WO2024027381A1 - Anomaly detection method and communication apparatus - Google Patents

Anomaly detection method and communication apparatus

Publication number
WO2024027381A1
Authority
WO
WIPO (PCT)
Prior art keywords
information
sip
sip message
network element
message
Application number
PCT/CN2023/103209
Inventor
李论
吴义壮
崔洋
雷骜
Original Assignee
华为技术有限公司

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L65/00 Network arrangements, protocols or services for supporting real-time applications in data packet communication
    • H04L65/10 Architectures or entities
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W24/00 Supervisory, monitoring or testing arrangements
    • H04W24/08 Testing, supervising or monitoring using real traffic

Definitions

  • Embodiments of the present application relate to the field of communications, and more specifically, to an anomaly detection method and a communications device.
  • the network data analytics function (NWDAF) can analyze the data that a terminal device generates on network-side functional network elements (for example, the access and mobility management function network element, the session management function network element, etc.) to identify whether the behavior of the terminal device is abnormal, for example, to identify whether the terminal device accesses or registers frequently.
  • NWDAF mainly identifies whether the access and registration information of the terminal device is compliant, thereby identifying whether the terminal device is an abnormal terminal device.
  • the terminal device may also cause interference to other terminal devices, for example, by initiating abnormal calls to other terminal devices. How to identify such abnormal terminal devices has become an urgent problem to be solved.
  • Embodiments of the present application provide an anomaly detection method and a communication device, so that an analysis network element can effectively detect abnormal terminal devices.
  • an anomaly detection method includes: receiving first information from a first network element, where the first information includes information about a Session Initiation Protocol (SIP) message related to a terminal device; and determining, based on the first information, whether the terminal device is abnormal; wherein the information of the SIP message includes at least one of the following information: the type of the SIP message, the source address of the SIP message, the destination address of the SIP message, the information of the first field of the SIP message, the information of the second field of the SIP message, and the time information when the SIP message is detected.
  • the types of the SIP message include the SIP INVITE message, the SIP CANCEL message and the SIP BYE (hang-up) message.
  • the first field is used to identify the sender device of the SIP message.
  • the second field is used to identify the receiving device of the SIP message.
  • abnormal terminal equipment can be effectively identified according to SIP messages related to the terminal equipment to avoid causing interference to other terminal equipment.
  • the method further includes: determining statistical information of the SIP message based on the first information; determining whether the terminal device is abnormal based on the first information includes: determining whether the terminal device is abnormal based on the statistical information of the SIP message.
  • the statistical information of the SIP message includes at least one of the following information: the total number of SIP messages of the same type, the total number of SIP messages with the same source address and the same type, the total number of SIP messages with the same destination address and the same type, the number of SIP messages with the same source address and different first fields, and first duration information; where the first duration is determined by the time information of a first SIP message and the time information of a second SIP message, the source address of the first SIP message and the destination address of the second SIP message are the same, and the type of the first SIP message and the type of the second SIP message are different.
  • the statistical information of the SIP message can be determined based on the SIP messages related to the terminal device, and the abnormal terminal device can be effectively identified based on the statistical information of the SIP message to avoid interference with other terminal devices.
  • the first analysis network element receives the first information from the first network element; the first analysis network element or the second analysis network element determines, based on the first information, whether the terminal device is abnormal; the first analysis network element is a session management network element or a first network data analysis function network element, and the second analysis network element is a second network data analysis function network element.
  • the first analysis network element determines the statistical information of the SIP message based on the first information; the first analysis network element sends the statistical information of the SIP message to the second analysis network element; the second analysis network element determines whether the terminal device is abnormal based on the statistical information of the SIP message.
  • the first network element is a user plane network element or an application function network element.
  • a session establishment request from the terminal device is received; indication information is sent to the first network element according to the session establishment request, and the indication information instructs detection of the SIP message according to the first packet detection rule (PDR).
  • the information of the second field of the third SIP message is sent to the application function network element, and the source address of the third SIP message is the address of the terminal device; location information of at least one terminal device is received from the application function network element, the location information of the at least one terminal device being sent according to the second field of the third SIP message; the first information is updated, and the first information includes the location information of the at least one terminal device.
  • the value of the first parameter is determined based on the statistical information of the SIP message; and whether the terminal device is abnormal is determined based on the relationship between the value of the first parameter and the first threshold.
  • the first parameter includes at least one of the following parameters: the ratio of the total number of SIP BYE messages to the total number of SIP INVITE messages, the ratio of the total number of SIP CANCEL messages to the total number of SIP INVITE messages, the total number of SIP INVITE messages, the dispersion degree of the time information when the SIP messages are detected, the dispersion degree of the first duration, and the dispersion degree of the location information of the at least one terminal device.
  • whether the terminal device is abnormal is determined based on the relationship between the value of the first parameter and the first threshold, and a first weight, the first weight including a weight corresponding to at least one parameter in the first parameter.
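The statistics and the weighted threshold check described above can be worked through on sample records as follows. This is an added example, not code from the patent or its applicant: the record field names, population standard deviation as the "dispersion degree", the gap between INVITEs as the time measure, the threshold and weight values, and the summing of weights into a score are all assumptions, and location dispersion is left out.

```python
from collections import Counter
from dataclasses import dataclass
from statistics import pstdev


@dataclass(frozen=True)
class SipRecord:
    kind: str          # "INVITE", "CANCEL" or "BYE"
    src: str           # source address
    dst: str           # destination address
    sender_id: str     # "first field": identifies the sender's device
    recipient_id: str  # "second field": identifies the recipient's device
    ts: float          # time the message was detected, in seconds


def dispersion(values):
    """Population standard deviation (assumed measure); None if < 2 samples."""
    return pstdev(values) if len(values) >= 2 else None


def sip_statistics(records, ue):
    """Statistical information of the SIP messages related to terminal `ue`."""
    ordered = sorted(records, key=lambda r: r.ts)
    durations = []
    for i, first in enumerate(ordered):
        if first.kind != "INVITE" or first.src != ue:
            continue
        # First duration: time to the next message of a different type whose
        # destination is the INVITE's source. Matching the peer is an assumption.
        for second in ordered[i + 1:]:
            if second.dst == ue and second.src == first.dst and second.kind != first.kind:
                durations.append(second.ts - first.ts)
                break
    invite_ts = [r.ts for r in ordered if r.kind == "INVITE" and r.src == ue]
    return {
        "by_type": Counter(r.kind for r in ordered),
        "by_src_type": Counter((r.src, r.kind) for r in ordered),
        "by_dst_type": Counter((r.dst, r.kind) for r in ordered),
        "distinct_sender_ids": len({r.sender_id for r in ordered if r.src == ue}),
        "durations": durations,
        "invite_gaps": [b - a for a, b in zip(invite_ts, invite_ts[1:])],
    }


def first_parameters(stats):
    """Values of the 'first parameter' set derived from the statistics."""
    invites = stats["by_type"]["INVITE"]
    def ratio(count):
        return count / invites if invites else 0.0  # no INVITE seen: ratio is 0
    return {
        "invite_total": invites,
        "bye_ratio": ratio(stats["by_type"]["BYE"]),
        "cancel_ratio": ratio(stats["by_type"]["CANCEL"]),
        "time_dispersion": dispersion(stats["invite_gaps"]),
        "duration_dispersion": dispersion(stats["durations"]),
    }


# (parameter, direction, threshold, weight). Constructed values, not the patent's.
RULES = [
    ("invite_total", "above", 5, 0.3),
    ("bye_ratio", "above", 0.9, 0.2),
    ("time_dispersion", "below", 1.0, 0.25),
    ("duration_dispersion", "below", 1.0, 0.25),
]


def anomaly_score(params, rules=RULES):
    """Sum the weights of the parameters that cross their threshold."""
    score = 0.0
    for name, direction, threshold, weight in rules:
        value = params[name]
        if value is None:  # too few samples to judge this parameter
            continue
        crossed = value > threshold if direction == "above" else value < threshold
        score += weight if crossed else 0.0
    return score


def is_abnormal(records, ue, cutoff=0.5):
    return anomaly_score(first_parameters(sip_statistics(records, ue))) >= cutoff


UE = "10.0.0.5"  # constructed sample data below
DIALER = []      # six 2-second calls, one every 10 s, each ended by the callee
for n in range(6):
    peer, dev = f"10.0.1.{n}", f"dev-{n % 3}"
    DIALER.append(SipRecord("INVITE", UE, peer, dev, f"peer-{n}", 10.0 * n))
    DIALER.append(SipRecord("BYE", peer, UE, f"peer-{n}", dev, 10.0 * n + 2))
ORDINARY = [     # three calls spread over half an hour, one cancelled by the UE
    SipRecord("INVITE", UE, "10.0.1.1", "dev-0", "peer-1", 0.0),
    SipRecord("BYE", "10.0.1.1", UE, "peer-1", "dev-0", 95.0),
    SipRecord("INVITE", UE, "10.0.1.2", "dev-0", "peer-2", 400.0),
    SipRecord("CANCEL", UE, "10.0.1.2", "dev-0", "peer-2", 405.0),
    SipRecord("INVITE", UE, "10.0.1.1", "dev-0", "peer-1", 1900.0),
    SipRecord("BYE", "10.0.1.1", UE, "peer-1", "dev-0", 2200.0),
]
```

A parameter with fewer than two samples is skipped rather than treated as "zero dispersion", so a terminal that has placed a single call cannot trip the low-dispersion rules.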
  • a second aspect provides an anomaly detection method, which method includes: a first network element determines first information of a terminal device, where the first information includes information on a Session Initiation Protocol (SIP) message related to the terminal device; the first network element sends the first information to the analysis network element, and the first information is used to determine whether the terminal device is abnormal; wherein the information of the SIP message includes at least one of the following information: the type of the SIP message, the source address of the SIP message, the destination address of the SIP message, the information of the first field of the SIP message, the information of the second field of the SIP message, and the time information when the SIP message is detected; the types of the SIP message include the SIP INVITE (invitation) message, the SIP CANCEL (rejection) message and the SIP BYE (hang-up) message; the first field is used to identify the device used by the sender of the SIP message, and the second field is used to identify the recipient device of the SIP message.
  • the first network element determines the information of the Session Initiation Protocol (SIP) message related to the terminal device and sends the information of the SIP message to the analysis network element, so that the analysis network element can effectively identify abnormal terminal devices based on the SIP messages related to the terminal device, avoiding interference with other terminal devices.
  • instruction information is received from the analysis network element, and the instruction information instructs to detect the SIP message according to the first packet detection rule PDR.
  • the first network element is a user plane network element or an application function network element.
  • the analysis network element is a session management network element or a network data analysis function network element.
  • a third aspect provides an anomaly detection method, which method includes: receiving first information from a first network element, where the first information includes statistical information of a Session Initiation Protocol (SIP) message, and the statistical information of the SIP message is determined based on the information of the SIP message related to the terminal device; determining, based on the first information, whether the terminal device is abnormal; wherein the information of the SIP message includes at least one of the following information: the type of the SIP message, the source address of the SIP message, the destination address of the SIP message, the information in the first field of the SIP message, the information in the second field of the SIP message, and the time information when the SIP message is detected; the types of the SIP message include the SIP INVITE message, the SIP CANCEL message and the SIP BYE message; the first field is used to identify the sender device of the SIP message, and the second field is used to identify the recipient device of the SIP message.
  • the statistical information of the SIP message can be determined based on the SIP messages related to the terminal device, and the abnormal terminal device can be effectively identified based on the statistical information of the SIP message to avoid interference with other terminal devices.
  • the statistical information of the SIP message includes at least one of the following information: the total number of SIP messages of the same type, the total number of SIP messages with the same source address and the same type, the total number of SIP messages with the same destination address and the same type, the number of SIP messages with the same source address and different first fields, and first duration information; where the first duration is determined by the time information of a first SIP message and the time information of a second SIP message, the source address of the first SIP message and the destination address of the second SIP message are the same, and the type of the first SIP message and the type of the second SIP message are different.
  • the first analysis network element receives the first information from the first network element; the first analysis network element or the second analysis network element determines, based on the first information, whether the terminal device is abnormal; the first analysis network element is a session management network element or a first network data analysis function network element, and the second analysis network element is a first network data analysis function network element or a second network data analysis function network element.
  • the method further includes the first analysis network element sending statistical information of the SIP messages of the terminal device to the second analysis network element.
  • the first network element includes a user plane network element or an application function network element.
  • before receiving the first information from the first network element, a session establishment request from the terminal device is received; and instruction information is sent to the first network element according to the session establishment request, the instruction information indicating detecting the SIP message according to the first packet detection rule (PDR).
  • the information of the second field of the third SIP message is sent to the application function network element, and the source address of the third SIP message is the address of the terminal device; location information of at least one terminal device is received from the application function network element, the location information of the at least one terminal device being sent according to the second field of the third SIP message; the first information is updated, and the first information includes the location information of the at least one terminal device.
  • the value of the first parameter is determined based on the statistical information of the SIP message; and whether the terminal device is abnormal is determined based on the relationship between the value of the first parameter and the first threshold.
  • the first parameter includes at least one of the following parameters: the ratio of the total number of SIP BYE messages to the total number of SIP INVITE messages, the ratio of the total number of SIP CANCEL messages to the total number of SIP INVITE messages, the total number of SIP INVITE messages, the dispersion of the time when the SIP message is detected, the dispersion of the first duration, and the dispersion of the location information of the at least one terminal device.
  • whether the terminal device is abnormal is determined based on a relationship between the value of the first parameter and the first threshold, and a first weight, the first weight including a weight corresponding to at least one parameter in the first parameter.
  • a fourth aspect provides an anomaly detection method, which method includes: the first network element determines the information of the SIP message related to the terminal device; the first network element determines the statistical information of the SIP message of the terminal device based on the information of the SIP message, and the statistical information of the SIP message is used to determine whether the terminal device is abnormal; the first network element sends the statistical information of the SIP message to the analysis network element; wherein the information of the SIP message includes at least one of the following information: the type of the SIP message, the source address of the SIP message, the destination address of the SIP message, the information of the first field of the SIP message, the information of the second field of the SIP message, and the time information of detecting the SIP message; the types of the SIP message include the SIP INVITE message, the SIP CANCEL message and the SIP BYE message; the first field is used to identify the sender device of the SIP message, and the second field is used to identify the recipient device of the SIP message.
  • the first network element can determine the statistical information of the SIP message based on the SIP message related to the terminal device.
  • the analysis network element can effectively identify the abnormal terminal device and avoid causing interference to other terminal devices.
  • the statistical information of the SIP message includes at least one of the following information: the total number of SIP messages of the same type, the total number of SIP messages with the same source address and the same type, the number of SIP messages with the same source address and different first fields, and first duration information; wherein the first duration is determined by the time information of the first SIP message and the time information of the second SIP message, the source address of the first SIP message and the destination address of the second SIP message are the same, and the type of the first SIP message and the type of the second SIP message are different.
  • the analysis network element is a session management network element or a network data analysis function network element.
  • the first network element includes a user plane network element or an application function network element.
  • the first network element receives indication information from the analysis network element, and the indication information instructs to detect the SIP message according to the first packet detection rule PDR.
  • in a fifth aspect, a communication device is provided; the communication device includes a transceiver unit and a processing unit.
  • the transceiver unit is configured to receive first information from the first network element.
  • the first information includes a Session Initiation Protocol (SIP) message related to the terminal device.
  • the processing unit is configured to determine whether the terminal device is abnormal based on the first information; wherein the information of the SIP message includes at least one of the following information: the type of the SIP message, the source address of the SIP message, the destination address of the SIP message, the information of the first field of the SIP message, the information of the second field of the SIP message, and the time information of detecting the SIP message; the types of the SIP message include the SIP INVITE (invitation) message, the SIP CANCEL (rejection) message and the SIP BYE (hang-up) message; the first field is used to identify the device used by the sender of the SIP message, and the second field is used to identify the device of the recipient of the SIP message.
  • the processing unit is further configured to determine the statistical information of the SIP message based on the first information; the processing unit is specifically configured to determine whether the terminal device is abnormal based on the statistical information of the SIP message.
  • the statistical information of the SIP message includes at least one of the following items: the total number of SIP messages of the same type, the total number of SIP messages with the same source address and the same type, the number of SIP messages with the same source address and different first fields, and first duration information; where the first duration is determined by the time information of the first SIP message and the time information of the second SIP message, the source address of the first SIP message and the destination address of the second SIP message are the same, and the type of the first SIP message and the type of the second SIP message are different.
  • the first network element is a user plane network element or an application function network element.
  • the transceiver unit is also configured to receive a session establishment request from the terminal device, and to send indication information to the first network element according to the session establishment request; the indication information indicates that the SIP message is detected according to the first packet detection rule (PDR).
  • the transceiver unit is also configured to send the information of the second field of the third SIP message to the application function network element, the source address of the third SIP message being the address of the terminal device, and to receive location information of at least one terminal device from the application function network element, the location information of the at least one terminal device being sent according to the second field of the third SIP message; the processing unit is also configured to update the first information, and the first information includes location information of the at least one terminal device.
  • the processing unit is specifically configured to determine the value of the first parameter based on the statistical information of the SIP message, and to determine whether the terminal device is abnormal based on the relationship between the value of the first parameter and the first threshold, wherein the first parameter includes at least one of the following parameters: the ratio of the total number of SIP BYE messages to the total number of SIP INVITE messages, the ratio of the total number of SIP CANCEL messages to the total number of SIP INVITE messages, the total number of SIP INVITE messages, the dispersion of the time information of the detected SIP messages, the dispersion of the first duration, and the dispersion of the location information of the at least one terminal device.
  • the processing unit is specifically configured to determine whether the terminal device is abnormal based on the relationship between the value of the first parameter and the first threshold, and the first weight.
  • the first weight includes a weight corresponding to at least one parameter in the first parameter.
  • in a sixth aspect, a communication device is provided; the communication device includes a processing unit and a transceiver unit.
  • the first network element determines the first information of the terminal device, and the first information includes the information of the Session Initiation Protocol (SIP) message related to the terminal device;
  • the first network element sends the first information to the analysis network element, and the first information is used to determine whether the terminal device is abnormal; wherein the information of the SIP message includes at least one of the following information: the type of the SIP message, the source address of the SIP message, the destination address of the SIP message, the information of the first field of the SIP message, the information of the second field of the SIP message, and the time information when the SIP message is detected; the type of the SIP message includes the SIP invitation INVITE message, the SIP reject message
  • the first field is used to identify the device used by the sender of the SIP message
  • the second field is used to identify the device of the recipient of the SIP message.
  • the first network element determines the information of the Session Initiation Protocol (SIP) message related to the terminal device and sends the information of the SIP message to the analysis network element, so that the analysis network element can effectively identify abnormal terminal devices based on the SIP messages related to the terminal device, avoiding interference with other terminal devices.
  • instruction information is received from the analysis network element, and the instruction information instructs to detect the SIP message according to the first packet detection rule PDR.
  • the first network element is a user plane network element or an application function network element.
  • the analysis network element is a session management network element or a network data analysis function network element.
  • in a seventh aspect, a communication device is provided; the communication device includes a transceiver unit and a processing unit.
  • the transceiver unit is used to receive statistical information of the Session Initiation Protocol (SIP) message from the first network element.
  • the statistical information of the SIP message is determined based on the information of the SIP message related to the terminal device; the processing unit is used to determine whether the terminal device is abnormal based on the first information; wherein the information of the SIP message includes at least one of the following information: the type of the SIP message, the source address of the SIP message, the destination address of the SIP message, the information of the first field of the SIP message, the information of the second field of the SIP message, and the time information when the SIP message is detected; the types of the SIP message include the SIP INVITE message, the SIP CANCEL message and the SIP BYE message; the first field is used to identify the sender device of the SIP message, and the second field is used to identify the receiver device of the SIP message.
  • the statistical information of the SIP message includes at least one of the following information: the total number of SIP messages of the same type, the total number of SIP messages with the same source address and the same type, the total number of SIP messages with the same destination address and the same type, the number of SIP messages with the same source address and different first fields, and first duration information; where the first duration is determined by the time information of a first SIP message and the time information of a second SIP message, the source address of the first SIP message and the destination address of the second SIP message are the same, and the type of the first SIP message and the type of the second SIP message are different.
  • the communication device is a session management network element or a network data analysis function network element.
  • the first network element includes a user plane network element or an application function network element.
  • the transceiver unit is also configured to receive a session establishment request from the terminal device, and to send indication information to the first network element according to the session establishment request; the indication information indicates that the SIP message is detected according to the first packet detection rule (PDR).
  • the transceiver unit is also configured to send the information of the second field of the third SIP message to the application function network element, the source address of the third SIP message being the address of the terminal device; to receive the location information of at least one terminal device from the application function network element, the location information of the at least one terminal device being sent according to the second field of the third SIP message; and to update the first information, the first information including location information of the at least one terminal device.
  • the processing unit is further configured to determine the value of the first parameter based on the statistical information of the SIP message, and to determine whether the terminal device is abnormal based on the relationship between the value of the first parameter and the first threshold, wherein the first parameter includes at least one of the following parameters: the ratio of the total number of SIP BYE messages to the total number of SIP INVITE messages, the ratio of the total number of SIP CANCEL messages to the total number of SIP INVITE messages, the total number of SIP INVITE messages, the dispersion of the time when the SIP message is detected, the dispersion of the first duration, and the dispersion of the location information of the at least one terminal device.
  • the processing unit is specifically configured to determine whether the terminal device is abnormal based on the relationship between the value of the first parameter and the first threshold, and the first weight.
  • the first weight includes a weight corresponding to at least one parameter in the first parameter.
  • in an eighth aspect, a communication device is provided; the communication device includes a transceiver unit and a processing unit.
  • the processing unit is used to determine the information of the SIP message related to the terminal device; the processing unit is also used to determine the statistical information of the SIP message of the terminal device according to the information of the SIP message.
  • the statistical information of the SIP message is used to determine whether the terminal device is abnormal.
  • the first network element sends the statistical information of the SIP message to the analysis network element.
  • the information of the SIP message includes at least one of the following information: the type of the SIP message, the source address of the SIP message, the destination address of the SIP message, the information of the first field of the SIP message, the information of the second field of the SIP message, and the time information of detecting the SIP message; the SIP message types include SIP INVITE messages, SIP CANCEL messages, and SIP BYE messages.
  • the first field is used to identify the sender device of the SIP message
  • the second field is used to identify the recipient device of the SIP message.
  • the first network element can determine the statistical information of the SIP message based on the SIP message related to the terminal device.
  • the analysis network element can effectively identify the abnormal terminal device and avoid causing interference to other terminal devices.
  • the statistical information of the SIP message includes at least one of the following information: the total number of SIP messages of the same type, the total number of SIP messages with the same source address and the same type, the total number of SIP messages with the same destination address and the same type, the number of SIP messages with the same source address and different first fields, and first duration information; where the first duration is determined by the time information of a first SIP message and the time information of a second SIP message, the source address of the first SIP message and the destination address of the second SIP message are the same, and the type of the first SIP message and the type of the second SIP message are different.
  • the analysis network element is a session management network element or a network data analysis function network element.
  • the first network element includes a user plane network element or an application function network element.
  • the first network element receives indication information from the analysis network element, and the indication information instructs to detect the SIP message according to the first packet detection rule PDR.
  • a communication device including a processor.
  • the processor is coupled to the memory and can be used to execute instructions in the memory to implement the method in any one of the above first to fourth aspects and possible implementation manners.
  • the communication device further includes a memory.
  • the communication device also includes a communication interface, and the processor is coupled to the communication interface.
  • a processor including: an input circuit, an output circuit and a processing circuit.
  • the processing circuit is configured to receive a signal through the input circuit and transmit a signal through the output circuit, so that the processor implements the method in any one of the above first to fourth aspects and the possible implementations of the first to fourth aspects.
  • the above-mentioned processor can be one or more chips
  • the input circuit can be an input pin
  • the output circuit can be an output pin
  • the processing circuit can be a transistor, a gate circuit, a flip-flop and various logic circuits, etc.
  • the input signal received by the input circuit may be received and input by, for example, but not limited to, a receiver
  • the signal output by the output circuit may be, for example, but not limited to, output to a transmitter and transmitted by the transmitter
  • the input circuit and the output circuit may be the same circuit, which is used as an input circuit and an output circuit respectively at different times.
  • the embodiments of this application do not limit the specific implementation methods of the processor and various circuits.
  • a processing device including a processor and a memory.
  • the processor is used to read instructions stored in the memory, and can receive signals through a receiver and transmit signals through a transmitter, to execute the method in any of the above first to fourth aspects and the possible implementations of the first to fourth aspects.
  • there are one or more processors and one or more memories.
  • the memory may be integrated with the processor, or the memory may be provided separately from the processor.
  • the memory can be a non-transitory memory, such as a read-only memory (ROM), which can be integrated on the same chip as the processor, or can be provided on a different chip. The embodiments of the present application do not limit the type of memory or the arrangement of the memory and the processor.
  • sending instruction information may be a process of outputting instruction information from the processor
  • receiving capability information may be a process of the processor receiving input capability information.
  • the data output by the processor can be output to the transmitter, and the input data received by the processor can be from the receiver.
  • the transmitter and receiver can be collectively called a transceiver.
  • the processing device in the above eleventh aspect may be one or more chips.
  • the processor in the processing device can be implemented by hardware or software.
  • the processor can be a logic circuit, an integrated circuit, etc.;
  • the processor can be a general processor, which is implemented by reading software codes stored in a memory, and the memory can be integrated in the processor, or can be located outside the processor and exist independently.
  • a computer program product includes: a computer program (which may also be called a code, or an instruction).
  • when the computer program is run, the computer is caused to execute the method in the first to fourth aspects and in any possible implementation manner of the first to fourth aspects.
  • a computer-readable storage medium stores a computer program (which may also be called a code, or an instruction) that when run on a computer causes the above-mentioned first aspect and The method in any possible implementation manner of the second aspect is executed.
  • a fourteenth aspect provides a communication system, including the aforementioned first network element and an analysis network element communicating with the first network element, wherein the first network element is a user plane network element or an application function network element,
  • the analysis network element is a session management network element or a network data analysis function network element.
  • Figure 1 is a schematic diagram of an application scenario applicable to the method of the embodiment of the present application.
  • FIG. 2 is a schematic flow chart of an anomaly detection method provided by an embodiment of the present application.
  • Figure 3 is a schematic flow chart of an anomaly detection method provided by another embodiment of the present application.
  • Figure 4 is a schematic flow chart of an anomaly detection method provided by another embodiment of the present application.
  • Figure 5 is a schematic flow chart of an anomaly detection method provided by another embodiment of the present application.
  • Figure 6 is a schematic diagram of a communication device provided by an embodiment of the present application.
  • Figure 7 is a schematic block diagram of a communication device provided by an embodiment of the present application.
  • FIG. 8 is a schematic diagram of a chip system provided by an embodiment of the present application.
  • LTE long term evolution
  • FDD frequency division duplex
  • TDD time division duplex
  • WiMAX global interoperability for microwave access
  • 5G fifth generation (5th generation)
  • 6G sixth generation (6th generation)
  • V2X vehicle-to-x
  • V2X can include vehicle-to-network (V2N), vehicle-to-vehicle (V2V), vehicle-to-infrastructure (V2I), vehicle-to-pedestrian (V2P), etc.
  • LTE-V long term evolution-vehicle
  • MTC machine type communication
  • IoT Internet of things
  • LTE-M long term evolution-machine
  • M2M machine to machine
  • FIG. 1 is a schematic diagram of a network architecture suitable for the method provided by the embodiment of this application.
  • the network architecture may specifically include the following network elements:
  • User equipment can include various handheld devices with wireless communication functions, vehicle-mounted devices, wearable devices, computing devices or other processing devices connected to wireless modems, as well as various forms of terminals, mobile stations (MS), terminals or soft terminals, etc. For example, water meters, electricity meters, sensors, etc.
  • the user equipment in the embodiment of the present application may refer to an access terminal, a user unit, a user station, a mobile station, a relay station, a remote station, a remote terminal, a mobile device, a user terminal, terminal equipment, wireless communications equipment, a user agent or a user device.
  • the user equipment may also be a cellular phone, a cordless phone, a session initiation protocol (SIP) phone, a wireless local loop (WLL) station, a personal digital assistant (PDA), a handheld device with wireless communication functions, a computing device or other processing device connected to a wireless modem, a vehicle-mounted device, a wearable device, user equipment in a 5G network, user equipment in a future evolved public land mobile network (PLMN), or user equipment in a future Internet of Vehicles, etc.
  • a wearable device may also be called a wearable smart device, which is a general term for applying wearable technology to intelligently design daily wear and develop wearable devices, such as glasses, gloves, watches, clothing and shoes, etc.
  • a wearable device is a portable device that is worn directly on the body or integrated into the user's clothing or accessories. Wearable devices are not just hardware devices; they can also achieve powerful functions through software support, data interaction, and cloud interaction. Broadly defined wearable smart devices include full-featured, large-sized devices that can achieve complete or partial functions without relying on smartphones, such as smart watches or smart glasses, and devices that focus only on a certain type of application function and need to be used together with other devices such as smartphones, such as various smart bracelets and smart jewelry for physical sign monitoring.
  • the user equipment can also be user equipment in the Internet of Things (IoT) system.
  • The main technical feature of IoT is to connect objects to the network through communication technology, thereby realizing an intelligent network of human-machine interconnection and object-to-object interconnection.
  • IoT technology can achieve massive connections, deep coverage, and terminal power saving through, for example, narrowband (NB) technology.
  • user equipment may also include sensors such as smart printers, train detectors, and gas stations.
  • the main functions include collecting data (part of user equipment), receiving control information and downlink data of access network equipment, and sending electromagnetic waves to transmit uplink data to access network equipment.
  • (Radio) access network ((R)AN) equipment: used to provide network access functions for authorized user equipment in a specific area, and can use transmission tunnels of different quality according to the level of the user equipment, business needs, etc.
  • RAN can manage wireless resources, provide access services for user equipment, and then complete the forwarding of control signals and user equipment data between the user equipment and the core network.
  • RAN can also be understood as a base station in a traditional network.
  • the access network device in the embodiment of the present application may be any communication device with wireless transceiver functions used to communicate with user equipment.
  • the access network equipment includes but is not limited to: evolved Node B (eNB), baseband unit (BBU), access point (AP) in a wireless fidelity (WIFI) system, wireless relay node, wireless backhaul node, transmission point (TP) or transmission and reception point (TRP), etc.
  • It can also be a gNB or a transmission point (TRP or TP) in a 5G system such as NR, one antenna panel or a group of antenna panels (including multiple antenna panels) of a base station in a 5G system, or a network node that constitutes a gNB or transmission point, such as a baseband unit (BBU) or a distributed unit (DU), etc.
  • gNB may include centralized units (CUs) and DUs.
  • the gNB may also include an active antenna unit (AAU).
  • CU implements some functions of gNB
  • DU implements some functions of gNB.
  • the CU is responsible for processing non-real-time protocols and services, and implementing radio resource control (RRC) and packet data convergence protocol (PDCP) layer functions.
  • DU is responsible for processing physical layer protocols and real-time services, and implementing the functions of the radio link control (RLC) layer, media access control (MAC) layer and physical (PHY) layer.
  • the access network device may be a device including one or more of a CU node, a DU node, and an AAU node.
  • the CU can be classified as access network equipment in the radio access network (RAN), or the CU can be classified as access network equipment in the core network (CN). This application does not limit this.
  • Access and mobility management function (AMF) network element: mainly used for mobility management and access management, etc., and can be used to implement the functions of the mobility management entity (MME) other than session management, such as access authorization/authentication.
  • Session management function (SMF) network element: mainly used for session management, Internet protocol (IP) address allocation and management of terminal devices, selection and management of user plane functions, endpoints of policy control and charging function interfaces, and downlink data notifications, etc.
  • PCF Policy control function
  • User plane function (UPF) network element used for packet routing and forwarding and quality of service (QoS) processing of user plane data.
  • User data can be accessed to the data network (DN) through this network element.
  • it can be used to implement the functions of user plane network elements.
  • Application function (AF) network element used for data routing affected by applications, access to network open function network elements, and interaction with the policy framework for policy control, etc.
  • Data network (DN): used to provide a network for transmitting data, for example the operator's business network, the Internet, a third-party business network, etc.
  • NWDAF can have at least one of the following functions:
  • the data collection function can refer to NWDAF collecting data from network elements, third-party servers, terminal devices or network management systems;
  • the model training function can refer to NWDAF analyzing and training based on relevant input data to obtain models (for example, machine learning models);
  • the model feedback function can refer to NWDAF sending the trained machine learning model to the network element that supports the inference function;
  • the analysis result inference function can refer to the NWDAF making inferences based on the trained machine learning model and inference data to determine the data analysis results;
  • the analysis result feedback function can refer to NWDAF providing data analysis results to network elements, third-party servers, terminal equipment or network management systems.
  • the data analysis results can assist the network in selecting service quality parameters for the business, or assist the network in performing traffic routing, or assist the network in selecting a background traffic transmission strategy, etc.
  • One application scenario of NWDAF is the customization or optimization of terminal parameters. That is, NWDAF collects user information such as connection management, mobility management, session management, and accessed services, and uses reliable analysis and prediction models to evaluate and analyze different types of users, build user portraits, determine the user's movement trajectory and service usage habits, and optimize user mobility management parameters and wireless resource management parameters, etc. In addition, NWDAF can also identify whether the terminal has abnormal behavior based on the constructed user portrait.
  • the NWDAF may be a separate network element or may be co-located with other network elements.
  • NWDAF network elements can be co-located with AMF or co-located with SMF.
  • the above network architecture may also include network exposure function (NEF) network elements.
  • 3GPP 3rd Generation Partnership Project
  • the N2 interface is the interface between RAN and AMF network elements and is used for sending wireless parameters, non-access stratum (NAS) signaling, etc.
  • the N3 interface is the interface between RAN and UPF network elements and is used to transmit user plane data, etc.
  • the N4 interface is the interface between the SMF network element and the UPF network element, and is used to transmit business policies, tunnel identification information of the N3 connection, data cache indication information, downlink data notifications and other information.
  • the N6 interface is the interface between the DN and UPF network elements and is used to transmit user plane data.
  • network elements can interact with each other through service-oriented interfaces.
  • NWDAF can collect data generated by terminals on network elements through service-oriented interfaces (such as Namf, Nsmf, etc.) provided by other network elements (such as AMF, SMF, etc.); NWDAF can also use the Nnwdaf interface to provide data analysis results, models, data, etc. to other network elements (such as AMF, PCF, etc.).
  • the network architecture applicable to the embodiments of the present application is not limited to this, and any network architecture that can realize the functions of each of the above network elements is applicable to the embodiments of the present application.
  • each network element and interface in this application are just examples. This application does not rule out the possibility that each network element will have other names in the future, and the functions between each network element will be merged. With the evolution of technology, any device or network element that can realize the functions of each of the above network elements is within the scope of protection of this application.
  • the above network elements can also be called entities, equipment, devices or modules, etc. This application is not particularly limited.
  • the description of "network element" is omitted in some descriptions.
  • the NWDAF network element is referred to as NWDAF.
  • the NWDAF should be understood as the NWDAF network element. In the following, description of the same or similar situations will be omitted.
  • NWDAF can analyze the data generated by the terminal device on the network-side functional network element (for example, AMF, SMF, etc.) and identify whether the behavior of the terminal device is abnormal, for example, identify whether the terminal device frequently accesses or registers.
  • NWDAF mainly identifies whether the access and registration information of the terminal device is compliant, thereby identifying whether the terminal device is an abnormal terminal device.
  • the terminal device may also cause interference to other terminal devices, for example, by initiating abnormal calls to other terminal devices. How to identify such abnormal terminal devices has become an urgent problem to be solved.
  • this application proposes an anomaly detection method, which can effectively identify such abnormal terminal equipment by analyzing network elements.
  • the first, second and various numerical numbers (for example, "#1", "#2", etc.) are only for convenience of description and are used to distinguish objects, and are not used to limit the scope of the embodiments of this application. For example, they are used to distinguish different core network elements, etc. They are not used to describe a specific order or sequence. It is to be understood that objects so described are interchangeable where appropriate to enable description of aspects other than the embodiments of the present application.
  • the "preset", "preconfiguration", etc. involved in the embodiments of this application can be realized by pre-saving, in the device (for example, a network device), corresponding codes, tables or other means that can be used to indicate relevant information. This application does not limit the specific implementation, such as the preset anomaly detection strategy, preset thresholds, etc. in the embodiments of this application.
  • the term "and/or" in this article is only an association relationship describing related objects, indicating that there can be three relationships.
  • A and/or B can mean three situations: A exists alone, A and B exist simultaneously, and B exists alone.
  • the character "/" in this article generally indicates that the related objects are an "or" relationship.
  • FIG. 2 is a schematic diagram of an anomaly detection method 200 provided by an embodiment of the present application.
  • Method 200 may include the following steps.
  • the first network element sends first information to the first analysis network element, where the first information includes information about the SIP message related to the terminal device.
  • the first analysis network element receives the first information from the first network element.
  • the first network element may be a user plane network element or an application function network element.
  • the application function network element may be a proxy call control function network element (proxy CSCF, P-CSCF); the first analysis network element may be the session management network element.
  • SIP messages related to the terminal device may be understood as SIP messages from the terminal device and/or SIP messages sent to the terminal device.
  • a terminal device initiates a call to another terminal device (called a called terminal device)
  • the terminal device initiates a first session for the call.
  • the data of the first session is transmitted by the first network element.
  • the data of the first session includes a SIP message
  • the SIP message is a SIP message sent by the terminal device.
  • the other terminal device initiates a second session for calling the terminal device.
  • the first network element is used to transmit data of the second session.
  • the data of the second session includes a SIP message.
  • the SIP message may be a SIP message sent to the terminal device.
  • the information of this SIP message includes at least one of the following information:
  • the types of the SIP messages include SIP INVITE messages, SIP CANCEL messages and SIP BYE messages.
  • the type of session corresponding to the SIP message can be determined by the type of the SIP message.
  • the SIP INVITE message can represent a session initiated to initiate a call
  • the SIP BYE message can represent a session initiated to hang up the peer call
  • the SIP CANCEL message can represent a session initiated to reject a call from the peer.
  • the source address of the SIP message may be the address of the terminal device, for example, an Internet Protocol (IP) address; when the SIP message is sent to the terminal device, the source address of the SIP message may be the address of the other terminal device, for example, the IP address.
  • the destination address of the SIP message may be the IP address of the application function network element.
  • This first field is used to identify the device used by the sender of the SIP message.
  • the terminal device is jointly identified by the identity of the terminal device and the identity of the device used by the terminal device.
  • the identity of the terminal device may include the identity of a subscriber identity module (SIM) card of the terminal device.
  • the identity of the SIM card can be a subscriber permanent identifier (SUPI), an international mobile subscriber identity (IMSI), etc.
  • the identifier of the device used by the terminal device may be, for example, a permanent equipment identifier (PEI) or an international mobile equipment identity (IMEI).
  • the second field is used to identify the recipient device of the SIP message, or in other words, the second field indicates the identity of the recipient device of the SIP message.
  • the second field may be a SIP_Tel_Number field that identifies the telephone number of the recipient device of the SIP message.
  • the time information of detecting the SIP message may be, for example, information of the time when the first network element detects the SIP message.
  • the first network element may send the first information to the first analysis network element according to preset reporting rules.
  • the reporting rule may be periodic reporting, reporting upon detection of SIP messages related to the terminal device, reporting upon detection of a preset number of SIP messages related to the terminal device, etc.
  • the SIP message information sent by the first network element to the first analysis network element may include the above-mentioned information for one or more SIP messages, or may include only part of the above-mentioned information for one or more SIP messages.
  • the first network element may report the type of the first SIP message, the source address and destination address of the first SIP message, information on the time when the first SIP message was detected, and the information of the first field and the second field of the first SIP message; the first network element can report the type of the second SIP message, its source address, and information on the time when the second SIP message was detected.
  • the method may also include S220 and S230:
  • the first network element receives instruction information from the first analysis network element, and the instruction information instructs to detect SIP messages related to the terminal device according to a first packet detection rule (PDR).
  • the first network element receives the first information from the first analysis network element.
  • the first PDR may include at least one of the following rules: detecting SIP messages whose source address is the terminal device; detecting SIP messages whose target address is the terminal device.
  • the SIP messages whose source address or destination address is the terminal device can include multiple types of SIP messages, for example, a SIP INVITE message whose source address is the terminal device, or a SIP CANCEL message or SIP BYE message whose destination address is the terminal device, etc.
  • the first network element detects the SIP message related to the terminal device according to the first PDR, and determines the information of the SIP message.
  • the first network element may determine that the type of the session data is a SIP message.
  • the first network element can detect the source address and/or destination address of the SIP message based on the first PDR; after detecting the SIP message matching the first PDR, the first network element can also determine the SIP message information in the first field and/or the second field. Further, the first network element may also determine the time information at which the SIP message is detected.
  • the first network element may also determine statistical information of the SIP message based on the information of the SIP message.
  • the statistical information of the SIP message includes at least one of the following: the total number of SIP messages of the same type, the total number of SIP messages with the same source address and the same type, the total number of SIP messages with the same destination address and the same type, the number of SIP messages with the same source address but different first fields, and the information of the first duration; wherein the first duration can be determined by the time information of the third SIP message and the time information of the fourth SIP message, the source address of the third SIP message is the same as the target address of the fourth SIP message, and the type of the third SIP message is different from the type of the fourth SIP message.
  • the statistical information of the SIP message is for multiple SIP messages related to the terminal device.
  • the first network element may determine the statistical information of the SIP message within a preset statistical period.
  • the first network element may enable a first counter, which is used to count the total number of SIP messages of the same type.
  • the first network element determines that the count value of the first counter is increased by 1.
  • the count value of the first counter can represent the total number of SIP messages of the same type.
  • the total number of calls made by the terminal device can be determined by counting the total number of SIP messages of the same type.
  • the total number of calls made by the terminal device includes the sum of the number of calls initiated by the terminal device and the number of calls initiated to the terminal device.
  • the first network element can enable a second counter, which is used to count the total number of SIP messages with the same source address and the same type. Taking the source address as the address of the terminal device and the SIP message as the SIP INVITE message as an example, the first network element detects, based on the first PDR and within a preset statistical period, SIP INVITE messages whose source address is the address of the terminal device; if such a SIP INVITE message is detected, the first network element determines that the second counter is increased by 1. The count value of the second counter may represent the total number of calls initiated by the terminal device.
  • At least one of the total number of calls initiated by the terminal device and the number of calls initiated to the terminal device can be determined; by counting SIP BYE messages with the same destination address, the number of times calls initiated by the terminal device are hung up can be determined; by counting SIP CANCEL messages with the same destination address, the number of times calls initiated by the terminal device are rejected can be determined.
  • the first network element may also detect a specific field of the SIP message, for example, the first field.
  • the number of SIP messages with the same source address and different first fields can be determined by detecting specific fields of the SIP messages.
  • the first network element can use a counter to count the number of SIP messages with the same source address and different first fields within the preset statistical period.
  • the frequency with which the terminal device switches the identity of the device used can be determined by detecting the total number of SIP messages with the same source address and different first fields.
  • the first network element may also record the time information when the SIP message is detected, for example, record the time when the SIP message is detected.
  • the first network element may also detect the time information of the two SIP messages in association with each other to determine the first duration information.
  • one of the two SIP messages may be a SIP INVITE message with the source address being the address of the terminal device, and the other of the two SIP messages may be a SIP BYE message or SIP CANCEL message with the destination address being the address of the terminal device.
  • By determining the time information when the SIP message is detected, the time information when the terminal device initiates a call, and the time information when the call initiated by the terminal device is rejected or hung up can be determined. Further, correlating the time information of the two SIP messages can determine the call duration (i.e., the first duration) between the terminal device and at least one called terminal device.
  • the first information includes the statistical information of the SIP message.
  • S240 may be executed before S210.
  • the first analysis network element determines the statistical information of the SIP message based on the information of the SIP message.
  • the first analysis network element determines the statistical information of the SIP message based on the information of the SIP message, which is similar to the first network element determining the statistical information of the SIP message. Please refer to the description of S240, which will not be described again.
  • the first network element can send the information of the SIP message related to the terminal device to the first analysis network element, and the analysis network element determines the statistical information of the SIP messages related to the terminal device based on that information.
  • the first analysis network element determines whether the terminal device is abnormal based on the statistical information of the SIP message.
  • the first analysis network element may determine whether the terminal device is abnormal according to the anomaly detection policy and the statistical information of the SIP message.
  • the first analysis network element may be pre-configured with at least one anomaly detection strategy for detecting whether the terminal device is abnormal.
  • Each anomaly detection strategy in the at least one anomaly detection strategy may include an analysis entry (or may also be called an analysis parameter, an example of the first parameter) and a threshold corresponding to the analysis parameter.
  • the anomaly detection strategy may also include a weight corresponding to each anomaly detection strategy, and the weight is used by the first analysis network element to associate multiple anomaly detection strategies to determine whether there is an abnormality in the terminal device.
  • judging whether the terminal device is abnormal according to the anomaly detection strategy can be understood as judging the size relationship between the statistical value of the analysis entry of the terminal device and its corresponding threshold. If the size relationship meets the expected result, it can be determined that the terminal device may be abnormal.
  • the statistical value of the analysis entry in the anomaly detection strategy can be determined by the statistical information of the SIP message.
  • the analysis entry may include at least one of the following parameters: the ratio of the total number of SIP BYE messages to the total number of SIP INVITE messages, the ratio of the total number of SIP CANCEL messages to the total number of SIP INVITE messages, the total number of SIP INVITE messages, the dispersion of the time information of detecting the SIP message, and the dispersion of the first duration.
  • the first analysis network element can receive the statistical information of the SIP message from the first network element, or the first analysis network element can determine the statistical information of the SIP message by itself.
  • the first analysis network element can determine the total number of SIP BYE messages, SIP CANCEL messages, or SIP INVITE messages, so that the first analysis network element can determine the ratio of the total number of SIP BYE messages to the total number of SIP INVITE messages, the ratio of the total number of SIP CANCEL messages to the total number of SIP INVITE messages, and the total number of SIP INVITE messages.
  • the first analysis network element may determine the dispersion of the time information of the detected SIP message based on the time information of the detected SIP message, and determine the dispersion of the first duration based on the information of the first duration.
  • if the first analysis network element determines, according to the statistical information of the SIP message, that the value of the first parameter and its corresponding threshold satisfy the preset size relationship, the first analysis network element can determine that the terminal device may be abnormal.
  • the first analysis network element may also send a request message to the application function network element, where the request message is used to request the location information of the called terminal device.
  • the first analysis network element receives the location information of the called terminal device from the application function network element.
  • the request message may carry the identity of the called terminal device.
  • the first analysis network element may determine the identity of the peer terminal device by determining the second field of the SIP INVITE message whose source address is the address of the terminal device. It should be understood that the application function network element can determine the location information of the called terminal device according to the identity of the called terminal device.
  • the first analysis network element may determine the dispersion of the call target address of the terminal device based on the location information of the called terminal device.
  • the analysis entry may include the dispersion of the terminal device's call destination address.
  • the first analysis network element can determine whether the terminal device is abnormal by determining the relationship between the dispersion degree of the terminal device's call target address and the threshold value.
  • the first analysis network element sends the statistical information of the SIP message to the second analysis network element.
  • the second analysis network element receives the statistical information of the SIP message from the first analysis network element.
  • the second analysis network element determines whether the terminal device is abnormal based on the statistical information of the SIP message.
  • the specific process of the second analysis network element determining whether the terminal device is abnormal may refer to the process of the first analysis network element determining whether the terminal device is abnormal in S260a.
  • the first network element can determine the SIP message related to the terminal device, and the first network element can determine the statistical information of the SIP message based on the information of the SIP message; the first network element sends the statistical information of the SIP message to the analysis network element, so that the analysis network element can determine whether the terminal device is abnormal based on the statistical information of the SIP message.
  • the analysis network element can be a session management network element or a network data analysis function network element. When the analysis network element is a network data analysis function network element, the first network element can send the statistical information of the SIP message to the network data analysis function network element through the session management network element.
  • the first network element determines the SIP message related to the terminal device, and the first network element sends the information of the SIP message to the analysis network element; the analysis network element can determine the statistical information of the SIP message based on the information of the SIP message; the analysis network element determines whether the terminal device is abnormal based on the statistical information of the SIP message.
  • the analysis network element may be a session management network element or a network data analysis function network element.
  • the first network element determines the SIP message related to the terminal device, and the first network element sends the information of the SIP message to the first analysis network element; the first analysis network element can determine the statistical information of the SIP message based on the information of the SIP message; the first analysis network element can send the statistical information of the SIP message to the second analysis network element, so that the second analysis network element determines whether the terminal device is abnormal.
  • the first analysis network element may be a session management network element; the second analysis network element may be a network data analysis function network element.
  • the analysis network element can effectively identify abnormal terminal equipment based on SIP messages related to the terminal equipment to avoid causing interference to other terminal equipment.
  • FIG. 3 is a schematic diagram of an anomaly detection method 300 provided by an embodiment of the present application.
  • Method 300 may include the following steps.
  • S301 SMF starts the abnormality detection process of the UE.
  • SMF enabling the UE's anomaly detection can be understood as SMF enabling the subsequent anomaly detection process.
  • SMF's anomaly detection process can be configured by the operator.
  • the operator may configure an anomaly detection process for one or more SMFs in a specific area of the network, including the SMF.
  • Anomaly detection policies can be configured in this SMF.
  • the multiple anomaly detection strategies are as shown in Table 1, and different anomaly detection strategies can be identified by policy IDs.
  • the call initiated by UE#1 may be that UE#1 initiates a call to the called UE, and the called UE includes at least one UE.
  • the call initiated by UE#1 being rejected may mean that the call initiated by UE#1 is rejected by the called UE.
  • the called UE#1 may be a call initiated by the called UE to UE#1, and the called UE includes at least one UE.
  • the call initiated by UE#1 is hung up may mean that the call initiated by UE#1 is hung up by the called UE.
  • When UE#1 initiates a call to the called UE, UE#1 acts as the calling party; otherwise, UE#1 acts as the called party.
  • the ratio of UE#1 acting as the calling party and UE#1 acting as the called party can be understood as the ratio of the number of times UE#1 initiates calls to the number of times UE#1 is called.
  • UE#1 can initiate different numbers of calls to multiple called UEs. For example, if UE#1 initiates 5 calls to called UE#2 and 7 calls to called UE#3, then the average number of calls UE#1 initiates to each called UE is 6.
  • the dispersion of MEs switched by UE#1 can be expressed by the dispersion of the identifiers of MEs switched by UE#1.
  • the identifier of the ME is, for example, IMEI.
  • the dispersion of MEs switched by the UE may refer to the span of multiple IMEIs corresponding to the MEs switched by the UE.
  • the dispersion degree of the calling target area of UE#1 may refer to the dispersion degree of the regional locations of the multiple called UEs when UE#1 initiates a call to the multiple called UEs.
  • the dispersion of call duration of UE#1 may refer to the dispersion of call duration between UE#1 and other UEs.
  • the other UEs may be the calling UE or the called UE.
  • UE#1 may initiate calls to different called UEs at multiple times, and the dispersion of the time when UE#1 initiates the call may refer to the dispersion of the multiple times.
  • UE#1 sends a protocol data unit (PDU) session establishment request to the SMF.
  • the SMF receives the PDU session establishment request from the UE.
  • the PDU session establishment request is an IP multimedia subsystem (IMS) class PDU session establishment request.
  • the PDU session establishment request message carries an identification field used to identify the requested session type.
  • the identification field can be the "Data Network Name Type (DNN type)" field or any other field.
  • the content of the identification field can be IMS.
  • the PDU session establishment request may also carry indication information, which indicates that UE#1 requests the address of the P-CSCF, for example, the IP address.
  • S303 SMF selects UPF.
  • the UPF selected by the SMF is used to transmit user plane data of UE#1.
  • the UPF may forward the data packet of at least one session received from the UE#1 to the destination UE in the UPF, or send the data packet of the at least one session to the network side device through the N6 interface, or send the data packets of the at least one session to other UPFs via the N19 interface.
  • the UPF can also forward data packets from at least one session of the UE in the UPF, or data packets of at least one session from the network side device, or data packets of at least one session from other UPFs, to UE#1.
  • the SMF sends instruction information #1 to the UPF.
  • the instruction information #1 instructs the UPF to count and report statistical information on SIP messages related to UE#1.
  • UPF receives the indication information #1 from the SMF.
  • the SIP messages related to UE#1 may include SIP messages from UE#1 and SIP messages sent to UE#1.
  • when UE#1 initiates session #1 to call UE#2, UE#1 sends SIP message #1 of session #1 to UE#2 through the UPF; in response to SIP message #1, UE#2 can send SIP message #2 to UE#1.
  • the SIP message related to UE#1 may include the SIP message #1 and SIP message #2.
  • the indication information #1 may carry the data packet detection rule PDR#1, which is used to match or detect the data packets of the SIP message related to UE#1.
  • the rules of PDR#1 may include: causing UPF to identify data packets whose destination address and/or source address are specific IP addresses, for example, a data packet whose source address is the IP address of UE#1 (denoted as IPUE#1) and whose destination address is the IP address of P-CSCF (denoted as IPP-CSCF); or a data packet whose source address is the IP address of the opposite end UE and whose destination address is the IP address of P-CSCF.
  • the rules of PDR#1 may also include: causing UPF to identify specific types of data packets, for example, data packets of type SIP message. Further, the rules of PDR#1 also include identifying SIP messages whose control fields include "INVITE", "BYE" or "CANCEL". A SIP message whose control field includes "INVITE" can also be called a SIP INVITE message. Similarly, a SIP message whose control field includes "BYE" or "CANCEL" can also be called a SIP BYE message or SIP CANCEL message.
  • the PDR#1 may also include reporting rules for UPF to report statistical information of SIP messages related to UE#1, for example, periodic reporting, reporting of statistical information entries exceeding a preset threshold, reporting after each statistical information update, etc.
  • After UPF receives a data packet, it matches each field of the data packet header against the parameter items defined in the PDR, and thereby detects the SIP messages related to UE#1.
  • UPF#1 starts counting SIP messages of UE#1 based on the indication information #1.
  • UPF#1 starts to determine the statistical information of the SIP message of UE#1 based on the indication information.
  • S306 The SMF sends the address of the P-CSCF to UE#1.
  • SMF sends the P-CSCF address to UE#1, that is, the PDU session is successfully established.
  • S306 can be executed before or after S305.
  • S306 can be understood as a response to S302.
  • After receiving the PDU session establishment request of UE#1, the SMF starts an abnormality detection process according to the preconfiguration, and the abnormality detection process includes S304. After S304, UPF starts statistics of SIP messages related to UE#1.
  • the SIP messages of UE#1 that can be counted by UPF can come from calls initiated by UE#1, such as mobile originated calls, which can also be called calling calls or MO calls, and from calls initiated from the network side, such as mobile terminated calls, which can also be called called calls or MT calls.
  • UPF may only receive SIP messages for MO calls initiated by UE#1 during the statistical time period, but no SIP messages for MT calls; or UPF may only receive SIP messages for MT calls during the statistical time period, but no SIP messages for UE#.
  • UPF detects the first data packet according to PDR#1.
  • the first data packet includes data packet #1, and data packet #1 is a data packet used by the network side to initiate an MT call.
  • the type of data packet #1 is a SIP message; the control field of data packet #1 includes "INVITE"; the source address of data packet #1 is IPP-CSCF, and the destination address of data packet #1 is IPUE#1.
  • If UPF detects data packet #1 based on PDR#1, then in S308 UPF updates information #1, where information #1 includes statistical information of the SIP message of the MT call.
  • if UPF detects a data packet #1, UPF updates the count of counter #1.
  • the counter #1 is used to count the number of calls initiated to UE#1.
  • the statistical information of the SIP messages of the MT call may include the count of counter #1.
  • UPF updating the count of counter #1 amounts to UPF updating information #1.
  • UPF updates the count of counter #2.
  • the counter #2 is used to count the total number of calls made by UE#1.
  • the total number of calls made by UE#1 includes the sum of the number of times the network side initiates calls to UE#1 and the number of times UE#1 initiates calls.
  • the statistical information of the SIP message of the MT call may also include the count of counter #2.
  • UPF updating the count of counter #2 amounts to UPF updating information #1.
  • the statistical information of the SIP message of UE#1 may be as shown in Table 2.
  • UPF detects the second data packet based on PDR#1.
  • the second data packet includes data packet #2, and data packet #2 is a data packet for UE#1 to initiate an MO call.
  • the content type of packet #2 is a SIP message; the control field of packet #2 includes "INVITE", the source address is IPUE#1, and the destination address is IPP-CSCF.
  • If UPF detects data packet #2 based on PDR#1, then in S310 UPF updates information #1, where information #1 includes statistical information of the SIP message of the MO call.
  • if UPF detects a packet #2, UPF updates the count of counter #3.
  • the counter #3 is used to count the number of calls initiated by UE#1.
  • the statistics of the SIP messages of the MO call may include the count of counter #3.
  • the updated statistical information of the SIP message of UE#1 can be as shown in Table 3.
  • UPF updates the count of counter #2. That is, UPF updates the total number of calls made by UE#1.
  • After UPF detects the data packet #2, it can also determine at least one of the information of field #1 and the information of field #2 of data packet #2.
  • Field #1 is used to identify the device used by the sender of data packet #2.
  • field #1 may indicate the device used by UE#1.
  • field #1 carries the IMEI of the UE#1 device.
  • Field #2 is used to identify the receiving device of data packet #2.
  • this data packet #2 is a data packet for UE#1 to initiate a call to UE#2.
  • This field #2 can carry the phone number of UE#2.
  • Field #2 can be the SIP_Tel_Number field.
  • UPF can count the information of field #1 and/or field #2 of multiple data packets #2, and the statistical information of the SIP message of UE#1 includes the information of field #1 and/or field #2 of the multiple data packets #2.
  • the multiple data packets #2 can be understood as multiple calls initiated by UE#1.
  • the multiple data packets #2 may be data packets in which UE#1 initiates multiple calls to one UE, or may be data packets in which UE#1 initiates calls to multiple different UEs.
  • the statistical information of the SIP message of UE#1 includes the information of time #1.
  • the data packet #2 is a SIP message in which UE#1 initiates a call to UE#2.
  • the statistical information of the SIP message of UE#1 can be as shown in Table 4.
  • UPF may also detect data packet #3 (an example of the second data packet), which may be a data packet corresponding to data packet #2.
  • the data packet #3 is a data packet in which the opposite end UE (called UE) of the call initiated by UE#1 responds to the call initiated by UE#1.
  • the destination address of packet #3 is IPUE#1, the source address is IPP-CSCF, the type is SIP message, and the content is "BYE".
  • If the UPF detects the data packet #3, the UPF updates the count of counter #4.
  • the counter #4 is used to count the number of times the call initiated by UE#1 is connected.
  • the statistical information of the SIP message of UE#1 includes the count value of counter#4.
  • UPF can also record information about time #2 when packet #3 is detected.
  • the UPF may correlate time #1 of packet #2 to determine the length of time between time #1 and time #2. This duration may represent the duration of the conversation between UE#1 and the called UE.
  • data packet #2 is a data packet for UE#1 to initiate a call to UE#2.
  • UPF can record the identity of UE#2 (for example, phone number) and time #1 at which data packet #2 is detected. When UPF detects data packet #3, UPF can use the identity of the sender device of data packet #3 to determine whether data packet #3 is sent by UE#2 in response to data packet #2. If so, UPF can record time #2 at which data packet #3 is detected; the duration between time #1 and time #2 is the length of the call between UE#1 and UE#2.
  • the statistical information of the SIP message of UE#1 may be as shown in Table 5.
  • UPF may also detect data packet #4 (an example of the second data packet), which may be a data packet corresponding to data packet #2.
  • the data packet #4 is a data packet in which the opposite end UE (the called UE) of the call initiated by UE#1 responds to the call initiated by UE#1.
  • the destination address of packet #4 is IPUE#1, the source address is IPP-CSCF, the type is SIP message, and the content is "CANCEL".
  • If UPF detects data packet #4, UPF updates the count of counter #5. Counter #5 is used to count the number of times calls initiated by UE#1 are rejected.
  • UE#3 sends a SIP CANCEL message to UE#1, and the statistical information of the SIP message of UE#1 can be as shown in Table 6.
  • the SIP messages of MT calls and the SIP messages of MO calls counted by UPF can fall within the same statistical period, or the period over which UPF counts SIP messages of MT calls can be greater than or equal to the period over which it counts SIP messages of MO calls.
  • the UPF sends the statistical information of the SIP message of UE#1 to the SMF.
  • the SMF receives the statistical information of the SIP messages of UE#1 from the UPF.
  • the statistical information of the SIP message may include the count of at least one counter among counter #1 to counter #5.
  • the statistical information of the SIP message may also include the time information of detecting the SIP message and the call length information.
  • the SMF sends the statistical information of the SIP message of the UE#1 to the NWDAF.
  • the NWDAF receives the statistical information of the SIP messages of UE#1 from the SMF.
  • the SMF can also send a request message #1 to the P-CSCF.
  • the request message #1 is used to request the location information of the opposite end UE called by UE#1.
  • the P-CSCF receives the request message #1 from the SMF.
  • the request message #1 may carry the identity of the peer UE, for example, a phone number.
  • the P-CSCF sends the location information of the opposite end UE to the SMF.
  • the SMF receives the location information of the opposite end UE from the P-CSCF.
  • the location information may be a location area code (LAC), a tracking area identifier (TAI), a cell ID, a geographic area identifier (GAI), a network code (NC), a country code (CC), a city code (CC), or a county code of the peer UE called by UE#1.
  • the statistical information of the SIP message of UE#1 sent by the SMF to the NWDAF may also include the location information of the peer UE called by UE#1.
  • NWDAF determines whether there is an abnormality in UE#1.
  • NWDAF determines whether UE#1 is abnormal based on the abnormality detection policy and the statistical information of the SIP message of UE#1.
  • For this anomaly detection strategy, please refer to the description in S260a.
  • the value of the analysis entry of the anomaly detection policy may be determined based on the statistical information of the SIP message of UE#1.
  • the number of calls initiated by UE#1 may be determined based on the count value of counter #3. If the NWDAF determines that the count value of counter #3 is greater than the threshold T1, the NWDAF may determine that there may be an abnormality in UE#1.
  • the number of times calls initiated by UE#1 are rejected can be determined by counting counter #5. If NWDAF determines that the count value of counter #5 is greater than T2, NWDAF can determine that UE#1 may be abnormal.
  • the number of times UE#1 is called can be determined by the count of counter #1; the number of times calls initiated by UE#1 are connected can be determined by the count of counter #3; the ratio of the number of times calls initiated by UE#1 are rejected to the total number of calls of UE#1 can be determined by correlating the count values of counter #5 and counter #2; the ratio of the number of times calls initiated by UE#1 are connected to the total number of calls of UE#1 can be determined by correlating the count values of counter #3 and counter #2; the ratio of the UE acting as the calling party to the UE acting as the called party can be determined by correlating the count values of counter #1 and counter #3; the average number of times the UE initiates calls to each called UE can be determined by the count value of counter #3 together with the information in field #2 of the SIP message.
  • the dispersion of mobile equipment (ME) switched by UE#1 can be determined by the information of field #1 of the SIP message. This field #1 carries the identification of the device used by UE#1, for example, IMEI.
  • the dispersion of the ME switched by UE#1 can be understood as the dispersion of multiple IMEIs switched by UE#1.
  • the dispersion of the multiple IMEIs can be determined by the contents of the IMEIs. For example, if the contents of the multiple IMEIs are continuous, the dispersion of the IMEIs is considered small; if the contents of the IMEIs are random and irregular, the dispersion of the multiple IMEIs can be considered large.
  • the dispersion of the target area called by UE#1 can be determined by the location information of the opposite UE called by UE#1; the dispersion of the call duration of UE#1 can be determined by the call duration information of UE#1; the dispersion of the times at which UE#1 initiates calls can be determined by the time information of the SIP messages sent by UE#1.
  • NWDAF can determine whether UE#1 is abnormal through one or more analysis parameters in the anomaly detection strategy.
  • When NWDAF determines whether UE#1 is abnormal based on one analysis parameter in the anomaly detection strategy, NWDAF can determine whether there is an abnormality in UE#1 through the relationship between the statistical information of the SIP message of UE#1 and the threshold.
  • When NWDAF determines whether UE#1 is abnormal through multiple analysis parameters in the anomaly detection strategy, NWDAF can determine whether UE#1 is abnormal based on the relationship between the statistical information of UE#1's SIP messages and the thresholds, and the weight corresponding to each analysis parameter.
  • the NWDAF may configure the total weight of the UE to be abnormal as W.
  • the NWDAF determines that the UE is abnormal. For example, NWDAF combines the anomaly detection policy #1 (policy ID is "1") and the anomaly detection policy #2 to determine whether there is an abnormality in UE#1.
  • the NWDAF can receive statistical information of SIP messages of multiple UEs within a preset time period, and determine whether the multiple UEs are abnormal based on the statistical information of SIP messages of the multiple UEs.
  • the NWDAF may also determine the abnormal access address through the location information of the multiple UEs.
  • NWDAF may determine that address #1 is the abnormal access address. By correlating all abnormal UEs, it can be determined whether the abnormal access address has a cluster abnormal call system.
  • NWDAF can obtain the statistical information of SIP messages related to the UE session from the SMF, and determine whether the UE is abnormal based on the statistical information of the SIP message and the anomaly detection policy, thereby effectively preventing the UE's abnormal behavior.
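The per-packet counting of method 300 and the threshold-and-weight evaluation at the NWDAF can be sketched as follows. This is an added Python example, not code from the patent application. The record layout, addresses, thresholds, weights, the use of standard deviation as the dispersion measure, and the rule that UE#1 is flagged when the weights of the tripped policies sum to at least W are all assumptions made for illustration.

```python
import operator
from collections import Counter
from dataclasses import dataclass
from statistics import pstdev
from typing import Callable

UE_IP = "10.0.0.1"        # constructed stand-in for IPUE#1
PCSCF_IP = "10.0.0.100"   # constructed stand-in for IPP-CSCF

@dataclass
class SipRecord:
    """One packet matched by the PDR (hypothetical record layout)."""
    t: float          # detection time, seconds
    method: str       # control field: INVITE, BYE or CANCEL
    src: str
    dst: str
    peer: str = ""    # field #2 on an INVITE, or identity of the responding UE
    imei: str = ""    # field #1, device identifier on an MO INVITE

@dataclass
class Policy:
    policy_id: int
    entry: str                                 # analysis entry (key in the statistics)
    relation: Callable[[float, float], bool]   # expected size relationship
    threshold: float
    weight: int

def collect_statistics(records, ue_ip=UE_IP, pcscf_ip=PCSCF_IP):
    """Maintain counters #1 to #5, call durations and identity sets for one UE."""
    c = dict.fromkeys(("c1", "c2", "c3", "c4", "c5"), 0)
    pending, durations, imeis, callees = {}, [], set(), Counter()
    for r in sorted(records, key=lambda rec: rec.t):
        from_ue = (r.src, r.dst) == (ue_ip, pcscf_ip)
        to_ue = (r.src, r.dst) == (pcscf_ip, ue_ip)
        if r.method == "INVITE" and to_ue:       # data packet #1: MT call
            c["c1"] += 1
            c["c2"] += 1
        elif r.method == "INVITE" and from_ue:   # data packet #2: MO call
            c["c3"] += 1
            c["c2"] += 1
            imeis.add(r.imei)
            callees[r.peer] += 1
            pending[r.peer] = r.t                # time #1
        elif r.method == "BYE" and to_ue:        # data packet #3
            c["c4"] += 1
            if r.peer in pending:                # answers an earlier packet #2
                durations.append(r.t - pending.pop(r.peer))  # time #2 - time #1
        elif r.method == "CANCEL" and to_ue:     # data packet #4
            c["c5"] += 1
            pending.pop(r.peer, None)
    return {
        **c,
        "rejected_ratio": c["c5"] / c["c2"] if c["c2"] else 0.0,
        "distinct_imeis": len(imeis),
        "avg_calls_per_callee": c["c3"] / len(callees) if callees else 0.0,
        "durations": durations,
        # Assumed dispersion measure: population standard deviation.
        "duration_dispersion": pstdev(durations) if len(durations) > 1 else 0.0,
    }

def evaluate(stats, policies, total_weight):
    """Assumed rule: abnormal when tripped policy weights sum to >= W."""
    tripped = [p for p in policies if p.relation(stats[p.entry], p.threshold)]
    score = sum(p.weight for p in tripped)
    return score >= total_weight, [p.policy_id for p in tripped], score

def _mo(t, peer, imei):
    return SipRecord(t, "INVITE", UE_IP, PCSCF_IP, peer, imei)

def _resp(t, method, peer):
    return SipRecord(t, method, PCSCF_IP, UE_IP, peer)

# Constructed sample: one MT call, six MO calls from three IMEIs, four rejected.
SAMPLE = [
    _resp(0.0, "INVITE", "+100"),
    _mo(10.0, "+201", "imei-A"), _resp(12.0, "CANCEL", "+201"),
    _mo(20.0, "+202", "imei-A"), _resp(22.0, "CANCEL", "+202"),
    _mo(30.0, "+203", "imei-B"), _resp(32.0, "CANCEL", "+203"),
    _mo(40.0, "+204", "imei-B"), _resp(42.0, "CANCEL", "+204"),
    _mo(50.0, "+205", "imei-C"), _resp(55.0, "BYE", "+205"),
    _mo(60.0, "+206", "imei-C"), _resp(66.0, "BYE", "+206"),
]

# Constructed policies; thresholds and integer weights are illustrative only.
POLICIES = [
    Policy(1, "c3", operator.gt, 5, 4),              # calls initiated > T1
    Policy(2, "c5", operator.gt, 3, 3),              # calls rejected > T2
    Policy(3, "rejected_ratio", operator.gt, 0.5, 2),
    Policy(4, "distinct_imeis", operator.gt, 3, 3),
]
TOTAL_WEIGHT = 8   # W

if __name__ == "__main__":
    stats = collect_statistics(SAMPLE)
    print(stats)
    print(evaluate(stats, POLICIES, TOTAL_WEIGHT))
```

Keeping the expected size relationship as a per-policy operator lets a policy trip on a value that is too low as well as too high, which matters for dispersion entries.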
  • FIG. 4 is a schematic diagram of an anomaly detection method 400 provided by an embodiment of the present application.
  • Method 400 may include the following steps.
  • S401 SMF starts the abnormality detection process of the UE.
  • SMF enabling the UE's anomaly detection can be understood as SMF enabling the subsequent anomaly detection process.
  • SMF's anomaly detection process can be configured by the operator.
  • the operator can configure an anomaly detection process for one or more SMFs in a specific area of the network.
  • UE#1 sends a PDU session establishment request to the SMF.
  • the SMF receives the PDU session establishment request from the UE.
  • This step is similar to S302.
  • SMF selects UPF.
  • This step is similar to S303.
  • the SMF sends instruction information #2 to the UPF.
  • the instruction information #2 instructs the UPF to report SIP message information related to UE#1.
  • UPF receives the indication information #2 from the SMF.
  • the indication information #2 may carry the data packet detection rule PDR#2, which is used to match or detect the data packets of the SIP message related to UE#1.
  • the rules of PDR#2 may include: identifying data packets whose destination address and/or source address are specific IP addresses, for example, a data packet whose source address is the IP address of UE#1 (denoted as IPUE#1) and whose destination address is the IP address of P-CSCF (denoted as IPP-CSCF); or a data packet whose source address is the IP address of the opposite end UE and whose destination address is the IP address of P-CSCF.
  • the PDR#2 rules may also include: identifying specific types of data packets, for example, data packets of type SIP message. Further, the rules of PDR#1 also include identifying SIP messages whose control fields include "INVITE", "BYE" or "CANCEL".
  • a SIP message whose control field includes "INVITE" can also be called a SIP INVITE message.
  • a SIP message whose control field includes "BYE" or "CANCEL" can also be called a SIP BYE message or SIP CANCEL message.
  • the PDR#2 may also include a reporting rule for the UPF to report the information of the SIP message related to UE#1.
  • the reporting rule may be to report upon detection, that is, when the UPF detects the information of a SIP message, the UPF reports the SIP message information to the SMF.
  • S405 UPF starts detecting the SIP message of UE#1 based on the indication information #2.
  • UPF#1 starts detecting SIP messages related to UE#1 based on the indication information #2.
  • S406 The SMF sends the P-CSCF address to UE#1.
  • SMF sends the P-CSCF address to UE#1, that is, the PDU session is successfully established.
  • S406 can be executed before or after S405.
  • S406 can be understood as a response to S402.
  • After receiving the PDU session establishment request of UE#1, the SMF starts an abnormality detection process according to the preconfiguration, and the abnormality detection process includes S404. After S404, the UPF starts detecting SIP messages related to UE#1.
  • the SIP messages of UE#1 detectable by UPF may come from calls initiated by UE#1, for example, MO calls, and from calls initiated by the network side, for example, MT calls.
  • the UPF may only receive the SIP message for the MO call initiated by UE#1 within the preset time period, but no SIP message for the MT call; or the UPF may only receive the SIP message for the MT call within the preset time period, but no SIP message for the MO call.
  • UPF detects the first data packet according to PDR#2.
  • the first data packet may include data packet #1.
  • This data packet #1 is a data packet for the network side to initiate an MT call.
  • the type of data packet #1 is a SIP message; the control field of data packet #1 includes "INVITE"; the source address of data packet #1 is IPP-CSCF, and the destination address of data packet #1 is IPUE#1.
  • the first data packet may also include data packet #2.
  • This data packet #2 is a data packet for UE#1 to initiate an MO call.
  • the content type of data packet #2 is a SIP message; the control field of data packet #2 includes "INVITE"; the source address is IPUE#1, and the destination address is IPP-CSCF.
  • the first data packet may also include data packet #3.
  • the data packet #3 may be a data packet corresponding to the data packet #2.
  • the data packet #3 is a data packet in which the opposite end UE (called UE) of the call initiated by UE#1 responds to the call initiated by UE#1.
  • the destination address of packet #3 is IPUE#1, the source address is IPP-CSCF, the type is SIP message, and the control field includes "BYE".
  • the first data packet may also include data packet #4.
  • the data packet #4 may be a data packet corresponding to the data packet #2.
  • the data packet #4 is a data packet in which the opposite end UE (the called UE) of the call initiated by UE#1 responds to the call initiated by UE#1.
  • the destination address of packet #4 is IPUE#1, the source address is IPP-CSCF, the type is SIP message, and the control field includes "CANCEL".
  • the UPF may also determine the first information of the first data packet.
  • the first information may include time information when the first data packet is detected.
  • the time information may include time information when data packet #2, data packet #3, and data packet #4 are detected.
  • the first information may also include information on specific fields in the first data packet.
  • the specific field may be used to identify the opposite end UE that UE#1 calls.
  • the specific field identifies the phone number of the opposite end that UE#1 calls. This specific field could be the field in packet #2.
  • The UPF can report the SIP message information related to UE#1 to the SMF according to the rules of PDR#2 as soon as it detects the first data packet, or after detecting multiple data packets, or it can report periodically or regularly.
  • the UPF sends the SIP message information related to UE#1 to the SMF.
  • the information of the SIP message related to UE #1 reported by the UPF to the SMF may be as shown in Table 7.
  • the information of the SIP message related to UE#1 reported by UPF to SMF can be as shown in Table 8.
  • the information of the SIP message related to UE#1 reported by the UPF to the SMF may be as shown in Table 9.
  • the calling UE may refer to the UE that initiates the call; the event ID is used to refer to the session event triggered by the UE. For example, the call initiated by UE#1 to UE#2 can be identified as a session event.
  • the SMF determines the statistical information of the SIP message based on the information of the SIP message of the UE#1.
  • the SMF updates the count of counter #1.
  • the counter #1 is used to count the number of calls initiated to UE#1.
  • the statistical information of the SIP message may include the count of counter #1.
  • After the SMF receives the information of the SIP message of event ID #1, the SMF updates the count of counter #2.
  • the counter #2 is used to count the total number of calls made by UE#1.
  • the total number of calls made by UE#1 includes the sum of the number of times the network side initiates calls to UE#1 and the number of times UE#1 initiates calls.
  • the statistical information of the SIP message may also include the count of counter #2.
  • the SMF updates the count of counter #3.
  • the counter #3 is used to count the number of calls initiated by UE#1.
  • the statistics of the SIP message may include the count of counter #3.
  • SMF updates the count of counter #2.
  • If the SMF receives the information of the SIP message of event ID #3, the SMF updates the count of counter #4.
  • the counter #4 is used to count the number of times calls initiated by UE#1 are hung up.
  • the statistics of the SIP message may include the count of counter #4.
  • the SMF can also correlate the information of the SIP message of event ID#2 to determine the duration of the conversation between UE#1 and the called UE. For example, the SMF determines, based on the statistical information of the SIP message of event ID#3, that the time when UE#2 sends the SIP BYE message to UE#1 is time #2, and determines, based on the information of the SIP message of event ID#2, that the time when UE#1 sends the SIP INVITE message to UE#2 is time #1; the SMF can then determine that the call between UE#1 and the called UE#2 lasts from time #1 to time #2.
  • If the SMF receives the information of the SIP message of event ID #4, the SMF updates the count of counter #5.
  • the counter #5 is used to count the number of times calls initiated by UE#1 are hung up.
  • the statistical information of the SIP message may include the count of counter #5.
  • the SMF sends the statistical information of the SIP message of the UE#1 to the NWDAF.
  • the NWDAF receives the statistical information of the SIP messages of UE#1 from the SMF.
  • This step is similar to S312 and will not be described again.
  • the SMF can also send a request message #1 to the P-CSCF.
  • the request message #1 is used to request the location information of the opposite end UE called by UE#1.
  • the P-CSCF sends the location information of the opposite end UE to the SMF.
  • the statistical information of the SIP message of UE#1 sent by the SMF to the NWDAF may also include the location information of the peer UE called by UE#1.
  • NWDAF determines whether there is an abnormality in UE#1.
  • NWDAF determines whether UE#1 is abnormal based on the abnormality detection policy and the statistical information of the SIP message of UE#1.
  • the value of the analysis parameter of the anomaly detection strategy may be determined based on the statistical information of the SIP message of UE#1.
  • the NWDAF may also determine the abnormal access address through the location information of the multiple UEs.
  • NWDAF can obtain the statistical information of SIP messages related to the UE session from the SMF, and determine whether the UE is abnormal based on the statistical information of the SIP message and the anomaly detection policy, thereby effectively preventing the UE's abnormal behavior.
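The PDR#2-style matching and the counter updates described for method 400, as an added example that is not code from the patent. The record field names, the mapping of data packets #1 to #4 onto counters #1 to #5, the addresses, the sample reports and the policy thresholds are all assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed addresses (documentation ranges) standing in for IPUE#1 and IPP-CSCF.
IP_UE1 = "192.0.2.10"
IP_PCSCF = "198.51.100.5"

@dataclass
class SipInfo:
    """One reported SIP message record (field names are hypothetical)."""
    method: str   # control field: INVITE, BYE or CANCEL
    src: str      # source address
    dst: str      # destination address
    time: float   # detection time in seconds
    peer: str     # number of the opposite end UE, from the specific field

def classify(msg: SipInfo) -> Optional[int]:
    """Return 1..4 for data packet #1..#4, or None if the match rule does not apply."""
    if {msg.src, msg.dst} != {IP_UE1, IP_PCSCF}:
        return None                      # not traffic between UE#1 and the P-CSCF
    to_ue = msg.dst == IP_UE1
    if msg.method == "INVITE":
        return 1 if to_ue else 2         # MT call towards UE#1 / MO call from UE#1
    if to_ue and msg.method == "BYE":
        return 3
    if to_ue and msg.method == "CANCEL":
        return 4
    return None

@dataclass
class Stats:
    counters: dict = field(default_factory=lambda: {n: 0 for n in range(1, 6)})
    durations: list = field(default_factory=list)   # seconds, INVITE -> BYE
    callees: set = field(default_factory=set)       # distinct numbers called by UE#1
    _open_mo: dict = field(default_factory=dict)    # peer -> time of MO INVITE

    def update(self, msg: SipInfo) -> None:
        kind = classify(msg)
        c = self.counters
        if kind == 1:                    # counter #1: calls initiated to UE#1
            c[1] += 1
            c[2] += 1                    # counter #2: total calls
        elif kind == 2:                  # counter #3: calls initiated by UE#1
            c[3] += 1
            c[2] += 1
            self.callees.add(msg.peer)
            self._open_mo[msg.peer] = msg.time
        elif kind == 3:                  # counter #4: BYE received
            c[4] += 1
            start = self._open_mo.pop(msg.peer, None)
            if start is not None:        # a BYE with no tracked INVITE yields no duration
                self.durations.append(msg.time - start)
        elif kind == 4:                  # counter #5: CANCEL received
            c[5] += 1
            self._open_mo.pop(msg.peer, None)

# Hypothetical anomaly detection policy; the thresholds are not from the page.
POLICY = {"max_mo_calls": 5, "short_call_s": 5.0, "min_short_ratio": 0.8}

def is_abnormal(stats: Stats, policy: dict = POLICY) -> bool:
    """Flag many MO calls in the window that mostly end at once (CANCEL or short BYE)."""
    mo = stats.counters[3]
    if mo <= policy["max_mo_calls"]:
        return False
    short = stats.counters[5] + sum(d < policy["short_call_s"] for d in stats.durations)
    return short / mo >= policy["min_short_ratio"]

def sample_reports() -> list:
    """Constructed reports for one observation window."""
    msgs = [SipInfo("INVITE", IP_PCSCF, IP_UE1, 1.0, "+10000000099")]    # one MT call
    for i in range(8):                                                   # eight MO calls
        t, peer = 10.0 * (i + 1), f"+1000000000{i}"
        msgs.append(SipInfo("INVITE", IP_UE1, IP_PCSCF, t, peer))
        msgs.append(SipInfo("BYE" if i % 2 == 0 else "CANCEL", IP_PCSCF, IP_UE1, t + 2.0, peer))
    msgs.append(SipInfo("BYE", IP_PCSCF, IP_UE1, 200.0, "+10000000050"))  # BYE without INVITE
    msgs.append(SipInfo("INVITE", "203.0.113.7", IP_PCSCF, 5.0, "+10000000001"))  # other UE
    return msgs

def run(msgs: list) -> Stats:
    stats = Stats()
    for m in msgs:
        stats.update(m)
    return stats

if __name__ == "__main__":
    s = run(sample_reports())
    print(s.counters, s.durations, len(s.callees), is_abnormal(s))
```

The BYE that arrives without a tracked INVITE still increments counter #4 but contributes no duration, so a reporting gap cannot produce a negative or bogus call length.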
  • FIG. 5 is a schematic diagram of an anomaly detection method 500 provided by an embodiment of the present application.
  • Method 500 may include the following steps.
  • S501 SMF starts the abnormality detection process of the UE.
  • SMF enabling the UE's anomaly detection can be understood as SMF enabling the subsequent anomaly detection process.
  • SMF's anomaly detection process can be configured by the operator.
  • the operator can configure an anomaly detection process for one or more SMFs in a specific area of the network.
  • multiple anomaly detection strategies for detecting whether the UE is abnormal may be pre-configured in SMF (an example of analyzing network elements).
  • S502 UE#1 sends a PDU session establishment request to the SMF.
  • the SMF receives the PDU session establishment request from the UE.
  • This step is similar to S302.
  • S503 SMF selects UPF.
  • This UPF is used to transmit user plane data of UE#1.
  • This step is similar to S303.
  • the SMF sends a request message #2 to the NWDAF.
  • the request message #2 is used to request the selection of an AF capable of collecting statistics on and reporting UE session signaling.
  • NWDAF receives the request message #2 from SMF.
  • the AF capable of collecting statistics on and reporting UE session signaling is, for example, a P-CSCF with that capability.
  • the request message #2 may include the identification of UE#1, for example, the SUPI, PEI or GPSI of UE#1.
  • the request message #2 may also include the location information of UE#1, for example, the LAC, cell ID, etc. of UE#1.
  • the NWDAF sends request message #3 to the P-CSCF.
  • the request message #3 is used to request to determine the statistical information of the SIP message related to UE#1.
  • P-CSCF receives the request message #3 from NWDAF.
  • the request message #3 may include the identity of UE#1.
  • the request message #3 also includes the location information of UE#1 and the identification of the anomaly detection strategy.
  • NWDAF sends the address of P-CSCF to SMF.
  • the SMF receives the address of the P-CSCF from the NWDAF.
  • After the NWDAF receives the response message of the P-CSCF to request message #3, the NWDAF sends the address of the P-CSCF to the SMF.
  • S507 The SMF sends the P-CSCF address to UE#1.
  • SMF sends the P-CSCF address to UE#1, that is, the PDU session is successfully established.
  • S508 The P-CSCF starts to detect SIP messages related to UE#1 based on the request message #3.
  • the SIP messages of UE#1 that can be counted by the P-CSCF can come from calls initiated by UE#1, for example, the calling call (MO call), and from calls initiated by the opposite end UE, such as the called call (MT call).
  • the opposite end UE is relative to UE#1.
  • If UE#1 initiates a call to UE#2, UE#2 can be called the opposite end UE; if UE#2 initiates a call to UE#1, UE#2 can also be called the opposite end UE.
  • the P-CSCF may only receive the SIP message for the MO call initiated by UE#1 within the preset time period, but not the SIP message for the MT call; or the P-CSCF may only receive the SIP message for the MT call within the preset time period, without the SIP message of the MO call initiated by UE#1; or the P-CSCF may receive one or more SIP messages for calls initiated by UE#1 and then one or more SIP messages for MT calls; alternatively, the P-CSCF may receive one or more SIP messages for MT calls and then one or more SIP messages for calls initiated by UE#1.
  • the P-CSCF detects the first data packet related to UE#1.
  • the first data packet may refer to the description in S407, and the first data packet may include at least one of data packet #1, data packet #2, data packet #3, and data packet #4.
  • For data packet #1 to data packet #4, please refer to the description of S407.
  • the P-CSCF may also determine the first information of the first data packet.
  • the first information may include time information when the first data packet is detected.
  • the time information may include time information when data packet #2, data packet #3, and data packet #4 are detected.
  • the first information may also include information on specific fields in the first data packet.
  • the specific field may be used to identify the opposite end UE that UE#1 calls.
  • the specific field identifies the phone number of the opposite end that UE#1 calls. This specific field could be the field in packet #2.
  • P-CSCF determines the statistical information of the SIP message.
  • the P-CSCF determines the statistical information of the SIP message by referring to the process of the SMF determining the statistical information of the SIP message in S409, which will not be described again.
  • the P-CSCF sends the statistical information of the SIP message of the UE#1 to the NWDAF.
  • the NWDAF receives the statistical information of the SIP messages of UE#1 from the P-CSCF.
  • This step is similar to S312 and will not be described again.
  • After the NWDAF receives the statistical information of the SIP message of UE#1 from the P-CSCF, optionally, the NWDAF can also request the information of UE#1 from the SMF, for example, the SUPI, LAC, cell ID, etc. of UE#1.
  • NWDAF determines whether there is an abnormality in UE#1.
  • NWDAF determines whether UE#1 is abnormal based on the abnormality detection policy and the statistical information of the SIP message of UE#1.
  • the value of the analysis parameter of the anomaly detection strategy may be determined based on the statistical information of the SIP message of UE#1.
  • the NWDAF may also determine the abnormal access address through the location information of the multiple UEs.
  • NWDAF can obtain the statistical information of SIP messages related to the UE session from the SMF, and determine whether the UE is abnormal based on the statistical information of the SIP message and the anomaly detection policy, thereby effectively preventing the UE's abnormal behavior.
  • the method implemented by the communication device can also be implemented by components (such as chips or circuits) that can be configured inside the communication device.
  • each network element includes a corresponding hardware structure and/or software module to perform each function.
  • the present application can be implemented in the form of hardware or a combination of hardware and computer software with the units and algorithm steps of each example described in conjunction with the embodiments disclosed herein. Whether a function is performed by hardware or computer software driving the hardware depends on the specific application and design constraints of the technical solution. Skilled artisans may implement the described functionality using different methods for each specific application, but such implementations should not be considered beyond the scope of this application.
  • the communication device provided by the embodiment of the present application will be described in detail below with reference to FIGS. 6 to 8 . It should be understood that the description of the device embodiments corresponds to the description of the method embodiments. Therefore, for content that is not described in detail, please refer to the above method embodiments. For the sake of brevity, some content will not be described again.
  • FIG. 6 is a schematic block diagram of a communication device 600 provided by an embodiment of the present application. As shown in the figure, the communication device 600 may include a transceiver unit 610 and a processing unit 620.
  • the communication device 600 may be the first network element in the above method embodiment, or may be a chip used to implement the functions of the first network element in the above method embodiment.
  • the communication device 600 may correspond to the first network element in the method 200 according to the embodiment of the present application, or correspond to the UPF in the method 300, 400 or 500, or the P-CSCF in the method 500.
  • the communication device 600 may include units for performing the method executed by the first network element in the method 200 in FIG. 2, units for performing the method executed by the UPF in the method 300 in FIG. 3, the method 400 in FIG. 4 or the method 500 in FIG. 5, or units for performing the method executed by the P-CSCF in the method 500 in FIG. 5.
  • each unit in the communication device 600 and the above-mentioned other operations and/or functions are respectively intended to implement the corresponding processes of the method 200 in FIG. 2 to the method 500 in FIG. 5 . It should be understood that the specific process of each unit performing the above corresponding steps has been described in detail in the above method embodiments, and will not be described again for the sake of brevity.
  • the communication device 600 may be the analysis network element in the above method embodiment, or may be a chip used to implement the analysis network element function in the above method embodiment.
  • the communication device 600 may correspond to the first analysis network element or the second analysis network element in the method 200 according to the embodiment of the present application, and the communication device 600 may include units for performing the method executed by the first analysis network element or the second analysis network element.
  • each unit in the communication device 600 and the above-mentioned other operations and/or functions are respectively intended to implement the corresponding flow of the method 200 in FIG. 2 . It should be understood that the specific process of each unit performing the above corresponding steps has been described in detail in the above method embodiments, and will not be described again for the sake of brevity.
  • the communication device 600 may correspond to SMF or NWDAF in method 300, method 400, or method 500.
  • the communication device 600 may include units for performing the method executed by the SMF or NWDAF in the method 300 in FIG. 3, the method 400, or the method 500.
  • each unit in the communication device 600 and the above-mentioned other operations and/or functions are respectively intended to implement the corresponding processes of the method 300 in FIG. 3 to the method 500 in FIG. 5 . It should be understood that the specific process of each unit performing the above corresponding steps has been described in detail in the above method embodiments, and will not be described again for the sake of brevity.
  • transceiver unit 610 in the communication device 600 may correspond to the transceiver 720 in the communication device 700 shown in FIG. 7 .
  • the processing unit 620 in the communication device 600 may correspond to the processor 710 in the communication device 700 shown in FIG. 7 .
  • When the communication device 600 is a chip, the chip includes a transceiver unit.
  • the chip may also include a processing unit.
  • the transceiver unit may be an input-output circuit or a communication interface; the processing unit may be a processor, microprocessor, or integrated circuit integrated on the chip.
  • the transceiver unit 610 is used to implement the signal transceiver operation of the communication device 600, and the processing unit 620 is used to implement the signal processing operation of the communication device 600.
  • the communication device 600 further includes a storage unit 630, which is used to store instructions.
  • Figure 7 is a schematic block diagram of a communication device 700 provided by an embodiment of the present application.
  • the communication device 700 includes: at least one processor 710 and a communication interface 720 .
  • the processor 710 is coupled to the memory and is used to execute instructions stored in the memory to control the communication interface 720 to send and/or receive signals.
  • the communication device 700 also includes a memory 730 for storing instructions.
  • processor 710 and the memory 730 can be combined into one processing device, and the processor 710 is used to execute the program code stored in the memory 730 to implement the above functions.
  • the memory 730 may also be integrated in the processor 710 or independent of the processor 710 .
  • the communication interface 720 may include a receiver and a transmitter.
  • the communication interface 720 may further include an antenna, and the number of antennas may be one or more.
  • Communication interface 720 may also be an interface circuit.
  • When the communication device 700 is a chip, the chip includes a transceiver unit and a processing unit.
  • the transceiver unit may be an input-output circuit or a communication interface;
  • the processing unit may be a processor, microprocessor, or integrated circuit integrated on the chip.
  • FIG 8 is a schematic diagram of a chip system according to an embodiment of the present application.
  • the chip system here may also be a system composed of circuits.
  • the chip system 800 shown in Figure 8 includes: a logic circuit 810 and an input/output interface 820.
  • the logic circuit is used to couple with the input interface and transmit data (such as first instruction information) through the input/output interface to perform the methods described in Figures 2 to 5.
  • An embodiment of the present application also provides a processing device, including a processor and an interface.
  • the processor may be used to execute the method in the above method embodiment.
  • the above processing device may be a chip.
  • the processing device may be a field programmable gate array (FPGA), an application specific integrated circuit (ASIC), a system on chip (SoC), a central processor unit (CPU), a network processor (NP), a digital signal processor (DSP), a microcontroller unit (MCU), or a programmable logic device (PLD).
  • each step of the above method can be completed by instructions in the form of hardware integrated logic circuits or software in the processor.
  • the steps of the method provided in conjunction with the embodiments of the present application can be directly implemented by a hardware processor, or executed by a combination of hardware and software modules in the processor.
  • the software module can be located in random access memory, flash memory, read-only memory, programmable read-only memory or electrically erasable programmable memory, registers and other mature storage media in this field.
  • the storage medium is located in the memory, and the processor reads the information in the memory and completes the steps of the above method in combination with its hardware. To avoid repetition, it will not be described in detail here.
  • the processor in the embodiment of the present application may be an integrated circuit chip with signal processing capabilities.
  • each step of the above method embodiment can be completed through an integrated logic circuit of hardware in the processor or instructions in the form of software.
  • the above-mentioned processor may be a general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field programmable gate array (FPGA) or other programmable logic devices, discrete gate or transistor logic devices, or discrete hardware components.
  • a general-purpose processor may be a microprocessor or the processor may be any conventional processor, etc.
  • non-volatile memory can be read-only memory (ROM), programmable ROM (PROM), erasable programmable read-only memory (erasable PROM, EPROM), electrically erasable programmable read-only memory (electrically EPROM, EEPROM) or flash memory. Volatile memory can be random access memory (RAM), which is used as an external cache.
  • the present application also provides a computer program product.
  • the computer program product includes: computer program code.
  • When the computer program code is run on a computer, it causes the computer to execute the method of any one of the embodiments shown in Figures 2 to 5.
  • the present application also provides a computer-readable medium.
  • the computer-readable medium stores program code.
  • When the program code is run on a computer, it causes the computer to execute the method of any one of the embodiments shown in Figures 2 to 5.
  • the present application also provides a communication system, which includes the aforementioned first network element, a first analysis network element and a second analysis network element.
  • the first analysis network element can be a session management network element, and the second analysis network element can be a network data analysis function network element. The communication system can also include a terminal device, and the terminal device is any terminal device that needs to perform abnormality detection.
  • the disclosed systems, devices and methods can be implemented in other ways.
  • the device embodiments described above are only illustrative.
  • the division of the units is only a logical function division. In actual implementation, there may be other division methods.
  • multiple units or components may be combined or can be integrated into another system, or some features can be ignored, or not implemented.
  • the coupling or direct coupling or communication connection between each other shown or discussed may be through some interfaces, and the indirect coupling or communication connection of the devices or units may be in electrical, mechanical or other forms.
  • the units described as separate components may or may not be physically separated, and the components shown as units may or may not be physical units, that is, they may be located in one place, or they may be distributed to multiple network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of this embodiment.
  • each functional unit in each embodiment of the present application can be integrated into one processing unit, each unit can exist physically alone, or two or more units can be integrated into one unit.
  • If the functions are implemented in the form of software functional units and sold or used as independent products, they can be stored in a computer-readable storage medium.
  • the technical solution of the present application, in essence, or the part that contributes to the existing technology, or a part of the technical solution, can be embodied in the form of a software product.
  • the computer software product is stored in a storage medium and includes several instructions used to cause a computer device (which may be a personal computer, a server, or a network device, etc.) to execute all or part of the steps of the methods described in various embodiments of this application.
  • the aforementioned storage media include: U disk, mobile hard disk, read-only memory (ROM), random access memory (RAM), magnetic disk or optical disk and other media that can store program code.

Abstract

Provided in the present application are an anomaly detection method and a communication apparatus. The method comprises: receiving first information from a first network element, the first information comprising information of session initiation protocol (SIP) messages related to a terminal device; and, on the basis of the first information, determining whether the terminal device is abnormal, wherein the information of the SIP messages comprises at least one of the following: types of the SIP messages; source addresses of the SIP messages; target addresses of the SIP messages; information of first fields of the SIP messages, the first fields being used for identifying devices used by SIP message senders; information of second fields of the SIP messages, the second fields being used for identifying receiver devices of the SIP messages; and time information of detecting the SIP messages. The types of the SIP messages comprise an SIP INVITE message, an SIP CANCEL message and an SIP BYE message. By means of receiving SIP messages related to terminal devices, abnormal terminal devices can be effectively identified, thereby avoiding interference to other terminal devices.

Description

异常检测的方法和通信装置Abnormality detection method and communication device
本申请要求于2022年7月30日提交中国专利局、申请号为202210912476.7、申请名称为“异常检测的方法和通信装置”的中国专利申请的优先权,其全部内容通过引用结合在本申请中。This application claims priority to the Chinese patent application filed with the China Patent Office on July 30, 2022, with application number 202210912476.7 and the application title "Method and Communication Device for Anomaly Detection", the entire content of which is incorporated into this application by reference. .
技术领域Technical field
本申请实施例涉及通信领域,并且更具体地,涉及一种异常检测的方法和通信装置。Embodiments of the present application relate to the field of communications, and more specifically, to an anomaly detection method and a communications device.
背景技术Background technique
在第五代(the 5th generation,5G)通信系统中,网络数据分析功能网元(network data analytics function,NWDAF)可以对终端设备在网络侧功能网元(例如,接入与移动管理功能网元、会话管理功能网元等)上产生的数据进行分析,识别终端设备的行为是否异常,例如,识别终端设备是否频繁接入或注册。在现有的方案中,NWDAF主要识别终端设备的接入和注册信息是否合规,从而识别终端设备是否为异常终端设备。而在接入和注册信息都合规的情况下,终端设备还有可能对其他终端设备造成干扰,例如,向其他终端设备发起异常呼叫,如何识别出此类异常终端设备成为亟待解决的问题。In the fifth generation (the 5th generation, 5G) communication system, the network data analytics function (NWDAF) can perform network-side functional network element (for example, access and mobility management function network) on the terminal device. Analyze the data generated on the network element, session management function network element, etc.) to identify whether the behavior of the terminal device is abnormal, for example, identify whether the terminal device frequently accesses or registers. In the existing solution, NWDAF mainly identifies whether the access and registration information of the terminal device is compliant, thereby identifying whether the terminal device is an abnormal terminal device. When the access and registration information are compliant, the terminal device may also cause interference to other terminal devices, for example, by initiating abnormal calls to other terminal devices. How to identify such abnormal terminal devices has become an urgent problem to be solved.
发明内容Contents of the invention
本申请实施例提供一种异常检测的方法及通信装置,使得分析网元可以有效地检测出异常终端设备。Embodiments of the present application provide an anomaly detection method and a communication device, so that analyzing network elements can effectively detect abnormal terminal equipment.
第一方面,提供了一种异常检测的方法,该方法包括:接收来自第一网元的第一信息,该第一信息包括与终端设备相关的初始化协议SIP消息的信息;基于该第一信息确定该终端设备是否异常;其中,该SIP消息的信息包括以下信息中的至少一项:SIP消息的类型,SIP消息的源地址,SIP消息的目标地址,SIP消息的第一字段的信息,SIP消息的第二字段的信息,检测到SIP消息的时间信息,该SIP消息的类型包括SIP邀请INVITE消息,SIP拒接CANCEL消息以及SIP挂断BYE消息,该第一字段用于标识SIP消息的发送方所使用的设备,该第二字段用于标识SIP消息的接收方设备。In a first aspect, an anomaly detection method is provided. The method includes: receiving first information from a first network element, where the first information includes information about an initialization protocol SIP message related to a terminal device; based on the first information Determine whether the terminal device is abnormal; wherein the information of the SIP message includes at least one of the following information: the type of the SIP message, the source address of the SIP message, the destination address of the SIP message, the information of the first field of the SIP message, the SIP The information in the second field of the message is the time information when the SIP message is detected. The types of the SIP message include the SIP INVITE message, the SIP CANCEL message and the SIP hang-up BYE message. The first field is used to identify the sending of the SIP message. The second field is used to identify the receiving device of the SIP message.
Based on the above solution, abnormal terminal devices can be effectively identified from the SIP messages related to the terminal device, avoiding interference to other terminal devices.
With reference to the first aspect, in some implementations of the first aspect, the method further includes: determining statistical information of SIP messages according to the first information. Determining whether the terminal device is abnormal based on the first information includes: determining whether the terminal device is abnormal based on the statistical information of the SIP messages.
With reference to the first aspect, in some implementations of the first aspect, the statistical information of the SIP messages includes at least one of the following: the total number of SIP messages of the same type, the total number of SIP messages with the same source address and the same type, the total number of SIP messages with the same target address and the same type, the number of SIP messages with the same source address and different first fields, and first duration information. The first duration is determined by the time information of a first SIP message and the time information of a second SIP message, where the source address of the first SIP message is the same as the target address of the second SIP message, and the type of the first SIP message is different from the type of the second SIP message.
Based on the above solution, statistical information of SIP messages can be determined from the SIP messages related to the terminal device, and abnormal terminal devices can be effectively identified from that statistical information, avoiding interference to other terminal devices.
With reference to the first aspect, in some implementations of the first aspect, a first analysis network element receives the first information from the first network element; the first analysis network element or a second analysis network element determines whether the terminal device is abnormal based on the first information. The first analysis network element is a session management network element or a first network data analytics function network element, and the second analysis network element is a second network data analytics function network element.
With reference to the first aspect, in some implementations of the first aspect, the first analysis network element determines statistical information of SIP messages according to the first information; the first analysis network element sends the statistical information of the SIP messages to the second analysis network element; and the second analysis network element determines whether the terminal device is abnormal based on the statistical information of the SIP messages.
With reference to the first aspect, in some implementations of the first aspect, the first network element is a user plane network element or an application function network element.
With reference to the first aspect, in some implementations of the first aspect, a session establishment request is received from the terminal device; indication information is sent to the first network element according to the session establishment request, the indication information indicating that the SIP message is to be detected according to a first packet detection rule (PDR).
With reference to the first aspect, in some implementations of the first aspect, information of the second field of a third SIP message is sent to the application function network element, where the source address of the third SIP message is the address of the terminal device; location information of at least one terminal device is received from the application function network element, the location information of the at least one terminal device being sent according to the second field of the third SIP message; and the first information is updated, the first information including the location information of the at least one terminal device.
With reference to the first aspect, in some implementations of the first aspect, the value of a first parameter is determined based on the statistical information of the SIP messages; whether the terminal device is abnormal is determined based on the magnitude relationship between the value of the first parameter and a first threshold. The first parameter includes at least one of the following: the ratio of the total number of SIP BYE messages to the total number of SIP INVITE messages, the ratio of the total number of SIP CANCEL messages to the total number of SIP INVITE messages, the total number of SIP INVITE messages, the dispersion of the time information of when SIP messages were detected, the dispersion of the first duration, and the dispersion of the location information of the at least one terminal device.
With reference to the first aspect, in some implementations of the first aspect, whether the terminal device is abnormal is determined based on the magnitude relationship between the value of the first parameter and the first threshold, together with a first weight, where the first weight includes the weight corresponding to at least one parameter of the first parameter.
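The statistics-then-threshold flow of the implementations above, as an added example that is not code from the patent: it derives per-terminal SIP statistics and first parameters from reported records and applies a weighted threshold vote. The record field names, thresholds, weights, comparison directions, the use of standard deviation as the dispersion measure and the sample records are all assumptions constructed for illustration; location dispersion is left out.

```python
from collections import Counter
from dataclasses import dataclass
from statistics import pstdev


@dataclass(frozen=True)
class SipRecord:
    msg_type: str     # "INVITE", "CANCEL" or "BYE"
    src: str          # source address of the SIP message
    dst: str          # target address of the SIP message
    first_field: str  # identifies the device used by the sender
    ts: float         # time the message was detected, in seconds


def sip_statistics(records, ue):
    """Statistical information of the SIP messages related to address `ue`."""
    ordered = sorted(records, key=lambda r: r.ts)
    sent = [r for r in ordered if r.src == ue]
    related = [r for r in ordered if ue in (r.src, r.dst)]
    durations = []
    for i, first in enumerate(ordered):
        if first.src != ue or first.msg_type != "INVITE":
            continue
        for second in ordered[i + 1:]:
            if (second.src, second.dst, second.msg_type) == (ue, first.dst, "INVITE"):
                break  # a new call attempt to this peer began: no pair
            # First duration: source of the first message equals the target
            # of the second and the types differ. Requiring the same peer is
            # an assumption that keeps the pair inside one call.
            if (second.dst, second.src) == (ue, first.dst) and second.msg_type != "INVITE":
                durations.append(second.ts - first.ts)
                break
    return {
        "total_by_type": Counter(r.msg_type for r in related),
        "sent_by_type": Counter(r.msg_type for r in sent),
        "received_by_type": Counter(r.msg_type for r in related if r.dst == ue),
        "distinct_first_fields": len({r.first_field for r in sent}),
        "invite_times": [r.ts for r in sent if r.msg_type == "INVITE"],
        "first_durations": durations,
    }


def first_parameters(stats):
    totals, times = stats["total_by_type"], stats["invite_times"]
    invites = totals["INVITE"]
    gaps = [b - a for a, b in zip(times, times[1:])]
    durations = stats["first_durations"]
    return {
        "bye_ratio": totals["BYE"] / invites if invites else 0.0,
        "cancel_ratio": totals["CANCEL"] / invites if invites else 0.0,
        "invite_total": invites,
        # Dispersion: population std deviation (assumption); None = too few samples
        "time_dispersion": pstdev(gaps) if len(gaps) > 1 else None,
        "duration_dispersion": pstdev(durations) if len(durations) > 1 else None,
    }


# Constructed rules: name -> (threshold, direction, weight). The values and
# comparison directions are assumptions; the page does not specify them.
RULES = {
    "cancel_ratio": (0.5, "above", 0.3),
    "bye_ratio": (0.8, "above", 0.1),
    "invite_total": (5, "above", 0.3),
    "time_dispersion": (2.0, "below", 0.2),
    "duration_dispersion": (2.0, "below", 0.1),
}


def is_abnormal(params, rules=RULES, decision_score=0.6):
    """Weighted vote over the parameters that cross their threshold."""
    score, hits = 0.0, []
    for name, (threshold, direction, weight) in rules.items():
        value = params.get(name)
        if value is None:
            continue
        crossed = value > threshold if direction == "above" else value < threshold
        if crossed:
            score += weight
            hits.append(name)
    return score >= decision_score, round(score, 3), hits


def sample_records():
    """Constructed records: 10.0.0.5 dials a new peer every 10 s."""
    recs = []
    for i in range(6):
        t, peer = 10.0 * i, f"10.0.1.{i}"
        recs.append(SipRecord("INVITE", "10.0.0.5", peer, "dev-A", t))
        if i < 4:  # caller cancels after 3 s
            recs.append(SipRecord("CANCEL", "10.0.0.5", peer, "dev-A", t + 3))
        else:      # callee hangs up after 5 s
            recs.append(SipRecord("BYE", peer, "10.0.0.5", f"dev-{i}", t + 5))
    return recs + [  # 10.0.0.9 makes two ordinary calls
        SipRecord("INVITE", "10.0.0.9", "10.0.2.1", "dev-B", 7.0),
        SipRecord("BYE", "10.0.2.1", "10.0.0.9", "dev-C", 187.0),
        SipRecord("INVITE", "10.0.0.9", "10.0.2.2", "dev-B", 400.0),
        SipRecord("BYE", "10.0.2.2", "10.0.0.9", "dev-D", 460.0),
    ]
```

`is_abnormal` returns the verdict, the weighted score and the names of the parameters that crossed their threshold, so an analyst can see which statistic drove the decision.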
In a second aspect, an anomaly detection method is provided. The method includes: a first network element determines first information of a terminal device, where the first information includes information of a session initiation protocol (SIP) message related to the terminal device; the first network element sends the first information to an analysis network element, the first information being used to determine whether the terminal device is abnormal. The information of the SIP message includes at least one of the following: the type of the SIP message, the source address of the SIP message, the target address of the SIP message, information of a first field of the SIP message, information of a second field of the SIP message, and time information of when the SIP message was detected. The types of SIP message include the SIP invite (INVITE) message, the SIP reject (CANCEL) message and the SIP hang-up (BYE) message. The first field identifies the device used by the sender of the SIP message, and the second field identifies the receiver device of the SIP message.
Based on the above solution, the first network element determines the information of the SIP messages related to the terminal device and sends that information to the analysis network element, so that the analysis network element can effectively identify abnormal terminal devices from the SIP messages related to the terminal device, avoiding interference to other terminal devices.
With reference to the second aspect, in some implementations of the second aspect, indication information is received from the analysis network element, the indication information indicating that the SIP message is to be detected according to a first packet detection rule (PDR).
With reference to the second aspect, in some implementations of the second aspect, the first network element is a user plane network element or an application function network element.
With reference to the second aspect, in some implementations of the second aspect, the analysis network element is a session management network element or a network data analytics function network element.
In a third aspect, an anomaly detection method is provided. The method includes: receiving first information from a first network element, where the first information includes statistical information of session initiation protocol (SIP) messages, the statistical information of the SIP messages being determined according to information of SIP messages related to a terminal device; and determining, based on the first information, whether the terminal device is abnormal. The information of the SIP message includes at least one of the following: the type of the SIP message, the source address of the SIP message, the target address of the SIP message, information of a first field of the SIP message, information of a second field of the SIP message, and time information of when the SIP message was detected. The types of SIP message include the SIP invite (INVITE) message, the SIP cancel (CANCEL) message and the SIP BYE message. The first field identifies the sender device of the SIP message, and the second field identifies the receiver device of the SIP message.
Based on the above solution, statistical information of SIP messages can be determined from the SIP messages related to the terminal device, and abnormal terminal devices can be effectively identified from that statistical information, avoiding interference to other terminal devices.
With reference to the third aspect, in some implementations of the third aspect, the statistical information of the SIP messages includes at least one of the following: the total number of SIP messages of the same type, the total number of SIP messages with the same source address and the same type, the total number of SIP messages with the same target address and the same type, the number of SIP messages with the same source address and different first fields, and first duration information. The first duration is determined by the time information of a first SIP message and the time information of a second SIP message, where the source address of the first SIP message is the same as the target address of the second SIP message, and the type of the first SIP message is different from the type of the second SIP message.
With reference to the third aspect, in some implementations of the third aspect, a first analysis network element receives the first information from the first network element; the first analysis network element or a second analysis network element determines whether the terminal device is abnormal based on the first information. The first analysis network element is a session management network element or a first network data analytics function network element, and the second analysis network element is the first network data analytics function network element or a second network data analytics function network element.
If the second analysis network element determines whether the terminal device is abnormal, the method further includes: the first analysis network element sends the statistical information of the SIP messages of the terminal device to the second analysis network element.
With reference to the third aspect, in some implementations of the third aspect, the first network element includes a user plane network element or an application function network element.
With reference to the third aspect, in some implementations of the third aspect, before the first information is received from the first network element, a session establishment request is received from the terminal device; indication information is sent to the first network element according to the session establishment request, the indication information indicating that the SIP message is to be detected according to a first packet detection rule (PDR).
With reference to the third aspect, in some implementations of the third aspect, after the first information is received from the first network element, information of the second field of a third SIP message is sent to the application function network element, where the source address of the third SIP message is the address of the terminal device; location information of at least one terminal device is received from the application function network element, the location information of the at least one terminal device being sent according to the second field of the third SIP message; and the first information is updated, the first information including the location information of the at least one terminal device.
With reference to the third aspect, in some implementations of the third aspect, the value of a first parameter is determined based on the statistical information of the SIP messages; whether the terminal device is abnormal is determined based on the magnitude relationship between the value of the first parameter and a first threshold. The first parameter includes at least one of the following: the total number of SIP BYE messages as a proportion of the total number of SIP INVITE messages, the total number of SIP CANCEL messages as a proportion of the total number of SIP INVITE messages, the total number of SIP INVITE messages, the dispersion of the times at which SIP messages were detected, the dispersion of the first duration, and the dispersion of the location information of the at least one terminal device.
With reference to the third aspect, in some implementations of the third aspect, whether the terminal device is abnormal is determined based on the magnitude relationship between the value of the first parameter and the first threshold, together with a first weight, where the first weight includes the weight corresponding to at least one parameter of the first parameter.
In a fourth aspect, an anomaly detection method is provided. The method includes: a first network element determines information of a SIP message related to a terminal device; the first network element determines statistical information of the SIP messages of the terminal device according to the information of the SIP message, the statistical information of the SIP messages being used to determine whether the terminal device is abnormal; and the first network element sends the statistical information of the SIP messages to an analysis network element. The information of the SIP message includes at least one of the following: the type of the SIP message, the source address of the SIP message, the target address of the SIP message, information of a first field of the SIP message, information of a second field of the SIP message, and time information of when the SIP message was detected. The types of SIP message include the SIP invite (INVITE) message, the SIP cancel (CANCEL) message and the SIP BYE message. The first field identifies the sender device of the SIP message, and the second field identifies the receiver device of the SIP message.
Based on the above solution, the first network element can determine statistical information of SIP messages from the SIP messages related to the terminal device and, by sending that statistical information to the analysis network element, enable the analysis network element to effectively identify abnormal terminal devices, avoiding interference to other terminal devices.
With reference to the fourth aspect, in some implementations of the fourth aspect, the statistical information of the SIP messages includes at least one of the following: the total number of SIP messages of the same type, the total number of SIP messages with the same source address and the same type, the number of SIP messages with the same source address and different first fields, and first duration information. The first duration is determined by the time information of a first SIP message and the time information of a second SIP message, where the source address of the first SIP message is the same as the target address of the second SIP message, and the type of the first SIP message is different from the type of the second SIP message.
With reference to the fourth aspect, in some implementations of the fourth aspect, the analysis network element is a session management network element or a network data analytics function network element.
With reference to the fourth aspect, in some implementations of the fourth aspect, the first network element includes a user plane network element or an application function network element.
With reference to the fourth aspect, in some implementations of the fourth aspect, the first network element receives indication information from the analysis network element, the indication information indicating that the SIP message is to be detected according to a first packet detection rule (PDR).
In a fifth aspect, a communication apparatus is provided. The apparatus includes a transceiver unit and a processing unit. The transceiver unit is configured to receive first information from a first network element, where the first information includes information of a session initiation protocol (SIP) message related to a terminal device; the processing unit is configured to determine, based on the first information, whether the terminal device is abnormal. The information of the SIP message includes at least one of the following: the type of the SIP message, the source address of the SIP message, the target address of the SIP message, information of a first field of the SIP message, information of a second field of the SIP message, and time information of when the SIP message was detected. The types of SIP message include the SIP invite (INVITE) message, the SIP reject (CANCEL) message and the SIP hang-up (BYE) message. The first field identifies the device used by the sender of the SIP message, and the second field identifies the receiver device of the SIP message.
With reference to the fifth aspect, in some implementations of the fifth aspect, the processing unit is further configured to determine statistical information of SIP messages according to the first information; the processing unit is specifically configured to determine whether the terminal device is abnormal based on the statistical information of the SIP messages.
With reference to the fifth aspect, in some implementations of the fifth aspect, the statistical information of the SIP messages includes at least one of the following: the total number of SIP messages of the same type, the total number of SIP messages with the same source address and the same type, the number of SIP messages with the same source address and different first fields, and first duration information. The first duration is determined by the time information of a first SIP message and the time information of a second SIP message, where the source address of the first SIP message is the same as the target address of the second SIP message, and the type of the first SIP message is different from the type of the second SIP message.
With reference to the fifth aspect, in some implementations of the fifth aspect, the first network element is a user plane network element or an application function network element.
With reference to the fifth aspect, in some implementations of the fifth aspect, the transceiver unit is further configured to receive a session establishment request from the terminal device, and to send indication information to the first network element according to the session establishment request, the indication information indicating that the SIP message is to be detected according to a first packet detection rule (PDR).
With reference to the fifth aspect, in some implementations of the fifth aspect, the transceiver unit is further configured to send information of the second field of a third SIP message to the application function network element, where the source address of the third SIP message is the address of the terminal device, and to receive location information of at least one terminal device from the application function network element, the location information of the at least one terminal device being sent according to the second field of the third SIP message; the processing unit is further configured to update the first information, the first information including the location information of the at least one terminal device.
With reference to the fifth aspect, in some implementations of the fifth aspect, the processing unit is specifically configured to determine the value of a first parameter based on the statistical information of the SIP messages, and to determine whether the terminal device is abnormal based on the magnitude relationship between the value of the first parameter and a first threshold. The first parameter includes at least one of the following: the ratio of the total number of SIP BYE messages to the total number of SIP INVITE messages, the ratio of the total number of SIP CANCEL messages to the total number of SIP INVITE messages, the total number of SIP INVITE messages, the dispersion of the time information of when SIP messages were detected, the dispersion of the first duration, and the dispersion of the location information of the at least one terminal device.
With reference to the fifth aspect, in some implementations of the fifth aspect, the processing unit is specifically configured to determine whether the terminal device is abnormal based on the magnitude relationship between the value of the first parameter and the first threshold, together with a first weight, where the first weight includes the weight corresponding to at least one parameter of the first parameter.
In a sixth aspect, a communication apparatus is provided. The apparatus includes a processing unit and a transceiver unit. The first network element determines first information of a terminal device, where the first information includes information of a session initiation protocol (SIP) message related to the terminal device; the first network element sends the first information to an analysis network element, the first information being used to determine whether the terminal device is abnormal. The information of the SIP message includes at least one of the following: the type of the SIP message, the source address of the SIP message, the target address of the SIP message, information of a first field of the SIP message, information of a second field of the SIP message, and time information of when the SIP message was detected. The types of SIP message include the SIP invite (INVITE) message, the SIP reject (CANCEL) message and the SIP hang-up (BYE) message. The first field identifies the device used by the sender of the SIP message, and the second field identifies the receiver device of the SIP message.
Based on the above solution, the first network element determines the information of the SIP messages related to the terminal device and sends that information to the analysis network element, so that the analysis network element can effectively identify abnormal terminal devices from the SIP messages related to the terminal device, avoiding interference to other terminal devices.
With reference to the sixth aspect, in some implementations of the sixth aspect, indication information is received from the analysis network element, the indication information indicating that the SIP message is to be detected according to a first packet detection rule (PDR).
With reference to the sixth aspect, in some implementations of the sixth aspect, the first network element is a user plane network element or an application function network element.
With reference to the sixth aspect, in some implementations of the sixth aspect, the analysis network element is a session management network element or a network data analytics function network element.
In a seventh aspect, a communication apparatus is provided. The apparatus includes a transceiver unit and a processing unit. The transceiver unit is configured to receive statistical information of session initiation protocol (SIP) messages from a first network element, the statistical information of the SIP messages being determined according to information of SIP messages related to a terminal device; the processing unit is configured to determine, based on the first information, whether the terminal device is abnormal. The information of the SIP message includes at least one of the following: the type of the SIP message, the source address of the SIP message, the target address of the SIP message, information of a first field of the SIP message, information of a second field of the SIP message, and time information of when the SIP message was detected. The types of SIP message include the SIP invite (INVITE) message, the SIP cancel (CANCEL) message and the SIP BYE message. The first field identifies the sender device of the SIP message, and the second field identifies the receiver device of the SIP message.
With reference to the seventh aspect, in some implementations of the seventh aspect, the statistical information of the SIP messages includes at least one of the following: the total number of SIP messages of the same type, the total number of SIP messages with the same source address and the same type, the total number of SIP messages with the same target address and the same type, the number of SIP messages with the same source address and different first fields, and first duration information. The first duration is determined by the time information of a first SIP message and the time information of a second SIP message, where the source address of the first SIP message is the same as the target address of the second SIP message, and the type of the first SIP message is different from the type of the second SIP message.
With reference to the seventh aspect, in some implementations of the seventh aspect, the communication apparatus is a session management network element or a network data analytics function network element.
结合第七方面,在第七方面的某些实现方式中,该第一网元包括用户面网元或应用功能网元。Combined with the seventh aspect, in some implementations of the seventh aspect, the first network element includes a user plane network element or an application function network element.
With reference to the seventh aspect, in some implementations of the seventh aspect, the transceiver unit is further configured to receive a session establishment request from the terminal device, and to send indication information to the first network element according to the session establishment request, where the indication information indicates that the SIP messages are to be detected according to a first packet detection rule (PDR).
With reference to the seventh aspect, in some implementations of the seventh aspect, the transceiver unit is further configured to send, to an application function network element, the information of the second field of a third SIP message, where the source address of the third SIP message is the address of the terminal device, and to receive location information of at least one terminal device from the application function network element, where the location information of the at least one terminal device is sent according to the second field of the third SIP message. The first information is then updated, and the first information includes the location information of the at least one terminal device.
With reference to the seventh aspect, in some implementations of the seventh aspect, the processing unit is specifically configured to determine a value of a first parameter based on the statistical information of the SIP messages, and to determine whether the terminal device is abnormal based on how the value of the first parameter compares with a first threshold. The first parameter includes at least one of the following: the ratio of the total number of SIP BYE messages to the total number of SIP INVITE messages, the ratio of the total number of SIP CANCEL messages to the total number of SIP INVITE messages, the total number of SIP INVITE messages, the dispersion of the times at which SIP messages are detected, the dispersion of the first duration, and the dispersion of the location information of the at least one terminal device.
With reference to the seventh aspect, in some implementations of the seventh aspect, the processing unit is specifically configured to determine whether the terminal device is abnormal based on how the value of the first parameter compares with the first threshold and on a first weight, where the first weight includes a weight corresponding to at least one of the first parameters.
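The following sketch is an added illustration, not part of the application: it derives the statistics listed above from per-message SIP records, computes four of the first parameters, and applies a weighted threshold decision. The record layout, the sample records, the use of population standard deviation as "dispersion", the pairing rule for the first duration, the BYE counting, and every threshold, weight, comparison direction and score limit are assumptions chosen for the example; the dispersions of detection time and of location are left out.

```python
from collections import Counter
from statistics import pstdev

P, A, B = "10.0.1.1", "10.0.0.5", "10.0.0.9"   # constructed addresses

def build_sample():
    """Constructed records: (type, source, destination, first field, second field, time in s)."""
    rec = []
    for i, t in enumerate((0, 10, 20, 30)):        # terminal A: INVITE, then CANCEL 3 s later
        frm, to = f"sip:id{i % 3}@example.test", f"sip:callee{i}@example.test"
        rec.append(("INVITE", A, P, frm, to, float(t)))
        rec.append(("CANCEL", A, P, frm, to, float(t + 3)))
    for i, t in enumerate((40, 50)):               # terminal A: answered, far end hangs up after 5 s
        frm, to = "sip:id0@example.test", f"sip:callee{i + 4}@example.test"
        rec.append(("INVITE", A, P, frm, to, float(t)))
        rec.append(("BYE", P, A, to, frm, float(t + 5)))
    for t, length in ((5, 120), (200, 30)):        # terminal B: two ordinary calls
        frm, to = "sip:b@example.test", "sip:friend@example.test"
        rec.append(("INVITE", B, P, frm, to, float(t)))
        rec.append(("BYE", P, B, to, frm, float(t + length)))
    return rec

def sip_statistics(records):
    """Turn per-message information into the statistics named in the text."""
    stats = {
        "by_type": Counter(),            # same type
        "by_src_type": Counter(),        # same source address and same type
        "by_dst_type": Counter(),        # same destination address and same type
        "first_fields_by_src": {},       # source address -> distinct first-field values
        "first_durations": {},           # address -> list of first durations (s)
    }
    pending = {}                         # source address -> open INVITEs as (type, time)
    for mtype, src, dst, first, _second, t in sorted(records, key=lambda r: r[5]):
        stats["by_type"][mtype] += 1
        stats["by_src_type"][(src, mtype)] += 1
        stats["by_dst_type"][(dst, mtype)] += 1
        stats["first_fields_by_src"].setdefault(src, set()).add(first)
        # First duration: this message's destination equals the source of an
        # earlier message of a different type (assumed pairing: oldest open INVITE).
        queue = pending.get(dst, [])
        for i, (ptype, ptime) in enumerate(queue):
            if ptype != mtype:
                stats["first_durations"].setdefault(dst, []).append(t - ptime)
                del queue[i]
                break
        if mtype == "INVITE":
            pending.setdefault(src, []).append((mtype, t))
        elif pending.get(src):           # CANCEL/BYE sent by src closes its latest INVITE
            pending[src].pop()
    return stats

def first_parameters(stats, ue):
    """Compute the first parameters for one terminal address."""
    invites = stats["by_src_type"][(ue, "INVITE")]
    cancels = stats["by_src_type"][(ue, "CANCEL")]
    # Assumption: a BYE sent by or delivered to the terminal counts for it.
    byes = stats["by_src_type"][(ue, "BYE")] + stats["by_dst_type"][(ue, "BYE")]
    durations = stats["first_durations"].get(ue, [])
    return {
        "invite_total": invites,
        "cancel_ratio": cancels / invites if invites else None,
        "bye_ratio": byes / invites if invites else None,
        # Dispersion needs at least two samples to mean anything.
        "duration_dispersion": pstdev(durations) if len(durations) >= 2 else None,
    }

# Assumed rules: parameter -> (comparison, first threshold, first weight).
RULES = {
    "invite_total": (">", 5, 0.3),
    "cancel_ratio": (">", 0.5, 0.4),
    "bye_ratio": ("<", 0.5, 0.1),
    "duration_dispersion": ("<", 1.0, 0.2),
}

def is_abnormal(params, rules=RULES, score_limit=0.5):
    """Sum the weights of every rule the terminal trips; flag it at score_limit."""
    score = 0.0
    for name, (op, threshold, weight) in rules.items():
        value = params.get(name)
        if value is None:                # parameter not computable for this terminal
            continue
        if (value > threshold) if op == ">" else (value < threshold):
            score += weight
    return score >= score_limit, round(score, 6)

if __name__ == "__main__":
    stats = sip_statistics(build_sample())
    for ue in (A, B):
        print(ue, first_parameters(stats, ue), is_abnormal(first_parameters(stats, ue)))
```

With the constructed records, terminal A trips all four rules, while terminal B trips none and stays below the score limit.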
In an eighth aspect, a communication apparatus is provided. The apparatus includes a transceiver unit and a processing unit. The processing unit is configured to determine information of SIP messages related to a terminal device. The processing unit is further configured to determine statistical information of the SIP messages of the terminal device according to the information of the SIP messages, where the statistical information of the SIP messages is used to determine whether the terminal device is abnormal. The first network element sends the statistical information of the SIP messages to an analysis network element. The information of the SIP messages includes at least one of the following: the type of the SIP message, the source address of the SIP message, the destination address of the SIP message, information of a first field of the SIP message, information of a second field of the SIP message, and time information indicating when the SIP message was detected. The types of SIP message include the SIP INVITE message, the SIP CANCEL message and the SIP BYE message. The first field identifies the sender device of the SIP message, and the second field identifies the receiver device of the SIP message.
Based on the above solution, the first network element can determine the statistical information of the SIP messages from the SIP messages related to the terminal device. By sending this statistical information to the analysis network element, the first network element enables the analysis network element to identify abnormal terminal devices effectively and to prevent interference with other terminal devices.
With reference to the eighth aspect, in some implementations of the eighth aspect, the statistical information of the SIP messages includes at least one of the following: the total number of SIP messages of the same type, the total number of SIP messages with the same source address and the same type, the total number of SIP messages with the same destination address and the same type, the number of SIP messages with the same source address and different first fields, and first duration information. The first duration is determined from the time information of a first SIP message and the time information of a second SIP message, where the source address of the first SIP message is the same as the destination address of the second SIP message, and the type of the first SIP message differs from the type of the second SIP message.
With reference to the eighth aspect, in some implementations of the eighth aspect, the analysis network element is a session management network element or a network data analytics function network element.
With reference to the eighth aspect, in some implementations of the eighth aspect, the first network element includes a user plane network element or an application function network element.
With reference to the eighth aspect, in some implementations of the eighth aspect, the first network element receives indication information from the analysis network element, where the indication information indicates that the SIP messages are to be detected according to a first packet detection rule (PDR).
In a ninth aspect, a communication apparatus is provided, including a processor. The processor is coupled to a memory and can be used to execute instructions in the memory to implement the method in any one of the first to fourth aspects and any possible implementation of the first to fourth aspects. For example, the communication apparatus further includes the memory. The communication apparatus further includes a communication interface, and the processor is coupled to the communication interface.
In a tenth aspect, a processor is provided, including an input circuit, an output circuit and a processing circuit. The processing circuit is configured to receive a signal through the input circuit and transmit a signal through the output circuit, so that the processor performs the method in any one of the first to fourth aspects and any possible implementation of the first to fourth aspects.
In a specific implementation, the processor may be one or more chips, the input circuit may be an input pin, the output circuit may be an output pin, and the processing circuit may be transistors, gate circuits, flip-flops and various logic circuits. The input signal received by the input circuit may be received and input by, for example but not limited to, a receiver, and the signal output by the output circuit may be output to and transmitted by, for example but not limited to, a transmitter. The input circuit and the output circuit may be the same circuit, which serves as the input circuit and the output circuit at different times. The embodiments of this application do not limit the specific implementation of the processor and the various circuits.
In an eleventh aspect, a processing apparatus is provided, including a processor and a memory. The processor is configured to read instructions stored in the memory, and can receive signals through a receiver and transmit signals through a transmitter, to perform the method in any one of the first to fourth aspects and any possible implementation of the first to fourth aspects.
For example, there are one or more processors and one or more memories.
For example, the memory may be integrated with the processor, or the memory may be provided separately from the processor.
In a specific implementation, the memory may be a non-transitory memory, such as a read-only memory (ROM), which may be integrated on the same chip as the processor or provided on a different chip. The embodiments of this application do not limit the type of memory or the way the memory and the processor are arranged.
It should be understood that, in the related data exchange, sending indication information may for example be a process of outputting the indication information from the processor, and receiving capability information may be a process of the processor receiving input capability information. Specifically, data output by the processor may be output to a transmitter, and input data received by the processor may come from a receiver. The transmitter and the receiver may be collectively referred to as a transceiver.
The processing apparatus in the eleventh aspect may be one or more chips. The processor in the processing apparatus may be implemented in hardware or in software. When implemented in hardware, the processor may be a logic circuit, an integrated circuit, or the like. When implemented in software, the processor may be a general-purpose processor that is implemented by reading software code stored in a memory; the memory may be integrated in the processor, or may be located outside the processor and exist independently.
In a twelfth aspect, a computer program product is provided. The computer program product includes a computer program (which may also be called code or instructions) that, when run, causes a computer to perform the method in any one of the first to fourth aspects and any possible implementation of the first to fourth aspects.
In a thirteenth aspect, a computer-readable storage medium is provided. The computer-readable storage medium stores a computer program (which may also be called code or instructions) that, when run on a computer, causes the method in any possible implementation of the first aspect and the second aspect to be performed.
In a fourteenth aspect, a communication system is provided, including the aforementioned first network element and an analysis network element that communicates with the first network element, where the first network element is a user plane network element or an application function network element, and the analysis network element is a session management network element or a network data analytics function network element.
Description of the Drawings
Figure 1 is a schematic diagram of an application scenario to which the method of the embodiments of this application is applicable.
Figure 2 is a schematic flowchart of an anomaly detection method provided by an embodiment of this application.
Figure 3 is a schematic flowchart of an anomaly detection method provided by another embodiment of this application.
Figure 4 is a schematic flowchart of an anomaly detection method provided by another embodiment of this application.
Figure 5 is a schematic flowchart of an anomaly detection method provided by another embodiment of this application.
Figure 6 is a schematic diagram of a communication apparatus provided by an embodiment of this application.
Figure 7 is a schematic block diagram of a communication apparatus provided by an embodiment of this application.
Figure 8 is a schematic diagram of a chip system provided by an embodiment of this application.
Detailed Description
The technical solutions in the embodiments of this application are described below with reference to the accompanying drawings.
The technical solutions of the embodiments of this application can be applied to various communication systems, for example: a long term evolution (LTE) system, an LTE frequency division duplex (FDD) system, an LTE time division duplex (TDD) system, a worldwide interoperability for microwave access (WiMAX) communication system, a fifth generation (5G) communication system or a future communication system such as a sixth generation (6G) communication system, and vehicle-to-X (V2X), where V2X may include vehicle-to-network (V2N), vehicle-to-vehicle (V2V), vehicle-to-infrastructure (V2I), vehicle-to-pedestrian (V2P) and so on, as well as long term evolution-vehicle (LTE-V), the Internet of Vehicles, machine type communication (MTC), the Internet of Things (IoT), long term evolution-machine (LTE-M), machine to machine (M2M), and so on.
Figure 1 is a schematic diagram of a network architecture suitable for the method provided by the embodiments of this application. The network architecture may specifically include the following network elements:
1. User equipment (UE): may include various handheld devices with wireless communication functions, vehicle-mounted devices, wearable devices, computing devices or other processing devices connected to a wireless modem, as well as various forms of terminals, mobile stations (MS), terminals, soft terminals, and so on, for example, water meters, electricity meters and sensors.
For example, the user equipment in the embodiments of this application may refer to an access terminal, a subscriber unit, a subscriber station, a mobile station, a relay station, a remote station, a remote terminal, a mobile device, a user terminal, terminal equipment, a wireless communication device, a user agent or a user apparatus. The user equipment may also be a cellular phone, a cordless phone, a session initiation protocol (SIP) phone, a wireless local loop (WLL) station, a personal digital assistant (PDA), a handheld device with wireless communication functions, a computing device or other processing device connected to a wireless modem, a vehicle-mounted device, a wearable device, user equipment in a 5G network, user equipment in a future evolved public land mobile network (PLMN), or user equipment in a future Internet of Vehicles. This application does not limit this.
As an example and not a limitation, in the embodiments of this application a wearable device may also be called a wearable smart device, which is a general term for devices developed by applying wearable technology to the intelligent design of everyday wear, such as glasses, gloves, watches, clothing and shoes. A wearable device is a portable device that is worn directly on the body or integrated into the user's clothing or accessories. A wearable device is not just a hardware device; it can also provide powerful functions through software support, data interaction and cloud interaction. In the broad sense, wearable smart devices include full-featured, larger devices that can provide complete or partial functions without relying on a smartphone, such as smart watches or smart glasses, and devices that focus on only one type of application function and need to be used together with another device such as a smartphone, such as the various smart bracelets and smart jewelry used for monitoring physical signs.
In addition, in the embodiments of this application, the user equipment may also be user equipment in an Internet of Things (IoT) system. IoT is an important part of the future development of information technology. Its main technical feature is to connect objects to the network through communication technology, so as to realize an intelligent network of human-machine and machine-to-machine interconnection. In the embodiments of this application, IoT technology can achieve massive connections, deep coverage and terminal power saving through, for example, narrowband (NB) technology. In addition, in the embodiments of this application, the user equipment may also include sensors such as smart printers, train detectors and gas stations, whose main functions include collecting data (for some user equipment), receiving control information and downlink data from the access network device, and sending electromagnetic waves to transmit uplink data to the access network device.
2. (Radio) access network ((R)AN) device: used to provide network access for authorized user equipment in a specific area, and able to use transmission tunnels of different quality according to the level of the user equipment, service requirements, and so on.
The RAN can manage radio resources and provide access services for user equipment, and then forward control signals and user equipment data between the user equipment and the core network. The RAN can also be understood as the base station in a traditional network.
For example, the access network device in the embodiments of this application may be any communication device with wireless transceiver functions that is used to communicate with user equipment. The access network device includes but is not limited to: an evolved Node B (eNB), a baseband unit (BBU), an access point (AP) in a wireless fidelity (WiFi) system, a wireless relay node, a wireless backhaul node, a transmission point (TP) or a transmission and reception point (TRP). It may also be a gNB or a transmission point (TRP or TP) in a 5G system such as NR, one antenna panel or a group of antenna panels (including multiple antenna panels) of a base station in a 5G system, or a network node that constitutes a gNB or a transmission point, such as a baseband unit (BBU) or a distributed unit (DU).
In some deployments, a gNB may include a centralized unit (CU) and a DU. The gNB may also include an active antenna unit (AAU). The CU implements some functions of the gNB, and the DU implements some functions of the gNB. For example, the CU is responsible for processing non-real-time protocols and services, and implements the functions of the radio resource control (RRC) and packet data convergence protocol (PDCP) layers. The DU is responsible for processing physical layer protocols and real-time services, and implements the functions of the radio link control (RLC) layer, the media access control (MAC) layer and the physical (PHY) layer. The AAU implements some physical layer processing functions, radio frequency processing and functions related to active antennas. Because RRC layer information eventually becomes PHY layer information, or is derived from PHY layer information, in this architecture higher-layer signaling such as RRC layer signaling can also be considered to be sent by the DU, or by the DU and the AAU. It can be understood that the access network device may be a device including one or more of a CU node, a DU node and an AAU node. In addition, the CU may be classified as an access network device in the radio access network (RAN), or as an access network device in the core network (CN). This application does not limit this.
2. Access and mobility management function (AMF) network element: mainly used for mobility management, access management and so on. It can be used to implement the functions of the mobility management entity (MME) other than session management, for example, access authorization and authentication.
3. Session management function (SMF) network element: mainly used for session management, Internet Protocol (IP) address allocation and management for terminal devices, selection and management of user plane functions, termination of the policy control and charging function interfaces, downlink data notification, and so on.
4. Policy control function (PCF) network element: a unified policy framework used to guide network behavior, providing policy rule information for network elements (such as the AMF and SMF network elements) or terminal devices.
5. User plane function (UPF) network element: used for packet routing and forwarding, quality of service (QoS) processing of user plane data, and so on. User data can access the data network (DN) through this network element. In the embodiments of this application, it can be used to implement the functions of the user plane network element.
6. Application function (AF) network element: used for application-influenced data routing, accessing the network exposure function network element, interacting with the policy framework for policy control, and so on.
7. Data network (DN): a network used to transmit data, for example, an operator's service network, the Internet, or a third-party service network.
8. Network data analytics function (NWDAF) network element: the NWDAF may have at least one of the following functions:
Data collection, model training, model feedback, analysis result inference, and analysis result feedback. The data collection function means that the NWDAF collects data from network elements, third-party servers, terminal devices or the network management system. The model training function means that the NWDAF performs analysis and training on the relevant input data to obtain a model (for example, a machine learning model). The model feedback function means that the NWDAF sends the trained machine learning model to a network element that supports inference. The analysis result inference function means that the NWDAF performs inference based on the trained machine learning model and the inference data to determine a data analysis result. The analysis result feedback function means that the NWDAF provides data analysis results to network elements, third-party servers, terminal devices or the network management system. The data analysis results can help the network select quality of service parameters for a service, perform traffic routing, or select a background traffic transmission policy.
One application scenario of the NWDAF is the customization or optimization of terminal parameters. The NWDAF collects information about a user's connection management, mobility management, session management, accessed services and so on, and uses reliable analysis and prediction models to evaluate and analyze different types of users, build user profiles, determine users' movement trajectories and service usage habits, and optimize user mobility management parameters, radio resource management parameters and so on. In addition, the NWDAF can identify whether a terminal behaves abnormally based on the user profile it has built.
In the embodiments of this application, the NWDAF may be a separate network element or may be co-located with another network element. For example, the NWDAF network element may be co-located with the AMF or with the SMF.
In addition, the above network architecture may also include a network exposure function (NEF) network element. The NEF is used to securely expose to the outside the services and capabilities provided by 3rd Generation Partnership Project (3GPP) network functions. It should be understood that the network elements listed above as part of the communication system are only examples, and this application is not limited to them.
In the above network architecture, the N2 interface is the interface between the RAN and the AMF network element, and is used for sending radio parameters, non-access stratum (NAS) signaling and so on. The N3 interface is the interface between the RAN and the UPF network element, and is used to transmit user plane data and so on. The N4 interface is the interface between the SMF network element and the UPF network element, and is used to transmit information such as service policies, tunnel identification information of the N3 connection, data buffering indication information and downlink data notifications. The N6 interface is the interface between the DN and the UPF network element, and is used to transmit user plane data.
It should be understood that in the above network architecture, network elements can exchange information through service-based interfaces. For example, the NWDAF can use the service-based interfaces (such as Namf and Nsmf) provided by other network elements (such as the AMF and SMF) to collect from those network elements the data that terminals generate on them. The NWDAF can also provide data analysis results, models and data to other network elements (such as the AMF and PCF) through the Nnwdaf interface.
It should be understood that the network architecture applicable to the embodiments of this application is not limited to this; any network architecture that can implement the functions of the above network elements is applicable to the embodiments of this application.
需要说明的是,本申请中各个网元、接口的名称只是示例,本申请不排除以后各个网元为其它名称,以及各个网元之间的功能合并的情况。随着技术的演进,任何能够实现上述各个网元的功能的设备或者网元,都在本申请的保护范围之内。其次,上述网元也可以称为实体、设备、装置或模块等, 本申请并未特别限定。并且,在本申请中,为了便于理解和说明,在部分描述中省略“网元”这一描述,例如,将NWDAF网元简称NWDAF,此情况下,该“NWDAF”应理解为NWDAF网元,以下,省略对相同或相似情况的说明。It should be noted that the names of each network element and interface in this application are just examples. This application does not rule out the possibility that each network element will have other names in the future, and the functions between each network element will be merged. With the evolution of technology, any device or network element that can realize the functions of each of the above network elements is within the scope of protection of this application. Secondly, the above network elements can also be called entities, equipment, devices or modules, etc. This application is not particularly limited. Moreover, in this application, in order to facilitate understanding and explanation, the description of "network element" is omitted in some descriptions. For example, the NWDAF network element is referred to as NWDAF. In this case, the "NWDAF" should be understood as the NWDAF network element. In the following, description of the same or similar situations will be omitted.
The NWDAF can analyze the data that a terminal device generates on network-side functional network elements (for example, the AMF and SMF) and identify whether the behavior of the terminal device is abnormal, for example, whether the terminal device accesses or registers frequently. In existing solutions, the NWDAF mainly checks whether the access and registration information of the terminal device is compliant, and thereby identifies whether the terminal device is an abnormal terminal device. However, even when its access and registration information is compliant, a terminal device may still interfere with other terminal devices, for example, by initiating abnormal calls to them. How to identify such abnormal terminal devices is a problem that urgently needs to be solved.
In view of this, this application proposes an anomaly detection method with which an analysis network element can effectively identify such abnormal terminal devices.
To facilitate understanding of the embodiments of this application, the following points are explained.
First, the terms "first" and "second" and the various numerals (for example, "#1" and "#2") used in this application are only for convenience of description and serve to distinguish between objects, for example, between different core network elements. They are not used to limit the scope of the embodiments of this application, nor to describe a specific order or sequence. It should be understood that objects so described are interchangeable where appropriate, so that solutions other than the embodiments of this application can be described.
Second, "preset", "preconfigured", and similar terms in the embodiments of this application can be implemented by storing in advance, in a device (for example, a network device), corresponding code, tables, or other means that can be used to indicate the relevant information. This application does not limit the specific implementation; examples are the preset anomaly detection policy and the preset thresholds in the embodiments of this application.
Third, the term "and/or" in this document only describes an association between associated objects and indicates that three relationships are possible. For example, "A and/or B" can mean three cases: A exists alone, A and B both exist, or B exists alone. In addition, the character "/" in this document generally indicates an "or" relationship between the objects before and after it.
The methods provided by the embodiments of this application are described in detail below with reference to the accompanying drawings. The embodiments provided in this application can be applied to the network architecture shown in Figure 1 above, without limitation.
Figure 2 is a schematic diagram of an anomaly detection method 200 provided by an embodiment of this application. Method 200 may include the following steps.
S210: The first network element sends first information to the first analysis network element, where the first information includes information about SIP messages related to the terminal device.
Correspondingly, the first analysis network element receives the first information from the first network element.
The first network element may be a user plane network element or an application function network element; for example, the application function network element may be a proxy call control function network element (proxy CSCF, P-CSCF). The first analysis network element may be a session management network element. SIP messages related to the terminal device can be understood as SIP messages from the terminal device and/or SIP messages sent to the terminal device.
It can be understood that when the terminal device initiates a call to another terminal device (referred to as the called terminal device), the terminal device initiates a first session for the call. The data of the first session is transmitted by the first network element and includes a SIP message, which is the SIP message sent by the terminal device. When another terminal device initiates a call to the terminal device, that other terminal device initiates a second session for calling the terminal device. The first network element transmits the data of the second session, which includes a SIP message; that SIP message may be a SIP message sent to the terminal device.
The information about the SIP message includes at least one of the following:
(1) The type of the SIP message.
For example, the types of SIP message include the SIP INVITE message (invite), the SIP CANCEL message (reject), and the SIP BYE message (hang up).
The type of the SIP message determines the type of the session it corresponds to. For example, a SIP INVITE message can indicate a session initiated to place a call, a SIP BYE message can indicate a session initiated to hang up the peer's call, and a SIP CANCEL message can indicate a session initiated to reject the peer's call. By determining the session type, it can be determined that the terminal device initiates a call or is called, that a call initiated by the terminal device is hung up, and that a call initiated by the terminal device is rejected.
(2) The source address of the SIP message.
When the SIP message is a SIP message sent by the terminal device, the source address of the SIP message may be the address of the terminal device, for example, an Internet Protocol (IP) address; when the SIP message is a SIP message sent to the terminal device, the source address of the SIP message may be the address of the other terminal device, for example, an IP address.
(3) The destination address of the SIP message.
The destination address of the SIP message may be the IP address of the application function network element.
(4) The information in the first field of the SIP message.
The first field identifies the device used by the sender of the SIP message.
In one case, the terminal device is identified jointly by the identity of the terminal device and the identifier of the device used by the terminal device. The identity of the terminal device may include the identity of the subscriber identity module (SIM) card of the terminal device. For example, the identity of the SIM card may be a subscriber permanent identifier (SUPI), an international mobile subscriber identity (IMSI), or the like. The identifier of the device used by the terminal device may be, for example, a permanent equipment identifier (PEI) or an international mobile equipment identity (IMEI).
(5) The information in the second field of the SIP message.
The second field identifies the recipient device of the SIP message; in other words, the second field indicates the identifier of the recipient device of the SIP message.
For example, the second field may be the SIP_Tel_Number field, which identifies the telephone number of the recipient device of the SIP message.
(6) The time information of detecting the SIP message.
The time information of detecting the SIP message may be, for example, information about the moment at which the first network element detected the SIP message.
In a possible implementation, the first network element may send the first information to the first analysis network element according to a preset reporting rule. For example, the reporting rule may be periodic reporting, reporting as soon as a SIP message related to the terminal device is detected, reporting once a preset number of SIP messages related to the terminal device have been detected, and so on.
It can be understood that the SIP message sent by the first network element to the first analysis network element may include the above information for one or more SIP messages, or may include only part of the above information for one or more SIP messages. For example, for a first SIP message the first network element may report its type, its source address and destination address, the time at which it was detected, and the information in its first field and second field; for a second SIP message the first network element may report its type, its source address, and the time at which it was detected.
Optionally, before the first network element sends the first information to the first analysis network element, the method may further include S220 and S230:
S220: The first network element receives indication information from the first analysis network element, where the indication information indicates that SIP messages related to the terminal device are to be detected according to a first packet detection rule (PDR).
Correspondingly, the first network element receives the first information from the first analysis network element.
For example, the first PDR may include at least one of the following rules: detect SIP messages whose source address is the terminal device; detect SIP messages whose destination address is the terminal device.
It can be understood that SIP messages whose source address or destination address is the terminal device may include multiple types of SIP message, for example, a SIP INVITE message whose source address is the terminal device, or a SIP CANCEL message or SIP BYE message whose destination address is the terminal device.
S230: The first network element detects SIP messages related to the terminal device according to the first PDR and determines the information about the SIP messages.
For example, after receiving the data of a session, the first network element may determine that the data is of the SIP message type. The first network element may check the source address and/or destination address of the SIP message against the first PDR; after detecting a SIP message that matches the first PDR, the first network element may also determine the information in the first field and/or the second field of the SIP message. Further, the first network element may also determine the time information of detecting the SIP message.
Optionally, S240: The first network element may also determine statistical information of the SIP messages according to the information about the SIP messages.
For example, the statistical information of the SIP messages includes at least one of the following: the total number of SIP messages of the same type; the total number of SIP messages with the same source address and the same type; the total number of SIP messages with the same destination address and the same type; the number of SIP messages with the same source address and different first fields; and information about a first duration. The first duration may be determined from the time information of a third SIP message and the time information of a fourth SIP message, where the source address of the third SIP message is the same as the destination address of the fourth SIP message, and the type of the third SIP message is different from the type of the fourth SIP message.
It can be understood that the statistical information of the SIP messages refers to multiple SIP messages related to the terminal device. For example, the first network element may determine the statistical information of the SIP messages within a preset statistics period.
For example, the first network element may enable a first counter, which counts the total number of SIP messages of the same type. When the first network element detects a SIP message of a certain type according to the first PDR, for example, a SIP INVITE message, the first network element increments the first counter by 1. Within the preset statistics period, the value of the first counter represents the total number of SIP messages of that type.
The total number of calls of the terminal device can be determined by counting the total number of SIP messages of the same type; it is the sum of the number of calls initiated by the terminal device and the number of calls initiated to the terminal device.
As another example, the first network element may enable a second counter, which counts the total number of SIP messages with the same source address and the same type. Taking the case where the source address is the address of the terminal device and the SIP message is a SIP INVITE message as an example, the first network element checks, according to the first PDR and within the preset statistics period, for SIP INVITE messages whose source address is the address of the terminal device; each time such a SIP INVITE message is detected, the first network element increments the second counter by 1. The value of the second counter can represent the total number of calls initiated by the terminal device.
By counting SIP INVITE messages with the same source address, at least one of the total number of calls initiated by the terminal device and the number of calls initiated to the terminal device can be determined; by counting SIP BYE messages with the same destination address, the number of times that calls initiated by the terminal device were hung up can be determined; by counting SIP CANCEL messages with the same destination address, at least one of the number of times that calls initiated by the terminal device were rejected can be determined.
The first network element may also inspect a specific field of the SIP message, for example, the first field. By inspecting that field, the number of SIP messages with the same source address and different first fields can be determined. Likewise, the first network element can use a counter to count, within the preset statistics period, the number of SIP messages with the same source address and different first fields.
From the total number of SIP messages with the same source address and different first fields, the frequency with which the terminal device switches the identifier of the device it uses can be determined.
The first network element may also record the time information of detecting a SIP message, for example, the moment at which the SIP message was detected. Optionally, the first network element may also correlate the detection time information of two SIP messages to determine the information about the first duration. For example, one of the two SIP messages may be a SIP INVITE message whose source address is the address of the terminal device, and the other may be a SIP BYE message or SIP CANCEL message whose destination address is the address of the terminal device.
From the time information of detecting the SIP messages, the time at which the terminal device initiated a call and the time at which a call initiated by the terminal device was rejected or hung up can be determined. Further, correlating the time information of two SIP messages yields the duration of the call between the terminal device and at least one called terminal device (that is, the first duration).
When the first network element determines the statistical information of the SIP messages, the first information includes that statistical information. In this case, S240 may be executed before S210.
Optionally, S250: The first analysis network element determines the statistical information of the SIP messages according to the information about the SIP messages.
The way the first analysis network element determines the statistical information of the SIP messages from the information about the SIP messages is similar to the way the first network element does so; refer to the description of S240, which is not repeated here.
It can be understood that if S240 is not executed, the first network element can send the information about the SIP messages related to the terminal device to the first analysis network element, and the analysis network element determines the statistical information of the SIP messages from that information.
S260a: The first analysis network element determines whether the terminal device is abnormal according to the statistical information of the SIP messages.
Specifically, the first analysis network element may determine whether the terminal device is abnormal according to an anomaly detection policy and the statistical information of the SIP messages.
At least one anomaly detection policy for detecting whether the terminal device is abnormal may be preconfigured in the first analysis network element. Each of the at least one anomaly detection policy may include an analysis entry (which may also be called an analysis parameter, and is an example of the first parameter) and a threshold corresponding to the analysis parameter.
Optionally, the anomaly detection policy may also include a weight corresponding to each anomaly detection policy; the first analysis network element uses the weights to combine multiple anomaly detection policies when judging whether the terminal device is abnormal.
For example, judging whether the terminal device is abnormal according to an anomaly detection policy can be understood as comparing the statistical value of the terminal device's analysis entry with the corresponding threshold; if the magnitude relationship between them matches the expected result, it can be determined that the terminal device may be abnormal. The statistical value of the analysis entry in the anomaly detection policy can be determined from the statistical information of the SIP messages.
The analysis entry (first parameter) may include at least one of the following parameters: the ratio of the total number of SIP BYE messages to the total number of SIP INVITE messages, the ratio of the total number of SIP CANCEL messages to the total number of SIP INVITE messages, the total number of SIP INVITE messages, the dispersion of the time information of detecting SIP messages, and the dispersion of the first duration.
It can be understood that the first analysis network element may receive the statistical information of the SIP messages from the first network element, or may determine the statistical information of the SIP messages itself. The first analysis network element can determine the total number of SIP BYE messages, SIP CANCEL messages, or SIP INVITE messages, and can therefore determine the ratio of the total number of SIP BYE messages to the total number of SIP INVITE messages, the ratio of the total number of SIP CANCEL messages to the total number of SIP INVITE messages, and the total number of SIP INVITE messages. The first analysis network element may determine the dispersion of the time information of detecting SIP messages from that time information, and determine the dispersion of the first duration from the information about the first duration.
If the first analysis network element determines, according to the statistical information of the SIP messages, that the value of the first parameter and its corresponding threshold satisfy the preset magnitude relationship, the first analysis network element can determine that the terminal device may be abnormal.
Optionally, before the first analysis network element determines whether the terminal device is abnormal, the first analysis network element may also send a request message to the application function network element, where the request message is used to request the location information of the called terminal device.
Correspondingly, the first analysis network element receives the location information of the called terminal device from the application function network element.
The request message may carry the identifier of the called terminal device. For example, the first analysis network element may determine the identifier of the peer terminal device from the second field of a SIP INVITE message whose source address is the address of the terminal device. It should be understood that the application function network element can determine the location information of the called terminal device according to the identifier of the called terminal device.
The first analysis network element may determine the dispersion of the terminal device's call destination addresses according to the location information of the called terminal device. The analysis entry may include the dispersion of the terminal device's call destination addresses. The first analysis network element can determine whether the terminal device is abnormal by comparing the dispersion of the terminal device's call destination addresses with a threshold.
Optionally, S270: The first analysis network element sends the statistical information of the SIP messages to a second analysis network element.
Correspondingly, the second analysis network element receives the statistical information of the SIP messages from the first analysis network element.
S260b: The second analysis network element determines whether the terminal device is abnormal according to the statistical information of the SIP messages.
For the specific process by which the second analysis network element determines whether the terminal device is abnormal, refer to the process in S260a by which the first analysis network element determines whether the terminal device is abnormal.
That is to say, the first network element can determine the SIP messages related to the terminal device and determine the statistical information of the SIP messages from the information about those messages; the first network element sends the statistical information of the SIP messages to the analysis network element, so that the analysis network element determines whether the terminal device is abnormal according to that statistical information. The analysis network element may be a session management network element or a network data analytics function network element. When the analysis network element is a network data analytics function network element, the first network element can send the statistical information of the SIP messages to it through the session management network element.
Alternatively, the first network element determines the SIP messages related to the terminal device and sends the information about the SIP messages to the analysis network element; the analysis network element can determine the statistical information of the SIP messages from that information, and determines whether the terminal device is abnormal according to the statistical information. The analysis network element may be a session management network element or a network data analytics function network element.
Alternatively, the first network element determines the SIP messages related to the terminal device and sends the information about the SIP messages to the first analysis network element; the first analysis network element can determine the statistical information of the SIP messages from that information and send it to the second analysis network element, so that the second analysis network element determines whether the terminal device is abnormal. The first analysis network element may be a session management network element; the second analysis network element may be a network data analytics function network element.
Based on the above solution, the analysis network element can effectively identify an abnormal terminal device from the SIP messages related to the terminal device, preventing it from interfering with other terminal devices.
FIG. 3 is a schematic diagram of an anomaly detection method 300 provided by an embodiment of the present application. Method 300 may include the following steps.
S301: The SMF starts the anomaly detection procedure for the UE.
The SMF starting anomaly detection for the UE can be understood as the SMF starting the subsequent anomaly detection procedure.
The anomaly detection procedure of the SMF may be configured by the operator. For example, the operator may configure the anomaly detection procedure for one or more SMFs in a specific area of the network, and the one or more SMFs include this SMF.
Anomaly detection policies may be configured in the SMF. For example, the multiple anomaly detection policies are shown in Table 1, and different anomaly detection policies may be identified by policy IDs.
Table 1

As shown in Table 1, taking UE#1 as an example, UE#1 initiating a call may mean that UE#1 initiates a call to a called UE, where the called UE includes at least one UE.
A call initiated by UE#1 being rejected may mean that the call initiated by UE#1 is rejected by the called UE.
UE#1 being called may mean that a called UE initiates a call to UE#1, where the called UE includes at least one UE.
A call initiated by UE#1 being hung up may mean that the call initiated by UE#1 is hung up by the called UE.
When UE#1 initiates a call to the called UE, UE#1 acts as the calling party; otherwise, UE#1 acts as the called party.
The ratio of UE#1 acting as the calling party to UE#1 acting as the called party can be understood as the ratio of the number of times UE#1 initiates calls to the number of times UE#1 is called.
UE#1 may initiate different numbers of calls to multiple called UEs. For example, if UE#1 initiates 5 calls to called UE#2 and 7 calls to called UE#3, the average number of calls UE#1 initiates to each called UE is 6.
The dispersion of the MEs that UE#1 switches between may be expressed by the dispersion of the identifiers of those MEs. The identifier of an ME is, for example, an IMEI. The dispersion of the MEs switched by the UE may refer to the span of the multiple IMEIs corresponding to those MEs.
The dispersion of the call target areas of UE#1 may refer to the dispersion of the regional locations of the called UEs when UE#1 initiates calls to multiple called UEs.
The dispersion of the call duration of UE#1 may refer to the dispersion of the durations of calls between UE#1 and other UEs, where the other UE may be the calling UE or the called UE.
UE#1 may initiate calls to different called UEs at multiple times, and the dispersion of the times at which UE#1 initiates calls may refer to the dispersion of those times.
S302: UE#1 sends a protocol data unit (PDU) session establishment request to the SMF.
Correspondingly, the SMF receives the PDU session establishment request from the UE.
For example, the PDU session establishment request is a PDU session establishment request of the IP multimedia subsystem (IMS) type.
The PDU session establishment request message carries an identification field used to identify the requested session type. For example, the identification field may be the "data network name type (DNN type)" field or any other field, and the content of the identification field may be IMS.
The PDU session establishment request may also carry indication information indicating that UE#1 requests the address of the P-CSCF, for example, its IP address. For the specific way UE#1 makes this request, refer to TS 23.502 Section 3.3.2.
S303: The SMF selects a UPF.
The UPF selected by the SMF is used to transmit the user plane data of UE#1. For how the SMF selects the UPF, refer to the existing related descriptions.
For example, the UPF may forward received data packets of at least one session from UE#1 to a destination UE within the UPF, send them to a network-side device through the N6 interface, or send them to another UPF through the N19 interface. Similarly, the UPF may forward to UE#1 the data packets of at least one session from a UE within the UPF, from a network-side device, or from another UPF.
S304: The SMF sends indication information #1 to the UPF. Indication information #1 instructs the UPF to collect and report statistical information of the SIP messages related to UE#1.
Correspondingly, the UPF receives indication information #1 from the SMF.
The SIP messages related to UE#1 may include SIP messages from UE#1 and SIP messages sent to UE#1.
For example, when UE#1 initiates session #1 to call UE#2, UE#1 sends SIP message #1 of session #1 to UE#2 through the UPF; in response to SIP message #1, UE#2 may send SIP message #2 to UE#1. The SIP messages related to UE#1 may include SIP message #1 and SIP message #2.
Indication information #1 may carry a packet detection rule PDR#1, which is used to match, or in other words detect, the data packets of SIP messages related to UE#1.
For example, the rules of PDR#1 may include: having the UPF identify data packets whose destination address and/or source address is a specific IP address, for example, data packets whose source address is the IP address of UE#1 (denoted IPUE#1) and whose destination address is the IP address of the P-CSCF (denoted IPP-CSCF); or data packets whose source address is the IP address of the peer UE and whose destination address is the IP address of the P-CSCF.
The rules of PDR#1 may also include: having the UPF identify data packets of a specific type, for example, data packets whose type is SIP message. Further, the rules of PDR#1 also include identifying SIP messages whose control field includes "INVITE", "BYE" or "CANCEL". A SIP message whose control field includes "INVITE" may also be called a SIP INVITE message; similarly, SIP messages whose control field includes "BYE" or "CANCEL" may also be called SIP BYE messages and SIP CANCEL messages.
PDR#1 may also include a reporting rule by which the UPF reports the statistical information of the SIP messages related to UE#1, for example, periodic reporting, reporting when the number of statistical entries exceeds a preset threshold, or reporting after each update of the statistical information.
After receiving a data packet, the UPF matches the fields of the packet header against the parameter items defined in the PDR to detect the SIP messages related to UE#1.
S305: UPF#1 starts counting the SIP messages of UE#1 according to indication information #1.
In other words, UPF#1 starts determining the statistical information of the SIP messages of UE#1 according to the indication information.
S306: The SMF sends the address of the P-CSCF to UE#1.
The SMF sending the address of the P-CSCF to UE#1 means that the PDU session has been established successfully.
It can be understood that S306 may be performed before or after S305. S306 can be understood as the response to S302.
That is, after receiving the PDU session establishment request of UE#1, the SMF starts the anomaly detection procedure according to its preconfiguration, and the anomaly detection procedure includes S304. After S304, the UPF starts collecting statistics on the SIP messages related to UE#1.
The SIP messages of UE#1 that the UPF can count may come from calls initiated by UE#1, for example, a mobile original call, which may also be called a calling call, an MO call or an MO conversation, and from calls initiated by the network side, for example, a mobile terminated call, which may also be called a called call, an MT call or an MT conversation.
The following describes how the UPF counts the SIP messages related to UE#1 in each of these two kinds of calls.
It should be noted that this application does not limit the number of occurrences or the order of the above two kinds of calls. For example, within the statistical period the UPF may receive only SIP messages of MO calls initiated by UE#1 and no SIP messages of MT calls; or only SIP messages of MT calls and no SIP messages of MO calls initiated by UE#1; or the UPF may receive one or more SIP messages of MT calls after receiving SIP messages of one or more calls initiated by UE#1; or the UPF may receive SIP messages of one or more calls initiated by UE#1 after receiving one or more SIP messages of MT calls.
For how the UPF determines the statistical information of the SIP messages of MT calls, refer to S307 and S308.
S307: The UPF detects a first data packet according to PDR#1.
The first data packet includes data packet #1, which is a data packet of an MT call initiated by the network side. The type of data packet #1 is SIP message; the control field of data packet #1 includes "INVITE"; the source address of data packet #1 is IPP-CSCF, and the destination address of data packet #1 is IPUE#1.
If the UPF detects data packet #1 according to PDR#1, then in S308 the UPF updates information #1, where information #1 includes the statistical information of the SIP messages of MT calls.
Specifically, if the UPF detects a data packet #1, the UPF updates the count of counter #1. Counter #1 is used to count the number of calls initiated to UE#1. The statistical information of the SIP messages of MT calls may include the count of counter #1. In other words, the UPF updating the count of counter #1 is the UPF updating information #1.
Optionally, if the UPF detects data packet #1, the UPF updates the count of counter #2. Counter #2 is used to count the total number of calls of UE#1. The total number of calls of UE#1 is the sum of the number of calls the network side initiates to UE#1 and the number of calls UE#1 initiates. The statistical information of the SIP messages of MT calls may also include the count of counter #2. In other words, the UPF updating the count of counter #2 is the UPF updating information #1.
For example, the statistical information of the SIP messages of UE#1 may be as shown in Table 2.
Table 2
For how the UPF determines the statistical information of the SIP messages of MO calls, refer to S309 and S310.
S309: The UPF detects a second data packet according to PDR#1.
The second data packet includes data packet #2, which is a data packet of an MO call initiated by UE#1. The content type of data packet #2 is SIP message; the control field of data packet #2 includes "INVITE", the source address is IPUE#1, and the destination address is IPP-CSCF.
If the UPF detects data packet #2 according to PDR#1, then in S310 the UPF updates information #1, where information #1 includes the statistical information of the SIP messages of MO calls.
Specifically, if the UPF detects a data packet #2, the UPF updates the count of counter #3. Counter #3 is used to count the number of calls initiated by UE#1. The statistical information of the SIP messages of MO calls may include the count of counter #3.
For example, after the UPF detects data packet #2, the updated statistical information of the SIP messages of UE#1 may be as shown in Table 3.
Table 3
Optionally, if the UPF detects a data packet #2, the UPF updates the count of counter #2. That is, the UPF updates the total number of calls of UE#1.
After detecting a data packet #2, the UPF may also determine at least one of the information of field #1 and the information of field #2 of data packet #2.
Field #1 identifies the device used by the sender of data packet #2. When the source address of the data packet is the address of UE#1, field #1 may indicate the device used by UE#1; for example, field #1 carries the IMEI of the UE#1 device. Field #2 identifies the receiving device of data packet #2. For example, if data packet #2 is a data packet in which UE#1 initiates a call to UE#2, field #2 may carry the phone number of UE#2, and field #2 may be the SIP_Tel_Number field.
The UPF may collect the field #1 and/or field #2 information of multiple data packets #2, and the statistical information of the SIP messages of UE#1 includes the field #1 and/or field #2 information of those data packets #2. The multiple data packets #2 can be understood as the data packets of multiple calls initiated by UE#1; they may be data packets of multiple calls from UE#1 to one UE, or data packets of calls from UE#1 to multiple different UEs.
After detecting data packet #2, the UPF may also record the information of time #1 at which data packet #2 was detected. The statistical information of the SIP messages of UE#1 includes the information of time #1. For example, if data packet #2 is a SIP message in which UE#1 initiates a call to UE#2, the statistical information of the SIP messages of UE#1 may be as shown in Table 4.
Table 4
Optionally, the UPF may also detect data packet #3 (an example of the second data packet), which may be a data packet corresponding to data packet #2. In other words, data packet #3 is a data packet in which the peer UE (the called UE) of a call initiated by UE#1 responds to that call. The destination address of data packet #3 is IPUE#1, the source address is IPP-CSCF, the type is SIP message, and the content is "BYE".
If the UPF detects data packet #3, the UPF updates the count of counter #4. Counter #4 is used to count the number of times calls initiated by UE#1 are connected. The statistical information of the SIP messages of UE#1 includes the count value of counter #4.
Optionally, the UPF may also record the information of time #2 at which data packet #3 was detected. The UPF may correlate this with time #1 of data packet #2 to determine the duration between time #1 and time #2. This duration may represent the duration of the call between UE#1 and the called UE.
For example, data packet #2 is a data packet in which UE#1 initiates a call to UE#2. When the UPF detects data packet #2, it may record the identifier of UE#2 (for example, the phone number) and time #1 at which data packet #2 was detected. When the UPF detects data packet #3, it may use the identifier of the sender device of data packet #3 to determine whether data packet #3 was sent by UE#2 in response to data packet #2; if so, the UPF may record time #2 at which data packet #3 was detected. The duration between time #1 and time #2 is the duration of the call between UE#1 and UE#2.
The statistical information of the SIP messages of UE#1 may be as shown in Table 5.
Table 5
Optionally, the UPF may also detect data packet #4 (an example of the second data packet), which may be a data packet corresponding to data packet #2. In other words, data packet #4 is a data packet in which the peer UE (the called UE) of a call initiated by UE#1 responds to that call. The destination address of data packet #4 is IPUE#1, the source address is IPP-CSCF, the type is SIP message, and the content is "CANCEL".
If the UPF detects data packet #4, the UPF updates the count of counter #5. Counter #5 is used to count the number of times calls initiated by UE#1 are rejected.
For example, if UE#3 sends a SIP CANCEL message to UE#1, the statistical information of the SIP messages of UE#1 may be as shown in Table 6.
Table 6

It should be noted that the UPF may count the SIP messages of MT calls and the SIP messages of MO calls within the same statistical period, or the period in which the UPF counts the SIP messages of MT calls may be greater than or equal to the period in which it counts the SIP messages of MO calls.
S311: The UPF sends the statistical information of the SIP messages of UE#1 to the SMF.
Correspondingly, the SMF receives the statistical information of the SIP messages of UE#1 from the UPF.
The statistical information of the SIP messages may include the count of at least one of counter #1 to counter #5. It may also include the time information of when the SIP messages were detected and the call duration information.
S312: The SMF sends the statistical information of the SIP messages of UE#1 to the NWDAF.
Correspondingly, the NWDAF receives the statistical information of the SIP messages of UE#1 from the SMF.
Optionally, before the SMF sends the statistical information of the SIP messages of UE#1 to the NWDAF, the SMF may also send request message #1 to the P-CSCF. Request message #1 is used to request the location information of the peer UE called by UE#1.
Correspondingly, the P-CSCF receives request message #1 from the SMF. Request message #1 may carry the identifier of the peer UE, for example, a phone number.
Optionally, the P-CSCF sends the location information of the peer UE to the SMF.
Correspondingly, the SMF receives the location information of the peer UE from the P-CSCF.
For example, the location information may be the location area code (LAC), tracking area identifier (TAI), cell identifier (cell ID), geographical area identifier (GAI), network code (NC), country code (CC), city code, county code, or the like of the peer UE called by UE#1.
It can be understood that the statistical information of the SIP messages of UE#1 that the SMF sends to the NWDAF may also include the location information of the peer UE called by UE#1.
S313: The NWDAF determines whether UE#1 is abnormal.
Specifically, the NWDAF determines whether UE#1 is abnormal according to the anomaly detection policy and the statistical information of the SIP messages of UE#1. For the anomaly detection policy, refer to the description in S260a.
The values of the analysis items of the anomaly detection policy may be determined from the statistical information of the SIP messages of UE#1.
For example, the number of calls initiated by UE#1 may be determined from the count value of counter #3. If the NWDAF determines that the count value of counter #3 is greater than threshold T1, the NWDAF may determine that UE#1 may be abnormal.
The number of times calls initiated by UE#1 are rejected may be determined from the count of counter #5. If the NWDAF determines that the count value of counter #5 is greater than T2, the NWDAF may determine that UE#1 may be abnormal.
Similarly, the number of times UE#1 is called may be determined from the count of counter #1; the number of times calls initiated by UE#1 are connected may be determined from the count of counter #3; the ratio of the number of rejected calls initiated by UE#1 to the total number of calls of UE#1 may be determined by correlating the count values of counter #5 and counter #2; the ratio of the number of connected calls initiated by UE#1 to the total number of calls of UE#1 may be determined by correlating the count values of counter #3 and counter #2; the ratio of the UE acting as the calling party to the UE acting as the called party may be determined by correlating the count values of counter #1 and counter #3; and the average number of calls the UE initiates to each called UE may be determined from the count value of counter #3 and the information of field #2 of the SIP messages.
The dispersion of the mobile equipment (ME) that UE#1 switches between may be determined from the information of field #1 of the SIP messages. Field #1 carries the identifier of the device used by UE#1, for example, the IMEI. The dispersion of the MEs switched by UE#1 can be understood as the dispersion of the multiple IMEIs that UE#1 switches between, which may be determined from the content of the IMEIs. For example, if the contents of the multiple IMEIs are consecutive, the dispersion of the IMEIs can be considered small; if the contents of the IMEIs are random and irregular, the dispersion of the multiple IMEIs can be considered large.
The dispersion of the call target areas of UE#1 may be determined from the location information of the peer UEs called by UE#1; the dispersion of the call duration of UE#1 may be determined from the call duration information of UE#1; and the dispersion of the times at which UE#1 initiates calls may be determined from the time information of the SIP messages sent by UE#1.
It should be noted that the NWDAF may determine whether UE#1 is abnormal using one or more analysis parameters in the anomaly detection policy. When the NWDAF uses one analysis parameter, it may determine whether UE#1 is abnormal from the relationship between the statistical information of the SIP messages of UE#1 and the threshold. When the NWDAF uses multiple analysis parameters, it may determine whether UE#1 is abnormal from the relationship between the statistical information of the SIP messages of UE#1 and the thresholds, together with the weight corresponding to each analysis parameter.
For example, the NWDAF may configure the total weight at which a UE is considered abnormal as W; when the current total weight Wt of the UE is greater than or equal to W, the NWDAF determines that the UE is abnormal. For example, the NWDAF combines anomaly detection policy #1 (policy ID "1") and anomaly detection policy #2 to determine whether UE#1 is abnormal. If the number of calls initiated by UE#1 is greater than threshold T1, then Wt=W1; if, while the number of calls initiated by UE#1 is greater than T1, the number of rejected calls initiated by UE#1 is also greater than T2, then Wt=W1+W2; if Wt is greater than or equal to W, the NWDAF may determine that UE#1 is abnormal.
It can be understood that the NWDAF may receive the statistical information of the SIP messages of multiple UEs within a preset time period, and determine whether those UEs are abnormal according to that statistical information.
After determining that the multiple UEs are abnormal, the NWDAF may optionally also determine an abnormal access address from the location information of those UEs.
For example, if the location information of some of the multiple UEs is the same, namely address #1, the NWDAF may determine that address #1 is an abnormal access address. By correlating all abnormal UEs, it can be determined whether a clustered abnormal calling system exists at the abnormal access address.
Based on the above solution, the NWDAF can obtain from the SMF the statistical information of the SIP messages related to the UE's sessions, and determine whether the UE is abnormal according to that statistical information and the anomaly detection policy, so that abnormal behavior of the UE can be effectively prevented.
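The counting in S307 to S310 and the weighted decision in S313, as an added Python example that is not part of the patent text. The IP addresses, peer identifiers, threshold and weight values, and all class and function names are constructed for illustration (the contents of Table 1 are not on this page), and summing the weights of every exceeded policy generalizes the two-policy case described above.

```python
from dataclasses import dataclass, field

# Constructed addresses from documentation ranges; the page only names them
# IPUE#1 and IPP-CSCF.
UE1_IP = "192.0.2.10"
PCSCF_IP = "198.51.100.5"


@dataclass
class SipPacket:
    ts: float    # time at which the UPF detected the packet, in seconds
    src: str
    dst: str
    method: str  # control field: "INVITE", "BYE" or "CANCEL"
    peer: str    # identifier of the other party, e.g. a phone number


@dataclass
class UeSipStats:
    c1_called: int = 0     # counter #1: calls initiated to UE#1 (MT)
    c2_total: int = 0      # counter #2: total calls, MO plus MT
    c3_initiated: int = 0  # counter #3: calls initiated by UE#1 (MO)
    c4_connected: int = 0  # counter #4: MO calls connected (BYE from the peer)
    c5_rejected: int = 0   # counter #5: MO calls rejected (CANCEL from the peer)
    durations: list = field(default_factory=list)
    pending: dict = field(default_factory=dict)  # peer -> time #1 of MO INVITE

    def update(self, p: SipPacket) -> bool:
        """PDR-style match on addresses and method; True if the packet counted."""
        to_ue = p.src == PCSCF_IP and p.dst == UE1_IP
        from_ue = p.src == UE1_IP and p.dst == PCSCF_IP
        if p.method == "INVITE" and to_ue:
            self.c1_called += 1
            self.c2_total += 1
        elif p.method == "INVITE" and from_ue:
            self.c3_initiated += 1
            self.c2_total += 1
            self.pending[p.peer] = p.ts
        elif p.method in ("BYE", "CANCEL") and to_ue and p.peer in self.pending:
            # Only responses that correlate with a recorded MO INVITE are counted.
            t1 = self.pending.pop(p.peer)
            if p.method == "BYE":
                self.c4_connected += 1
                self.durations.append(p.ts - t1)  # time #2 minus time #1
            else:
                self.c5_rejected += 1
        else:
            return False  # other addresses, or a response with no matching INVITE
        return True


# Constructed policy values standing in for T1/W1, T2/W2 and W.
POLICIES = [
    {"id": 1, "item": "c3_initiated", "threshold": 2, "weight": 50},
    {"id": 2, "item": "c5_rejected", "threshold": 1, "weight": 50},
]
W_ABNORMAL = 100


def evaluate(stats, policies=POLICIES, w_abnormal=W_ABNORMAL):
    """Return (Wt, abnormal): Wt sums the weights of all exceeded policies."""
    wt = sum(p["weight"] for p in policies
             if getattr(stats, p["item"]) > p["threshold"])
    return wt, wt >= w_abnormal


def collect(packets):
    stats = UeSipStats()
    for p in packets:
        stats.update(p)
    return stats


def sample_traffic():
    """Constructed trace: three MO calls (one connected, two rejected), one MT call."""
    a, b, c = "tel:+10000000002", "tel:+10000000003", "tel:+10000000004"
    return [
        SipPacket(0.0, UE1_IP, PCSCF_IP, "INVITE", a),
        SipPacket(42.0, PCSCF_IP, UE1_IP, "BYE", a),
        SipPacket(50.0, UE1_IP, PCSCF_IP, "INVITE", b),
        SipPacket(53.0, PCSCF_IP, UE1_IP, "CANCEL", b),
        SipPacket(60.0, UE1_IP, PCSCF_IP, "INVITE", c),
        SipPacket(62.0, PCSCF_IP, UE1_IP, "CANCEL", c),
        SipPacket(70.0, PCSCF_IP, UE1_IP, "INVITE", "tel:+10000000005"),
        SipPacket(75.0, PCSCF_IP, UE1_IP, "BYE", "tel:+10000000009"),  # unmatched
        SipPacket(80.0, "203.0.113.7", PCSCF_IP, "INVITE", a),          # other UE
    ]


if __name__ == "__main__":
    s = collect(sample_traffic())
    print(s.c1_called, s.c2_total, s.c3_initiated, s.c4_connected, s.c5_rejected)
    print(evaluate(s))
```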
图4是本申请实施例提供的一种异常检测的方法400的示意图。方法400可以包括如下步骤。FIG. 4 is a schematic diagram of an anomaly detection method 400 provided by an embodiment of the present application. Method 400 may include the following steps.
S401,SMF开启UE的异常检测流程。S401, SMF starts the abnormality detection process of the UE.
SMF开启UE的异常检测可以理解为SMF开启后续的异常检测流程。SMF enabling the UE's anomaly detection can be understood as SMF enabling the subsequent anomaly detection process.
SMF的异常检测流程可以由运营商配置。示例性地,运营商可以针对网络中特定区域的一个或多个SMF配置异常检测流程。SMF's anomaly detection process can be configured by the operator. For example, the operator can configure an anomaly detection process for one or more SMFs in a specific area of the network.
该步骤可以参考S301的描述,不再赘述。For this step, please refer to the description of S301 and will not be described again.
S402,UE#1向该SMF发送PDU会话建立请求。S402, UE#1 sends a PDU session establishment request to the SMF.
相应地,该SMF接收来自该UE的PDU会话建立请求。Accordingly, the SMF receives the PDU session establishment request from the UE.
该步骤和S302类似。This step is similar to S302.
S403,SMF选择UPF。S403, SMF selects UPF.
该步骤和S303类似。This step is similar to S303.
S404: The SMF sends indication information #2 to the UPF. The indication information #2 instructs the UPF to report information about SIP messages related to UE#1.
Correspondingly, the UPF receives the indication information #2 from the SMF.
For the SIP messages related to UE#1, refer to the description in S304.
The indication information #2 may carry a packet detection rule PDR#2, which is used to match, or in other words detect, data packets of SIP messages related to UE#1.
For example, the rules of PDR#2 may include: identifying data packets whose destination address and/or source address is a specific IP address, for example, data packets whose source address is the IP address of UE#1 (denoted IP_UE#1) and whose destination address is the IP address of the P-CSCF (denoted IP_P-CSCF); or data packets whose source address is the IP address of the peer UE and whose destination address is the IP address of the P-CSCF.
The rules of PDR#2 may also include identifying data packets of a specific type, for example, data packets whose type is SIP message. Further, the rules of PDR#1 also include identifying SIP messages whose control field includes "INVITE", "BYE" or "CANCEL".
A SIP message whose control field includes "INVITE" may also be called a SIP INVITE message. Similarly, a SIP message whose control field includes "BYE" or "CANCEL" may also be called a SIP BYE message or a SIP CANCEL message.
PDR#2 may also include a reporting rule for the UPF to report the information about SIP messages related to UE#1. For example, the reporting rule may be report-on-detection: when the UPF detects the information of one SIP message, the UPF reports the information of that SIP message to the SMF.
S405: The UPF starts detecting SIP messages of UE#1 according to the indication information #2.
In other words, UPF#1 starts detecting SIP messages related to UE#1 according to the indication information #2.
S406: The SMF sends the address of the P-CSCF to UE#1.
The SMF sending the address of the P-CSCF to UE#1 means that the PDU session has been established successfully.
It can be understood that S406 may be performed before or after S405. S406 can be understood as the response to S402.
That is, after receiving the PDU session establishment request of UE#1, the SMF starts the anomaly detection procedure according to the preconfiguration, and the anomaly detection procedure includes S404. After S404, the UPF starts detecting SIP messages related to UE#1.
The SIP messages of UE#1 that the UPF can detect may come from calls initiated by UE#1, for example MO calls, and from calls initiated by the network side, for example MT calls.
It should be noted that this application does not limit the number of occurrences or the order of the above two kinds of calls. For example, within a preset time period the UPF may receive only SIP messages of MO calls initiated by UE#1 and no SIP messages of MT calls; or within a preset time period the UPF may receive only SIP messages of MT calls and no SIP messages of MO calls initiated by UE#1; or the UPF may receive SIP messages of one or more MT calls after receiving SIP messages of one or more calls initiated by UE#1; or the UPF may receive SIP messages of one or more calls initiated by UE#1 after receiving SIP messages of one or more MT calls.
S407: The UPF detects a first data packet according to PDR#2.
The first data packet may include data packet #1. Data packet #1 is a data packet of an MT call initiated by the network side. The type of data packet #1 is SIP message; the control field of data packet #1 includes "INVITE"; the source address of data packet #1 is IP_P-CSCF, and the destination address of data packet #1 is IP_UE#1.
The first data packet may also include data packet #2. Data packet #2 is a data packet of an MO call initiated by UE#1. The content type of data packet #2 is SIP message, the control field of data packet #1 includes "INVITE", the source address is IP_UE#1, and the destination address is IP_P-CSCF.
The first data packet may also include data packet #3. Data packet #3 may be a data packet corresponding to data packet #2. In other words, data packet #3 is a data packet in which the peer UE (the called UE) of the call initiated by UE#1 responds to that call. The destination address of data packet #3 is IP_UE#1, the source address is IP_P-CSCF, the type is SIP message, and the control field includes "BYE".
The first data packet may also include data packet #4. Data packet #4 may be a data packet corresponding to data packet #2. In other words, data packet #4 is a data packet in which the peer UE (the called UE) of the call initiated by UE#1 responds to that call. The destination address of data packet #4 is IP_UE#1, the source address is IP_P-CSCF, the type is SIP message, and the control field includes "CANCEL".
Optionally, the UPF may also determine first information of the first data packet.
The first information may include time information indicating when the first data packet was detected. For example, the time information may include the times at which data packet #2, data packet #3 and data packet #4 were detected.
The first information may also include information of a specific field in the first data packet. For example, the specific field may be used to identify the peer UE called by UE#1; for example, the specific field identifies the phone number of the peer called by UE#1. The specific field may be a field in data packet #2.
It should be noted that, according to the rules of PDR#2, the UPF may report the information about SIP messages related to UE#1 as soon as it detects one first data packet; or the UPF may report the information about SIP messages related to UE#1 to the SMF after detecting multiple data packets; or the UPF may report periodically or at scheduled times.
S408: The UPF sends the information about the SIP messages related to UE#1 to the SMF.
For example, if the UPF detects data packet #1, the information about the SIP message related to UE#1 that the UPF reports to the SMF may be as shown in Table 7.
Table 7
If the UPF detects data packet #2, the information about the SIP message related to UE#1 that the UPF reports to the SMF may be as shown in Table 8.
Table 8
If the UPF detects data packet #3 and/or data packet #4, the information about the SIP message related to UE#1 that the UPF reports to the SMF may be as shown in Table 9.
Table 9
In Tables 7 to 9 above, the calling UE may refer to the UE that initiates the call; the event ID refers to a session event triggered by a UE. For example, when UE#1 initiates a call to UE#2, or in other words UE#1 sends UE#2 a SIP message for initiating a call, the call initiated by UE#1 to UE#2 can be identified as one session event.
S409: The SMF determines the statistical information of the SIP messages based on the information about the SIP messages of UE#1.
For example, if the SMF receives the information of a SIP message with event ID#1, the SMF updates the count of counter #1. Counter #1 counts the number of calls initiated to UE#1. The statistical information of the SIP messages may include the count of counter #1.
After receiving the information of the SIP message with event ID#1, the SMF updates the count of counter #2. Counter #2 counts the total number of calls of UE#1. The total number of calls of UE#1 is the sum of the number of calls the network side initiates to UE#1 and the number of calls UE#1 initiates. The statistical information of the SIP messages may also include the count of counter #2.
If the SMF receives the information of a SIP message with event ID#2, the SMF updates the count of counter #3. Counter #3 counts the number of calls initiated by UE#1. The statistical information of the SIP messages may include the count of counter #3. After receiving the information of the SIP message with event ID#2, the SMF updates the count of counter #2.
If the SMF receives the information of a SIP message with event ID#3, the SMF updates the count of counter #4. Counter #4 counts the number of times calls initiated by UE#1 are hung up. The statistical information of the SIP messages may include the count of counter #4.
Optionally, if the SMF receives the information of a SIP message with event ID#3, the SMF may also correlate it with the information of the SIP message with event ID#2 to determine the duration of the call between UE#1 and the called UE. For example, the SMF determines from the statistical information of the SIP message with event ID#3 that UE#2 sent the SIP BYE message to UE#1 at time #2, and determines from the information of the SIP message with event ID#2 that UE#1 sent the SIP INVITE message to UE#2 at time #1; the SMF can then determine that the duration of the call between UE#1 and the called UE#2 is from time #1 to time #2.
If the SMF receives the information of a SIP message with event ID#4, the SMF updates the count of counter #5. Counter #5 counts the number of times calls initiated by UE#1 are hung up. The statistical information of the SIP messages may include the count of counter #5.
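The S407 to S409 flow, as an added example that is not code from the application: packets are matched on addresses and SIP method in the manner of PDR#2, then folded into counters #1 to #5 and an INVITE-to-BYE duration. It assumes that event ID#N is reported for data packet #N and that INVITE and BYE are correlated by the SIP Call-ID header; all names, addresses and sample messages are constructed.

```python
from collections import Counter
from dataclasses import dataclass, field

# Constructed stand-ins for the UE#1 and P-CSCF addresses (documentation ranges).
IP_UE1 = "192.0.2.10"
IP_PCSCF = "198.51.100.5"


def parse_headers(payload):
    """Return the SIP headers as a dict keyed by lower-cased header name."""
    headers = {}
    for line in payload.split("\r\n")[1:]:
        if not line:  # a blank line ends the header section
            break
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def classify(src, dst, payload):
    """PDR#2-style match: return an event ID (1-4) or None.

    Assumed mapping: event ID#N is reported for data packet #N of S407.
    """
    parts = payload.split("\r\n", 1)[0].split(" ")
    # Only a request line "<METHOD> <URI> SIP/2.0" counts. Searching for the
    # string "INVITE" anywhere would also hit responses ("CSeq: 1 INVITE").
    if len(parts) != 3 or parts[2] != "SIP/2.0":
        return None
    method = parts[0]
    if (src, dst) == (IP_PCSCF, IP_UE1):
        return {"INVITE": 1, "BYE": 3, "CANCEL": 4}.get(method)
    if (src, dst) == (IP_UE1, IP_PCSCF) and method == "INVITE":
        return 2
    return None


@dataclass
class SipStats:
    """SMF-side statistics for one UE; counters[n] is counter #n of S409."""
    counters: Counter = field(default_factory=Counter)
    open_calls: dict = field(default_factory=dict)  # Call-ID -> INVITE time
    durations: list = field(default_factory=list)

    def update(self, event_id, when, call_id):
        if event_id == 1:            # call initiated to UE#1
            self.counters[1] += 1
            self.counters[2] += 1    # counter #2: total calls of UE#1
        elif event_id == 2:          # call initiated by UE#1
            self.counters[3] += 1
            self.counters[2] += 1
            self.open_calls[call_id] = when
        elif event_id == 3:          # BYE received
            self.counters[4] += 1
            start = self.open_calls.pop(call_id, None)
            if start is not None:    # no matching INVITE seen: no duration
                self.durations.append(when - start)
        elif event_id == 4:          # CANCEL received
            self.counters[5] += 1
            self.open_calls.pop(call_id, None)


def msg(start_line, call_id, cseq):
    """Build a minimal constructed SIP message."""
    return f"{start_line}\r\nCall-ID: {call_id}\r\nCSeq: {cseq}\r\n\r\n"


# Constructed capture: (seconds, source, destination, SIP payload).
SAMPLE = [
    (0.0, IP_UE1, IP_PCSCF, msg("INVITE sip:callee-a@example.test SIP/2.0", "a1", "1 INVITE")),
    (2.0, IP_PCSCF, IP_UE1, msg("SIP/2.0 180 Ringing", "a1", "1 INVITE")),
    (12.5, IP_PCSCF, IP_UE1, msg("BYE sip:ue1@example.test SIP/2.0", "a1", "2 BYE")),
    (20.0, IP_PCSCF, IP_UE1, msg("INVITE sip:ue1@example.test SIP/2.0", "b2", "1 INVITE")),
    (30.0, IP_UE1, IP_PCSCF, msg("INVITE sip:callee-b@example.test SIP/2.0", "c3", "1 INVITE")),
    (31.0, IP_PCSCF, IP_UE1, msg("CANCEL sip:ue1@example.test SIP/2.0", "c3", "1 CANCEL")),
    (40.0, "203.0.113.9", "203.0.113.20", msg("INVITE sip:x@example.test SIP/2.0", "d4", "1 INVITE")),
    (41.0, IP_UE1, IP_PCSCF, msg("REGISTER sip:example.test SIP/2.0", "r1", "1 REGISTER")),
]


def aggregate(packets):
    """Classify each packet and fold the resulting reports into SipStats."""
    stats = SipStats()
    for when, src, dst, payload in packets:
        event_id = classify(src, dst, payload)
        if event_id is not None:
            headers = parse_headers(payload)
            # "i" is the compact form of the Call-ID header name.
            stats.update(event_id, when, headers.get("call-id") or headers.get("i"))
    return stats


if __name__ == "__main__":
    result = aggregate(SAMPLE)
    print(dict(result.counters), result.durations)
```

The 180 Ringing response carries "INVITE" in its CSeq header but is not counted, because only the request line is matched.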
S410: The SMF sends the statistical information of the SIP messages of UE#1 to the NWDAF.
Correspondingly, the NWDAF receives the statistical information of the SIP messages of UE#1 from the SMF.
This step is similar to S312; details are not repeated here.
Optionally, before the SMF sends the statistical information of the SIP messages of UE#1 to the NWDAF, the SMF may also send request message #1 to the P-CSCF, where request message #1 is used to request the location information of the peer UE called by UE#1.
Correspondingly, the P-CSCF sends the location information of the peer UE to the SMF.
It can be understood that the statistical information of the SIP messages of UE#1 that the SMF sends to the NWDAF may also include the location information of the peer UE called by UE#1.
S411: The NWDAF determines whether UE#1 is abnormal.
Specifically, the NWDAF determines whether UE#1 is abnormal based on the anomaly detection policy and the statistical information of the SIP messages of UE#1.
The values of the analysis parameters of the anomaly detection policy may be determined from the statistical information of the SIP messages of UE#1.
For details of this step, refer to the description of S313.
After determining that the multiple UEs are abnormal, optionally, the NWDAF may also determine an abnormal access address from the location information of the multiple UEs.
Based on the above solution, the NWDAF can obtain from the SMF the statistical information of SIP messages related to the UE's sessions, and determine whether the UE is abnormal based on that statistical information and the anomaly detection policy, so that abnormal behavior of the UE can be effectively stopped.
FIG. 5 is a schematic diagram of an anomaly detection method 500 provided by an embodiment of the present application. Method 500 may include the following steps.
S501: The SMF starts the anomaly detection procedure for the UE.
The SMF starting anomaly detection for the UE can be understood as the SMF starting the subsequent anomaly detection procedure.
The anomaly detection procedure of the SMF may be configured by the operator. For example, the operator may configure the anomaly detection procedure for one or more SMFs in a specific area of the network.
For example, multiple anomaly detection policies for detecting whether a UE is abnormal may be preconfigured in the SMF (an example of an analysis network element). For the anomaly detection policies, refer to the description in S301; details are not repeated here.
S502: UE#1 sends a PDU session establishment request to the SMF.
Correspondingly, the SMF receives the PDU session establishment request from the UE.
This step is similar to S302.
S503: The SMF selects a UPF.
The UPF is used to transmit the user plane data of UE#1. For how the SMF selects the UPF, refer to the existing related descriptions. This step is similar to S303.
S504: The SMF sends request message #2 to the NWDAF. Request message #2 is used to request selection of an AF that collects statistics on and reports UE session signaling.
Correspondingly, the NWDAF receives request message #2 from the SMF.
The AF that collects statistics on and reports UE session signaling is, for example, a P-CSCF that collects statistics on and reports UE session signaling.
Request message #2 may include the identifier of UE#1, for example, the SUPI, PEI or GPSI of UE#1. Request message #2 may also include the location information of UE#1, for example, the LAC, cell ID, etc. of UE#1.
S505: The NWDAF sends request message #3 to the P-CSCF. Request message #3 is used to request determination of the statistical information of SIP messages related to UE#1.
Correspondingly, the P-CSCF receives request message #3 from the NWDAF.
Request message #3 may include the identifier of UE#1. Optionally, request message #3 also includes the location information of UE#1 and the identifier of the anomaly detection policy.
S506: The NWDAF sends the address of the P-CSCF to the SMF.
Correspondingly, the SMF receives the address of the P-CSCF from the NWDAF.
After the NWDAF receives the P-CSCF's response message to request message #3, the NWDAF sends the address of the P-CSCF to the SMF.
S507: The SMF sends the address of the P-CSCF to UE#1.
The SMF sending the address of the P-CSCF to UE#1 means that the PDU session has been established successfully.
S508: The P-CSCF starts detecting SIP messages related to UE#1 according to request message #3.
The SIP messages of UE#1 that the P-CSCF can count may come from calls initiated by UE#1, for example originating calls (MO calls), and from calls initiated by the peer UE, for example terminating calls (MT calls).
It can be understood that the peer UE is defined relative to UE#1: when UE#1 initiates a call to UE#2, UE#2 may be called the peer UE; when UE#2 initiates a call to UE#1, UE#2 may also be called the peer UE.
It should be noted that this application does not limit the number of occurrences or the order of the above two kinds of calls. For example, within a preset time period the P-CSCF may receive only SIP messages of MO calls initiated by UE#1 and no SIP messages of MT calls; or within a preset time period the P-CSCF may receive only SIP messages of MT calls and no SIP messages of MO calls initiated by UE#1; or the P-CSCF may receive SIP messages of one or more MT calls after receiving SIP messages of one or more calls initiated by UE#1; or the P-CSCF may receive SIP messages of one or more calls initiated by UE#1 after receiving SIP messages of one or more MT calls.
Specifically, the P-CSCF detects a first data packet related to UE#1.
For example, for the first data packet, refer to the description in S407. The first data packet may include at least one of data packet #1, data packet #2, data packet #3 and data packet #4. For data packet #1 to data packet #4, refer to the description of S407.
Optionally, the P-CSCF may also determine first information of the first data packet.
The first information may include time information indicating when the first data packet was detected. For example, the time information may include the times at which data packet #2, data packet #3 and data packet #4 were detected.
The first information may also include information of a specific field in the first data packet. For example, the specific field may be used to identify the peer UE called by UE#1; for example, the specific field identifies the phone number of the peer called by UE#1. The specific field may be a field in data packet #2.
S509: The P-CSCF determines the statistical information of the SIP messages.
For how the P-CSCF determines the statistical information of the SIP messages, refer to the process by which the SMF determines the statistical information of the SIP messages in S409; details are not repeated here.
S510: The P-CSCF sends the statistical information of the SIP messages of UE#1 to the NWDAF.
Correspondingly, the NWDAF receives the statistical information of the SIP messages of UE#1 from the P-CSCF.
This step is similar to S312; details are not repeated here.
After the NWDAF receives the statistical information of the SIP messages of UE#1 from the P-CSCF, optionally, the NWDAF may also request information about UE#1 from the SMF, for example, the SUPI, LAC, cell ID, etc. of UE#1.
S511: The NWDAF determines whether UE#1 is abnormal.
Specifically, the NWDAF determines whether UE#1 is abnormal based on the anomaly detection policy and the statistical information of the SIP messages of UE#1.
The values of the analysis parameters of the anomaly detection policy may be determined from the statistical information of the SIP messages of UE#1.
For details, refer to the description of S313.
After determining that the multiple UEs are abnormal, optionally, the NWDAF may also determine an abnormal access address from the location information of the multiple UEs.
Based on the above solution, the NWDAF can obtain from the SMF the statistical information of SIP messages related to the UE's sessions, and determine whether the UE is abnormal based on that statistical information and the anomaly detection policy, so that abnormal behavior of the UE can be effectively stopped.
It should be understood that the specific examples in the embodiments of the present application are only intended to help those skilled in the art better understand the embodiments of the present application, and do not limit the scope of the embodiments of the present application.
It should also be understood that the sequence numbers of the above processes do not imply an order of execution. The execution order of the processes should be determined by their functions and internal logic, and should not constitute any limitation on the implementation of the embodiments of the present application.
It should also be understood that, in the embodiments of the present application, unless otherwise specified or logically conflicting, the terms and/or descriptions of different embodiments are consistent and may be cross-referenced, and the technical features of different embodiments may be combined according to their internal logical relationships to form new embodiments.
It can be understood that, in the above embodiments of the present application, a method implemented by a communication device may also be implemented by a component (for example, a chip or a circuit) that can be configured inside the communication device.
The anomaly detection method provided by the embodiments of the present application has been described in detail above with reference to FIG. 2 to FIG. 5. The above methods are described mainly from the perspective of interaction between network elements. It can be understood that, to implement the above functions, each network element includes corresponding hardware structures and/or software modules for performing each function. Those skilled in the art should be aware that, in combination with the units and algorithm steps of the examples described in the embodiments disclosed herein, the present application can be implemented in hardware or in a combination of hardware and computer software. Whether a function is performed by hardware or by computer software driving hardware depends on the specific application and design constraints of the technical solution. Skilled persons may use different methods to implement the described functions for each specific application, but such implementations should not be considered beyond the scope of the present application.
The communication apparatus provided by the embodiments of the present application is described in detail below with reference to FIG. 6 to FIG. 8. It should be understood that the descriptions of the apparatus embodiments correspond to the descriptions of the method embodiments. Therefore, for content not described in detail, refer to the method embodiments above; for brevity, some content is not repeated.
FIG. 6 is a schematic block diagram of a communication apparatus 600 provided by an embodiment of the present application. As shown in the figure, the communication apparatus 600 may include a transceiver unit 610 and a processing unit 620.
In one possible design, the communication apparatus 600 may be the first network element in the method embodiments above, or may be a chip used to implement the functions of the first network element in the method embodiments above.
It should be understood that the communication apparatus 600 may correspond to the first network element in method 200 according to the embodiments of the present application, or to the UPF in method 300, method 400 or method 500, or to the P-CSCF in method 500. The communication apparatus 600 may include units for performing the method performed by the first network element in method 200 in FIG. 2, units for performing the method performed by the UPF in method 300 in FIG. 3, method 400 in FIG. 4 or method 500, and units for performing the method performed by the P-CSCF in method 500 in FIG. 5. In addition, the units in the communication apparatus 600 and the other operations and/or functions described above are respectively intended to implement the corresponding procedures of method 200 in FIG. 2 to method 500 in FIG. 5. It should be understood that the specific process by which each unit performs the corresponding steps has been described in detail in the method embodiments above and, for brevity, is not repeated here.
In another possible design, the communication apparatus 600 may be the analysis network element in the method embodiments above, or may be a chip used to implement the functions of the analysis network element in the method embodiments above.
It should be understood that the communication apparatus 600 may correspond to the first analysis network element or the second analysis network element in method 200 according to the embodiments of the present application, and the communication apparatus 600 may include units for performing the method performed by the first analysis network element or the second analysis network element. In addition, the units in the communication apparatus 600 and the other operations and/or functions described above are respectively intended to implement the corresponding procedures of method 200 in FIG. 2. It should be understood that the specific process by which each unit performs the corresponding steps has been described in detail in the method embodiments above and, for brevity, is not repeated here.
Alternatively, the communication apparatus 600 may correspond to the SMF or the NWDAF in method 300, method 400 or method 500. The communication apparatus 600 may include units for performing the method performed by the SMF or the NWDAF in method 400 or method 500 in FIG. 3. In addition, the units in the communication apparatus 600 and the other operations and/or functions described above are respectively intended to implement the corresponding procedures of method 300 in FIG. 3 to method 500 in FIG. 5. It should be understood that the specific process by which each unit performs the corresponding steps has been described in detail in the method embodiments above and, for brevity, is not repeated here.
It should also be understood that the transceiver unit 610 in the communication apparatus 600 may correspond to the transceiver 720 in the communication device 700 shown in FIG. 7. The processing unit 620 in the communication apparatus 600 may correspond to the processor 710 in the communication device 700 shown in FIG. 7.
It should also be understood that, when the communication apparatus 600 is a chip, the chip includes a transceiver unit. For example, the chip may also include a processing unit. The transceiver unit may be an input/output circuit or a communication interface; the processing unit may be a processor, a microprocessor or an integrated circuit integrated on the chip.
The transceiver unit 610 is used to implement the signal sending and receiving operations of the communication apparatus 600, and the processing unit 620 is used to implement the signal processing operations of the communication apparatus 600.
For example, the communication apparatus 600 further includes a storage unit 630, which is used to store instructions.
FIG. 7 is a schematic block diagram of a communication device 700 provided by an embodiment of the present application. As shown in FIG. 7, the communication device 700 includes at least one processor 710 and a communication interface 720. The processor 710 is coupled to a memory and is used to execute instructions stored in the memory to control the communication interface 720 to send and/or receive signals. Exemplarily, the communication device 700 also includes a memory 730 for storing instructions.
It should be understood that the processor 710 and the memory 730 may be combined into one processing apparatus, in which the processor 710 executes the program code stored in the memory 730 to implement the functions described above. In a specific implementation, the memory 730 may also be integrated in the processor 710 or be independent of the processor 710.
It should also be understood that, in one possible design, the communication interface 720 may include a receiver and a transmitter. The communication interface 720 may further include an antenna, and the number of antennas may be one or more. The communication interface 720 may also be an interface circuit.
When the communication device 700 is a chip, the chip includes a transceiver unit and a processing unit. The transceiver unit may be an input/output circuit or a communication interface; the processing unit may be a processor, microprocessor, or integrated circuit integrated on the chip.
FIG. 8 is a schematic diagram of a chip system according to an embodiment of the present application. The chip system here may also be a system composed of circuits. The chip system 800 shown in FIG. 8 includes a logic circuit 810 and an input/output interface 820. The logic circuit is configured to couple with the input interface and to transmit data (for example, first indication information) through the input/output interface, so as to perform the methods described in FIG. 2 to FIG. 5.
An embodiment of the present application also provides a processing apparatus, including a processor and an interface. The processor may be used to execute the methods in the method embodiments above.
It should be understood that the processing apparatus may be a chip. For example, the processing apparatus may be a field programmable gate array (FPGA), an application specific integrated circuit (ASIC), a system on chip (SoC), a central processor unit (CPU), a network processor (NP), a digital signal processor (DSP), a micro controller unit (MCU), a programmable logic device (PLD), or another integrated chip.
During implementation, each step of the above method can be completed by an integrated logic circuit of hardware in the processor or by instructions in the form of software. The steps of the methods provided in the embodiments of the present application can be directly performed by a hardware processor, or performed by a combination of hardware and software modules in the processor. The software module may be located in a storage medium that is mature in the art, such as random access memory, flash memory, read-only memory, programmable read-only memory, electrically erasable programmable memory, or a register. The storage medium is located in the memory; the processor reads the information in the memory and completes the steps of the above method in combination with its hardware. To avoid repetition, this is not described in detail here.
It should be noted that the processor in the embodiments of the present application may be an integrated circuit chip with signal processing capability. During implementation, each step of the method embodiments above can be completed by an integrated logic circuit of hardware in the processor or by instructions in the form of software. The processor may be a general-purpose processor, a digital signal processor (DSP), an application specific integrated circuit (ASIC), a field programmable gate array (FPGA) or another programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component. It can implement or execute the methods, steps, and logical block diagrams disclosed in the embodiments of this application. A general-purpose processor may be a microprocessor, or the processor may be any conventional processor.
It can be understood that the memory in the embodiments of the present application may be a volatile memory or a non-volatile memory, or may include both volatile and non-volatile memory. The non-volatile memory may be read-only memory (ROM), programmable ROM (PROM), erasable PROM (EPROM), electrically EPROM (EEPROM), or flash memory. The volatile memory may be random access memory (RAM), which is used as an external cache.
According to the methods provided by the embodiments of the present application, the present application also provides a computer program product. The computer program product includes computer program code which, when run on a computer, causes the computer to perform the method of any one of the embodiments shown in FIG. 2 to FIG. 5.
According to the methods provided by the embodiments of the present application, the present application also provides a computer-readable medium. The computer-readable medium stores program code which, when run on a computer, causes the computer to perform the method of any one of the embodiments shown in FIG. 2 to FIG. 5.
According to the methods provided by the embodiments of the present application, the present application also provides a communication system, which includes the aforementioned first network element, first analysis network element, and second analysis network element. Exemplarily, the first analysis network element may be a session management network element, and the second analysis network element may be a network data analytics function network element. The communication system may also include a terminal device, which is any one of the terminal devices that require anomaly detection.
Those of ordinary skill in the art will appreciate that the units and algorithm steps of the examples described in conjunction with the embodiments disclosed herein can be implemented with electronic hardware, or with a combination of computer software and electronic hardware. Whether these functions are performed in hardware or software depends on the specific application and design constraints of the technical solution. Skilled artisans may use different methods to implement the described functions for each specific application, but such implementations should not be considered beyond the scope of this application.
Those skilled in the art can clearly understand that, for convenience and brevity of description, the specific working processes of the systems, apparatuses, and units described above can be found in the corresponding processes in the foregoing method embodiments, and are not repeated here.
In the several embodiments provided in this application, it should be understood that the disclosed systems, apparatuses, and methods can be implemented in other ways. For example, the apparatus embodiments described above are only illustrative. The division into units is only a division by logical function, and other divisions are possible in an actual implementation: multiple units or components may be combined or integrated into another system, or some features may be ignored or not performed. In addition, the mutual coupling, direct coupling, or communication connection shown or discussed may be an indirect coupling or communication connection through some interfaces, apparatuses, or units, and may be electrical, mechanical, or in other forms.
The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; that is, they may be located in one place or distributed over multiple network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, the functional units in the embodiments of the present application may be integrated into one processing unit, each unit may exist physically on its own, or two or more units may be integrated into one unit.
If the functions are implemented in the form of software functional units and sold or used as independent products, they can be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the present application in essence, or the part that contributes to the prior art, or a part of the technical solution, can be embodied in the form of a software product. The computer software product is stored in a storage medium and includes several instructions that cause a computer device (which may be a personal computer, a server, a network device, or the like) to perform all or part of the steps of the methods described in the embodiments of this application. The aforementioned storage medium includes various media that can store program code, such as a USB flash drive, a removable hard disk, read-only memory (ROM), random access memory (RAM), a magnetic disk, or an optical disc.
The above are only specific embodiments of the present application, but the protection scope of the present application is not limited thereto. Any change or substitution that a person skilled in the art could readily think of within the technical scope disclosed in the present application shall be covered by the protection scope of this application. Therefore, the protection scope of this application shall be subject to the protection scope of the claims.
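The statistics-and-threshold check recited in claims 2, 3, 8 and 9 below can be implemented as follows. This is an added example, not code from the application: the record field names, the rule table (thresholds, directions, weights), the decision cut-off, the use of population standard deviation as the "dispersion" measure and the pairing of an INVITE with a reply from its callee are assumptions, and the sample records are constructed.

```python
"""Added example: weighted threshold check over per-terminal SIP statistics."""
from dataclasses import dataclass
from statistics import pstdev


@dataclass(frozen=True)
class SipRecord:
    """One reported SIP message (hypothetical field names, content per claim 1)."""
    msg_type: str       # "INVITE", "CANCEL" or "BYE"
    src: str            # source address
    dst: str            # destination address
    sender_device: str  # "first field": device used by the sender
    seen_at: float      # detection time in seconds


# Hypothetical rule table: parameter -> (threshold, direction that counts as a hit, weight).
RULES = {
    "invite_total": (20, "above", 3),
    "cancel_invite_ratio": (0.5, "above", 3),
    "bye_invite_ratio": (0.9, "above", 1),
    "interval_dispersion": (1.0, "below", 2),   # machine-like regular call attempts
    "duration_dispersion": (0.5, "below", 1),   # every answered call ends after the same time
}
DECISION_SCORE = 5  # hypothetical cut-off on the summed weights of the hits


def _dispersion(values):
    """Population standard deviation; None when there are too few samples to judge."""
    return pstdev(values) if len(values) >= 2 else None


def sip_statistics(records, terminal):
    """Per-terminal statistics in the spirit of claim 3, plus the claim 8 parameters."""
    related = sorted((r for r in records if terminal in (r.src, r.dst)),
                     key=lambda r: r.seen_at)
    sent = [r for r in related if r.src == terminal]
    invites = [r for r in sent if r.msg_type == "INVITE"]
    sent_of = lambda kind: sum(1 for r in sent if r.msg_type == kind)
    # "First duration": INVITE sent by the terminal, then the next message of a
    # different type addressed to the terminal. Requiring it to come from the
    # INVITE's callee is an assumption that keeps unrelated calls from pairing.
    durations = []
    for first in invites:
        for second in related:
            if (second.seen_at > first.seen_at and second.dst == terminal
                    and second.src == first.dst
                    and second.msg_type != first.msg_type):
                durations.append(second.seen_at - first.seen_at)
                break
    gaps = [b.seen_at - a.seen_at for a, b in zip(invites, invites[1:])]
    n = len(invites)
    return {
        "invite_total": n,
        "cancel_invite_ratio": sent_of("CANCEL") / n if n else None,
        "bye_invite_ratio": sent_of("BYE") / n if n else None,
        "interval_dispersion": _dispersion(gaps),
        "duration_dispersion": _dispersion(durations),
        "distinct_sender_devices": len({r.sender_device for r in sent}),
    }


def assess(records, terminal, rules=RULES, decision_score=DECISION_SCORE):
    """Compare each parameter with its threshold and sum the weights of the hits."""
    stats = sip_statistics(records, terminal)
    hits = []
    for name, (threshold, direction, weight) in rules.items():
        value = stats[name]
        if value is None:
            continue  # not enough data for this parameter; it contributes nothing
        if (direction == "above" and value > threshold) or \
           (direction == "below" and value < threshold):
            hits.append((name, weight))
    score = sum(weight for _, weight in hits)
    return {"abnormal": score >= decision_score, "score": score,
            "hits": [name for name, _ in hits], "stats": stats}


def constructed_records():
    """Constructed sample: 'ue-a' places a call every 2 s and cancels most of them;
    'ue-b' places three calls at irregular times."""
    records = []
    for i in range(30):
        t, callee = 2.0 * i, f"callee-{i}"
        records.append(SipRecord("INVITE", "ue-a", callee, "dev-1", t))
        if i % 10 == 0:   # three calls are answered and hung up by the callee
            records.append(SipRecord("BYE", callee, "ue-a", "dev-x", t + 1.5))
        else:             # the rest are cancelled by the caller after one second
            records.append(SipRecord("CANCEL", "ue-a", callee, "dev-1", t + 1.0))
    records += [
        SipRecord("INVITE", "ue-b", "x", "dev-2", 0.0),
        SipRecord("BYE", "x", "ue-b", "dev-9", 65.0),
        SipRecord("INVITE", "ue-b", "y", "dev-2", 400.0),
        SipRecord("BYE", "ue-b", "y", "dev-2", 520.0),
        SipRecord("INVITE", "ue-b", "z", "dev-2", 1900.0),
        SipRecord("CANCEL", "ue-b", "z", "dev-2", 1910.0),
    ]
    return records


if __name__ == "__main__":
    for ue in ("ue-a", "ue-b"):
        print(ue, assess(constructed_records(), ue))
```

A parameter with too few samples (for example a single first duration) is skipped rather than scored, so a quiet terminal is not flagged for lack of data.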

Claims (28)

  1. A method of anomaly detection, characterized by comprising:
    receiving first information from a first network element, where the first information includes information of initiation protocol (SIP) messages related to a terminal device;
    determining whether the terminal device is abnormal based on the first information;
    wherein the information of the SIP message includes at least one of the following:
    the type of the SIP message, the source address of the SIP message, the destination address of the SIP message, information of a first field of the SIP message, information of a second field of the SIP message, and time information of when the SIP message was detected; the type of the SIP message includes a SIP invite (INVITE) message, a SIP reject (CANCEL) message, and a SIP hang-up (BYE) message; the first field is used to identify the device used by the sender of the SIP message, and the second field is used to identify the receiver device of the SIP message.
  2. The method according to claim 1, characterized in that, before determining whether the terminal device is abnormal based on the first information, the method further comprises:
    determining statistical information of SIP messages according to the first information;
    wherein determining whether the terminal device is abnormal based on the first information comprises:
    determining whether the terminal device is abnormal based on the statistical information of the SIP messages.
  3. The method according to claim 2, characterized in that the statistical information of the SIP messages includes at least one of the following:
    the total number of SIP messages of the same type, the total number of SIP messages with the same source address and the same type, the total number of SIP messages with the same destination address and the same type, the number of SIP messages with the same source address and different first fields, and first duration information;
    wherein the first duration is determined by the time information of a first SIP message and the time information of a second SIP message, the source address of the first SIP message is the same as the destination address of the second SIP message, and the type of the first SIP message is different from the type of the second SIP message.
  4. The method according to any one of claims 1 to 3, characterized in that:
    receiving the first information from the first network element comprises: a first analysis network element receiving the first information from the first network element;
    determining whether the terminal device is abnormal based on the first information comprises: the first analysis network element or a second analysis network element determining whether the terminal device is abnormal based on the first information, where the first analysis network element is a session management network element or a first network data analytics function network element, and the second analysis network element is a second network data analytics function network element.
  5. The method according to any one of claims 1 to 4, characterized in that the first network element is a user plane network element or an application function network element.
  6. The method according to any one of claims 1 to 5, characterized in that, before receiving the first information from the first network element, the method further comprises:
    receiving a session establishment request from the terminal device;
    sending indication information to the first network element according to the session establishment request, where the indication information indicates that the SIP messages are to be detected according to a first packet detection rule (PDR).
  7. The method according to any one of claims 1 to 6, characterized in that the method further comprises:
    sending the information of the second field of a third SIP message to an application function network element, where the source address of the third SIP message is the address of the terminal device;
    receiving location information of at least one terminal device from the application function network element, where the location information of the at least one terminal device is sent according to the second field of the third SIP message;
    updating the first information, where the first information includes the location information of the at least one terminal device.
  8. The method according to any one of claims 2 to 7, characterized in that determining whether the terminal device is abnormal based on the first information comprises:
    determining the value of a first parameter based on the statistical information of the SIP messages;
    determining whether the terminal device is abnormal based on the magnitude relationship between the value of the first parameter and a first threshold,
    wherein the first parameter includes at least one of the following parameters:
    the ratio of the total number of SIP BYE messages to the total number of SIP INVITE messages, the ratio of the total number of SIP CANCEL messages to the total number of SIP INVITE messages, the total number of SIP INVITE messages, the dispersion of the time information of when SIP messages were detected, the dispersion of the first duration, and the dispersion of the location information of the at least one terminal device.
  9. The method according to claim 8, characterized in that determining whether the terminal device is abnormal based on the first information further comprises:
    determining whether the terminal device is abnormal based on the magnitude relationship between the value of the first parameter and the first threshold, and on a first weight, where the first weight includes a weight corresponding to at least one of the first parameters.
  10. A method of anomaly detection, characterized by comprising:
    a first network element determining first information of a terminal device, where the first information includes information of initiation protocol (SIP) messages related to the terminal device;
    the first network element sending the first information to an analysis network element, where the first information is used to determine whether the terminal device is abnormal;
    wherein the information of the SIP message includes at least one of the following:
    the type of the SIP message, the source address of the SIP message, the destination address of the SIP message, information of a first field of the SIP message, information of a second field of the SIP message, and time information of when the SIP message was detected; the type of the SIP message includes a SIP invite (INVITE) message, a SIP reject (CANCEL) message, and a SIP hang-up (BYE) message; the first field is used to identify the device used by the sender of the SIP message, and the second field is used to identify the receiver device of the SIP message.
  11. The method according to claim 10, characterized in that, before the first network element determines the first information of the terminal device, the method further comprises:
    receiving indication information from the analysis network element, where the indication information indicates that the SIP messages are to be detected according to a first packet detection rule (PDR).
  12. The method according to claim 10 or 11, characterized in that the first network element is a user plane network element or an application function network element.
  13. The method according to any one of claims 10 to 12, characterized in that the analysis network element is a session management network element or a network data analytics function network element.
  14. A communication system, characterized in that the communication system includes a first analysis network element and a second analysis network element,
    the first analysis network element is configured to receive first information from a first network element, where the first information includes information of initiation protocol (SIP) messages related to a terminal device;
    the second analysis network element is configured to determine whether the terminal device is abnormal based on the first information;
    wherein the information of the SIP message includes at least one of the following:
    the type of the SIP message, the source address of the SIP message, the destination address of the SIP message, information of a first field of the SIP message, information of a second field of the SIP message, and time information of when the SIP message was detected; the type of the SIP message includes a SIP invite (INVITE) message, a SIP reject (CANCEL) message, and a SIP hang-up (BYE) message; the first field is used to identify the device used by the sender of the SIP message, and the second field is used to identify the receiver device of the SIP message.
  15. The system according to claim 14, characterized in that:
    the first analysis network element is further configured to determine statistical information of SIP messages according to the first information;
    the second analysis network element is specifically configured to determine whether the terminal device is abnormal based on the statistical information of the SIP messages.
  16. The system according to claim 15, characterized in that the statistical information of the SIP messages includes at least one of the following:
    the total number of SIP messages of the same type, the total number of SIP messages with the same source address and the same type, the total number of SIP messages with the same destination address and the same type, the number of SIP messages with the same source address and different first fields, and first duration information;
    wherein the first duration is determined by the time information of a first SIP message and the time information of a second SIP message, the source address of the first SIP message is the same as the destination address of the second SIP message, and the type of the first SIP message is different from the type of the second SIP message.
  17. The system according to any one of claims 10 to 16, characterized in that the first network element is a user plane network element or an application function network element.
  18. The system according to any one of claims 10 to 17, characterized in that the first analysis network element is further configured to:
    receive a session establishment request from the terminal device;
    send indication information to the first network element according to the session establishment request, where the indication information indicates that the SIP messages are to be detected according to a first packet detection rule (PDR).
  19. The system according to any one of claims 10 to 18, characterized in that the first analysis network element is further configured to:
    send the information of the second field of a third SIP message to an application function network element, where the source address of the third SIP message is the address of the terminal device;
    receive location information of at least one terminal device from the application function network element, where the location information of the at least one terminal device is sent according to the second field of the third SIP message;
    update the first information, where the first information includes the location information of the at least one terminal device.
  20. The system according to any one of claims 11 to 19, characterized in that the second analysis network element is specifically configured to:
    determine the value of a first parameter based on the statistical information of the SIP messages;
    determine whether the terminal device is abnormal based on the magnitude relationship between the value of the first parameter and a first threshold,
    wherein the first parameter includes at least one of the following parameters:
    the ratio of the total number of SIP BYE messages to the total number of SIP INVITE messages, the ratio of the total number of SIP CANCEL messages to the total number of SIP INVITE messages, the total number of SIP INVITE messages, the dispersion of the time information of when SIP messages were detected, the dispersion of the first duration, and the dispersion of the location information of the at least one terminal device.
  21. The system according to claim 20, characterized in that the second analysis network element is specifically configured to:
    determine whether the terminal device is abnormal based on the magnitude relationship between the value of the first parameter and the first threshold, and on a first weight, where the first weight includes a weight corresponding to at least one of the first parameters.
  22. A communication apparatus, characterized by comprising:
    a memory, configured to store a computer program;
    a processor, configured to execute the computer program stored in the memory, so that the communication apparatus performs the method according to any one of claims 1 to 9, or performs the method according to any one of claims 10 to 13.
  23. A computer-readable storage medium, characterized in that a computer program is stored on the computer-readable storage medium, and when the computer program is run by a communication apparatus, the apparatus is caused to perform the method according to any one of claims 1 to 9, or to perform the method according to any one of claims 10 to 13.
  24. A chip system, characterized by comprising:
    a processor, configured to call a computer program from a memory and run it, so that a communication apparatus in which the chip system is installed performs the method according to any one of claims 1 to 9, or performs the method according to any one of claims 10 to 13.
  25. A computer program product containing instructions, characterized in that:
    when it is run on a computer, the computer is caused to perform the method according to any one of claims 1 to 9, or to perform the method according to any one of claims 10 to 13.
  26. 一种异常检测的方法,其特征在于,包括:A method of anomaly detection, characterized by including:
    第一分析网元接收来自第一网元的第一信息,所述第一信息包括与终端设备相关的初始化协议SIP消息的信息;The first analysis network element receives first information from the first network element, where the first information includes information on the initialization protocol SIP message related to the terminal device;
    第二分析网元基于所述第一信息确定所述终端设备是否异常;The second analysis network element determines whether the terminal device is abnormal based on the first information;
    其中,所述SIP消息的信息包括以下信息中的至少一项:Wherein, the information of the SIP message includes at least one of the following information:
    SIP消息的类型,SIP消息的源地址,SIP消息的目标地址,SIP消息的第一字段的信息,SIP消息的第二字段的信息,检测到SIP消息的时间信息,所述SIP消息的类型包括SIP邀请INVITE消息,SIP拒接CANCEL消息以及SIP挂断BYE消息,所述第一字段用于标识SIP消息的发送方所使用的设备,所述第二字段用于标识SIP消息的接收方设备。The type of SIP message, the source address of the SIP message, the destination address of the SIP message, the information of the first field of the SIP message, the information of the second field of the SIP message, the time information of detecting the SIP message, and the type of the SIP message includes SIP invite INVITE message, SIP reject CANCEL message and SIP hang up BYE message, the first field is used to identify the device used by the sender of the SIP message, and the second field is used to identify the recipient device of the SIP message.
  27. An anomaly detection method, characterized by comprising:
    a first network element determines first information of a terminal device, where the first information includes information about a Session Initiation Protocol (SIP) message related to the terminal device;
    the first network element sends the first information to an analysis network element;
    the analysis network element receives the first information from the first network element and determines, based on the first information, whether the terminal device is abnormal;
    wherein the information about the SIP message includes at least one of the following:
    the type of the SIP message, the source address of the SIP message, the destination address of the SIP message, information of a first field of the SIP message, information of a second field of the SIP message, and time information of detecting the SIP message, where the type of the SIP message includes a SIP invite (INVITE) message, a SIP reject (CANCEL) message and a SIP hang-up (BYE) message, the first field is used to identify the device used by the sender of the SIP message, and the second field is used to identify the recipient device of the SIP message.
  28. A communication system, characterized in that the communication system includes a first network element and an analysis network element,
    the first network element is configured to: determine first information of a terminal device, and send the first information to the analysis network element, where the first information includes information about a Session Initiation Protocol (SIP) message related to the terminal device;
    the analysis network element is configured to: receive the first information from the first network element, and determine, based on the first information, whether the terminal device is abnormal;
    wherein the information about the SIP message includes at least one of the following:
    the type of the SIP message, the source address of the SIP message, the destination address of the SIP message, information of a first field of the SIP message, information of a second field of the SIP message, and time information of detecting the SIP message, where the type of the SIP message includes a SIP invite (INVITE) message, a SIP reject (CANCEL) message and a SIP hang-up (BYE) message, the first field is used to identify the device used by the sender of the SIP message, and the second field is used to identify the recipient device of the SIP message.
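The split in claims 27 and 28 can be sketched as follows; this is an added example, not code from the application. It assumes the source and destination addresses are the From and To URIs, that the "first field" is the User-Agent header, and that "abnormal" means more than `max_invites` INVITEs from one source inside a sliding window. The claims fix none of these, and the "second field" is left out because the claims do not name it.

```python
import re
from collections import defaultdict, deque
from typing import NamedTuple, Optional
class SipInfo(NamedTuple):
    msg_type: str       # INVITE, CANCEL or BYE
    source: str         # source address (assumption: From URI)
    destination: str    # destination address (assumption: To URI)
    sender_device: str  # "first field" (assumption: User-Agent header)
    detected_at: float  # time the message was detected, in seconds

def _uri(value: str) -> str:
    m = re.search(r"<([^>]+)>", value)
    return m.group(1) if m else value.split(";", 1)[0].strip()

def extract_info(raw: str, detected_at: float) -> Optional[SipInfo]:
    """First network element: reduce one raw SIP request to a record."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    method = lines[0].split(" ", 1)[0].upper()
    if method not in ("INVITE", "CANCEL", "BYE"):
        return None  # responses and other methods are not reported
    parts = (line.partition(":") for line in lines[1:])
    hdr = {n.strip().lower(): v.strip() for n, sep, v in parts if sep}
    if "from" not in hdr or "to" not in hdr:
        return None  # malformed request: nothing reliable to report
    return SipInfo(method, _uri(hdr["from"]), _uri(hdr["to"]),
                   hdr.get("user-agent", ""), detected_at)

def abnormal_sources(records, window=60.0, max_invites=3):
    """Analysis network element: sources with too many INVITEs per window."""
    invites = sorted((r for r in records if r.msg_type == "INVITE"),
                     key=lambda r: r.detected_at)
    recent, flagged = defaultdict(deque), set()
    for r in invites:
        q = recent[r.source]
        q.append(r.detected_at)
        while r.detected_at - q[0] > window:  # drop times outside the window
            q.popleft()
        if len(q) > max_invites:
            flagged.add(r.source)
    return flagged

def _msg(method: str, frm: str, to: str) -> str:  # constructed sample request
    return (f"{method} sip:{to} SIP/2.0\r\nFrom: <sip:{frm}>;tag=1\r\n"
            f"To: <sip:{to}>\r\nUser-Agent: ExamplePhone/1.0\r\n\r\n")
# Constructed sample: "a" sends five INVITEs in 40 s, "b" makes one normal call.
SAMPLE = [extract_info(_msg("INVITE", "a@example.test", f"u{i}@example.test"),
                       10.0 * i) for i in range(5)]
SAMPLE += [extract_info(_msg("INVITE", "b@example.test", "c@example.test"), 5.0),
           extract_info(_msg("BYE", "b@example.test", "c@example.test"), 50.0)]
```

Calling `abnormal_sources(SAMPLE)` flags only the source that sent five INVITEs; the window and threshold are tuning parameters chosen for the sample.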
PCT/CN2023/103209 2022-07-30 2023-06-28 Anomaly detection method and communication apparatus WO2024027381A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202210912476.7A CN117528612A (en) 2022-07-30 2022-07-30 Abnormality detection method and communication device
CN202210912476.7 2022-07-30

Publications (1)

Publication Number Publication Date
WO2024027381A1 (en) 2024-02-08

Family

ID=89757216

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2023/103209 WO2024027381A1 (en) 2022-07-30 2023-06-28 Anomaly detection method and communication apparatus

Country Status (2)

Country Link
CN (1) CN117528612A (en)
WO (1) WO2024027381A1 (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR101388628B1 (en) * 2013-11-07 2014-04-24 한국인터넷진흥원 Method for blocking abnormal traffic in 4g mobile network
CN104519012A (en) * 2013-09-27 2015-04-15 上海信擎信息技术有限公司 SIP-protocol-based method and system for detecting communication network attack
CN105407543A (en) * 2015-12-31 2016-03-16 宇龙计算机通信科技(深圳)有限公司 Call control method and core network device
CN111770490A (en) * 2019-04-02 2020-10-13 电信科学技术研究院有限公司 Method and equipment for determining terminal behavior analysis

Also Published As

Publication number Publication date
CN117528612A (en) 2024-02-06

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 23849091

Country of ref document: EP

Kind code of ref document: A1