a magnetic medium (for example, a floppy disk, a hard disk, a magnetic tape), an optical medium (for example, a high-density digital video disc (digital video disc, DVD)), or a semiconductor medium (for example, a solid state disk (solid state disc, SSD)) etc.
- the disclosed systems, devices and methods may be implemented in other ways.
- the device embodiments described above are only illustrative.
- the division of the units is only a logical function division. In actual implementation, there may be other division methods.
- multiple units or components may be combined or integrated into another system, or some features may be ignored or not implemented.
- the mutual coupling or direct coupling or communication connection shown or discussed may be through some interfaces, and the indirect coupling or communication connection of devices or units may be in electrical, mechanical or other forms.
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Mobile Radio Communication Systems (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Description
Identifier of location area | Security classification result |
---|---|
Identifier of location area 1 | Security classification result 1 |
Identifier of location area 2 | Security classification result 2 |
Claims (33)
1. A method for obtaining a security classification result, characterized in that it comprises: a security function network element determines to perform security analysis on a target location area; the security function network element determines a security classification result of the target location area according to first information, where the security classification result indicates the degree to which a potential attack exists in the target location area, the first information is related to behavior information of terminal devices in the target location area, and the behavior information includes traffic data and/or movement trajectory information.
2. The method according to claim 1, characterized in that the first information includes the behavior information of the terminal devices in the target location area, and the security function network element determining the security classification result of the target location area according to the first information comprises: the security function network element performs statistical analysis on the behavior information of the terminal devices in the target location area to obtain first statistical information, and/or performs abnormal behavior prediction on the behavior information of the terminal devices in the target location area to obtain a first abnormal behavior prediction result; and the security function network element determines the security classification result of the target location area according to the first statistical information and/or the first abnormal behavior prediction result.
3. The method according to claim 2, characterized in that the method further comprises: the security function network element sends a data collection request message to a data collection network element in the target location area, the data collection request message being used to request behavior information of the terminal devices served by the data collection network element; and the security function network element receives, from the data collection network element, the behavior information of the terminal devices served by the data collection network element.
4. The method according to claim 3, characterized in that the data collection request message further includes a first time interval parameter and/or a first threshold, the first time interval parameter being used to indicate the period for reporting the behavior information of the terminal devices, and the first threshold being used to indicate the minimum or maximum value that triggers reporting of the behavior information of the terminal devices.
5. The method according to claim 1, characterized in that the first information includes second information sent by a security analysis network element, the second information including: second statistical information, a second abnormal behavior prediction result, and/or a security classification result of a location area managed by the security analysis network element; the second statistical information is obtained by performing statistical analysis on behavior information of terminal devices in the location area managed by the security analysis network element, the second abnormal behavior prediction result is obtained by performing abnormal behavior prediction on the behavior information of the terminal devices in the location area managed by the security analysis network element, the security classification result of the location area managed by the security analysis network element is determined according to the behavior information of the terminal devices in the location area managed by the security analysis network element, and the location area managed by the security analysis network element corresponds to the target location area.
6. The method according to claim 5, characterized in that the method further comprises: the security function network element sends a security analysis request message to the security analysis network element according to the target location area, the security analysis request message being used to request the security analysis network element to perform security analysis on the location area it manages.
7. The method according to claim 5 or 6, characterized in that the method further comprises: the security function network element sends, to the security analysis network element, the security classification result of the location area managed by the security analysis network element.
8. The method according to claim 6, characterized in that the security analysis request message further includes an analysis identifier, the second information further includes the analysis identifier, and the analysis identifier is used to identify the security analysis performed on the target location area.
9. The method according to any one of claims 1 to 8, characterized in that the method further comprises: the security function network element receives third information from a first network element, the third information being used to indicate that security analysis is to be performed on all location areas within the public land mobile network (PLMN) in which the security function network element is located; and the security function network element determining to perform security analysis on the target location area comprises: the security function network element determines, according to the third information, to perform security analysis on all location areas within the PLMN, where all the location areas within the PLMN include the target location area.
10. The method according to claim 9, characterized in that the third information includes an identifier of each location area among all the location areas within the PLMN.
11. The method according to any one of claims 1 to 8, characterized in that the method further comprises: the security function network element receives an identifier of the target location area from a first network element; and the security function network element determining to perform security analysis on the target location area comprises: the security function network element determines, according to the identifier of the target location area, to perform security analysis on the target location area.
12. The method according to any one of claims 1 to 11, characterized in that the method further comprises: the security function network element receives a security policy request message, the security policy request message including location area information of a first terminal device, the location area information of the first terminal device being used to indicate that the first terminal device is located in the target location area; and the security function network element sends a security protection method determined for the first terminal device, the security protection method being determined according to the security classification result of the target location area.
13. The method according to any one of claims 1 to 8, characterized in that the method further comprises: the security function network element receives a first identifier of a first terminal device and location area information of the first terminal device, the location area information of the first terminal device being used to indicate that the first terminal device is located in the target location area; and the security function network element determining to perform security analysis on the target location area comprises: the security function network element determines, according to the first identifier of the first terminal device, that a security enhancement service is allowed for the first terminal device; and the security function network element determines, according to the location area information of the first terminal device, to perform security analysis on the target location area.
14. The method according to claim 13, characterized in that the method further comprises: the security function network element receives a second identifier of the first terminal device from a first network element; and the security function network element determining, according to the first identifier of the first terminal device, that a security enhancement service is allowed for the first terminal device comprises: the security function network element determines, according to the correspondence between the first identifier of the first terminal device and the second identifier of the first terminal device, that a security enhancement service is allowed for the first terminal device.
15. The method according to claim 13 or 14, characterized in that the method further comprises: the security function network element determines that security analysis is allowed for the target location area.
16. The method according to claim 15, characterized in that the method further comprises: the security function network element receives an identifier of the target location area from the first network element; and the security function network element determining that security analysis is allowed for the target location area comprises: the security function network element determines, according to the correspondence between the location area information of the first terminal device and the identifier of the target location area, that security analysis is allowed for the target location area.
17. The method according to any one of claims 13 to 16, characterized in that the method further comprises: the security function network element sends a security protection method determined for the first terminal device, the security protection method being determined according to the security classification result of the target location area.
18. The method according to any one of claims 1 to 17, characterized in that the security function network element determining to perform security analysis on the target location area comprises: the security function network element determines to perform security analysis on the target location area with respect to a target attack; and the security classification result of the target location area includes a security classification result of the target location area for the target attack, the security classification result of the target location area for the target attack indicating the degree to which the potential target attack exists in the target location area.
19. The method according to claim 18, characterized in that the method further comprises: the security function network element receives an identifier of the target attack from a first network element; and the security function network element determining to perform security analysis on the target location area with respect to the target attack comprises: the security function network element determines, according to the identifier of the target attack, to perform security analysis on the target location area with respect to the target attack.
20. The method according to any one of claims 1 to 19, characterized in that the method further comprises: the security function network element sends a first mapping relationship to a policy control function network element or a unified data management network element, the first mapping relationship including the identifier of the target location area and the security classification result of the target location area.
21. A method for obtaining a security classification result, the method being performed by a policy control function network element or a unified data management network element, characterized in that the method comprises: determining to perform security analysis on a target location area; sending a first security analysis request message to a security analysis network element, the first security analysis request message including an identifier of the target location area; and receiving a security classification result of the target location area from the security analysis network element, the security classification result indicating the degree to which a potential attack exists in the target location area.
22. The method according to claim 21, characterized in that the determining to perform security analysis on the target location area comprises: determining to perform security analysis on the target location area with respect to a target attack; the first security analysis request message further includes an identifier of the target attack; and the security classification result of the target location area includes a security classification result of the target location area for the target attack, the security classification result of the target location area for the target attack indicating the degree to which the potential target attack exists in the target location area.
23. The method according to claim 21 or 22, characterized in that the method further comprises: receiving third information from an application function network element, the third information being used to indicate that security analysis is to be performed on all location areas within a public land mobile network (PLMN); and the determining to perform security analysis on the target location area comprises: determining, according to the third information, to perform security analysis on all location areas within the PLMN, where all the location areas within the PLMN include the target location area.
24. The method according to claim 21 or 22, characterized in that the method further comprises: receiving an identifier of the target location area from an application function network element; and the determining to perform security analysis on the target location area comprises: determining, according to the identifier of the target location area, to perform security analysis on the target location area.
25. The method according to claim 22, characterized in that the method further comprises: receiving an identifier of the target attack from an application function network element; and the determining to perform security analysis on the target location area with respect to the target attack comprises: determining, according to the identifier of the target attack, to perform security analysis on the target location area with respect to the target attack.
26. A method for obtaining a security classification result, characterized in that it comprises: a security analysis network element receives a first security analysis request message from a policy control function network element or a unified data management network element, the first security analysis request message including an identifier of a target location area; the security analysis network element determines a security classification result of the target location area according to first information, the security classification result indicating the degree to which a potential attack exists in the target location area, the first information being related to behavior information of terminal devices in the target location area, and the behavior information including traffic data and/or movement trajectory information; and the security analysis network element sends a first mapping relationship to the policy control function network element or the unified data management network element, the first mapping relationship including the identifier of the target location area and the security classification result.
27. The method according to claim 26, characterized in that the first security analysis request message further includes an identifier of a target attack, the security classification result of the target location area includes a security classification result of the target location area for the target attack, and the security classification result of the target location area for the target attack indicates the degree to which the potential target attack exists in the target location area.
28. A communication device, characterized in that it is configured to implement the method according to any one of claims 1 to 27.
29. A communication device, characterized in that it comprises at least one processor, the at least one processor being coupled to at least one memory, and the at least one processor being configured to execute a computer program or instructions stored in the at least one memory so that the communication device performs the method according to any one of claims 1 to 27.
30. A chip, characterized in that it comprises a processor and a communication interface, the communication interface being configured to receive data and/or information and to transmit the received data and/or information to the processor, and the processor processing the data and/or information so that the method according to any one of claims 1 to 27 is performed.
31. A computer-readable storage medium, characterized in that a computer program is stored thereon, and when the computer program is executed, the method according to any one of claims 1 to 27 is performed.
32. A computer program product comprising instructions, characterized in that, when run on a computer, it causes the computer to perform the method according to any one of claims 1 to 27.
33. A method for obtaining a security classification result, the method being performed by a policy control function network element or a unified data management network element, characterized in that the method comprises: the policy control function network element or the unified data management network element determines to perform security analysis on a target location area; the policy control function network element or the unified data management network element sends a first security analysis request message to a security analysis network element, the first security analysis request message including an identifier of the target location area; and the policy control function network element or the unified data management network element sends the security analysis network element's security classification result of the target location area, the security classification result indicating the degree to which a potential attack exists in the target location area.
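The claimed flow as an added Python example (not code from the patent): constructed behavior records are aggregated per location area (claim 2), turned into the first mapping of location area identifier to security classification result (claim 20), and used to answer a security policy request for a terminal in a given area (claim 12). The record fields, thresholds, level names and protection methods are assumptions made for the example; the patent fixes none of them.

```python
"""Toy model of the claimed flow: per-area statistics -> classification result
-> first mapping -> protection method. Added example; thresholds are assumed."""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean

@dataclass(frozen=True)
class BehaviorRecord:
    """Behavior information of one terminal device (claim 1)."""
    ue_id: str
    area_id: str        # identifier of the location area the terminal is in
    uplink_bytes: int   # traffic data
    cell_changes: int   # movement trajectory, reduced to a handover count
    failed_attach: int  # assumed abnormal-behavior indicator

# Constructed sample data: three location areas, eight terminals.
SAMPLE_RECORDS = [
    BehaviorRecord("ue-1", "LA-1", 800_000, 3, 0),
    BehaviorRecord("ue-2", "LA-1", 1_200_000, 5, 0),
    BehaviorRecord("ue-3", "LA-1", 950_000, 2, 0),
    BehaviorRecord("ue-4", "LA-2", 9_000_000, 40, 1),
    BehaviorRecord("ue-5", "LA-2", 7_500_000, 35, 1),
    BehaviorRecord("ue-6", "LA-2", 400_000, 4, 0),
    BehaviorRecord("ue-7", "LA-3", 6_000_000, 25, 0),
    BehaviorRecord("ue-8", "LA-3", 5_500_000, 30, 0),
]

# Assumed protection methods per classification level (claim 12).
PROTECTION_BY_LEVEL = {"low": "integrity-only", "medium": "ciphering+integrity",
                       "high": "ciphering+integrity+enhanced-verification"}

def first_statistics(records):
    """Claim 2: statistical analysis of behavior information per location area."""
    by_area = defaultdict(list)
    for rec in records:
        by_area[rec.area_id].append(rec)
    return {area: {
        "ue_count": len(recs),
        "mean_uplink_bytes": mean(r.uplink_bytes for r in recs),
        "mean_cell_changes": mean(r.cell_changes for r in recs),
        "failed_attach_ratio": sum(r.failed_attach > 0 for r in recs) / len(recs),
    } for area, recs in by_area.items()}

def classify_area(stat):
    """Map first statistical information to a classification result.
    Score 0-1 -> low, 2 -> medium, 3+ -> high (assumed thresholds)."""
    score = (stat["mean_uplink_bytes"] > 5_000_000) + (stat["mean_cell_changes"] > 20)
    score += 2 * (stat["failed_attach_ratio"] > 0.3)
    return "low" if score < 2 else "medium" if score == 2 else "high"

def first_mapping(records):
    """Claim 20: {location area identifier: security classification result}."""
    return {area: classify_area(s) for area, s in first_statistics(records).items()}

def security_policy(mapping, ue_area_id):
    """Claim 12: answer a security policy request carrying the terminal's location
    area; an area without a result falls back to the strictest method (assumed)."""
    return PROTECTION_BY_LEVEL[mapping.get(ue_area_id, "high")]
```

Running `first_mapping(SAMPLE_RECORDS)` yields low for LA-1, high for LA-2 and medium for LA-3, which is the table the PCF or UDM would receive as the first mapping relationship.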
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
AU2022388446A AU2022388446A1 (en) | 2021-11-11 | 2022-11-08 | Method for obtaining security classification result and communication apparatus |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202111331286.8A CN116112930A (zh) | 2021-11-11 | 2021-11-11 | 获取安全分级结果的方法及通信装置 |
CN202111331286.8 | 2021-11-11 |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2023083153A1 true WO2023083153A1 (zh) | 2023-05-19 |
Family
ID=86266116
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/CN2022/130474 WO2023083153A1 (zh) | 2021-11-11 | 2022-11-08 | 获取安全分级结果的方法及通信装置 |
Country Status (3)
Country | Link |
---|---|
CN (1) | CN116112930A (zh) |
AU (1) | AU2022388446A1 (zh) |
WO (1) | WO2023083153A1 (zh) |
Citations (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2016096836A1 (en) * | 2014-12-19 | 2016-06-23 | Telefonaktiebolaget Lm Ericsson (Publ) | Network node and method for detecting false base stations |
US9462010B1 (en) * | 2015-07-07 | 2016-10-04 | Accenture Global Services Limited | Threat assessment level determination and remediation for a cloud-based multi-layer security architecture |
CN108646722A (zh) * | 2018-07-18 | 2018-10-12 | 杭州安恒信息技术股份有限公司 | 一种工业控制系统信息安全仿真模型及终端 |
CN111489831A (zh) * | 2020-04-10 | 2020-08-04 | 智慧足迹数据科技有限公司 | 公共卫生事件风险评估方法及装置 |
CN111866003A (zh) * | 2020-07-27 | 2020-10-30 | 中国联合网络通信集团有限公司 | 一种终端的风险评估方法和装置 |
CN112653669A (zh) * | 2020-12-04 | 2021-04-13 | 智网安云(武汉)信息技术有限公司 | 网络终端安全威胁预警方法、系统及网络终端管理装置 |
WO2021168713A1 (zh) * | 2020-02-26 | 2021-09-02 | 华为技术有限公司 | 通信方法及装置 |
- 2021-11-11 CN CN202111331286.8A patent/CN116112930A/zh active Pending
- 2022-11-08 AU AU2022388446A patent/AU2022388446A1/en active Pending
- 2022-11-08 WO PCT/CN2022/130474 patent/WO2023083153A1/zh active Application Filing
Also Published As
Publication number | Publication date |
---|---|
AU2022388446A1 (en) | 2024-05-30 |
CN116112930A (zh) | 2023-05-12 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 22891947; Country of ref document: EP; Kind code of ref document: A1 |
| WWE | Wipo information: entry into national phase | Ref document number: AU2022388446; Country of ref document: AU |
| WWE | Wipo information: entry into national phase | Ref document number: 2022891947; Country of ref document: EP |
| ENP | Entry into the national phase | Ref document number: 2022388446; Country of ref document: AU; Date of ref document: 20221108; Kind code of ref document: A |
| ENP | Entry into the national phase | Ref document number: 2022891947; Country of ref document: EP; Effective date: 20240524 |