CN109040127B - Diameter flood attack detection device and method - Google Patents
Diameter flood attack detection device and method
- Publication number: CN109040127B (application CN201811086841.3A)
- Authority: CN (China)
- Prior art keywords: state machine, signaling, parameter, parameters, matching
- Legal status: Active (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
- H—ELECTRICITY; H04—ELECTRIC COMMUNICATION TECHNIQUE; H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security; H04L63/14—for detecting or protecting against malicious traffic; H04L63/1408—by monitoring network traffic; H04L63/1416—Event detection, e.g. attack signature detection
- H04L41/00—Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks; H04L41/06—Management of faults, events, alarms or notifications; H04L41/0631—using root cause analysis; using analysis of correlation between notifications, alarms or events based on decision criteria, e.g. hierarchy, tree or time analysis
- H04L43/00—Arrangements for monitoring or testing data switching networks; H04L43/16—Threshold monitoring
- H04L65/00—Network arrangements, protocols or services for supporting real-time applications in data packet communication; H04L65/10—Architectures or entities; H04L65/1016—IP multimedia subsystem [IMS]
Description
Technical Field
The invention belongs to the field of communication security and in particular relates to a device and method for detecting Diameter flood attacks. It is applicable to the IMS network of a mobile communication network and provides security detection of, and early warning for, Diameter flood attacks.
Background
IMS (IP Multimedia Subsystem) is a network architecture that provides voice and multimedia services over an IP network. IMS converges fixed-line, mobile and Internet services, and converges multimedia services such as voice, data and video; it is the core technology of next-generation networks.
In the IMS architecture the HSS (Home Subscriber Server) is the central store of subscriber data and is responsible for the authentication and authorization of all subscribers. Diameter is the main protocol between the HSS and the CSCF (Call Session Control Function). Because the IMS core network runs entirely over IP, it inherits the vulnerabilities of IP networks and is therefore exposed to many forms of network attack, in particular flood attacks that use the Diameter protocol. A Diameter flood attack sends large volumes of Diameter signaling to key network elements such as the HSS and CSCF, consuming their service and network resources and degrading or even denying their service. A method for detecting Diameter flood attacks in the IMS network is therefore important for securing the core network elements, and is an important technical means of safeguarding the overall service quality and reliability of the IMS network.
Summary of the Invention
To this end, the invention provides a device and method for detecting Diameter flood attacks. The device is deployed in front of a CSCF or HSS entity, extracts the key parameters of Diameter messages to build state machines, analyzes and counts all Diameter signaling passing through it, and raises an alarm when a Diameter message flow exceeds a threshold. It is easy to integrate and improves the security of the communication network.
According to the design provided by the invention, a Diameter flood attack detection device is deployed in front of a network element of the network architecture, detects flood attacks in the signaling flow in real time and issues early warnings. The device comprises a parameter extraction module, a signaling flow analysis module and a detection and alarm module, wherein:
The parameter extraction module extracts the signaling message parameters from the passing signaling and performs state machine matching on them; the signaling message parameters comprise a session identifier parameter, a source host parameter and a user name parameter, and a counter is set up and initialized for each signaling message parameter;
The signaling flow analysis module performs early-warning analysis of the signaling message parameters according to the state machine matching result and the counter values;
The detection and alarm module raises a flood attack alarm according to the result of the early-warning analysis of the signaling message parameters.
Further, the parameter extraction module also comprises a state machine query sub-module, which first queries whether a state machine matches the extracted signaling message parameters and, according to the query result, creates a state machine for coordinated control and stores the signaling message parameters in it.
Further, the signaling flow analysis module comprises a session identifier analysis sub-module, a source host analysis sub-module and a user name analysis sub-module, wherein:
The session identifier analysis sub-module matches the session identifier parameter of the passing signaling against the value stored in the state machine; if they match, the counter for that parameter is incremented, the counter value is compared with a preset session identifier flood threshold, and the early-warning analysis result is obtained from the comparison;
The source host analysis sub-module matches the source host parameter of the passing signaling against the value stored in the state machine; if they match, the counter for that parameter is incremented, the counter value is compared with a preset source host flood threshold, and the early-warning analysis result is obtained from the comparison;
The user name analysis sub-module matches the user name parameter of the passing signaling against the value stored in the state machine; if they match, the counter for that parameter is incremented, the counter value is compared with a preset user name flood threshold, and the early-warning analysis result is obtained from the comparison.
Preferably, the signaling flow analysis module further comprises a state machine timeout processing sub-module, which determines whether the state machine has timed out from the state machine creation time, the current time and preset time periods, and performs timeout processing on the state machine according to the result.
Further, the state machine timeout processing sub-module comprises a state machine deletion unit and a counter clearing unit, wherein:
The state machine deletion unit compares the time elapsed between the state machine creation time and the current time with a preset destruction period and deletes the state machine according to the result;
The counter clearing unit compares the time elapsed between the state machine creation time and the current time with a preset clearing period and zeroes each signaling message parameter counter in the state machine according to the result.
A Diameter flood attack detection method comprises the following:
A) extracting the signaling message parameters from the passing signaling and performing state machine matching on them, the signaling message parameters comprising a session identifier parameter, a source host parameter and a user name parameter, and setting up and initializing a counter for each signaling message parameter;
B) performing early-warning analysis of the signaling message parameters according to the state machine matching result and the counter values;
C) raising a flood attack alarm according to the result of the early-warning analysis of the signaling message parameters.
In the above method, in A), whether a state machine matches the extracted signaling message parameters is queried and, according to the query result, a state machine for coordinated control is created and the signaling message parameters are stored in it.
In the above method, in B), the early-warning analysis of the signaling message parameters specifically comprises:
B1) matching the session identifier parameter of the passing signaling against the value stored in the state machine; if they match, the counter for that parameter is incremented, the counter value is compared with the preset session identifier flood threshold, and the early-warning analysis result is obtained from the comparison; if they do not match, proceed to step B2);
B2) matching the source host parameter of the passing signaling against the value stored in the state machine; if they match, the counter for that parameter is incremented, the counter value is compared with the preset source host flood threshold, and the early-warning analysis result is obtained from the comparison; if they do not match, proceed to step B3);
B3) matching the user name parameter of the passing signaling against the value stored in the state machine; if they match, the counter for that parameter is incremented, the counter value is compared with the preset user name flood threshold, and the early-warning analysis result is obtained from the comparison; if they do not match, read the next passing signaling message.
In the above method, in B), the early-warning analysis result is either a threshold-exceeded case or a threshold-not-exceeded case.
In the above method, in C), a flood attack alarm is raised for a threshold-exceeded result; for a threshold-not-exceeded result no alarm is raised and extraction continues with the next passing signaling message.
Beneficial Effects of the Invention
In the invention, the detection device is deployed in front of a CSCF or HSS entity, extracts the key parameters of Diameter messages to build state machines, analyzes and counts all Diameter signaling passing through it, and raises an alarm when a Diameter message flow exceeds a threshold. It is applicable to the IMS network of a mobile communication network, provides security detection of and early warning for Diameter flood attacks, automatically identifies and detects Diameter protocol flood attacks from the IMS signaling flow, detects and warns of Diameter flood attack flows within the signaling flow, improves the security of the IMS network, and is of significant guiding value for the security of communication networks.
Description of the Drawings
FIG. 1 is a schematic diagram of the detection device in an embodiment;
FIG. 2 is a schematic diagram of the signaling flow analysis module in an embodiment;
FIG. 3 is a schematic diagram of the state machine timeout processing sub-module in an embodiment;
FIG. 4 is a first flow chart of the detection method in an embodiment;
FIG. 5 is a schematic diagram of the entities involved in Diameter protocol signaling in an embodiment;
FIG. 6 is a second flow chart of the detection method in an embodiment;
FIG. 7 is a schematic diagram of the state machine in an embodiment;
FIG. 8 is a schematic diagram of the Diameter message parameters in an embodiment.
Detailed Description
To make the objectives, technical solutions and advantages of the invention clearer, the invention is described in further detail below with reference to the accompanying drawings and technical solutions.
A Diameter message consists of two parts: a message header and a message body. The header is at the front of the message and comprises the protocol version, message length, command code, Application-ID, hop-by-hop identifier and end-to-end identifier, as shown in FIG. 8. The body consists of multiple AVPs, each made up of AVP Code, AVP Flags, AVP Length, Vendor-ID and Data, also shown in FIG. 8. Because the IMS core network runs entirely over IP, it inherits the vulnerabilities of IP networks and is therefore exposed to many forms of network attack, in particular flood attacks that use the Diameter protocol. A Diameter flood attack sends large volumes of Diameter signaling to key network elements such as the HSS and CSCF, consuming their service and network resources and degrading or even denying their service. To this end, an embodiment of the invention, shown in FIG. 1, provides a Diameter flood attack detection device comprising a parameter extraction module, a signaling flow analysis module and a detection and alarm module, wherein:
The parameter extraction module extracts the signaling message parameters from the passing signaling and performs state machine matching on them; the signaling message parameters comprise a session identifier parameter, a source host parameter and a user name parameter, and a counter is set up and initialized for each signaling message parameter;
The signaling flow analysis module performs early-warning analysis of the signaling message parameters according to the state machine matching result and the counter values;
The detection and alarm module raises a flood attack alarm according to the result of the early-warning analysis of the signaling message parameters.
The detection device is deployed in front of a network element of the network architecture and detects flood attacks in the signaling flow in real time and issues early warnings. Referring to FIG. 5, the detection device of the embodiment may be deployed in front of a CSCF or HSS entity to detect and warn, in real time, on the continuous Diameter signaling flow of the IMS network.
When state machine matching is performed on the signaling message parameters, in order to avoid unsuccessful matches, in another embodiment of the invention the parameter extraction module further comprises a state machine query sub-module, which first queries whether a state machine matches the extracted signaling message parameters and, according to the query result, creates a state machine for coordinated control and stores the signaling message parameters in it.
For the early-warning analysis of the signaling based on the counters and the state machine matching result, in a further embodiment of the invention analysis sub-modules are provided for the session identifier, source host and user name parameters of the signaling message. Specifically, referring to FIG. 2, the signaling flow analysis module comprises a session identifier analysis sub-module, a source host analysis sub-module and a user name analysis sub-module, wherein:
The session identifier analysis sub-module matches the session identifier parameter of the passing signaling against the value stored in the state machine; if they match, the counter for that parameter is incremented, the counter value is compared with a preset session identifier flood threshold, and the early-warning analysis result is obtained from the comparison;
The source host analysis sub-module matches the source host parameter of the passing signaling against the value stored in the state machine; if they match, the counter for that parameter is incremented, the counter value is compared with a preset source host flood threshold, and the early-warning analysis result is obtained from the comparison;
The user name analysis sub-module matches the user name parameter of the passing signaling against the value stored in the state machine; if they match, the counter for that parameter is incremented, the counter value is compared with a preset user name flood threshold, and the early-warning analysis result is obtained from the comparison.
During the early-warning analysis of the signaling flow, in a further embodiment of the invention the signaling flow analysis module further comprises a state machine timeout processing sub-module, which determines whether the state machine has timed out from the state machine creation time, the current time and preset time periods, and performs timeout processing on the state machine according to the result.
For the timeout processing of the state machine, further, referring to FIG. 3, the state machine timeout processing sub-module comprises a state machine deletion unit and a counter clearing unit, wherein:
The state machine deletion unit compares the time elapsed between the state machine creation time and the current time with a preset destruction period and deletes the state machine according to the result;
The counter clearing unit compares the time elapsed between the state machine creation time and the current time with a preset clearing period and zeroes each signaling message parameter counter in the state machine according to the result.
Based on the detection device above, an embodiment of the invention further provides a Diameter flood attack detection method, shown in FIG. 4, comprising the following:
extracting the signaling message parameters from the passing signaling and performing state machine matching on them, the signaling message parameters comprising a session identifier parameter, a source host parameter and a user name parameter, and setting up and initializing a counter for each signaling message parameter;
performing early-warning analysis of the signaling message parameters according to the state machine matching result and the counter values;
raising a flood attack alarm according to the result of the early-warning analysis of the signaling message parameters.
In an embodiment of the detection method of the invention, whether a state machine matches the extracted signaling message parameters is queried and, according to the query result, a state machine for coordinated control is created and the signaling message parameters are stored in it.
In a further embodiment of the detection method of the invention, the early-warning analysis of the signaling message parameters specifically comprises:
B1) matching the session identifier parameter of the passing signaling against the value stored in the state machine; if they match, the counter for that parameter is incremented, the counter value is compared with the preset session identifier flood threshold, and the early-warning analysis result is obtained from the comparison; if they do not match, proceed to step B2);
B2) matching the source host parameter of the passing signaling against the value stored in the state machine; if they match, the counter for that parameter is incremented, the counter value is compared with the preset source host flood threshold, and the early-warning analysis result is obtained from the comparison; if they do not match, proceed to step B3);
B3) matching the user name parameter of the passing signaling against the value stored in the state machine; if they match, the counter for that parameter is incremented, the counter value is compared with the preset user name flood threshold, and the early-warning analysis result is obtained from the comparison; if they do not match, read the next passing signaling message.
The early-warning analysis result is either a threshold-exceeded case or a threshold-not-exceeded case.
A flood attack alarm is raised for a threshold-exceeded result; for a threshold-not-exceeded result no alarm is raised and extraction continues with the next passing signaling message.
为进一步验证本发明的有效性,如图6所示,通过具体的Diameter信令进行说明:In order to further verify the validity of the present invention, as shown in FIG. 6 , the specific Diameter signaling is used to illustrate:
步骤(一):读取一条Diameter信令消息,提取主要参数,包括:Session-id(后续简称SD)、Origin-Host(后续简称OH)和User-Name(后续简称UN),其在消息中的位置如图8所示;Step (1): Read a Diameter signaling message and extract the main parameters, including: Session-id (hereinafter referred to as SD), Origin-Host (hereinafter referred to as OH) and User-Name (hereinafter referred to as UN), which are in the message The location is shown in Figure 8;
Step (2): As shown in Figure 7, search all existing state machines for one that matches the parameters extracted above (Session-Id, Origin-Host and User-Name). If none exists, create a state machine, store the parameters, set its same-SD count, same-OH count and same-UN count to 0, record the creation time T_create, and jump to step (7). If one exists, continue.
Step (3): Check whether the state machine has timed out. If (T_now - T_create) > T_destroy, delete the state machine (T_now is the current time and T_destroy is the configurable destruction threshold). If (T_now - T_create) > T_clear, reset the state machine's same-SD count, same-OH count and same-UN count to 0 (T_clear is the configurable clearing threshold). If it has not timed out, continue.
Step (4): If the Session-Id of the message equals the one stored in the state machine, increment the same-SD count by 1; if the same-SD count now exceeds N_SD (the flood threshold for identical Session-Id), raise a flood attack alarm, otherwise jump to step (7).
Step (5): If the Origin-Host of the message equals the one stored in the state machine, increment the same-OH count by 1; if the same-OH count now exceeds N_OH (the flood threshold for identical Origin-Host), raise a flood attack alarm, otherwise jump to step (7).
Step (6): If the User-Name of the message equals the one stored in the state machine, increment the same-UN count by 1; if the same-UN count now exceeds N_UN (the flood threshold for identical User-Name), raise a flood attack alarm, otherwise jump to step (7).
Step (7): Process the next Diameter message.
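The procedure of steps (2) to (7), as an added example in Python; this is not code from the patent. It assumes that the parameters extracted in step (1) are the Session-Id, Origin-Host and User-Name AVPs; that a state machine "matches" in step (2) when any one of its three stored parameters equals the message's (the text does not define the matching rule); that after a T_destroy deletion the message is dropped and processing moves to step (7); and that the T_clear timer restarts from the last clearing rather than from T_create (the text measures both timers from T_create, under which, once T_clear has elapsed, every later message would re-zero the counters and no threshold could be reached again before T_destroy). The timestamps and AVP values are constructed sample input, not captured traffic.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class StateMachine:
    """One state machine: the stored parameters, its timers and the three counters."""
    session_id: str            # SD
    origin_host: str           # OH
    user_name: str             # UN
    t_create: float            # T_create, compared against T_destroy
    t_window: float            # start of the current counting window, compared against T_clear (assumption)
    n_sd: int = 0              # "same SD" count
    n_oh: int = 0              # "same OH" count
    n_un: int = 0              # "same UN" count


class DiameterFloodDetector:
    def __init__(self, n_sd: int, n_oh: int, n_un: int, t_clear: float, t_destroy: float):
        self.n_sd, self.n_oh, self.n_un = n_sd, n_oh, n_un      # N_SD, N_OH, N_UN
        self.t_clear, self.t_destroy = t_clear, t_destroy        # T_clear, T_destroy
        self.machines = []                                       # all state machines

    def _find(self, sd: str, oh: str, un: str) -> Optional[StateMachine]:
        # Step (2) lookup. Assumption: a machine matches when any one of the
        # three stored parameters equals the message's.
        for sm in self.machines:
            if sd == sm.session_id or oh == sm.origin_host or un == sm.user_name:
                return sm
        return None

    def process(self, now: float, sd: str, oh: str, un: str) -> Optional[str]:
        """Run steps (2)-(7) for one message whose AVPs were already extracted.
        Returns the alarm name, or None when the message raises no alarm."""
        sm = self._find(sd, oh, un)
        if sm is None:                                   # step (2): no match -> create, go to (7)
            self.machines.append(StateMachine(sd, oh, un, now, now))
            return None
        if now - sm.t_create > self.t_destroy:           # step (3): T_destroy exceeded -> delete
            self.machines.remove(sm)                     # assumption: then go to (7)
            return None
        if now - sm.t_window > self.t_clear:             # step (3): T_clear exceeded -> zero counters
            sm.n_sd = sm.n_oh = sm.n_un = 0
            sm.t_window = now                            # assumption: restart the clear window
        if sd == sm.session_id:                          # step (4)
            sm.n_sd += 1
            return "flood:Session-Id" if sm.n_sd > self.n_sd else None
        if oh == sm.origin_host:                         # step (5)
            sm.n_oh += 1
            return "flood:Origin-Host" if sm.n_oh > self.n_oh else None
        if un == sm.user_name:                           # step (6)
            sm.n_un += 1
            return "flood:User-Name" if sm.n_un > self.n_un else None
        return None                                      # step (7)


# Constructed sample input (not captured traffic): (time in s, Session-Id, Origin-Host, User-Name).
SD_A, SD_B = "pcscf1.ims.example;1;1", "pcscf1.ims.example;2;1"
OH_1 = "pcscf1.ims.example"
SAMPLE_MESSAGES = [
    (0.0,  SD_A, OH_1, "alice@ims.example"),   # creates the state machine
    (1.0,  SD_A, OH_1, "alice@ims.example"),   # same SD: n_sd = 1
    (2.0,  SD_A, OH_1, "alice@ims.example"),   # n_sd = 2
    (3.0,  SD_A, OH_1, "alice@ims.example"),   # n_sd = 3, not above N_SD = 3
    (4.0,  SD_A, OH_1, "alice@ims.example"),   # n_sd = 4 > N_SD -> alarm
    (5.0,  SD_B, OH_1, "bob@ims.example"),     # different SD, same OH: n_oh = 1
    (20.0, SD_A, OH_1, "alice@ims.example"),   # T_clear (10 s) elapsed: counters zeroed, n_sd = 1
    (70.0, SD_A, OH_1, "alice@ims.example"),   # T_destroy (60 s) elapsed: machine deleted
    (71.0, SD_A, OH_1, "alice@ims.example"),   # fresh machine, counters at 0
]


def run(messages=SAMPLE_MESSAGES, n_sd=3, n_oh=5, n_un=5, t_clear=10.0, t_destroy=60.0):
    """Feed the messages through the detector; return (alarms as (index, name), detector)."""
    det = DiameterFloodDetector(n_sd, n_oh, n_un, t_clear, t_destroy)
    alarms = []
    for i, (t, sd, oh, un) in enumerate(messages):
        alarm = det.process(t, sd, oh, un)
        if alarm:
            alarms.append((i, alarm))
    return alarms, det


if __name__ == "__main__":
    alarms, det = run()
    print(alarms)   # [(4, 'flood:Session-Id')]
```

N_SD, N_OH, N_UN, T_clear and T_destroy are the configurable values of the text. A flat list scanned once per message is enough to show the logic; on live IMS signaling the state machines would be indexed by each of the three keys, and since `_find` returns the first match, a message that matches two different machines on different fields is counted only against the first. The counts are raw repetitions inside the clear window, so T_clear is what turns each N threshold into an implied rate.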
In the embodiment of the invention, Diameter protocol flood attacks are automatically identified and detected from the IMS signaling flow: flood attack traffic is detected in the signaling flow and an early warning is raised, which improves the security of the IMS network, effectively ensures the security and reliability of the communication network, and is of great significance to the secure development of communication networks.
The embodiments in this specification are described in a progressive manner; each embodiment focuses on its differences from the others, and the same or similar parts of the embodiments may be referred to one another. Since the device disclosed in the embodiments corresponds to the method disclosed in the embodiments, its description is relatively brief; for relevant details, refer to the description of the method.
The units and method steps of the examples described in connection with the embodiments disclosed herein can be implemented in electronic hardware, computer software, or a combination of the two. To illustrate the interchangeability of hardware and software clearly, the components and steps of each example have been described above generally in terms of their function. Whether these functions are performed in hardware or in software depends on the particular application and design constraints of the technical solution. A person of ordinary skill in the art may implement the described functions in different ways for each particular application, and such implementations are not considered to go beyond the scope of the invention.
A person of ordinary skill in the art will understand that all or some of the steps of the above method can be completed by a program instructing the relevant hardware, and the program may be stored in a computer-readable storage medium such as a read-only memory, a magnetic disk or an optical disc. Optionally, all or some of the steps of the above embodiments may also be implemented using one or more integrated circuits; correspondingly, each module/unit of the above embodiments may be implemented in the form of hardware or in the form of a software functional module. The invention is not limited to any particular combination of hardware and software.
The above description of the disclosed embodiments enables a person skilled in the art to make or use the present application. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the general principles defined herein may be implemented in other embodiments without departing from the spirit or scope of the present application. Therefore, the present application is not limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.
Claims (8)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201811086841.3A CN109040127B (en) | 2018-09-18 | 2018-09-18 | Diameter flood attack detection device and method |
Publications (2)
Publication Number | Publication Date |
---|---|
CN109040127A CN109040127A (en) | 2018-12-18 |
CN109040127B true CN109040127B (en) | 2020-11-03 |
Family
ID=64616721
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201811086841.3A Active CN109040127B (en) | 2018-09-18 | 2018-09-18 | Diameter flood attack detection device and method |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN109040127B (en) |
Families Citing this family (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN113115314B (en) * | 2021-03-30 | 2022-11-01 | 中国人民解放军战略支援部队信息工程大学 | A 4G mobile communication network HSS signaling protection method and device |
CN119967416B (en) * | 2025-01-26 | 2025-09-26 | 中国人民解放军网络空间部队信息工程大学 | Method and device for detecting illegal access network element of DRA equipment based on signaling fusion analysis technology |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1968280A (en) * | 2006-11-23 | 2007-05-23 | 华为技术有限公司 | System and method for detecting and filtering invalid header field |
EP1830536A1 (en) * | 2006-03-01 | 2007-09-05 | Siemens Aktiengesellschaft | Method for self-provisioning of subscriber data in the IP multimedia subsystem (IMS) |
CN102075924A (en) * | 2010-11-22 | 2011-05-25 | 北京邮电大学 | Session state based method and system for detecting vulnerability of internet protocol (IP) multimedia subsystem (IMS) |
CN104468506A (en) * | 2014-10-28 | 2015-03-25 | 大唐移动通信设备有限公司 | Session state detection method and device |
CN108076019A (en) * | 2016-11-17 | 2018-05-25 | 北京金山云网络技术有限公司 | Anomalous traffic detection method and device based on traffic mirroring |
Family Cites Families (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US8375453B2 (en) * | 2008-05-21 | 2013-02-12 | At&T Intellectual Property I, Lp | Methods and apparatus to mitigate a denial-of-service attack in a voice over internet protocol network |
2018
- 2018-09-18 CN CN201811086841.3A, patent CN109040127B, status: Active
Non-Patent Citations (3)
Title |
---|
陈慧敏 (Chen Huimin), "IMS网络安全威胁及测试方法研究" (Research on IMS network security threats and testing methods), 现代电信科技 (Modern Telecommunications Technology), no. 2, 2013-02-25, pp. 66-72 * |
郭严赞 等 (Guo Yanzan et al.), "IMS网络Diameter协议流程漏洞挖掘" (Vulnerability mining of Diameter protocol flows in IMS networks), 计算机工程 (Computer Engineering), vol. 39, no. 9, 2013-09-15, pp. 6-11 * |
Sengar, H. et al., "VoIP intrusion detection through interacting protocol state machines", International Conference on Dependable Systems and Networks, 2006-06-30, pp. 393-402 * |
Also Published As
Publication number | Publication date |
---|---|
CN109040127A (en) | 2018-12-18 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN111131310B (en) | Access control method, device, system, computer device and storage medium | |
CN112887274B (en) | Method and device for detecting command injection attack, computer equipment and storage medium | |
CN103795709A (en) | Network security detection method and system | |
CN101136922A (en) | Service flow identification method and device, distributed denial of service attack defense method and system | |
CN109040127B (en) | Diameter flood attack detection device and method | |
CN100479396C (en) | Method and device for detecting the message attack | |
CN102045300A (en) | Detecting method, device and system of botnet | |
CN101540758A (en) | Method, device and system for inhibiting waste service | |
CN113489702A (en) | Interface current limiting method and device and electronic equipment | |
CN113132316A (en) | Web attack detection method and device, electronic equipment and storage medium | |
CN116546545A (en) | A signaling storm detection method, device, electronic equipment and storage medium | |
CN106506630A (en) | A Method for Discovering Malicious Network Behaviors Based on HTTP Content Consistency | |
CN103368963A (en) | HTTP message tamper-proofing method in content distribution network | |
CN112003873B (en) | HTTP (hyper text transport protocol) traffic defense method and system for resisting DDoS (distributed denial of service) attack | |
CN109040126B (en) | Detection device and method for SIP flooding attack of IMS network | |
CN106789413A (en) | A kind of method and apparatus for detecting proxy surfing | |
CN105516200B (en) | Cloud system method and device of safe processing | |
CN115567942A (en) | 5G network endogenous security protection method, device, network element and storage medium | |
CN109067782B (en) | IMS network session abnormal interruption attack detection device and method | |
KR101538309B1 (en) | APPARATUS, SYSTEM AND METHOD FOR DETECTING ABNORMAL VoLTE REGISTRATION MESSAGE IN 4G MOBILE NETWORKS | |
CN114938269A (en) | Public safety video monitoring digital asset key escrow method and system | |
US20200021647A1 (en) | Method of P2P Botnet Detection Based on Netflow Sessions | |
CN101325495A (en) | A detection method, device and system for detecting hacker servers | |
CN109246144A (en) | HSS unauthorized access detection device and method in IMS network | |
KR101466895B1 (en) | Method of detecting voip fraud, apparatus performing the same and storage media storing the same |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||